
7 ‐ SLSA and Charts images synchronization

Nicholas openSUSE Software Engineer edited this page Jul 8, 2025 · 12 revisions

SLSA lvl.3

All projects that became SLSA compliant based on the SLSA guidance will automatically push their images directly to both DockerHub and Rancher Prime registries.

It is of the utmost importance that no background process tries to sync those DockerHub images back into Rancher Prime: the digests of the two images may differ, which may result in the Prime image being overwritten and its cosign signature no longer being discoverable.

The image sync process within Rancher Prime now only copies missing images, so as to avoid this problem. However, Rancher charts also have a sync process.

More information on SLSA compliance: SLSA Guidance Doc

Registries Sync

As of Jun 20, 2025 there is a new registry synchronization process adopted by the charts repository.

When releasing a chart (i.e., merging any chart from a dev-v2.* branch to a release-v2.* branch), the .github/workflows/registry.yaml job will:

  1. Scan all Charts image/tag dependencies in all .tgz files.
  2. Check if these image/tag dependencies are already synced in Prime registry.
  3. For those that are not yet synced, it will also check if the image/tag dependency is present on Staging registry.
  4. The image/tag dependency that is present only in Docker will be copied straight to Prime registry.
  5. The image/tag dependency that is also present in Staging registry will be copied (with its signatures) to Prime registry.

The process has redundant safety checks in place to prevent any image/tag dependency from being overwritten in Prime registry.
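The decision logic of steps 1 to 5 above, as an added example in Python that is not the rancher/charts workflow's own (Go-based) code: it scans a constructed chart .tgz for repository/tag pairs in values.yaml (a simplified scan; real charts may nest these keys differently) and splits the dependencies into the dockerToPrime and stagingToPrime lists, skipping anything already in Prime so that nothing there is ever overwritten.

```python
"""Added example (not the rancher/charts workflow's own code): builds the
sync plan described on this page from a chart .tgz and registry inventories."""
import io
import re
import tarfile

# Assumption: a `repository:` line directly followed by a `tag:` line names
# one image dependency. This is a simplification of real chart values files.
_PAIR_RE = re.compile(r"repository:\s*\"?([\w./-]+)\"?\s*\n\s*tag:\s*\"?([\w.-]+)\"?")


def scan_chart_images(tgz_bytes):
    """Return the image:tag dependencies found in values.yaml files of a chart .tgz."""
    found = set()
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("values.yaml"):
                text = tar.extractfile(member).read().decode()
                for repo, tag in _PAIR_RE.findall(text):
                    found.add(f"{repo}:{tag}")
    return found


def plan_sync(deps, in_prime, in_staging):
    """Decide, per dependency, where it is copied from.
    Anything already in Prime is skipped: Prime images are never overwritten.
    Present in Staging: cosign copy (entity, .sig, .att, .sbom) to Prime.
    Otherwise (Docker Hub only): copy the entity tag only, no signatures."""
    plan = {"dockerToPrime": [], "stagingToPrime": [], "skipped": []}
    for ref in sorted(deps):
        if ref in in_prime:
            plan["skipped"].append(ref)
        elif ref in in_staging:
            plan["stagingToPrime"].append(ref)
        else:
            plan["dockerToPrime"].append(ref)
    return plan


def build_sample_chart():
    """Constructed sample chart archive (not a real Rancher chart)."""
    values = ("image:\n  repository: rancher/example-app\n  tag: v1.2.3\n"
              "sidecar:\n  repository: rancher/example-sidecar\n  tag: v0.9.0-rc1\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = values.encode()
        info = tarfile.TarInfo("example-app/values.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    deps = scan_chart_images(build_sample_chart())
    print(plan_sync(deps, {"rancher/example-app:v1.2.3"},
                    {"rancher/example-sidecar:v0.9.0-rc1"}))
```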

regsync was deprecated; we are using 'go-containerruntime' and 'cosign' for this process.

The implementation was made in the following Pull Requests:

Overview

Chart Owner Process

This process is the responsibility of the chart owners.

It must be done before the chart bump.

graph BT
    A[upstream chart repository]
    A -->|pushes entity only| D[Docker Hub]
    A -->|pushes entity, .sig, .att and .sbom| E[Staging Registry]

Scan Registries

The result of this process is these two files:

  • dockerToPrime.yaml
  • stagingToPrime.yaml

Example: https://github.com/rancher/charts/pull/5810/commits/a496196bc95545d69287a9c29e0222a3d7725fdc

graph LR
    A[charts repository sync process]
    B[assets/*.tgz image/tag dependencies]
    C[Docker Hub]
    D[Staging Registry]

    A --> |list| B
    B --> |corresponds to| C
    A --> |compare with| D

Sync Registries

The behavior below is hard-coded to ensure safety; the sync-registries job:

  • will never overwrite anything in the Prime Registry.
  • will never try to cosign copy any signatures from Docker Hub.

Everything is logged before/after for inspection, example: https://github.com/rancher/charts/actions/runs/15810654554/job/44561503914?pr=5810

graph LR
    A[charts repository sync process]
    B[Docker Hub]
    C[Staging Registry]
    D[Prime Registry]

    A --> B
    A --> C
    B --> |copy only entity tag| D
    C --> |cosign copy entity, .sig, .att and sbom| D


No Sync from Registries

Some Chart Owners prefer to push and cosign the image/tags directly to Prime.

That is not a problem; our CI job will recognize that the image is already present and will not overwrite it.

However, no one can push the following tags to Prime:

  • RCs
  • alphas
  • betas

If you work with these types of tags, you should push them to Staging and let the CI from rancher/charts handle the sync process.
