Add migration for image verifiers #4773

Merged
KCSesh merged 2 commits into bottlerocket-os:develop from KCSesh:pr-114/bottlerocket
Feb 25, 2026

@KCSesh KCSesh commented Feb 25, 2026

Related:
bottlerocket-os/bottlerocket-settings-sdk#114
bottlerocket-os/bottlerocket-core-kit#820
bottlerocket-os/bottlerocket-core-kit#841
#4766

Description of changes:

  • Added a migration for the expansion of image-verifiers.

Testing done:

  • Launched an old AMI and set up notation settings.
  • Migrated to the new AMI and added a custom image verifier setting (only via setting - no bootstrap copy).
  • Rolled back to the old AMI and verified only notation settings were persisted.

1.55.0

bash-5.2# apiclient get settings.image-verifier-plugins
{
  "settings": {
    "image-verifier-plugins": {
      "enabled": true,
      "notation": {
        "trustpolicy": "ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
      }
    }
  }
}
bash-5.2# apiclient set settings.image-verifier-plugins.digestion.trustpolicy="ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
Failed to change settings: Failed PATCH request to '/settings/keypair?tx=apiclient-set-Q8I8TyFmNICanHqu': Status 400 when PATCHing /settings/keypair?tx=apiclient-set-Q8I8TyFmNICanHqu: Unable to match your input to the data model.  We may not have enough type information.  Please try the --json input form.  Cause: Error during deserialization: unknown field `digestion`, expected `enabled` or `notation` at line 1 column 38

Move to 1.56.0



bash-5.2# apiclient get settings.image-verifier-plugins
{
  "settings": {
    "image-verifier-plugins": {
      "enabled": true,
      "notation": {
        "trustpolicy": "ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
      }
    }
  }
}
bash-5.2# apiclient set settings.image-verifier-plugins.digestion.trustpolicy="ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
bash-5.2# apiclient get settings.image-verifier-plugins
{
  "settings": {
    "image-verifier-plugins": {
      "digestion": {
        "trustpolicy": "ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
      },
      "enabled": true,
      "notation": {
        "trustpolicy": "ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
      }
    }
  }
}

Rollback to 1.55:

[ssm-user@control]$ apiclient get settings.image-verifier-plugins
{
  "settings": {
    "image-verifier-plugins": {
      "enabled": true,
      "notation": {
        "trustpolicy": "ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9"
      }
    }
  }
}

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Signed-off-by: Kyle Sessions <kssessio@amazon.com>
@KCSesh KCSesh requested review from bcressey and vigh-m February 25, 2026 22:05
Signed-off-by: Kyle Sessions <kssessio@amazon.com>
@KCSesh KCSesh force-pushed the pr-114/bottlerocket branch from 2e07775 to 296029a Compare February 25, 2026 22:59
@KCSesh KCSesh merged commit 6376a4b into bottlerocket-os:develop Feb 25, 2026
2 checks passed
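
The rollback result in the testing above (only enabled and notation survive on 1.55) is the state a backward migration step has to leave behind, because the older data model rejects any other child of image-verifier-plugins. The sketch below is an added illustration, not code from this pull request or from Bottlerocket; the flat dotted-key map and the names rollback_image_verifiers and sample_156_settings are assumptions made for the example.

```rust
use std::collections::BTreeMap;

// Assumption: settings are modelled as a flat map of dotted keys to JSON-encoded
// values. This is a simplified stand-in, not Bottlerocket's datastore API.
type Settings = BTreeMap<String, String>;

const PREFIX: &str = "settings.image-verifier-plugins.";
// Children the 1.55.0 model accepts, taken from its error message:
// "unknown field `digestion`, expected `enabled` or `notation`".
const KNOWN_TO_OLD_MODEL: [&str; 2] = ["enabled", "notation"];

/// Backward step (hypothetical helper): drop every image-verifier key whose first
/// path segment is unknown to the older model. Returns the removed keys.
fn rollback_image_verifiers(settings: &mut Settings) -> Vec<String> {
    let removed: Vec<String> = settings
        .keys()
        .filter(|k| match k.strip_prefix(PREFIX) {
            Some(rest) => !KNOWN_TO_OLD_MODEL.contains(&rest.split('.').next().unwrap_or("")),
            None => false, // keys outside image-verifier-plugins are left alone
        })
        .cloned()
        .collect();
    for k in &removed {
        settings.remove(k);
    }
    removed
}

/// Constructed sample mirroring the 1.56.0 state shown in the test output.
fn sample_156_settings() -> Settings {
    let policy = "\"ewogICJ2ZXJzaW9uIjogIjEuMCIsCiAgInRydXN0UG9saWNpZXMiOiBbXQp9\"";
    let mut s = Settings::new();
    s.insert(format!("{}enabled", PREFIX), "true".into());
    s.insert(format!("{}notation.trustpolicy", PREFIX), policy.into());
    s.insert(format!("{}digestion.trustpolicy", PREFIX), policy.into());
    s.insert("settings.motd".into(), "\"hello\"".into()); // unrelated key, must survive
    s
}

fn main() {
    let mut s = sample_156_settings();
    let removed = rollback_image_verifiers(&mut s);
    println!("removed on rollback: {:?}", removed);
    println!("remaining keys: {:?}", s.keys().collect::<Vec<_>>());
}
```

Returning the removed keys lets a rollback record which verifier trust policies are no longer present on the older version.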