deplab commented Aug 24, 2025

Dear OCI Team,

When attempting to sign images using OCI CLI, the request times out as the URL returned by OCI CLI is incorrect. The correct URL is https://<redacted>-crypto.kms.me-riyadh-1.oci.oraclecloud.com but the one the OCI CLI attempts to use is https://<redacted>-crypto.kms.me-riyadh-1.oraclecloud.com without ".oci." - as a result the image signing fails.

The command that is used to sign images with full administrative permissions is as follows:

```
oci artifacts container image-signature sign-upload --compartment-id ocid1.compartment.oc1...<redacted> --image-id ocid1.containerimage.oc1.me-riyadh-1.0.<redacted> --kms-key-id ocid1.key.oc1.me-riyadh-1.<redacted> --kms-key-version-id ocid1.keyversion.oc1.me-riyadh-1.<redacted> --signing-algorithm SHA_<redacted>_RSA_PKCS_PSS --debug
```

The error that is returned is as follows:
```
File "<redacted>/site-packages/oci/base_client.py", line 694, in request
    raise exceptions.RequestException(e)
oci.exceptions.RequestException: (MaxRetryError("OCIConnectionPool(host='<redacted>-crypto.kms.me-riyadh-1.oraclecloud.com', port=443): Max retries exceeded with url: /<redacted>/sign (Caused by NewConnectionError('< oci.base_client.OCIConnection object at 0x1123f34d0>: Failed to establish a new connection: [Errno 8] nodename nor servname provided, or not known'))"), 'Request Endpoint: POST https://<redacted>-crypto.kms.me-riyadh-1.oraclecloud.com/<redacted>/sign See https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_troubleshooting.htm for help troubleshooting this error, or contact support and provide this full error message.')
```

After further investigation and a chat with the kind OCI Support team, it became apparent that this issue is related to a change of endpoint format and may affect multiple regions including me-riyadh-1. The following is from comments in this repository:

```
# New Endpoint format: <region>.<service>.<oci/ocp/ocs>.<oraclecloud/oracleiaas>.com
# Old Endpoint format: <Service Identifier>.<Region ID>.oraclecloud.com OR <Service Identifier>.<AD#>.<Region ID>.<oraclecloud/oracleiaas>.com
# Above info is from below confluence links:
# Old endpoint naming convention: https://confluence.oci.oraclecorp.com/display/PM/OCI+-+Service+Endpoints
# New endpoint naming convention: https://confluence.oci.oraclecorp.com/display/~sumidey/Service+Endpoint+Update
```

Please accept this PR, which will allow flexibility for overwriting the Cryptographic Endpoint to 'oraclecloud.com' or 'oci.oraclecloud.com' or 'oracleiaas.com' etc. as below:

```
oci artifacts container image-signature sign-upload .... --base-domain-overwrite oci.oraclecloud.com
```
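
Editor's added example, not code from this PR or from the OCI CLI: because a base-domain override decides which host receives the signed KMS `sign` request, one way to apply it is to swap only the domain suffix and accept only the three domains named in the description above. The function name, the allowlist and the `examplevault` prefix are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Base domains named in the PR description. Using them as an allowlist is an
# assumption of this example, not documented OCI CLI behaviour.
ALLOWED_BASE_DOMAINS = ("oci.oraclecloud.com", "oraclecloud.com", "oracleiaas.com")

# Constructed sample endpoint in the old format; the vault prefix is made up.
SAMPLE_OLD_ENDPOINT = "https://examplevault-crypto.kms.me-riyadh-1.oraclecloud.com"


def rewrite_base_domain(endpoint: str, new_base: str) -> str:
    """Replace the base domain of a KMS crypto endpoint, keeping the
    '<vault>-crypto.kms.<region>' prefix, and reject hosts off the allowlist."""
    new_base = new_base.strip().lower().rstrip(".")
    if new_base not in ALLOWED_BASE_DOMAINS:
        raise ValueError(f"base domain not allowed: {new_base!r}")

    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("endpoint must be an https URL with a host")
    if parts.username or parts.password:
        raise ValueError("endpoint must not carry userinfo")
    host = parts.hostname.lower()

    # Try the longest suffix first so 'x.oci.oraclecloud.com' is not cut at
    # 'oraclecloud.com', which would leave a stray '.oci' in the prefix.
    for base in sorted(ALLOWED_BASE_DOMAINS, key=len, reverse=True):
        suffix = "." + base
        if host.endswith(suffix):
            prefix = host[: -len(suffix)]
            break
    else:
        raise ValueError(f"host is not under a known base domain: {host}")

    netloc = f"{prefix}.{new_base}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    print(rewrite_base_domain(SAMPLE_OLD_ENDPOINT, "oci.oraclecloud.com"))
```
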


Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
The following contributors of this PR have not signed the OCA:

To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application.

When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated.

If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. label Aug 24, 2025

Thank you for signing the OCA.

@oracle-contributor-agreement oracle-contributor-agreement bot added OCA Verified All contributors have signed the Oracle Contributor Agreement. and removed OCA Required At least one contributor does not have an approved Oracle Contributor Agreement. labels Aug 25, 2025
pankajmjx (Member) commented Aug 28, 2025

Hi @deplab
This API is managed by the Service Team (Artifacts Service). We have created an internal ticket with the Service Team to address this issue.

deplab (Author) commented Aug 28, 2025

> Hi @deplab
> This API is managed by the Service Team (Artifacts Service). We have created an internal ticket with the Service Team to address this issue.

Thank you very much @pankajmjx! 😊
