argocd-image-updater icon indicating copy to clipboard operation
argocd-image-updater copied to clipboard

Published 20 hours ago verified publisher icon argoproj-labs

Invalid reference format for digest update strategy

Open LS80 opened this issue 3 years ago • 8 comments

I tried out the digest update strategy for a Helm application (introduced in https://github.com/argoproj-labs/argocd-image-updater/pull/176) and found that the default behaviour will produce an invalid reference format some/image:sha256:<somelonghashstring>. This should be some/image@sha256:<somelonghashstring>, so it appears that the sha256: is being considered part of the "tag". If using the helm.image-spec annotation the format is valid.

One solution would be to append @sha256 to the image name instead of making it part of the tag? Or at least document that the helm.image-spec annotation is required?

Another solution would be to set the tag to include latest or whatever tag is set by the annotation, so some/image:latest@sha256:<somelonghashstring>. That is also a valid format.

It might also be useful to have a dedicated annotation for the digest, to enable usage such as in the kube-prometheus-stack helm chart.

The commit message is also not ideal.

updates image some/image tag 'dummy' to 'sha256:<somelonghashstring>'

A better message would be.

updates image some/image tag 'latest' to digest 'sha256:<somelonghashstring>'

LS80 avatar May 25 '21 16:05 LS80

Hey @LS80, good point there.

However, since it's the Helm template which constructs the final image name from the parameters given, are there any best practices documentation for Helm how to properly handle SHAs instead of tags, i.e. how to pass them to the template?

Because in the end, it's up to the Helm template whether to render input variables image.name=foo and image.tag=sha256:somehash as foo@sha256:somehash or as foo:sha256:somehash.

jannfis avatar Jun 07 '21 08:06 jannfis

I'm unaware of any Helm best practices for that, but perhaps the simplest fix is to always include the tag name as well as the digest. So set image.tag=latest@sha256:somehash.

Of course it might not be latest, so if we set

argocd-image-updater.argoproj.io/image-list: someimage=some/image:sometag
argocd-image-updater.argoproj.io/someimage.update-strategy: digest

Then it should set image.tag=sometag@sha256:somehash.

I think that would be compatible with existing Helm templates that use a tag parameter, so there should be no need for an additional Helm parameter for the digest. Do you think that would work?

P.S. This is enough reason to use Kustomize instead of Helm in my opinion 😄

LS80 avatar Jun 07 '21 12:06 LS80

Hey @LS80, sorry for coming back so late to this. I agree that probably the format you are refering (sometag@sha256:somehash) is the way to go forward for compatibility. I will check how that works out and if it does, publish a patch release shortly.

jannfis avatar Aug 13 '21 10:08 jannfis

Are there any updates on this ?

imdbere avatar Nov 23 '21 21:11 imdbere

same issue here looking forward for updates

mehrdadpfg avatar Nov 24 '21 17:11 mehrdadpfg

Similar to #259

agorgl avatar Dec 11 '21 20:12 agorgl

Given the fix mentioned above, does it address the issue? What's the ETA for including the fix in a release?

dwi-mfbcs avatar Jan 14 '22 23:01 dwi-mfbcs

Yeah, the fix above will address this issue. I'm a little hesitant to put in a patch release (e.g. 0.11.4) tho, because it might break workarounds that people have in place. So target for #317 is 0.12.0, which (unfortunately) does not have an ETA yet but a milestone

jannfis avatar Jan 19 '22 18:01 jannfis