argocd-image-updater icon indicating copy to clipboard operation
argocd-image-updater copied to clipboard

Published 20 hours ago verified publisher icon argoproj-labs

`digest` update-strategy does not work when registry's `tagsortmode` is `latest-first`

Open jngbng opened this issue 3 years ago • 3 comments

Describe the bug

When registry's tagsortmode is set latest-first, digest update strategy does not work. (at least with ECR). argocd-image-updater do detect that update is needed. But it updates to targetTagName itself again instead of sha256:new-sha-tag, which makes no effect. (If you use helm, you have to use helm.image-spec. #210)

level=info msg="Successfully updated image '.../my-app:latest' to '.../my-app:latest', but pending spec update (dry run=false)" alias=my-app application=my-app image_name=my-app image_tag=dummy registry=xxx.dkr.ecr.ap-southeast-1.amazonaws.com
...
level=info msg="Successfully updated the live application spec" application=my-app
level=info msg="Processing results: applications=1 images_considered=1 images_skipped=0 images_updated=1 errors=0"

I guess it has something to do with below notes in registry option document:

tagsortmode (optional) defines ... If tagsortmode is set to one of latest-first or latest-last, Argo CD Image Updater will not request additional meta data from the registry if the <image_alias>.sort-mode is latest but will instead use the sorting from the tag list.

I assume that additional meta data might include image's sha256 tag so that digest strategy cannot be performed. (Just my assumption. I do not read the code.)

Anyway, after changing tagsortmode back to none and restarting argocd-image-updater, everything works well.

I would be better that argocd-image-updater prints more detailed log message when digest update strategy fails to update to sha256 tag. Currently, there is no clue and took me lots of time to figure the problem out.

If my assumption is correct, it would be better that proper notice is mentioned in tagsortmode document.

To Reproduce

Add ECR registry with tagsortmode: latest-first and add application with digest update-strategy.

Application.yaml:

    argocd-image-updater.argoproj.io/image-list: my-app=xxx.dkr.ecr.ap-southeast-1.amazonaws.com/my-app:latest
    argocd-image-updater.argoproj.io/my-app.update-strategy: digest
    argocd-image-updater.argoproj.io/my-app.pull-secret: ext:/tmp/script.sh

registries.conf:

  registries.conf: |
    registries:
    - name: ECR
      api_url: https://xxx.dkr.ecr.ap-southeast-1.amazonaws.com
      prefix: xxx.dkr.ecr.ap-southeast-1.amazonaws.com
      ping: yes
      tagsortmode: latest-first
      credentials: ext:/tmp/script.sh

Expected behavior Application should be update to new image such as 'my-app@sha256:new-sha256-tag'.

Additional context None

Version 0.10.2

Logs Please paste any relevant logs here

jngbng avatar Aug 18 '21 15:08 jngbng

Hey, tagsortmode was introduced for special cases where the registry may not provide the metadata required to determine the build date of a tag, and when set, uses the order of the tags as returned by the registry.

I would suggest to simply remove this setting from the configuration, if you don't have a proper reason for using it.

jannfis avatar Aug 21 '21 17:08 jannfis

@jannfis Yes, you are right. The document does not warn about this problem now and some examples in the document and github answers are using tagsortmode, which might lead some copy-paste users (like me) to panic. I leave this issue for someone who might suffer from it.

jngbng avatar Aug 31 '21 01:08 jngbng

Shouldn't tagsortmode be ignored for the digest update strategy? It makes no sense for a single mutable tag, as required for the digest strategy, right?

joebowbeer avatar Mar 07 '22 06:03 joebowbeer