harbor fails to recognize non-existent image repository and returns "some" digest
Hi team
I'm exploring this tool to improve our existing CD pipelines and found an issue while trying to set up a POC.
Problem is that even though kbld finishes successfully and the output manifest contains the image referenced by a digest, metadata is added, etc., the digest used doesn't exist.
Even worse, trying with an incorrect tag gives the same result: successful completion but incorrect digest.
Any idea?
About my environment:
Harbor as registry and kbld v0.21.0.
I'm guessing the behaviour you are observing is the following (if url already contains digest, kbld just passes it through):
$ echo "image: blah.com/foo@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" | kbld -f-
arguably kbld should double check that there is indeed an image with that digest.
however, I'm not quite sure what you mean by "trying with an incorrect tag gives same result". here is the expected behaviour for non-existing tag:
$ echo "image: nginx:foo" | kbld -f-
kbld: Error:
- Resolving image 'nginx:foo': GET https://index.docker.io/v2/library/nginx/manifests/foo: MANIFEST_UNKNOWN: manifest unknown; map[Tag:foo]
can you provide an example I can reproduce?
Problem could be our registry is not public, but this is some test I have just run. (I replaced registry names & image names)
Considering this image...
❯ docker inspect --format='{{.RepoDigests}}' our.harbor.registry.com/project/test-image:latest
[our.harbor.registry.com/project/test-image@sha256:019971b1bf91154a1c71c27bd3d976dc6252ed8929e4e82a91763b93363797c4]
And this deployment
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: test
spec:
  template:
    metadata:
      labels:
        app: test
      containers:
      - name: test-image
        image: our.harbor.registry.com/project/test-image@sha256:019971b1bf91154a1c71c27bd3d976dc6252ed8929e4e82a91763b93363797c4
        imagePullPolicy: Always
      - name: test-image
        image: our.harbor.registry.com/project/test-image:latest
        imagePullPolicy: Always
      - name: test-image
        image: our.harbor.registry.com/project/test-image:fake
        imagePullPolicy: Always
      - name: test-image
        image: our.harbor.registry.com/project/invalid:fake
        imagePullPolicy: Always
kbld -f deployment.yml
...is producing this...
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  annotations:
    kbld.k14s.io/images: |
      - Metas: null
        URL: our.harbor.registry.com/project/test-image@sha256:019971b1bf91154a1c71c27bd3d976dc6252ed8929e4e82a91763b93363797c4
      - Metas:
        - Tag: latest
          Type: resolved
          URL: our.harbor.registry.com/project/test-image:latest
        URL: our.harbor.registry.com/project/test-image@sha256:19834618b82fdba704ed3a9f37b50e0f4437f3e59dc06c0dc53e06daa4e180d4
      - Metas:
        - Tag: fake
          Type: resolved
          URL: our.harbor.registry.com/project/test-image:fake
        URL: our.harbor.registry.com/project/test-image@sha256:19834618b82fdba704ed3a9f37b50e0f4437f3e59dc06c0dc53e06daa4e180d4
      - Metas:
        - Tag: fake
          Type: resolved
          URL: our.harbor.registry.com/project/invalid:fake
        URL: our.harbor.registry.com/project/invalid@sha256:19834618b82fdba704ed3a9f37b50e0f4437f3e59dc06c0dc53e06daa4e180d4
  name: test
spec:
  template:
    metadata:
      containers:
      - image: our.harbor.registry.com/project/test-image@sha256:019971b1bf91154a1c71c27bd3d976dc6252ed8929e4e82a91763b93363797c4
        imagePullPolicy: Always
        name: test-image
      - image: our.harbor.registry.com/project/test-image@sha256:19834618b82fdba704ed3a9f37b50e0f4437f3e59dc06c0dc53e06daa4e180d4
        imagePullPolicy: Always
        name: test-image
      - image: our.harbor.registry.com/project/test-image@sha256:19834618b82fdba704ed3a9f37b50e0f4437f3e59dc06c0dc53e06daa4e180d4
        imagePullPolicy: Always
        name: test-image
      - image: our.harbor.registry.com/project/invalid@sha256:19834618b82fdba704ed3a9f37b50e0f4437f3e59dc06c0dc53e06daa4e180d4
        imagePullPolicy: Always
        name: test-image
      labels:
        app: test
As you can see, whether the image & tag exists or not, the digest I got is the same, which is not correct.
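An added example, not part of the original thread and not kbld's own code: a minimal audit of the kbld.k14s.io/images annotation that flags digests kbld passed through without resolving (Metas: null) and digests shared by several distinct source references, the pattern in the output above. The digests are constructed, the names parse_entries and audit are hypothetical, and the parser assumes the annotation layout shown in this thread.

```python
import re
# Constructed digests (not real); the sample mirrors the annotation shape shown above.
D_PINNED, D_REPEAT = "sha256:" + "01" * 32, "sha256:" + "19" * 32
REG = "our.harbor.registry.com/project"
SAMPLE_ANNOTATION = f"""\
- Metas: null
  URL: {REG}/test-image@{D_PINNED}
- Metas:
  - Tag: latest
    Type: resolved
    URL: {REG}/test-image:latest
  URL: {REG}/test-image@{D_REPEAT}
- Metas:
  - Tag: fake
    Type: resolved
    URL: {REG}/test-image:fake
  URL: {REG}/test-image@{D_REPEAT}
- Metas:
  - Tag: fake
    Type: resolved
    URL: {REG}/invalid:fake
  URL: {REG}/invalid@{D_REPEAT}
"""

def parse_entries(annotation):
    """Return [(source_ref or None, resolved_ref)] from the annotation text."""
    entries, source = [], None
    for line in annotation.splitlines():
        m = re.match(r"^( *)URL: (\S+)$", line)
        if line.startswith("- Metas:"):
            source = None                         # new entry; stays None for 'Metas: null'
        elif m and len(m.group(1)) > 2:
            source = m.group(2)                   # URL nested under Metas: the original ref
        elif m:
            entries.append((source, m.group(2)))  # entry-level URL: the resolved ref
    return entries

def audit(annotation):
    """Flag digests kbld never resolved and digests shared by distinct sources."""
    findings, by_digest = [], {}
    for source, resolved in parse_entries(annotation):
        if source is None:
            findings.append(("passthrough-unverified", resolved))
        else:
            by_digest.setdefault(resolved.rsplit("@", 1)[-1], set()).add(source)
    for digest, sources in by_digest.items():
        if len(sources) > 1:
            findings.append(("digest-shared", digest, sorted(sources)))
    return findings
```

A shared digest is only a prompt for review, since two tags can legitimately point at the same image; the authoritative check is to ask the registry for the manifest by that digest.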
hmm, looks like this might be harbor specific behaviour. I'll have to try installing harbor and trying it out.
I can do any testing you could need. Just let me know.