terraform-provider-docker

Docker Registry Image data source uses GET request to query image digest

Open giesmininkas opened this issue 3 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and docker Provider) Version

Terraform v1.2.6
on linux_amd64
+ provider registry.terraform.io/kreuzwerker/docker v2.20.0

Affected Resource(s)

  • data.docker_registry_image

Terraform Configuration Files

terraform {
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = "2.20.0"
    }
  }
}

provider "docker" {
  host = "tcp://localhost:2375"
}

data "docker_registry_image" "nginx" {
  name = "nginx:1"
}

Debug Output

Panic Output

Expected Behaviour

Provider executes HEAD request to query image manifest endpoint and extract image digest from headers.

Actual Behaviour

Provider executes GET request which counts toward the Docker Hub rate limiting policy and quickly exhausts available requests. For bigger configurations with more docker images this happens quickly, because this request is executed on every refresh.

Steps to Reproduce

  1. terraform plan until remaining Docker Hub requests are exhausted.

Important Factoids

References

giesmininkas Aug 09 '22 22:08

I double checked with the implementation. We are issuing a GET request and then taking the docker-content-digest header value (https://github.com/kreuzwerker/terraform-provider-docker/blob/master/internal/provider/data_source_docker_registry_image.go#L186).

We could change that to use HEAD request to prevent rate limiting. The only thing I am concerned about is the handling when the registry does not return the docker-content-digest header (https://github.com/kreuzwerker/terraform-provider-docker/blob/master/internal/provider/data_source_docker_registry_image.go#L188).

What we could do:

  • execute the HEAD request
  • if registry does not return docker-content-digest header
    • issue GET request

That way we could prevent rate limiting for most cases and it still works for those registries without that header.

Junkern Aug 10 '22 09:08

@Junkern Thanks for the response. That's exactly what I thought after examining the code.

giesmininkas Aug 10 '22 09:08

Perfect! I won't have time in the next 2-3 weeks to implement this but it is on my list. I also would be happy about a PR ;)

Junkern Aug 10 '22 09:08