Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

imgpkg v0.40.0 breaks with relocated image #636

Closed
mstergianis opened this issue Feb 22, 2024 · 2 comments
Closed

imgpkg v0.40.0 breaks with relocated image #636

mstergianis opened this issue Feb 22, 2024 · 2 comments
Labels
bug This issue describes a defect or unexpected behavior carvel accepted This issue should be considered for future work and that the triage process has been completed

Comments

@mstergianis
Copy link

mstergianis commented Feb 22, 2024

What steps did you take:

  1. Create a bundle that references an image. It could be anything, I chose nginx for my example
  2. Relocate (imgpkg copy) that bundle to a second private registry. The scenario I'm simulating here is moving something from an company's internal registry, to a company's public yet authenticated registry.
  3. log out of the first registry. So as to simulate a customer that only has access to the public registry
  4. imgpkg describe the image that is on the public registry

Here's a script that roughly sums up what I did to replicate this from scratch

mkdir -p bundle/.imgpkg/
cat >bundle/.imgpkg/images.yml <<EOF
apiVersion: imgpkg.carvel.dev/v1alpha1
images:
- annotations:
    kbld.carvel.dev/id: tdp-configurator
  image: FIRST-PRIVATE-REGISTRY/SOME-URI@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

kind: ImagesLock
EOF

imgpkg push -b FIRST-PRIVATE-REGISTRY/SOME-BUNDLE-URI -f bundle/

imgpkg copy -b FIRST-PRIVATE-REGISTRY/SOME-BUNDLE-URI@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef --to-repo SECOND-PRIVATE-REGISTRY/SOME-BUNDLE-URI

docker logout FIRST-PRIVATE-REGISTRY

imgpkg describe -b SECOND-PRIVATE-REGISTRY/SOME-BUNDLE-URI@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# imgpkg: Error: Error:
#   GET https://FIRST-PRIVATE-REGISTRY/v2/SOME-BUNDLE-URI/manifests/sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:
#     UNAUTHORIZED: unauthorized to access repository: SOME-BUNDLE-URI, action: pull: unauthorized to access repository: SOME-BUNDLE-URI, action: pull in getting remote access of image FIRST-PRIVATE-REGISTRY/SOME-BUNDLE-URI@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

What happened:
imgpkg describe fails because it tries to list the layers of an image it can't access

What did you expect:
imgpkg describe succeeds

Anything else you would like to add:

  • I figure this is the fix (when I tested my limited example it worked) but I felt bad creating a PR that didn't improve the tests as well. When I timeboxed myself and tried to write a test I got lost in the FakeRegistry and how to describe this particular case.
    diff --git a/pkg/imgpkg/v1/describe.go b/pkg/imgpkg/v1/describe.go
    index ac0359ca..bc93e04f 100644
    --- a/pkg/imgpkg/v1/describe.go
    +++ b/pkg/imgpkg/v1/describe.go
    @@ -188,11 +188,11 @@ func (r *refWithDescription) describeBundleRec(visitedImgs map[string]refWithDes
     			desc.bundle.Content.Bundles[digest.DigestStr()] = bundleDesc
     		} else {
     			if ref.Error == "" {
    -				digest, err := name.NewDigest(ref.Image)
    +				digest, err := name.NewDigest(ref.PrimaryLocation())
     				if err != nil {
     					return desc.bundle, fmt.Errorf("Internal inconsistency: image %s should be fully resolved", ref.Image)
     				}
    -				layers, err = getImageLayersInfo(ref.Image)
    +				layers, err = getImageLayersInfo(ref.PrimaryLocation())
     				if err != nil {
     					return desc.bundle, err
     				}
  • I find it a little bit odd that the default behaviour now includes fetching these layers. It roughly doubles the execution time of my example, and I'd imagine for many real world cases where a bundle contains more than one image it might be worse. Maybe consider putting the new feature behind an option?
  • Cross linking Updated describe command to show layer's digest of each image #622

Environment:

  • imgpkg version (use imgpkg --version):
    • imgpkg version 0.41.0 - broken
    • 0.40.0 - broken
    • 0.39.0 - working
  • Docker registry used (e.g. Docker HUB): I used a harbor instance and azurecr in my example
  • OS (e.g. from /etc/os-release): linux

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

@mstergianis mstergianis added bug This issue describes a defect or unexpected behavior carvel triage This issue has not yet been reviewed for validity labels Feb 22, 2024
@joaopapereira
Copy link
Member

joaopapereira commented Feb 22, 2024

Great catch.
That bug has been around since 2022 😄 not sure how we did not catch that earlier.

I find it a little bit odd that the default behaviour now includes fetching these layers. It roughly doubles the execution time of my example, and I'd imagine for many real world cases where a bundle contains more than one image it might be worse. Maybe consider putting the new feature behind an option?

This sounds like an oversight. We also have a flag for cosign artifacts, which defaults to true. Would it be ok if we have a flag called --layers that also defaults to true, and you can set it to false?

When I timeboxed myself and tried to write a test I got lost in the FakeRegistry and how to describe this particular case.

This particular fake only supports one registry, which would make it complicated to test. The easier thing to do here is to create an e2e test where the setup might be easier.

@joaopapereira joaopapereira added carvel accepted This issue should be considered for future work and that the triage process has been completed and removed carvel triage This issue has not yet been reviewed for validity labels Feb 22, 2024
@renuy
Copy link

renuy commented Mar 5, 2024

PR merged

@renuy renuy closed this as completed Mar 5, 2024
@github-project-automation github-project-automation bot moved this to Closed in Carvel Mar 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue describes a defect or unexpected behavior carvel accepted This issue should be considered for future work and that the triage process has been completed
Projects
Archived in project
Development

No branches or pull requests

3 participants