fix: resolve manifest list digest instead of platform-specific digest #3611
/retest
1c55e9d to 5936721
/lgtm
| } | ||
|
|
||
| # Get SHA digest for an image:tag | ||
| # Get manifest list SHA digest for an image:tag (multi-arch) |
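Review bot: The new comment says "manifest list SHA digest ... (multi-arch)" but does not say what the function returns when the tag resolves to a single-arch image manifest rather than a list. State that case in the comment, and whether the value is still the one the CSV should pin, so the next reader does not have to re-derive it.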
I'd suggest also changing the function name. It's no longer obtaining an image SHA. Instead it's generating a SHA from some text input.
Another thing is that the function can return a different SHA even if the image hasn't changed (extra whitespace, order of the JSON map, etc.). So instead, you can pin on the top-level manifest digest, e.g.: skopeo inspect docker://quay.io/enatan/jenkins2tekton:latest | jq -r '.Digest'. Here is also what AI tells me:
To support multi-arch clusters, your Operator CSV must pin to the top-level Manifest List Digest (sometimes called an index digest).
When you point Kubernetes to a multi-arch digest, the container runtime on each node (cri-o or containerd) automatically inspects the list, matches its own native CPU architecture (amd64 or arm64), and pulls the correct underlying layer.
skopeo inspect does not return .Digest
I have commented a different solution for the same
Thanks for the review. Updated and renamed to get_manifest_list_digest and using skopeo inspect | jq -r '.Digest'.
@pramodbindal I tested it locally and it gives the manifest list digest; not sure if I am missing anything
| get_image_sha() { | ||
| local image_url=$1 | ||
| skopeo inspect --raw docker://${image_url} | jq -r '.manifests[0].digest // .digest' | ||
| skopeo inspect --raw docker://${image_url} | sha256sum | awk '{print "sha256:"$1}' |
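Review bot: On the added line, the exit status of skopeo inspect --raw is lost in the pipeline (unless the script sets pipefail, which is not visible in this hunk), so when the fetch fails sha256sum hashes empty input and the function still prints a well-formed sha256: value, the digest of the empty string, which would then be pinned. Capture the raw manifest first and fail if skopeo exits non-zero or returns nothing, and quote "${image_url}". The function is also still named get_image_sha here although it now hashes whatever bytes it receives.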
This method of calculating the manifest digest is not guaranteed to match the registered digest.
Can you try something like this:
docker buildx imagetools inspect \
registry.redhat.io/rhel9/postgresql-15:latest \
--format '{{json .Manifest}}'
This command gives output like this
sha256:0b2579cba0fd9f1754c2c9515d5f873f45de009cf044ce950284dbd1a4e6f10c
docker buildx imagetools inspect registry.redhat.io/rhel9/postgresql-15:latest --format '{{json .Manifest}}' | jq -r .digest
}bash-5.3$ docker buildx imagetools inspect registry.redhat.io/rhel9/postgresql-15:latest --format '{{json .Manifest.Digest}}'
This command also worked for me
The get_image_sha() function was using .manifests[0].digest which returns the first platform entry (amd64) instead of the manifest list digest. This causes the operator CSV to pin task images (buildah, s2i, skopeo, ubi-minimal) to amd64-only digests, breaking ARM64 and multi-arch clusters with exec format error.

Fix by computing sha256 of the raw manifest list content, which produces the manifest list digest that container runtimes use to resolve the correct platform at pull time.

Signed-off-by: ab-ghosh <abghosh@redhat.com>
5936721 to 98b7967
| get_manifest_list_digest() { | ||
| local image_url=$1 | ||
| skopeo inspect --raw docker://${image_url} | jq -r '.manifests[0].digest // .digest' | ||
| skopeo inspect --no-tags docker://${image_url} | jq -r '.Digest' |
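Review bot: The added line prints whatever jq emits, so if skopeo inspect fails or its output has no Digest field the function returns an empty string or the literal null, and nothing in this hunk stops that value from being written as the pinned digest. Validate the result against sha256: followed by 64 hex characters and exit non-zero otherwise, and quote "${image_url}". The line also drops --raw, so a short comment stating why .Digest is the manifest list digest on this code path would settle the question for later readers.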
This will again return the platform specific digest only
@pramodbindal I do not think that's correct. It returns the manifest digest, not specific image (arch one).
skopeo inspect (without --raw) returns the digest matching the host system platform. That's the reason skopeo inspect does not work on my machine, as it expects darwin/arm64.
/lgtm
@ab-ghosh if you still prefer to use the raw data as stored in the registry, you can also use something like
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: pramodbindal
/cherry-pick release-v0.78.x release-v0.79.x release-v0.80.x
✅ Cherry-pick to A new pull request has been created to cherry-pick this change to PR: #3636 Please review and merge the cherry-pick PR.
✅ Cherry-pick to A new pull request has been created to cherry-pick this change to PR: #3637 Please review and merge the cherry-pick PR.
✅ Cherry-pick to A new pull request has been created to cherry-pick this change to PR: #3638 Please review and merge the cherry-pick PR.
Changes
Fix get_image_sha() in hack/openshift/update-image-sha.sh to resolve the manifest list digest instead of a platform-specific digest.
The function was using .manifests[0].digest which picks the first platform entry (amd64), causing the operator CSV to pin task images (buildah, s2i, skopeo, ubi-minimal) to amd64-only digests. This breaks ARM64/multi-arch clusters with exec format error.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you review them:
make test lint before submitting a PR
See the contribution guide for more details.
Release Notes
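The two digests this PR distinguishes, as an added example that is not code from the PR (Python rather than the script's bash, so it runs without skopeo or a registry). The manifest list and its child digests are constructed values, and rejecting non-index manifests is this example's own policy.

```python
import hashlib
import json

# Media types that mark a multi-arch index / manifest list.
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}


def make_sample_index() -> bytes:
    """Constructed manifest list; the child digests are made-up values."""
    entries = [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + fill * 64, "size": 1024,
         "platform": {"os": "linux", "architecture": arch}}
        for arch, fill in (("amd64", "a"), ("arm64", "b"))
    ]
    index = {"schemaVersion": 2,
             "mediaType": "application/vnd.oci.image.index.v1+json",
             "manifests": entries}
    return json.dumps(index, indent=2).encode()


def first_entry_digest(raw: bytes) -> str:
    """What `.manifests[0].digest` selects: one platform's image manifest."""
    return json.loads(raw)["manifests"][0]["digest"]


def index_digest(raw: bytes) -> str:
    """Digest to pin: sha256 over the exact bytes the registry served."""
    if not raw:
        # A failed fetch must not turn into the hash of empty input.
        raise ValueError("empty manifest body")
    if json.loads(raw).get("mediaType") not in INDEX_TYPES:
        # Assumption of this example: a single-arch manifest is an error.
        raise ValueError("not a manifest list / image index")
    return "sha256:" + hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    raw = make_sample_index()
    print("first entry :", first_entry_digest(raw))
    print("index digest:", index_digest(raw))
    # Same JSON, different bytes: re-serialising changes the digest.
    compact = json.dumps(json.loads(raw), separators=(",", ":")).encode()
    print("re-encoded  :", index_digest(compact))
```

The digest is only meaningful over the bytes exactly as fetched, which is why any step that parses and re-emits the JSON before hashing gives a value the registry will not recognise.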