feat(image): collect OCI annotations for discovered images #3676
Conversation
✅ Deploy Preview for docs-kargo-io ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3676 +/- ##
==========================================
+ Coverage 21.79% 21.82% +0.02%
==========================================
Files 310 312 +2
Lines 64706 65571 +865
==========================================
+ Hits 14105 14311 +206
- Misses 49836 50490 +654
- Partials 765 770 +5 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
hiddeco
force-pushed
the
oci-annotations
branch
from
1df5249 to
588ced4
Compare
Signed-off-by: Hidde Beydals <[email protected]>
hiddeco
force-pushed
the
oci-annotations
branch
from
0d12c7a to
985b771
Compare
hiddeco
changed the title
|
This is more of a question about how OCI annotations work, than than this PR. Can OCI annotations be added or modified after the fact? e.g. is it possible to annotate an existing image already pushed? The reason I ask: currently, we consider Freight immutable. e.g. we generate new Freight when we detect a different image digest but with the same semvers. Annotations, if mutable, pose a challenge in that if the image annotations can change (e.g. due to bad timing/race condition of Kargo image discovery vs. image push), then we may be left with a Kargo Freight that has stale/missing annotations. If so, we may need to account for this scenario somehow. |
Manifests are immutable. So "adding" an annotation is really pushing a new manifest. The new manifest will have a different digest. The new manifest could have the same tag as the original. So, overwriting an existing tag with new annotations is exactly the same thing as overwriting an existing tag with a new image and the former shouldn't be done for all the same reasons that are widely recognized for not doing the latter. |
internal/image/repository_client.go
Outdated
| // TODO(hidde): Without a platform constraint, we can not collect | ||
| // annotations in a meaningful way. We should consider how to handle | ||
| // this in the future. |
There was a problem hiding this comment.
Is this only because we're currently retrieving a limited amount of data from the registry unless something like latest build or a platform constraint forces us to? Or was there some other reason for this? You know much more than I do about these annotations.
There was a problem hiding this comment.
If you have a multi-platform image with multiple architectures, this would/could round-robin collect annotations from each architecture — resulting in an unpredictable end result.
There was a problem hiding this comment.
I.e. we can't collect more specific details because the details at that level may contradict each other.
There was a problem hiding this comment.
Ohhhh. I don't know why that wasn't obvious right away. I get it.
Signed-off-by: Hidde Beydals <[email protected]>
hiddeco
force-pushed
the
oci-annotations
branch
from
f3c24e4 to
56ff39a
Compare
Part of #2147
This change enables the collection of OCI annotations from image indexes and manifests for discovered OCI images.
The annotations are stored to an
Annotationsfield in eachDiscoveredImageReferenceentry of aWarehouse, and then copied to theAnnotationsfield ofImageobjects inFreightresources.This allows the UI to potentially present more information about images, for example by detecting pre-defined annotation keys from the OCI specification.
Note: Because of caching considerations and potential performance impacts noted in the above issue, the annotations can not be put to use yet to e.g. determine the build date or version of (all) images during image discovery, as this would require deeper inspection of layers attached to all tags.