Add option to use digests for images referenced in registry #195
Conversation
Add script /build/scripts/write_image_digests.sh, which will rewrite all image references in registry to use the current digest for each image tag. Requires adding skopeo to the dockerfiles, in order to find image digests. Option can be enabled via `./build.sh` parameter `--use-digests` or by using docker build arg "USE_DIGESTS=true" Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
amisevsk
requested review from
benoitf,
JPinkney,
sunix,
svor and
tsmaeder
as code owners
| ARG LATEST_ONLY=false | ||
| ENV LATEST_ONLY=${LATEST_ONLY} | ||
| ARG USE_DIGESTS=false | ||
| ENV USE_DIGESTS=${USE_DIGESTS} |
There was a problem hiding this comment.
ok, I can probably use this in Brew if I overwrite with env USE_DIGESTS=true
There was a problem hiding this comment.
I figured there was a reason to have ENV BOOTSTRAP above. I can add this to the plugin registry PR as well.
| @@ -39,7 +39,7 @@ ENV LATEST_ONLY=${LATEST_ONLY} | |||
|
|
|||
| # NOTE: uncomment for local build. Must also set full registry path in FROM to registry.redhat.io or registry.access.redhat.com | |||
| # enable rhel 7 or 8 content sets (from Brew) to resolve jq as rpm | |||
| COPY ./build/dockerfiles/content_sets_epel7.repo /etc/yum.repos.d/ | |||
| COPY ./build/dockerfiles/content_sets_centos8_appstream.repo /etc/yum.repos.d/ | |||
There was a problem hiding this comment.
DUDE. You got Centos in my RHEL. Not cool, bro.
There was a problem hiding this comment.
Give me a RHEL repo that contains skopeo and doesn't require a subscription and I'll toss it in here :)
There was a problem hiding this comment.
well, I need to find one for this to work downstream because Brew can't see epel and centos repos so ... challenge accepted & required.
There was a problem hiding this comment.
skopeo is in the appstream repo for RHEL8 so to build this locally we have three options:
- RHEL subscription
- use Brew internal pulp .repo
- use centos public .repo
Though I really thought that rpms in UBI were also free w/o subscription. Hmm. Maybe not?
|
For the records I had some concerns that I have shared with @amisevsk yesterday. Mainly I was afraid that going in this direction (calculate the digest at build time) is against the goal to replace tags with digests for the images referenced in this repo. Replacing tags with digests in the git repo would have the merit to:
But discussing with @amisevsk we agreed that replacing the tags may be more complicated than this PR and we could do the replacement of the tags with digests during next sprint. |
|
Just to be clear I am ok to merge this PR and the one on the plugin-registry side as they are. Just saying that next sprint we should start working on using digests only. |
Thanks @l0rd ! These PRs should be very useful until we can generalize the use of digests. |
Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Note: this PR is a port of eclipse-che/che-plugin-registry#379
What does this PR do?
Add script /build/scripts/write_image_digests.sh, which will rewrite all image references in registry to use the current digest for each image tag. E.g.
is replaced with
To enable this functionality, it is necessary to install
skopeoin the builder images, which required changing adding the CentOS8-AppStream repo for the rhel build.Additional info
Digest-rewriting functionality is disabled by default and can be enabled by using the
./build.shoption--use-digests, or by passing docker build argUSE_DIGESTS=true.Existing airgap options are unaffected (you can still set env vars to override registry, organization, and tag). In the case of overriding tags, image digests are replaced with the tag specified.
There's also a commit included to update all copyright years for 2020.
Testing
Image is available as
amisevsk/che-devfile-registry:digests. I've tested the changes on the dev cluster and locally.