Makefile, push: Prevent overwriting existing version tags (#445)
The IMAGE_GIT_TAG is generated using `git describe` to create a virtual
tag for the image, and used in order to tag every push to the repository
for later use.
However, when an actual git tag exists (e.g., v0.45.0), git describe
returns that tag. This behavior makes it possible to accidentally
overwrite push an existing version tag in the registry.

Flow Leading to the Issue:
1. A new kmp release is created, pushing a new tag (e.g., v0.45.0).
2. A stable branch is created from that commit, pushing a new stable
branch tag (e.g., release-0.45_latest).
2.1. During this push, IMAGE_GIT_TAG resolves to this Git tag (e.g.,
v0.45.0) due to git describe.
2.2. Makefile attempts to push the image with this tag (e.g., v0.45.0) to
the registry, overwriting the original tag sha256 digest.

To address this, introduce a check to ensure such tags are not
overwritten when pushed to remote repositories, preserving the integrity
of published versions. In case of local repositories the push to
IMAGE_GIT_TAG is removed entirely.

Signed-off-by: Ram Lavi <ralavi@redhat.com>
RamLavi authored Dec 16, 2024
1 parent e47689f commit 38a92a2
Showing 1 changed file with 13 additions and 2 deletions.
15 changes: 13 additions & 2 deletions Makefile
Expand Up @@ -93,8 +93,19 @@ container: manager
# Push the docker image
docker-push:
$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_TAG}
$(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
@if [[ "${REGISTRY}" == localhost* || "${REGISTRY}" == 127.0.0.1* ]]; then \
echo "Local registry detected (${REGISTRY}). Skipping IMAGE_GIT_TAG handling."; \
else \
if skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} >/dev/null 2>&1; then \
echo "Tag '${IMAGE_GIT_TAG}' already exists. Skipping tagging and push."; \
elif skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} 2>&1 | grep -q "manifest unknown"; then \
$(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
else \
echo "Error checking for tag '${IMAGE_GIT_TAG}'. Aborting to avoid potential overwrite."; \
exit 1; \
fi; \
fi

cluster-up:
./cluster/up.sh
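Review bot: The `elif` branch decides that the tag is absent by running `skopeo inspect` a second time and grepping its error text for "manifest unknown", so the overwrite guard depends on one exact error string and on two separate registry round trips. Any other failure (a registry that words the missing-tag error differently, an auth or network error, or skopeo not being installed on the build host) lands in the final `else` and aborts with the generic "Error checking for tag" message; that fails safe, but it gives no hint of the cause. Consider running the inspect once, capturing its output and exit status in a shell variable, and checking `command -v skopeo` before the block so a missing tool is reported as such. Also note that `${TLS_SETTING}` is passed to both push commands but not to either inspect call, so a non-local registry that relies on that setting may always take the abort path. `[[ "${REGISTRY}" == localhost* ]]` is bash syntax; this only works if the Makefile sets SHELL to bash outside the visible lines, otherwise a `case` statement is the portable form. Finally, the inspect and the push are separate steps, so two concurrent jobs can both see the tag as missing and both push; tag immutability enforced on the registry side is the stronger protection for published version tags, with this check as a first line of defence.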