From 38a92a2f8ac4b0821b22c17c49c177dafb5f7498 Mon Sep 17 00:00:00 2001
From: RamLavi
Date: Mon, 16 Dec 2024 15:30:00 +0200
Subject: [PATCH] Makefile, push: Prevent overwriting existing version tags (#445)

The IMAGE_GIT_TAG is generated using `git describe` to create a virtual tag for the image, and used in order to tag every push to the repository for later use. However, when an actual git tag exists (e.g., v0.45.0), git describe returns that tag. This behavior makes it possible to accidentally overwrite push an existing version tag in the registry. Flow Leading to the Issue: 1. A new kmp release is created, pushing a new tag (e.g., v0.45.0). 2. A stable branch is created from that commit, pushing a new stable branch tag (e.g., release-0.45_latest). 2.1 . During this push, IMAGE_GIT_TAG resolves to this Git tag (e.g., v0.45.0) due to git describe. 2.2 Makefile attempts to push the image with this tag (e.g., v0.45.0) to the registry, overwriting the original tag sha256 digest. To address this, introducing a check to ensure such tags are not overwritten when pushed to remote repositories, preserving the integrity of published versions. In case of local repositories the push to IMAGE_GIT_TAG is removed entirely.
Signed-off-by: Ram Lavi
---
 Makefile | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 11bd848db..8b16fc06d 100644
--- a/Makefile
+++ b/Makefile
@@ -93,8 +93,19 @@ container: manager
 # Push the docker image
 docker-push:
 $(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_TAG}
- $(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
- $(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
+ @if [[ "${REGISTRY}" == localhost* || "${REGISTRY}" == 127.0.0.1* ]]; then \
+ echo "Local registry detected (${REGISTRY}). Skipping IMAGE_GIT_TAG handling."; \
+ else \
+ if skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} >/dev/null 2>&1; then \
+ echo "Tag '${IMAGE_GIT_TAG}' already exists. Skipping tagging and push."; \
+ elif skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} 2>&1 | grep -q "manifest unknown"; then \
+ $(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
+ $(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
+ else \
+ echo "Error checking for tag '${IMAGE_GIT_TAG}'. Aborting to avoid potential overwrite."; \
+ exit 1; \
+ fi; \
+ fi
 cluster-up:
 ./cluster/up.sh
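Review bot: The overwrite guard in the remote branch of `docker-push` queries the registry twice and then pushes, so the `elif` can act on a different registry state than the `if`, and a concurrent job can still publish `${IMAGE_GIT_TAG}` between the check and the push. Capture the result once, `if out=$$(skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} 2>&1); then`, and test it with `elif printf '%s\n' "$$out" | grep -q "manifest unknown"; then`. The `tag` and `push` commands are separated by `;`, so a failed `tag` still reaches `push`, which could publish a stale local image already carrying that name; end the `tag` line with `&& \` instead of `; \`. `[[ … ]]` needs bash and no `SHELL` assignment is visible in this hunk, so under a POSIX `/bin/sh` the localhost test would likely fail and fall through to the remote branch. I would add a comment above the recipe such as `# Requires SHELL=bash; best-effort guard only, enable tag immutability on the registry for a hard guarantee`.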