-
Notifications
You must be signed in to change notification settings - Fork 279
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for OCI images #717
Conversation
@rusenask can you look at this PR? It seems to be very well prepared and solves an issue that makes Keel unusable. |
looks good! |
Let’s get this in a release! |
I just tried Should I expect this to be resolved in that image tag? |
In the interim, until there is an official keel release, I am using:
|
Thanks for knocking this feature out! Just tried that image ( |
Happy to test if you can find a public gitlab repo that uses OCI images. |
I suspect it has less to do with gitlab and maybe more about manifest? I'm using
Are you sending Could be similar to this: https://bugs.launchpad.net/cloud-images/+bug/2007408 |
https://github.com/keel-hq/keel/blob/master/registry/docker/manifest.go#L28 relates to https://github.com/opencontainers/image-spec/blob/main/specs-go/v1/mediatype.go#L28. This is the test for docker, you'll need to get a bearer token for your repo from gitlab: export DOCKER_REPO=vaultwarden/server;
export DOCKER_TOKEN=$(curl --silent "https://auth.docker.io/token?scope=repository:$DOCKER_REPO:pull&service=registry.docker.io" | jq -r '.token'); \
curl \
--silent \
--header "Accept: application/vnd.oci.image.index.v1+json" \
--header "Authorization: Bearer $DOCKER_TOKEN" \
"https://index.docker.io/v2/$DOCKER_REPO/manifests/latest" Can always add another fallback to manifest header if required. |
So it seems the issue is when the image isn't a multi-arch image? Should we not be sending |
To reiterate my previous comment:
Give me an image and I'll get it working, the current code works for all of the images I use. |
Let me see if I can find one somewhere that's not multi arch real quick (that's public)... |
OK, so I think you can send all 3 values in the same request FYI to reduce the number of requests.
|
Give this image a try, if it works I'll raise a PR: I've added the manifest header and condensed them into a single call as suggested. |
Yes!
Another suggestion, I think As it should help with rate-limiting and decrease (in some cases significantly) the amount of data/bandwidth. For example:
|
HEAD calls don't return the correct e.g. export DOCKER_REPO=vaultwarden/server;
export DOCKER_TOKEN=$(curl --silent "https://auth.docker.io/token?scope=repository:$DOCKER_REPO:pull&service=registry.docker.io" | jq -r '.token'); \
curl \
--head \
--verbose \
--header "Accept: application/vnd.oci.image.index.v1+json" \
--header "Authorization: Bearer $DOCKER_TOKEN" \
"https://index.docker.io/v2/$DOCKER_REPO/manifests/1.25.1" returns If you can get it working with the current tests passing raise a PR. PR for this fix raised here: #718 |
Wow! Very interesting little tidbit. Do you know how prevalent that is? When you execute that command as a GET it returns no such header? (Sorry, afk now) |
Not 100% sure, I only came across that issue because I tried HEAD initially and some of the tests started failing. |
Just doing a bit more research on the Even with oci index/manifest responses the etag/docker-content-digest is not the sha of any of the layers. My golang skills are quite lacking but reading the code seem to make the point irrelevant anyway as if the header is there that is what gets returned (and it's there in the example cited, and it's the same with both GET and HEAD). Am I missing something? |
As an FYI, without
with it (what this code does now) the value returned is:
|
@sjdaws your build seems to be working well FYI for buildah images. Any further thoughts on the |
@travisghansen I've done a test here: #721 With HEAD only, it fails for insecure registries: https://drone-kr.webrelay.io/keel-hq/keel/455/1/2 I'll look into this a bit more, but all these tests need to pass before the change can be made. |
Awesome! Are the tests that fail executed locally by simply running |
The pass when running
|
It's actually failing locally too, |
Ok, it's up and running here: #721. Testing shows it only falls back to insecure registry which is a test registry that purposely doesn't have a docker-content-digest header. |
Previous error with OCI images:
After fix: