Signatures do not match across backing registries #784

Closed
BenTheElder opened this issue Mar 18, 2023 · 5 comments · Fixed by #809
Labels
area/release-eng Issues or PRs related to the Release Engineering subproject kind/bug Categorizes issue or PR as related to a bug. sig/release Categorizes an issue or PR as relevant to SIG Release.

Comments

@BenTheElder
Member

What happened:

See:
kubernetes/registry.k8s.io#187 and https://kubernetes.slack.com/archives/CJH2GBF7Y/p1679166550351119

Images should have identical digests no matter what region I pull from.

This does not appear to be the case for some of the sigstore images added by the image-promoter.

What you expected to happen:

Images should be identical in all backing registries.

How to reproduce it (as minimally and precisely as possible):

Check us-west1 vs us-west2 AR instances for provider-aws/aws-ebs-csi-driver:sha256-c75878156614efc7c501ea655cd9da1ede35e9aee252436a92ff01f67f1c53fa.sig

Anything else we need to know?:

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Others:
@BenTheElder
Member Author

See: kubernetes/registry.k8s.io#187 (comment)

I think this is relatively unlikely to break anyone as long as it remains scoped to sigstore signatures (which appears to be the case) given the usage patterns for this type of """image""". Still worth fixing.

@BenTheElder
Member Author

Looks like this is also "some signatures are missing in some regions" kubernetes/registry.k8s.io#187 (comment)

@BenTheElder
Member Author

xref: kubernetes/release#2962

@puerco
Member

puerco commented Apr 5, 2023

The signature OCI objects are diverging because the promoter died mid-process. This PR will not fix the rate limit killing kpromo, but at least it will stop the propagation of new divergent .sig "images": #809

Remediation is being tracked in kubernetes/release#2962

@BenTheElder
Member Author

Thanks!

Re: killed by rate-limit – We should also consider retry with backoff on error in case of e.g. network flakes. IIRC crane exposes an API for this and crane copy does this by default.
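
The check this issue asks for, as an added example that is not part of the thread or of the promoter's code: group backing registries by the digest they serve for one `.sig` tag and flag divergent or missing copies. The manifests are constructed samples, `us-east1` is an assumed third region, and `SigTag`, `ManifestDigest`, `Compare` and `Report` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// SigTag maps an image digest "sha256:<hex>" to its signature tag "sha256-<hex>.sig".
func SigTag(imageDigest string) string {
	return strings.Replace(imageDigest, ":", "-", 1) + ".sig"
}

// ManifestDigest is the registry digest of a manifest: SHA-256 over its raw bytes.
func ManifestDigest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Report groups regions by the digest they serve for one tag.
type Report struct {
	ByDigest map[string][]string // digest -> regions serving it
	Missing  []string            // regions where the tag does not exist
}

// Consistent is true only if every region has the tag and all digests agree.
func (r Report) Consistent() bool { return len(r.Missing) == 0 && len(r.ByDigest) == 1 }
// Compare takes region -> raw manifest bytes; a nil value means "tag not found".
func Compare(manifests map[string][]byte) Report {
	r := Report{ByDigest: map[string][]string{}}
	for region, raw := range manifests {
		if raw == nil {
			r.Missing = append(r.Missing, region)
			continue
		}
		d := ManifestDigest(raw)
		r.ByDigest[d] = append(r.ByDigest[d], region)
	}
	sort.Strings(r.Missing)
	return r
}

func main() {
	a, b := []byte(`{"layers":[{"digest":"sha256:aaa"}]}`), []byte(`{"layers":[{"digest":"sha256:bbb"}]}`) // constructed
	r := Compare(map[string][]byte{"us-west1": a, "us-west2": b, "us-east1": nil})
	fmt.Println(SigTag("sha256:<image-digest-hex>"), r.Consistent(), r.ByDigest, r.Missing)
}
```

In a real run the manifest bytes would come from each backing registry's response for the same tag, fetched with whatever client is in use.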
