bazelbuild / rules_docker

Rules for building and handling Docker images with Bazel


container_push() needs an extra attribute for skip_unchanged_digest semantics to work correctly

pdeva opened this issue · comments

🐞 bug report

Affected Rule

container_push()

Is this a regression?

No

Description

The skip_unchanged_digest attribute is designed so CD systems like FluxCD, ArgoCD etc. don't redeploy all the services on every build of the repository. These CD systems track updates to images via image tags like {BUILD_TIMESTAMP} to know when a new version of a service is available. The skip_unchanged_digest attribute is present to ensure only services that have actually changed in the new build get redeployed.

However, the issue is that when the code for skip_unchanged_digest checks if an image sha is present, it checks the entire image repository. Thus it's possible that the sha for the unchanged image might belong to a much earlier version of the service than what is currently deployed by the CD system. This is easily possible when during a debugging session lots of new logging statements are added and then subsequently removed. Due to the behavior of skip_unchanged_digest, the CD systems won't be able to update the services back to the version without logging (which is the 'latest' version).

The solution to this is to add another marker_tag attribute to container_push that skip_unchanged_digest can check against, which will result in the desired correct behavior.

🔬 Minimal Reproduction

  1. Use container_push in your code like this:
container_push(
    name = "app_image_push",
    skip_unchanged_digest = True,
    tag = "{GIT_COMMIT}-{BUILD_TIMESTAMP}",
)
  2. In your FluxCD configuration, tell it to extract timestamp from image labels to determine the 'latest' image to deploy, e.g. (for FluxCD):
---
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImagePolicy
spec:
  imageRepositoryRef:
    name: app
  filterTags:
    pattern: '[a-f0-9]+\-(?P<timestamp>.+)'
    extract: '$timestamp'
  policy:
    alphabetical:
      order: asc
  3. Make commits to your code like this:

Commit a: "initial code" - generates ImageTag - a-1

fun myFunc() {
  var x = 2+2
}

Commit b: "Add logging" - generates ImageTag - b-2

fun myFunc() {
  var x = 2+2
  println("hello world")
}

Commit c: "Revert 'Add logging'" - generates ImageTag - c-3

fun myFunc() {
  var x = 2+2
}

🔥 Exception or Error

Expected Outcome:

After pushing commit c, your cluster should have imageTag c-3 deployed since that's the latest image.

Actual Outcome:
After pushing commit c, your cluster still has imageTag b-2 deployed since c-3 has the same sha as a-1, so skip_unchanged_digest did not push that tag.

Proposed Fix

Add an attribute marker_tag to container_push. Thus the rule above in step 1 would look like:

container_push(
    name = "app_image_push",
    skip_unchanged_digest = True,
    tag = "{GIT_COMMIT}-{BUILD_TIMESTAMP}",
    marker_tag = "latest",
)

In the implementation of container_push(), at the end of its logic, add the equivalent of this code:

# pseudocode: tags in the repository that currently point at the digest being pushed
current_tags = tags of image with current_sha256
# only the marker tag decides whether the image counts as "unchanged"
if !current_tags.contain(marker_tag) {
    current_tags.add(marker_tag)   # move the marker to this digest
    current_tags.add(tag)          # and publish the new build tag
}

This will solve the above case.

🌍 Your Environment

Operating System:

Ubuntu 22.04

Output of bazel version:

bazel version
Bazelisk version: development
Build label: 5.4.0
Build target: bazel-out/k8-opt/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Thu Dec 15 16:14:25 2022 (1671120865)
Build timestamp: 1671120865
Build timestamp as int: 1671120865

Rules_docker version:

0.25.0

Anything else relevant?
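
As an added illustration (not code from rules_docker, FluxCD, or the issue author), the Python script below models one registry repository as a tag-to-digest map, replays the three commits above under the skip_unchanged_digest behaviour the issue describes (skip when the digest exists under any tag) and under the proposed marker_tag behaviour (skip only when the marker tag already points at the digest), then applies the ImagePolicy's tag filter to see which tag FluxCD would deploy. The names Registry, push_current, push_with_marker, flux_select_latest and simulate are hypothetical, the digests are constructed placeholders, and the registry-wide check is a model of the issue's description, not of the rules_docker pusher itself. It also goes one step beyond the issue by replaying a fourth, unchanged build to show the marker still suppresses genuinely redundant pushes.

```python
import re
from typing import Dict, Optional

# Constructed stand-in for one image repository in a registry: tag -> manifest digest.
# The digests used below are made-up placeholders, not real image digests.
Registry = Dict[str, str]

# The filterTags pattern from the ImagePolicy in the issue.
FLUX_PATTERN = re.compile(r"[a-f0-9]+\-(?P<timestamp>.+)")


def push_current(registry: Registry, tag: str, digest: str,
                 skip_unchanged_digest: bool) -> bool:
    """skip_unchanged_digest as the issue describes it today: the push is skipped
    if the digest already exists under *any* tag in the repository.
    Returns True if the tag was pushed."""
    if skip_unchanged_digest and digest in registry.values():
        return False
    registry[tag] = digest
    return True


def push_with_marker(registry: Registry, tag: str, digest: str,
                     marker_tag: str) -> bool:
    """Proposed marker_tag semantics: only the digest behind marker_tag counts as
    'unchanged'. If it differs, publish the new tag and move the marker to it."""
    if registry.get(marker_tag) == digest:
        return False
    registry[tag] = digest
    registry[marker_tag] = digest
    return True


def flux_select_latest(registry: Registry) -> Optional[str]:
    """Mimics the ImagePolicy in the issue: keep tags matching the pattern,
    extract the timestamp group, choose the alphabetically greatest one."""
    candidates = {}
    for tag in registry:
        m = FLUX_PATTERN.fullmatch(tag)
        if m:
            candidates[tag] = m.group("timestamp")
    if not candidates:
        return None
    return max(candidates, key=candidates.__getitem__)


def simulate(use_marker: bool, rebuild_unchanged: bool = False) -> Optional[str]:
    """Replays commits a, b, c from the issue (c reverts b, so its image digest
    equals a's) and returns the tag FluxCD would deploy afterwards. With
    rebuild_unchanged, a fourth build with no code change is pushed as well."""
    commits = [("a", "1", "sha256:aaaa"),  # constructed digests
               ("b", "2", "sha256:bbbb"),
               ("c", "3", "sha256:aaaa")]
    if rebuild_unchanged:
        commits.append(("d", "4", "sha256:aaaa"))
    registry: Registry = {}
    for commit, timestamp, digest in commits:
        tag = f"{commit}-{timestamp}"  # tag = "{GIT_COMMIT}-{BUILD_TIMESTAMP}"
        if use_marker:
            push_with_marker(registry, tag, digest, "latest")
        else:
            push_current(registry, tag, digest, skip_unchanged_digest=True)
    return flux_select_latest(registry)


if __name__ == "__main__":
    print("current semantics deploy:", simulate(use_marker=False))            # b-2
    print("marker_tag semantics deploy:", simulate(use_marker=True))           # c-3
    print("unchanged rebuild with marker_tag:", simulate(True, True))          # c-3
```

The "latest" marker never matches the filterTags pattern (it has no hyphen-separated timestamp), so it is invisible to the ImagePolicy and only serves the pusher's unchanged check; that separation is what keeps the CD system selecting by timestamp while the pusher compares against the currently marked digest rather than against every digest ever pushed.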

This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs in 30 days.
Collaborators can add an assignee to keep this open indefinitely. Thanks for your contributions to rules_docker!

This issue was automatically closed because it went 30 days without a reply since it was labeled "Can Close?"