Image tags override causing broken digest references

[HadrienPatte]

#351 updated the version of the maker image used to build images from a 3 years-old version to a recent one. As a side effect, this caused a key feature of the CI to break.

The build-image.sh script determines whether or not an image needs to be rebuilt by running crane digest $tag to discover whether the target image tag already exists in the registry or not. In case of command failure, it considers that the tag doesn't exist and proceeds to build and push it. But with the newly updated maker image, a credentials issue happens whenever running crane digest $tag, causing it to always fail and causing the script to always assume that the target tag does not exist in the registry and rebuild it.

Rebuilding an already existing tag would not be an issue if the images were fully hermetic and deterministic and the newly rebuilt image was identical to the previously built one and had the same digest. In that case, the rebuild would be noop.

But images here are not hermetic, so the rebuilt tag produces a different digest from the previously built version of the same tag.

This becomes an issue because quay.io purges digests that are no longer referenced by a tag, so the previous digests can no longer be pulled. This means that any place that used a digested reference of one of the affected images now has a broken image ref.

Affected images tags (all images in this repo minus the ones that were meant to be built in #351):

• quay.io/cilium/cilium-checkpatch:1755701578-b97bd7a
  • Used here, fix PR: checkpatch: Update image digest cilium#41360
• quay.io/cilium/iptables:1755027374-a7874bb
  • Not used
• quay.io/cilium/startup-script:1755531540-60ee83e
  • Used here and here, will be updated by chore(deps): update all-dependencies (main) cilium#41358
• quay.io/cilium/ca-certificates:1755531540-60ee83e
  • Not used
• quay.io/cilium/network-perf:1755027472-c3d489a
  • Used here, already updated by chore(deps): update all-dependencies (main) cilium#41340
• quay.io/cilium/image-tester:1755531540-60ee83e
  • Referenced here and here but not actually used, see images: Update bpftools and llvm images cilium#41339

[joestringer]

I was under the impression these builds were always hermetic, it seems like a new thing that we're overriding the tags. 🤔

[HadrienPatte]

The images in this repo are not hermetic to the level that rebuilding an image from the same Dockerfile at a different point in time would yield exactly the same image with the same digest (one simple reason is we're not using SOURCE_DATE_EPOCH, see https://docs.docker.com/build/ci/github-actions/reproducible-builds/).

But with #386, the custom logic that checks if an image already exists for a given commit before attempting to rebuild it is once again functional.

[joestringer]

I think that we should consider putting some kind of protection in place to avoid overwriting tags, as we're currently distributing Helm charts that depend on images that are being overwritten as recently as this morning.

[joestringer]

But with #386, the custom logic that checks if an image already exists for a given commit before attempting to rebuild it is once again functional.

Ah perfect thanks for following up on that.

Then I guess the recovery for the remaining items is just going through all the potential users on all the different branches and ensuring the images are available. At a glance it looks like maybe cilium/cilium main and v1.17 may be affected, and there may be others as well.

[HadrienPatte]

cilium/cilium#41710 should fix all the CI issues in cilium/cilium, and will need to be backported to all the stable branches (similar to cilium/cilium#41360 the first time this issue happened)