Retry failed verifications with exponential backoff

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · Sep 20, 2022 · 7c92949 · 7c92949
1 parent 082028e
commit 7c92949
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -1,6 +1,6 @@
 # Image URL to use all building/pushing image targets
-IMG ?= localhost:5050/source-controller
-TAG ?= test1
+IMG ?= fluxcd/source-controller
+TAG ?= latest
 
 # Base image used to build the Go binary
 LIBGIT2_IMG ?= ghcr.io/fluxcd/golang-with-libgit2-only
@@ -14,9 +14,9 @@ GO_TEST_PREFIX ?=
 
 # Allows for defining additional Docker buildx arguments,
 # e.g. '--push'.
-BUILD_ARGS ?= --load
+BUILD_ARGS ?=
 # Architectures to build images for
-BUILD_PLATFORMS ?= linux/arm64
+BUILD_PLATFORMS ?= linux/amd64,linux/arm64,linux/arm/v7
 
 # Go additional tag arguments, e.g. 'integration',
 # this is append to the tag arguments required for static builds

diff --git a/controllers/ocirepository_controller.go b/controllers/ocirepository_controller.go
@@ -409,11 +409,16 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 		}
 	}()
 
-	// Verify artifact
+	// Verify artifact if:
+	// - the upstream digest differs from the one in storage (revision drift)
+	// - the OCIRepository spec has changed (generation drift)
+	// - the previous reconciliation resulted in a failed artifact verification (retry with exponential backoff)
 	if obj.Spec.Verify == nil {
 		// Remove old observations if verification was disabled
 		conditions.Delete(obj, sourcev1.SourceVerifiedCondition)
-	} else if !obj.GetArtifact().HasRevision(revision) || conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation {
+	} else if !obj.GetArtifact().HasRevision(revision) ||
+		conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation ||
+		conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) {
 		provider := obj.Spec.Verify.Provider
 		err := r.verifyOCISourceSignature(ctx, obj, url, keychain)
 		if err != nil {
@@ -422,7 +427,6 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
 				sourcev1.VerificationError,
 			)
 			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
-			conditions.MarkFalse(obj, meta.ReconcilingCondition, e.Reason, e.Err.Error())
 			return sreconcile.ResultEmpty, e
 		}