Merge pull request #1026 from SaschaSchwarze0/sascha-fix-buildkit-ima…

…ge-digest

Fix BuildKit and BuildAh image digest extraction

samples/buildstrategy/buildah/buildstrategy_buildah_cr.yaml

@@ -149,10 +149,18 @@ spec:
             "${image}" \
             "docker://${image}"
 
-          # Store the digest result
-          buildah images \
-            --format='{{.Digest}}' \
-            "${image}" | tr -d "\n" > '$(results.shp-image-digest.path)'
+          # Store the digest result. This is more complex than expected. BuildAh locally calculates a wrong digest.
+          # We therefore tag the image to a dummy name so that the layers are still present. Then we remove the local
+          # tag. Then we pull again. Then the local digest is correct.
+          # This should be validated again with a newer BuildAh version.
+          # https://github.com/containers/buildah/issues/3866
+          buildah tag "${image}" dummy
+          buildah rmi "${image}"
+          buildah pull --tls-verify="${tlsVerify}" "${image}"
+          buildah inspect \
+            --type=image \
+            --format='{{.FromImageDigest}}' \
+            "${image}" > '$(results.shp-image-digest.path)'
         # That's the separator between the shell script and its args
         - --
         - --context

samples/buildstrategy/buildkit/buildstrategy_buildkit_cr.yaml

@@ -178,7 +178,7 @@ spec:
           /tmp/run.sh
 
           # Store the image digest
-          sed -E 's/.*containerimage.digest":"([^"]*).*/\1/' < /tmp/image-metadata.json > '$(results.shp-image-digest.path)'
+          grep containerimage.digest /tmp/image-metadata.json | sed -E 's/.*containerimage.digest":\s*"([^"]*).*/\1/' | tr -d '\n' > '$(results.shp-image-digest.path)'
         # That's the separator between the shell script and its args
         - --
         - --build-args

samples/buildstrategy/source-to-image/buildstrategy_source-to-image-redhat_cr.yaml

@@ -109,12 +109,21 @@ spec:
           # Push the image
           echo "[INFO] Pushing image ${image}"
           buildah push \
+            --tls-verify="${tlsVerify}" \
             "docker://${image}"
           
-          # Store the digest result
-          buildah images \
-            --format='{{.Digest}}' \
-            "${image}" | tr -d "\n" > '$(results.shp-image-digest.path)'
+          # Store the digest result. This is more complex than expected. BuildAh locally calculates a wrong digest.
+          # We therefore tag the image to a dummy name so that the layers are still present. Then we remove the local
+          # tag. Then we pull again. Then the local digest is correct.
+          # This should be validated again with a newer BuildAh version.
+          # https://github.com/containers/buildah/issues/3866
+          buildah tag "${image}" dummy
+          buildah rmi "${image}"
+          buildah pull --tls-verify="${tlsVerify}" "${image}"
+          buildah inspect \
+            --type=image \
+            --format='{{.FromImageDigest}}' \
+            "${image}" > '$(results.shp-image-digest.path)'
         # That's the separator between the shell script and its args
         - --
         - --image

test/e2e/e2e_bundle_test.go

@@ -76,8 +76,9 @@ var _ = Describe("For a Kubernetes cluster with Tekton and build installed", fun
 				Create()
 			Expect(err).ToNot(HaveOccurred())
 
-			validateBuildRunToSucceed(testBuild, buildRun)
+			buildRun = validateBuildRunToSucceed(testBuild, buildRun)
 			validateBuildRunResultsFromBundleSource(buildRun)
+			testBuild.ValidateImageDigest(buildRun)
 		})
 
 		It("should work with Buildpacks build strategy", func() {
@@ -99,8 +100,9 @@ var _ = Describe("For a Kubernetes cluster with Tekton and build installed", fun
 				Create()
 			Expect(err).ToNot(HaveOccurred())
 
-			validateBuildRunToSucceed(testBuild, buildRun)
+			buildRun = validateBuildRunToSucceed(testBuild, buildRun)
 			validateBuildRunResultsFromBundleSource(buildRun)
+			testBuild.ValidateImageDigest(buildRun)
 		})
 
 		It("should work with Buildah build strategy", func() {
@@ -130,8 +132,9 @@ var _ = Describe("For a Kubernetes cluster with Tekton and build installed", fun
 				Create()
 			Expect(err).ToNot(HaveOccurred())
 
-			validateBuildRunToSucceed(testBuild, buildRun)
+			buildRun = validateBuildRunToSucceed(testBuild, buildRun)
 			validateBuildRunResultsFromBundleSource(buildRun)
+			testBuild.ValidateImageDigest(buildRun)
 		})
 	})
 })

test/e2e/e2e_image_mutate_test.go

@@ -5,17 +5,9 @@
 package e2e_test
 
 import (
-	"encoding/json"
-	"log"
-	"strings"
-
-	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/name"
 	containerreg "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"k8s.io/apimachinery/pkg/types"
 
 	buildv1alpha1 "github.com/shipwright-io/build/pkg/apis/build/v1alpha1"
 )
@@ -66,76 +58,22 @@ var _ = Describe("For a Kubernetes cluster with Tekton and build installed", fun
 			Expect(err).ToNot(HaveOccurred(), "Error retrieving buildrun test data")
 			appendRegistryInsecureParamValue(build, buildRun)
 
-			validateBuildRunToSucceed(testBuild, buildRun)
+			buildRun = validateBuildRunToSucceed(testBuild, buildRun)
+			testBuild.ValidateImageDigest(buildRun)
+
+			image := testBuild.GetImage(buildRun)
 
 			Expect(
-				getImageAnnotation(getImage(build), "org.opencontainers.image.url"),
+				getImageAnnotation(image, "org.opencontainers.image.url"),
 			).To(Equal("https://my-company.com/images"))
 
 			Expect(
-				getImageLabel(getImage(build), "maintainer"),
+				getImageLabel(image, "maintainer"),
 			).To(Equal("team@my-company.com"))
 		})
 	})
 })
 
-func getRegistryAuthentication(
-	build *buildv1alpha1.Build,
-	ref name.Reference,
-) authn.Authenticator {
-	// In case no secret is mounted, use anonymous
-	if build.Spec.Output.Credentials == nil || build.Spec.Output.Credentials.Name == "" {
-		log.Printf("No access credentials provided, using anonymous mode")
-		return authn.Anonymous
-	}
-
-	secret, err := testBuild.LookupSecret(
-		types.NamespacedName{
-			Namespace: build.Namespace,
-			Name:      build.Spec.Output.Credentials.Name,
-		},
-	)
-	Expect(err).ToNot(HaveOccurred(), "Error retrieving registry secret")
-
-	type auth struct {
-		Auths map[string]authn.AuthConfig `json:"auths,omitempty"`
-	}
-
-	var authConfig auth
-
-	Expect(json.Unmarshal(secret.Data[".dockerconfigjson"], &authConfig)).
-		ToNot(HaveOccurred())
-
-	// Look-up the respective registry server inside the credentials
-	registryName := ref.Context().RegistryStr()
-	if registryName == name.DefaultRegistry {
-		registryName = authn.DefaultAuthKey
-	}
-
-	return authn.FromConfig(authConfig.Auths[registryName])
-}
-
-func getImage(build *buildv1alpha1.Build) containerreg.Image {
-	// In the GitHub action, we are using a registry inside the cluster to
-	// push the image created by `buildRun`. The registry inside the cluster
-	// is not directly accessible from the local, so that we have mapped
-	// the cluster registry port to the local system
-	// by providing `test/kind/config.yaml` config to the kind
-	image := strings.Replace(
-		build.Spec.Output.Image,
-		"registry.registry.svc.cluster.local",
-		"localhost", 1,
-	)
-
-	ref, err := name.ParseReference(image)
-	Expect(err).To(BeNil())
-
-	img, err := remote.Image(ref, remote.WithAuth(getRegistryAuthentication(build, ref)))
-	Expect(err).To(BeNil())
-
-	return img
-}
-
 func getImageAnnotation(img containerreg.Image, annotation string) string {
 	manifest, err := img.Manifest()
 	Expect(err).To(BeNil())

test/e2e/e2e_params_test.go

@@ -120,7 +120,7 @@ var _ = Describe("For a Kubernetes cluster with Tekton and build installed", fun
 						Create()
 					Expect(err).ToNot(HaveOccurred())
 
-					validateBuildRunToSucceed(testBuild, buildRun)
+					buildRun = validateBuildRunToSucceed(testBuild, buildRun)
 
 					// we verify the image digest here which is mis-used by the strategy to store a calculated sum
 					// 13 (env1) + 21 (env2 = 2${a-configmap:number1}) + 2 (env3 = ${a-secret:number2}) + 39 (args[0] = ${a-secret:number3}9) + 47 (args[1]) = 122