rules_img support#69
Conversation
| } | ||
| } | ||
| if len(gitopsKind) == 0 { | ||
| gitopsKind = []string{"k8s_container_push", "push_oci"} | ||
| gitopsKind = []string{"push_oci_rule"} | ||
| } | ||
|
|
||
| var gitServer git.Server |
There was a problem hiding this comment.
Potential runtime error due to lack of validation after assigning gitServer
After the switch statement, there is no check to ensure that gitServer is valid (i.e., not nil or a non-function). If git.ServerFunc returns nil or an invalid function, subsequent calls to gitServer.CreatePR may panic. To improve robustness, add a validation step after assignment:
if gitServer == nil {
log.Fatalf("Failed to initialize git server implementation for host: %s", *gitHost)
}This ensures that any issues with the assignment are caught early, preventing unexpected runtime errors.
| "gitops/testing/img_pushed_image_docker_io.push" | ||
| ) | ||
|
|
||
| echo "Verifying gitops targets..." |
There was a problem hiding this comment.
Diagnostic Limitation in Verification Loop
The verification loop for gitops targets (starting at line 67) exits immediately upon encountering the first missing target. This approach prevents the script from reporting all missing targets, which can hinder debugging and reduce diagnostic value.
Recommended Solution:
Modify the loop to collect all missing targets and report them together at the end, for example:
missing_targets=()
for target in "${EXPECTED_TARGETS[@]}"; do
if ! grep -q "target $target" "$OUTPUT_FILE"; then
missing_targets+=("$target")
fi
done
if [ ${#missing_targets[@]} -ne 0 ]; then
echo "ERROR: The following gitops targets were not found in output:" >&2
printf ' %s\n' "${missing_targets[@]}" >&2
exit 1
fiThis approach improves maintainability and provides more comprehensive feedback.
| sleep 1.5 | ||
|
|
There was a problem hiding this comment.
Race Condition: Registry Readiness
The script uses a fixed sleep 1.5 to wait for the registry to start, which may not reliably ensure the registry is ready to accept connections. This can lead to intermittent test failures if the registry takes longer to start.
Recommendation:
Replace the fixed sleep with a loop that checks the registry's readiness, e.g.:
for i in {1..10}; do
if nc -z localhost 1338; then
break
fi
sleep 0.5
doneThis ensures the test proceeds only when the registry is actually ready.
| $1 | ||
|
|
||
| # Verify the image is pushed successfully using crane | ||
| ${CRANE_BIN} validate -v --fast --remote localhost:1338/repo/img:testtag |
There was a problem hiding this comment.
Error Handling: Push and Validation Steps
The script does not check the exit codes of the push operation ($1) or the validation step (${CRANE_BIN} validate). If either fails, the script will continue and may report a false positive.
Recommendation:
Add error checks after each critical step:
$1 || { echo 'Push failed'; exit 1; }
${CRANE_BIN} validate ... || { echo 'Validation failed'; exit 1; }This ensures failures are detected and reported promptly.
| trap "kill -9 $registry_pid" EXIT | ||
|
|
||
| # Wait for registry to start up | ||
| sleep 1.5 |
There was a problem hiding this comment.
Unreliable registry startup wait
Using sleep 1.5 to wait for the registry to start is not robust, as startup time may vary. Replace with a loop that checks registry readiness, e.g.:
for i in {1..10}; do
if curl -s localhost:1338/v2/ > /dev/null; then
break
fi
sleep 0.5
doneThis ensures the script proceeds only when the registry is actually ready.
| $1 | ||
|
|
||
| # Verify the image is pushed successfully using crane | ||
| ${CRANE_BIN} validate -v --fast --remote localhost:1338/repo/oci_img:testtag |
There was a problem hiding this comment.
Missing error handling for push and validation steps
The script does not check the exit status of the push rule target ($1) or the crane validation. Add error checks after each step to ensure failures are detected:
$1 || { echo "Push rule target failed"; exit 1; }
${CRANE_BIN} validate -v --fast --remote localhost:1338/repo/oci_img:testtag || { echo "Image validation failed"; exit 1; }This will make failures explicit and prevent false positives.
michaelschiff
left a comment
There was a problem hiding this comment.
tested in my repos still using rules_oci - LGTM
| trap "kill -9 $registry_pid" EXIT | ||
|
|
||
| # Wait for registry to start up | ||
| for i in {1..50}; do | ||
| if curl -s -f http://localhost:1338/v2/ >/dev/null; then | ||
| break | ||
| fi | ||
| sleep 0.05 | ||
| done | ||
|
|
||
| # Create a temporary directory for the mock kubectl and manifest dump | ||
| tmp_dir=$(mktemp -d) | ||
| trap "rm -rf $tmp_dir; kill -9 $registry_pid" EXIT |
There was a problem hiding this comment.
Trap Overwrite May Cause Incomplete Cleanup
The trap command is set twice: first on line 13 to kill the registry, then on line 25 to remove the temp directory and kill the registry. The second trap overwrites the first, and if the temp directory removal fails or is executed first, the registry process may not be properly killed, potentially leaving orphaned processes.
Recommended Solution:
Combine cleanup actions into a single trap, e.g.:
trap 'rm -rf "$tmp_dir"; kill -9 $registry_pid' EXITSet this after both $tmp_dir and $registry_pid are initialized.
| ${REGISTRY_BIN} & | ||
| registry_pid=$! | ||
| trap "kill -9 $registry_pid" EXIT | ||
|
|
||
| # Wait for registry to start up | ||
| for i in {1..50}; do | ||
| if curl -s -f http://localhost:1338/v2/ >/dev/null; then | ||
| break | ||
| fi | ||
| sleep 0.05 | ||
| done | ||
|
|
||
| # Create a temporary directory for the mock kubectl and manifest dump | ||
| tmp_dir=$(mktemp -d) | ||
| trap "rm -rf $tmp_dir; kill -9 $registry_pid" EXIT | ||
|
|
||
| manifest_out="${tmp_dir}/applied_manifest.yaml" | ||
| mock_kubectl="${tmp_dir}/kubectl" | ||
|
|
||
| cat <<EOF > "${mock_kubectl}" | ||
| #!/bin/bash | ||
| has_apply=false | ||
| for arg in "\$@"; do | ||
| if [ "\$arg" = "apply" ]; then | ||
| has_apply=true | ||
| fi | ||
| done | ||
|
|
||
| if [ "\$has_apply" = true ]; then | ||
| cat > "${manifest_out}" | ||
| else | ||
| echo "mock kubectl: \$@" | ||
| fi | ||
| EOF | ||
|
|
||
| chmod +x "${mock_kubectl}" | ||
|
|
||
| # Prepend mock kubectl to PATH | ||
| export PATH="${tmp_dir}:${PATH}" | ||
|
|
||
| # Execute the apply target executable | ||
| export CLUSTER=testcluster | ||
| export USER=testuser | ||
|
|
||
| ${apply_bin} |
There was a problem hiding this comment.
Lack of Error Checking for Critical External Commands
The script starts the registry (${REGISTRY_BIN}) and executes the apply target (${apply_bin}) without checking their exit statuses. If either fails, subsequent steps may produce misleading results or fail silently.
Recommended Solution:
Add error checks after these commands:
${REGISTRY_BIN} &
registry_pid=$!
if ! kill -0 $registry_pid 2>/dev/null; then
echo "Error: Registry failed to start"
exit 1
fi
...
${apply_bin}
if [ $? -ne 0 ]; then
echo "Error: apply_bin failed"
exit 1
fiThis ensures failures are detected early and reported.
…istroless_static), the deploy tool of rules_img requires the PullInfo provider to identify the base registry and resolve/locate layers of the base image.
Description
This PR implements rules_img support while keeping compatibility with rules_oci to facilitate transition
How Has This Been Tested?
unit test for rules_img has been implemented. Also, verifying end-to-end with external project.
Checklist: