Skip to content

rules_img support#69

Open
apesternikov wants to merge 10 commits into
mainfrom
ap/rules_img_support
Open

rules_img support#69
apesternikov wants to merge 10 commits into
mainfrom
ap/rules_img_support

Conversation

@apesternikov

Copy link
Copy Markdown
Contributor

Description

This PR implements rules_img support while keeping compatibility with rules_oci to facilitate transition

How Has This Been Tested?

unit test for rules_img has been implemented. Also, verifying end-to-end with external project.

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.

Comment on lines 166 to 172
}
}
if len(gitopsKind) == 0 {
gitopsKind = []string{"k8s_container_push", "push_oci"}
gitopsKind = []string{"push_oci_rule"}
}

var gitServer git.Server

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential runtime error due to lack of validation after assigning gitServer

After the switch statement, there is no check to ensure that gitServer is valid (i.e., not nil or a non-function). If git.ServerFunc returns nil or an invalid function, subsequent calls to gitServer.CreatePR may panic. To improve robustness, add a validation step after assignment:

if gitServer == nil {
    log.Fatalf("Failed to initialize git server implementation for host: %s", *gitHost)
}

This ensures that any issues with the assignment are caught early, preventing unexpected runtime errors.

Comment thread gitops/prer/prer_test.sh
"gitops/testing/img_pushed_image_docker_io.push"
)

echo "Verifying gitops targets..."

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diagnostic Limitation in Verification Loop

The verification loop for gitops targets (starting at line 67) exits immediately upon encountering the first missing target. This approach prevents the script from reporting all missing targets, which can hinder debugging and reduce diagnostic value.

Recommended Solution:

Modify the loop to collect all missing targets and report them together at the end, for example:

missing_targets=()
for target in "${EXPECTED_TARGETS[@]}"; do
  if ! grep -q "target $target" "$OUTPUT_FILE"; then
    missing_targets+=("$target")
  fi
done
if [ ${#missing_targets[@]} -ne 0 ]; then
  echo "ERROR: The following gitops targets were not found in output:" >&2
  printf '  %s\n' "${missing_targets[@]}" >&2
  exit 1
fi

This approach improves maintainability and provides more comprehensive feedback.

Comment thread push_img/tests/integration_test.sh Outdated
Comment on lines +13 to +14
sleep 1.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Race Condition: Registry Readiness
The script uses a fixed sleep 1.5 to wait for the registry to start, which may not reliably ensure the registry is ready to accept connections. This can lead to intermittent test failures if the registry takes longer to start.

Recommendation:
Replace the fixed sleep with a loop that checks the registry's readiness, e.g.:

for i in {1..10}; do
  if nc -z localhost 1338; then
    break
  fi
  sleep 0.5
done

This ensures the test proceeds only when the registry is actually ready.

Comment on lines +16 to +19
$1

# Verify the image is pushed successfully using crane
${CRANE_BIN} validate -v --fast --remote localhost:1338/repo/img:testtag

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Error Handling: Push and Validation Steps
The script does not check the exit codes of the push operation ($1) or the validation step (${CRANE_BIN} validate). If either fails, the script will continue and may report a false positive.

Recommendation:
Add error checks after each critical step:

$1 || { echo 'Push failed'; exit 1; }
${CRANE_BIN} validate ... || { echo 'Validation failed'; exit 1; }

This ensures failures are detected and reported promptly.

Comment thread push_oci/tests/integration_test.sh Outdated
trap "kill -9 $registry_pid" EXIT

# Wait for registry to start up
sleep 1.5

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreliable registry startup wait

Using sleep 1.5 to wait for the registry to start is not robust, as startup time may vary. Replace with a loop that checks registry readiness, e.g.:

for i in {1..10}; do
  if curl -s localhost:1338/v2/ > /dev/null; then
    break
  fi
  sleep 0.5
done

This ensures the script proceeds only when the registry is actually ready.

Comment on lines +16 to +19
$1

# Verify the image is pushed successfully using crane
${CRANE_BIN} validate -v --fast --remote localhost:1338/repo/oci_img:testtag

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing error handling for push and validation steps

The script does not check the exit status of the push rule target ($1) or the crane validation. Add error checks after each step to ensure failures are detected:

$1 || { echo "Push rule target failed"; exit 1; }
${CRANE_BIN} validate -v --fast --remote localhost:1338/repo/oci_img:testtag || { echo "Image validation failed"; exit 1; }

This will make failures explicit and prevent false positives.

@michaelschiff michaelschiff left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested in my repos still using rules_oci - LGTM

Comment on lines +13 to +25
trap "kill -9 $registry_pid" EXIT

# Wait for registry to start up
for i in {1..50}; do
if curl -s -f http://localhost:1338/v2/ >/dev/null; then
break
fi
sleep 0.05
done

# Create a temporary directory for the mock kubectl and manifest dump
tmp_dir=$(mktemp -d)
trap "rm -rf $tmp_dir; kill -9 $registry_pid" EXIT

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trap Overwrite May Cause Incomplete Cleanup

The trap command is set twice: first on line 13 to kill the registry, then on line 25 to remove the temp directory and kill the registry. The second trap overwrites the first, and if the temp directory removal fails or is executed first, the registry process may not be properly killed, potentially leaving orphaned processes.

Recommended Solution:
Combine cleanup actions into a single trap, e.g.:

trap 'rm -rf "$tmp_dir"; kill -9 $registry_pid' EXIT

Set this after both $tmp_dir and $registry_pid are initialized.

Comment on lines +11 to +55
${REGISTRY_BIN} &
registry_pid=$!
trap "kill -9 $registry_pid" EXIT

# Wait for registry to start up
for i in {1..50}; do
if curl -s -f http://localhost:1338/v2/ >/dev/null; then
break
fi
sleep 0.05
done

# Create a temporary directory for the mock kubectl and manifest dump
tmp_dir=$(mktemp -d)
trap "rm -rf $tmp_dir; kill -9 $registry_pid" EXIT

manifest_out="${tmp_dir}/applied_manifest.yaml"
mock_kubectl="${tmp_dir}/kubectl"

cat <<EOF > "${mock_kubectl}"
#!/bin/bash
has_apply=false
for arg in "\$@"; do
if [ "\$arg" = "apply" ]; then
has_apply=true
fi
done

if [ "\$has_apply" = true ]; then
cat > "${manifest_out}"
else
echo "mock kubectl: \$@"
fi
EOF

chmod +x "${mock_kubectl}"

# Prepend mock kubectl to PATH
export PATH="${tmp_dir}:${PATH}"

# Execute the apply target executable
export CLUSTER=testcluster
export USER=testuser

${apply_bin}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lack of Error Checking for Critical External Commands

The script starts the registry (${REGISTRY_BIN}) and executes the apply target (${apply_bin}) without checking their exit statuses. If either fails, subsequent steps may produce misleading results or fail silently.

Recommended Solution:
Add error checks after these commands:

${REGISTRY_BIN} &
registry_pid=$!
if ! kill -0 $registry_pid 2>/dev/null; then
  echo "Error: Registry failed to start"
  exit 1
fi
...
${apply_bin}
if [ $? -ne 0 ]; then
  echo "Error: apply_bin failed"
  exit 1
fi

This ensures failures are detected early and reported.

…istroless_static), the deploy tool of rules_img requires the PullInfo provider to identify the base registry and resolve/locate layers of the base image.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants