kubernetes-sigs/promo-tools

Signatures do not match across backing registries

BenTheElder opened this issue · 5 comments

What happened:

See:
kubernetes/registry.k8s.io#187 and https://kubernetes.slack.com/archives/CJH2GBF7Y/p1679166550351119

Images should have identical digests no matter what region I pull from.

This does not appear to be the case for some of the sigstore images added by the image-promoter.

What you expected to happen:

Images should be identical in all backing registries.

How to reproduce it (as minimally and precisely as possible):

Check us-west1 vs us-west2 AR instances for provider-aws/aws-ebs-csi-driver:sha256-c75878156614efc7c501ea655cd9da1ede35e9aee252436a92ff01f67f1c53fa.sig

Anything else we need to know?:

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Others:

See: kubernetes/registry.k8s.io#187 (comment)

I think this is relatively unlikely to break anyone as long as it remains scoped to sigstore signatures (which appears to be the case) given the usage patterns for this type of """image""". Still worth fixing.

Looks like this is also "some signatures are missing in some regions": kubernetes/registry.k8s.io#187 (comment)

puerco commented

The signature OCI objects are diverging because the promoter died mid-process. This PR will not fix the rate limit killing kpromo, but at least it will stop the propagation of new divergent .sig "images": #809

Remediation is being tracked in kubernetes/release#2962

Thanks!

Re: killed by rate limit – we should also consider retry with backoff on error, in case of e.g. network flakes. IIRC crane exposes an API for this, and crane copy does this by default.
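A consistency check for the symptom this issue reports, written here as an added example (it is not promo-tools or crane code): given the .sig tag to manifest-digest listing collected from each backing registry, it reports tags that are missing in some region and tags whose copies resolve to different digests. The region names, tags and digests in Sample are constructed, not real registry contents.

```go
package main

import "sort"

// Finding is one .sig tag that is not identical in every backing registry.
type Finding struct {
	Tag     string
	Missing []string          // regions where the tag does not exist
	Digests map[string]string // region -> digest, set only when copies disagree
}

// Divergences takes region -> (tag -> manifest digest) as listed from each backing
// registry and reports tags missing in some region or resolving to different digests.
func Divergences(byRegion map[string]map[string]string) []Finding {
	regions, tags := []string{}, map[string]bool{}
	for r, m := range byRegion {
		regions = append(regions, r)
		for t := range m {
			tags[t] = true
		}
	}
	sort.Strings(regions) // deterministic Missing order
	var out []Finding
	for t := range tags {
		f := Finding{Tag: t, Digests: map[string]string{}}
		distinct := map[string]bool{}
		for _, r := range regions {
			if d, ok := byRegion[r][t]; ok {
				f.Digests[r], distinct[d] = d, true
			} else {
				f.Missing = append(f.Missing, r)
			}
		}
		if len(distinct) <= 1 {
			f.Digests = nil // every copy that exists agrees
		}
		if len(f.Missing) > 0 || f.Digests != nil {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Tag < out[j].Tag })
	return out
}

// Sample is constructed data, not real registry contents: one consistent tag,
// one that differs in us-west2, one missing from us-west2.
var Sample = map[string]map[string]string{
	"us-west1": {"sha256-aaa.sig": "sha256:111", "sha256-bbb.sig": "sha256:222", "sha256-ccc.sig": "sha256:333"},
	"us-west2": {"sha256-aaa.sig": "sha256:111", "sha256-bbb.sig": "sha256:999"},
}
```

Running Divergences over Sample yields two findings: sha256-bbb.sig with differing digests in us-west1 and us-west2, and sha256-ccc.sig missing from us-west2.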