Set manifest annotations with image build #3312

Open
aarongoldenthal opened this issue Sep 12, 2024 · 0 comments

I'm wondering if there's a way to have kaniko add, override, or remove manifest annotations during an image build, similar to using the `docker build --annotation` flag. This is related to #1720, but looking more generically at even manual manipulation of the annotations in the manifest.

Some images, especially Docker Official images for at least some languages (my specific examples are the golang and node images), include annotations identifying the applicable image metadata (revision, source, base image, etc.). When they are used as base images for a build with kaniko, the annotations cascade to the final image (per the spec), which can be incorrect. The following shows an example, which happens to be a golang-based image from a GitLab container registry.

```text
PS C:\> docker manifest inspect registry.gitlab.com/gitlab-ci-utils/container-images/go-test:2.4.0
{
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "size": 2857,
        "digest": "sha256:c488f401d3e77d3e4cdb7de0800d27df344d8f4c6d7fff61b78c02bd470a3339"
    },
    "layers": [
        ...
    ],
    "annotations": {
            "com.docker.official-images.bashbrew.arch": "amd64",
            "org.opencontainers.image.base.digest": "sha256:216266c86fc4dcef5619930bd394245824c2af52fd21ba7c6fa0e618657d4c3b",
            "org.opencontainers.image.base.name": "alpine:3.20",
            "org.opencontainers.image.created": "2024-05-22T12:22:57Z",
            "org.opencontainers.image.revision": "cf7a37dedf1fd5a25ca72075645368d1e3c30c4a",
            "org.opencontainers.image.source": "https://github.com/docker-library/golang.git#cf7a37dedf1fd5a25ca72075645368d1e3c30c4a:1.22/alpine3.20",
            "org.opencontainers.image.url": "https://hub.docker.com/_/golang",
            "org.opencontainers.image.version": "1.22.3-alpine3.20"
    }
}
```

In addition to the annotations being incorrect in the final image, they are being used by some other applications as a source of truth.

One example of an issue is using Renovate to manage dependency updates (specifically container image tags/digests). If available in the image manifest, Renovate uses the annotations org.opencontainers.image.source and org.opencontainers.image.url to check for release notes and link to repositories, so it fails to properly pull release notes and links to the incorrect locations (although it uses the container registry itself for versioning data, so the updates are made properly). In the example above, instead of checking the source GitLab repository for release notes, it checks the GitHub golang repository. Without annotations the repository is properly resolved from the container image name.
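
A CI check for the situation described in this issue, as an added example (not code from kaniko, Renovate or the issue author): it reads `docker manifest inspect` output and reports the annotations that point at a repository other than the one the image is built from. The function names, the expected repository URL and the trimmed sample manifest are assumptions made for the example.

```python
import json
from urllib.parse import urlparse

# Annotations that tools such as Renovate read to locate the source repository.
LOCATION_KEYS = ("org.opencontainers.image.source", "org.opencontainers.image.url")
OCI_PREFIX = "org.opencontainers.image."

# Constructed sample: a trimmed copy of the manifest annotations shown in the issue.
SAMPLE_MANIFEST = json.dumps({"schemaVersion": 2, "annotations": {
    "com.docker.official-images.bashbrew.arch": "amd64",
    "org.opencontainers.image.base.name": "alpine:3.20",
    "org.opencontainers.image.revision": "cf7a37dedf1fd5a25ca72075645368d1e3c30c4a",
    "org.opencontainers.image.source": "https://github.com/docker-library/golang.git"
                                       "#cf7a37dedf1fd5a25ca72075645368d1e3c30c4a:1.22/alpine3.20",
    "org.opencontainers.image.url": "https://hub.docker.com/_/golang",
    "org.opencontainers.image.version": "1.22.3-alpine3.20",
}})
# Assumption: the project behind the registry path in the issue lives at this URL.
EXPECTED_REPO = "https://gitlab.com/gitlab-ci-utils/container-images/go-test"


def _host_path(url):
    """Reduce a URL to lowercase 'host/path', dropping scheme, fragment and '.git'."""
    parts = urlparse(url)
    path = parts.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return (parts.netloc + path).lower()


def inherited_annotations(manifest_json, expected_repo_url):
    """Return the OCI annotations that describe some other repository.

    When a location annotation points away from expected_repo_url, all
    org.opencontainers.image.* entries are returned, since revision,
    version and base.* most likely came from the same base image.
    """
    annotations = json.loads(manifest_json).get("annotations") or {}
    expected = _host_path(expected_repo_url)
    for key in LOCATION_KEYS:
        found = _host_path(annotations.get(key, expected_repo_url))
        if found != expected and not found.startswith(expected + "/"):
            return {k: v for k, v in annotations.items() if k.startswith(OCI_PREFIX)}
    return {}


if __name__ == "__main__":
    for key, value in sorted(inherited_annotations(SAMPLE_MANIFEST, EXPECTED_REPO).items()):
        print(f"inherited from base image: {key}={value}")
```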
