search

bazel-contrib / rules_oci

Bazel rules for building OCI containers
Apache License 2.0
289 stars 152 forks source link

Bug: oci_push to GCP broken #530

Open nikonikolov opened 6 months ago

nikonikolov commented 6 months ago

oci_push doesn't seem to work with GCP Artifact Registry (or maybe I am doing something wrong).

GCP quick start instructions here https://cloud.google.com/artifact-registry/docs/docker/store-docker-container-images say that when using docker, the pattern for pushing an image is:

docker push <REGION>-docker.pkg.dev/<PROJECT>/<REPO>/<IMAGE>:<TAG>
# Example: docker push us-central1-docker.pkg.dev/my-project/quickstart-docker-repo/quickstart-image:tag1

If I follow this with oci_push

oci_push(
    name = "push_gcp",
    image = ":image",
    repository = "us-central1-docker.pkg.dev/my-project/quickstart-docker-repo",
    remote_tags = ["tag1"],
)

I get an error

NAME_INVALID: Missing image name. Pushes should be of the form docker push HOST-NAME/PROJECT-ID/REPOSITO
RY/IMAGE

Looking at the generated push script, indeed crane doesn't seem to follow the above pattern

"${CRANE}" push "${IMAGE_DIR}" "${REPOSITORY}@${DIGEST}" "${ARGS[@]+"${ARGS[@]}"}" --image-refs "${REFS}"

In oci_push when I change the repository argument to include the image name us-central1-docker.pkg.dev/my-project/quickstart-docker-repo/quickstart-image, pushing seems to work. However, repository is no longer accurate description of the argument. Furthermore, tagging operations run by crane at the end of the script don't seem to be supported on GCP and I get unexpected status code 405 Method Not Allowed (HEAD responses have no body, use GET for details).

P.S. Definitely not an authentication issue since I can push the image without a problem using docker push

thesayyn commented 6 months ago

Correct use of repository is to include everything including the image name. distribution-spec doesn't say anything about image name and that what we conform to here.

Image name seems to be a distinction made by AR.

nikonikolov commented 6 months ago

Thanks. In that case, what's the correct way of tagging the image as the separate crane tagging commands don't seem to work with GCP.

marvin-hansen commented 6 months ago

After a bit of back and forth, here is the correct BUILD config to push to GCP Artifact Registry:

Assuming:

# Publish image to registry
oci_push(
    name = "push",
    image = ":image",
    repository = "asia-northeast1-docker.pkg.dev/my-project/my-bazel-repo/moby",
    remote_tags = ["latest"],
    visibility = ["//visibility:public"],
)

That way, push works as expected. There is absolutely nothing broken, afaik.

Only the documentation could need an example.