The annotateEolDigests command provides a --force option that will always create an EOL annotation even if one already exists. This was intended to handle scenarios where we essentially want to overwrite an incorrectly defined annotation. However, this causes multiple such annotations to exist in the registry. We don't want obsolete annotations to continue to be around.
The correct thing to do here is to delete the existing annotation before pushing the new one. But it's not as simple as just applying those operations to the manifests in the ACR. That gets applied to the ACR, but the deletion does not propagate to MAR. So if you did that, you'd effectively still be left with multiple annotations in MAR. Deletions in MAR need to be done through a separate workflow that is not automated.
So there isn't a way to fully automate this scenario. For that reason, the command is being modified here to do away with the --force option entirely. In addition, it will report on image digests which have existing annotations. There is logic to check whether the existing annotation already matches the EOL date to be set. If so, it simply skips the annotation. If it differs, it will be skipped but logged as an error as it will need to be addressed through the manual steps described above.
The
annotateEolDigestscommand provides a--forceoption that will always create an EOL annotation even if one already exists. This was intended to handle scenarios where we essentially want to overwrite an incorrectly defined annotation. However, this causes multiple such annotations to exist in the registry. We don't want obsolete annotations to continue to be around.The correct thing to do here is to delete the existing annotation before pushing the new one. But it's not as simple as just applying those operations to the manifests in the ACR. That gets applied to the ACR, but the deletion does not propagate to MAR. So if you did that, you'd effectively still be left with multiple annotations in MAR. Deletions in MAR need to be done through a separate workflow that is not automated.
So there isn't a way to fully automate this scenario. For that reason, the command is being modified here to do away with the
--forceoption entirely. In addition, it will report on image digests which have existing annotations. There is logic to check whether the existing annotation already matches the EOL date to be set. If so, it simply skips the annotation. If it differs, it will be skipped but logged as an error as it will need to be addressed through the manual steps described above.