jetstack / version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
https://jetstack.io
Apache License 2.0

[BUG] `use-sha.version-checker.io/main: "false"` annotation does not appear to do anything #225

Closed UntouchedWagons closed 1 month ago

UntouchedWagons commented 2 months ago

Describe the bug: I only want version-checker to check if an image is using the latest version by the tag, not the SHA hash, but the annotation appears to be ignored.

To Reproduce Steps to reproduce the behavior:

  1. Deploy a container with image 'jellyfin/jellyfin:10.9.7' and the annotations:
     enable.version-checker.io/main: "true"
     use-sha.version-checker.io/main: "false"
     match-regex.version-checker.io/main: ^\d+\.\d+\.\d+$
  2. Check Prometheus with the following query: version_checker_is_latest_version{image="jellyfin/jellyfin"}
  3. The expected metric/container should be: version_checker_is_latest_version{container="version-checker", container_type="container", current_version="10.9.7@sha256:76930362d2c266e8f0b2f51f1c6b039a5207525d0e138a1cdbec870c66c34b0f", endpoint="web", exported_container="main", exported_namespace="default", exported_pod="jellyfin-799f5b6575-sngkm", image="jellyfin/jellyfin", instance="10.42.0.80:8080", job="version-checker", latest_version="10.9.7@sha256:6203ac578fb69831038be6c9eac7a33575eb13c72b8a70d037147504b2806e8e", namespace="version-checker", pod="version-checker-d4bfc9cd6-499xb", service="version-checker"} = 0

Even though the SHA hash is different, that shouldn't matter because I've set the use-sha annotation to false.

Expected behavior: The version_checker_is_latest_version query should report a 1 because, as of writing, 10.9.7 is the latest release of the jellyfin image.

Screenshots:

These four records in the Grafana dashboard will frequently appear and disappear from the dashboard, making the dashboard not very useful.


davidcollom commented 1 month ago

Hi @UntouchedWagons - This isn't the usage for the use-sha.version-checker.io/xxx annotation - this annotation will switch the logic from using the tags to actually using the SHA256 Timestamp to detect if you're using the latest release.

This can be seen here: https://github.com/jetstack/version-checker/blob/c052ef39d526928b8a4cf6011358c57661ad1404/pkg/controller/checker/checker.go#L57-L68 and here: https://github.com/jetstack/version-checker/blob/c052ef39d526928b8a4cf6011358c57661ad1404/pkg/controller/checker/checker.go#L159-L178

That being said, I can see how this is confusing and we may need to think of a better terminology or documentation on this.

Regarding the latest... I can see how this is an issue, as jellyfin/jellyfin is a multi-platform image, there are several images relating to 10.9.7:

  - Index: sha256:76930362d2c266e8f0b2f51f1c6b039a5207525d0e138a1cdbec870c66c34b0f
  - AMD64: sha256:6203ac578fb69831038be6c9eac7a33575eb13c72b8a70d037147504b2806e8e
  - ARM64/v8: sha256:10c61f5a0263a635b1b3b5c8dcd36c184b651d4055bbffdc0c13b63ff1945a73
  - ARM32/v7: sha256:647c6008646edf5f93d333443ee3d20a0266607daf739890167f7d234279d571

I am currently working on adding Multi-Platform/Arch support in the coming month(s), however, it is taking longer than expected...

I suspect you're actually hitting an issue here: https://github.com/jetstack/version-checker/blob/c052ef39d526928b8a4cf6011358c57661ad1404/pkg/controller/checker/checker.go#L149-L154

Whereby you, as you rightly say, are using the latest tag, but the SHA isn't matching what's expected... This check is important as you may have a long-running pod within your cluster and the maintainer has published a new (patched) version, which could leave you with running vulnerabilities.
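The digest mismatch described in the comment above, as an added example (not version-checker's code and not part of the original thread): it models the 10.9.7 tag with the four digests quoted there and contrasts comparing a pod's digest against one platform manifest with accepting the index or any platform manifest. The `Release` and `Running` types and all function names are hypothetical.

```go
package main

import "fmt"

// Release is a hypothetical model of one upstream tag of a multi-platform
// image: the index digest plus one manifest digest per platform.
type Release struct {
	Tag, Index string
	Platforms  map[string]string
}

// Running is the tag and digest reported for a container in a pod.
type Running struct{ Tag, Digest string }

// jellyfin1097 holds the digests quoted in the comment above.
func jellyfin1097() Release {
	return Release{Tag: "10.9.7",
		Index: "sha256:76930362d2c266e8f0b2f51f1c6b039a5207525d0e138a1cdbec870c66c34b0f",
		Platforms: map[string]string{
			"AMD64":    "sha256:6203ac578fb69831038be6c9eac7a33575eb13c72b8a70d037147504b2806e8e",
			"ARM64/v8": "sha256:10c61f5a0263a635b1b3b5c8dcd36c184b651d4055bbffdc0c13b63ff1945a73",
			"ARM32/v7": "sha256:647c6008646edf5f93d333443ee3d20a0266607daf739890167f7d234279d571",
		}}
}

// onePlatformLatest compares against a single platform manifest digest, so a
// pod reporting the index digest looks outdated although its tag is current.
func onePlatformLatest(r Running, rel Release, platform string) bool {
	return r.Tag == rel.Tag && r.Digest == rel.Platforms[platform]
}

// anyDigestLatest accepts the index digest or any platform manifest digest and
// still rejects a digest the tag no longer points to (a re-published tag).
func anyDigestLatest(r Running, rel Release) bool {
	ok := r.Digest == rel.Index
	for _, d := range rel.Platforms {
		ok = ok || r.Digest == d
	}
	return ok && r.Tag == rel.Tag
}

func main() {
	rel := jellyfin1097()
	pod := Running{Tag: "10.9.7", Digest: rel.Index} // current_version in the reported metric
	fmt.Println(onePlatformLatest(pod, rel, "AMD64"), anyDigestLatest(pod, rel))
}
```

The pod in the report carries the index digest while the metric's latest_version carries the AMD64 digest, which is the first comparison; the second keeps the patched-image check the maintainer describes.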

UntouchedWagons commented 1 month ago

Hmm, I see. Okay, so I'll remove the use-sha annotation. Some images like jellyfin/jellyfin have specific tags that are only for amd64 which I can use. Why though do images appear and disappear from the Grafana dashboard?

davidcollom commented 1 month ago

> Why though do images appear and disappear from the Grafana dashboard?

I'm not entirely sure, this may be more related to your Grafana / Prometheus setup and would be challenging to reproduce without any further details or logs from both Prometheus, Grafana and version-checker itself.

> Some images like jellyfin/jellyfin have specific tags that are only for amd64 which I can use.

Sure, something like your existing annotation of: match-regex.version-checker.io/main: ^\d+\.\d+\.\d+-amd64$ might be a solution here also.

Unless there's anything else, I'm going to close this issue as there's a solution to your primary problem and the title no longer matches the issue as things were working as expected. Please feel free to raise another issue/bug should you get any further information on the disappearing metrics.