jetstack / version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
https://jetstack.io
Apache License 2.0

[BUG] SHA comparison issue with `match-regex.version-checker.io` #228

Closed erwanval closed 1 month ago

erwanval commented 4 months ago

Describe the bug

version-checker sometimes seems not to do the comparison properly, leading to the metrics stating it's not the latest while it is. I haven't tested with other registries, but it happens with docker.io and the annotation match-regex.version-checker.io.

Here is a simple pod to test that scenario:

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: test-pod
  annotations:
    match-regex.version-checker.io/test: ^\d+.\d+.\d+-glibc
  name: test-pod
spec:
  containers:
  - image: docker.io/busybox:1.36.1-glibc
    name: test
    args:
    - sh
    - -c
    - "sleep infinity"
```

docker.io/busybox:1.36.1-glibc is currently the latest of the -glibc suffix.

The produced metric has the following labels, and its value is 0:

```
version_checker_is_latest_version{container="version-checker", container_type="container", current_version="1.36.1-glibc@sha256:25e9fcbd3799fce9c0ec978303d35dbb18a6ffb1fc76fc9b181dd4e657e2cd13", endpoint="web", exported_container="test", exported_namespace="default", exported_pod="test-pod", image="docker.io/busybox", instance="100.64.6.176:8080", job="version-checker", latest_version="1.36.1-glibc@sha256:50aa4698fa6262977cff89181b2664b99d8a56dbca847bf62f2ef04854597cf8", namespace="infra", pod="version-checker-5757d8dc7-mw75h", service="version-checker"}
```

First thing to note is that current_version and latest_version contain the sha, so I assume it compares using the sha in that case, instead of just the tag. From my tests, I concluded that when the semVer doesn't match, version-checker immediately states it's not the latest (which makes sense). But when it matches, version-checker then compares using the sha. I'm not sure if I'm right about the behavior, nor if it's expected. In any case, when the semVer matches and the sha is compared, both values are different. Looking in Docker Hub, the "current_version" matches the "Index digest", while "latest_version" matches the "Manifest digest", which are different for the same image. I suppose that's why the metric returns 0.

To Reproduce

See above.

Expected behavior

version-checker should report that the current version matches the latest.


github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had any activity in the last 90 days. It will be closed if no further activity occurs. Thank you for your contributions.
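
The index digest versus manifest digest mismatch described in the report, reproduced offline as an added Go example (not version-checker's code and not its fix). It assumes the tag is a multi-platform image whose index lists per-platform manifests; the manifest bodies are constructed, the index is reduced to two fields, and `Digest`, `BuildIndex` and `SameImage` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Descriptor and Index keep only the OCI image index fields needed here.
type Descriptor struct{ Digest string `json:"digest"` }

type Index struct {
	MediaType string       `json:"mediaType"`
	Manifests []Descriptor `json:"manifests"`
}

// Digest is the content address of a blob: sha256 over its raw bytes.
func Digest(b []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(b))
}

// BuildIndex wraps per-platform manifests in an index and returns its raw bytes.
func BuildIndex(manifests ...[]byte) []byte {
	idx := Index{MediaType: "application/vnd.oci.image.index.v1+json"}
	for _, m := range manifests {
		idx.Manifests = append(idx.Manifests, Descriptor{Digest: Digest(m)})
	}
	raw, _ := json.Marshal(idx) // cannot fail for this struct
	return raw
}

// SameImage treats two digests as the same tag content when they are equal,
// or when one is the index digest and the other a manifest listed in that index.
func SameImage(a, b string, indexRaw []byte) bool {
	var idx Index
	_ = json.Unmarshal(indexRaw, &idx) // unparsable index: no children to match
	id, match := Digest(indexRaw), a == b
	for _, d := range idx.Manifests {
		match = match || (a == id && b == d.Digest) || (b == id && a == d.Digest)
	}
	return match
}

func main() {
	// Constructed manifest bodies; real ones list config and layer digests.
	amd64, arm64 := []byte(`{"constructed":"amd64 manifest"}`), []byte(`{"constructed":"arm64 manifest"}`)
	index := BuildIndex(amd64, arm64)
	fmt.Println(Digest(index) == Digest(amd64), SameImage(Digest(index), Digest(amd64), index))
}
```

Plain string equality between the index digest and a per-platform manifest digest is always false, because they hash different documents; `SameImage` only accepts the pair when the index itself lists that manifest.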