pulumi / pulumi-docker-build

A Pulumi native provider for Docker
Apache License 2.0

Wrong digest Output after pushing to GCP Artifact #242

Closed NikitaSemenovAiforia closed 1 week ago

NikitaSemenovAiforia commented 2 months ago

What happened?

I set `registries` to the GCP Artifact URL. The image was pushed, but the `digest` Output is set to `docker.io/library/sha256:`. There are no other registries or exports except the GitHub cache.

Example

```python
import pulumi
import pulumi_docker_build as docker_build

# region, project_id, migrator_repository_id, github_sha, github_ref_name and
# google_access_token are defined elsewhere in the program.
repo_url = pulumi.Output.concat(
    f"{region}-docker.pkg.dev",
    "/",
    project_id,
    "/",
    migrator_repository_id,
)
image_name = repo_url.apply(
    lambda ru: f"{ru}/transport-layer-migrator:{github_sha}",
)
tl_migrator_image = docker_build.Image(
    resource_name="transport-layer-migrator-image",
    tags=[
        image_name,
        repo_url.apply(
            lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
        ),
    ],
    context=docker_build.BuildContextArgs(location="../"),
    target="migration",
    cache_from=[
        docker_build.CacheFromArgs(
            gha=docker_build.CacheFromGitHubActionsArgs(
                scope="transport-layer-migrator",
            ),
        ),
        docker_build.CacheFromArgs(
            registry=docker_build.CacheFromRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:cache",
                ),
            ),
        ),
        docker_build.CacheFromArgs(
            registry=docker_build.CacheFromRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
                ),
            ),
        ),
    ],
    cache_to=[
        docker_build.CacheToArgs(
            gha=docker_build.CacheToGitHubActionsArgs(
                mode=docker_build.CacheMode.MAX,
                scope="transport-layer-migrator",
            ),
        ),
        docker_build.CacheToArgs(
            registry=docker_build.CacheToRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:cache",
                ),
                mode=docker_build.CacheMode.MAX,
            ),
        ),
        # Cache manifest pushed to the same tag as the image itself.
        docker_build.CacheToArgs(
            registry=docker_build.CacheToRegistryArgs(
                ref=repo_url.apply(
                    lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
                ),
            ),
        ),
    ],
    push=True,
    registries=[
        docker_build.RegistryArgs(
            address=repo_url,
            username="oauth2accesstoken",
            password=google_access_token,
        ),
    ],
)
```

Output of pulumi about

```
CLI
Version      3.126.0
Go Version   go1.22.5
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  docker-build  0.0.6
resource  gcp           7.38.0
language  python        unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in python: python' version='3.12.1'

Dependencies:
NAME                 VERSION
pip                  24.2
pulumi_docker_build  0.0.6
pulumi_gcp           7.38.0
pyright              1.1.378
setuptools           74.0.0
wheel                0.44.0
```

Additional context

No response


blampe commented 1 month ago

Hi @NikitaSemenovAiforia, a few clarifying questions.

NikitaSemenovAiforia commented 1 month ago

> Hi @NikitaSemenovAiforia, a few clarifying questions.
>
> * Can you confirm the digest you're talking about is `tl_migrator_image.digest`?

Confirmed.

> * What is the output of `docker version`?

```
Client: Docker Engine - Community
 Version:           26.1.3
 API version:       1.45
 Go version:        go1.21.10
 Git commit:        b72abbb
 Built:             Thu May 16 08:33:29 2024
 OS/Arch:           linux/amd64
 Context:           default
```

buildx v0.16.2

> * Did you already have something cached when you built the image with Pulumi?

Yes. The old script for this job was running simultaneously. Here is the step:

```yaml
- id: build_and_push
  name: Build and push
  uses: docker/build-push-action@v6
  with:
     push: true
     tags: ${{ vars.BASE_DOCKER_HUB_URL }}/${{ vars.PROJECT_NAME }}/docker-repository/transport-layer-migrator:k8s
     target: 'migration'
     cache-from: type=registry,ref=${{ vars.BASE_DOCKER_HUB_URL }}/${{ vars.PROJECT_NAME }}/docker-repository/transport-layer-migrator:k8s
     cache-to: type=inline
```

blampe commented 1 month ago

Super helpful context, thank you @NikitaSemenovAiforia!

I haven't been able to reproduce this yet -- the digest we use should be returned by the daemon whenever we export something to the registry. One thing you might try is changing this cache-to entry:

```python
docker_build.CacheToArgs(
    registry=docker_build.CacheToRegistryArgs(
        ref=repo_url.apply(
            lambda ru: f"{ru}/transport-layer-migrator:{github_ref_name}",
        ),
    ),
),
```

to an inline cache (`inline=docker_build.CacheToInlineArgs()`). Your code currently pushes an image tag and a cache manifest to `transport-layer-migrator:{github_ref_name}` and I suspect GCP might not be handling that well. Using an inline cache is the "right" way to use one tag for an image as well as a cache-from source.
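
Added example, not part of the thread and not code from the provider: a guard that a deployment step could run on a digest value before pinning an image by it, so the malformed `docker.io/library/sha256:` shape reported above fails the run instead of producing a reference against the wrong registry. The function names, the registry host and the repository path are hypothetical, and the sample digest is constructed.

```python
import re

# Bare OCI digest: algorithm "sha256" followed by 64 lowercase hex characters.
_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def extract_digest(value: str) -> str:
    """Return the bare sha256 digest carried by `value`, or raise ValueError.

    Accepts a bare digest ("sha256:<hex>") or a reference ending in
    "@sha256:<hex>". Rejects empty or truncated digests and the
    "docker.io/library/sha256:" shape reported in this issue, where a
    digest appears with an image-name prefix instead of an "@" separator.
    """
    candidate = value.rsplit("@", 1)[-1]
    if not _DIGEST_RE.fullmatch(candidate):
        raise ValueError(f"not a usable image digest: {value!r}")
    return candidate


def pinned_ref(repository: str, expected_host: str, value: str) -> str:
    """Build "<repository>@<digest>" for deploy-by-digest.

    `repository` must live on `expected_host`, so the pinned reference
    cannot silently resolve against a different registry.
    """
    host = repository.split("/", 1)[0]
    if host != expected_host:
        raise ValueError(f"repository host {host!r} is not {expected_host!r}")
    return f"{repository}@{extract_digest(value)}"


# Constructed sample values (hypothetical, not taken from the issue).
SAMPLE_HOST = "europe-west1-docker.pkg.dev"
SAMPLE_REPO = f"{SAMPLE_HOST}/example-project/example-repo/transport-layer-migrator"
SAMPLE_DIGEST = "sha256:" + "ab" * 32

if __name__ == "__main__":
    print(pinned_ref(SAMPLE_REPO, SAMPLE_HOST, SAMPLE_DIGEST))
    for bad in ("docker.io/library/sha256:", "sha256:", ""):
        try:
            extract_digest(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

In a Pulumi program the check would run inside an `apply` on `tl_migrator_image.digest`, so a bad value stops the update before anything consumes it.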