docker image build always shows a resource to be updated #19

Closed
bobhenkel opened this issue Sep 17, 2018 · 3 comments

@bobhenkel

With the code below, running `pulumi up` always shows the docker image needing to be updated, but nothing has changed. This happens even after saying yes and applying the perceived change needing to be applied. Logically this makes no sense: the sha on the image is the same value that is both on my local cache where the image was built and the same as the image pushed to the ECR registry from the previous time I ran this. Is there a reason for this behavior or a bug?

```typescript
import * as aws from "@pulumi/aws";
import * as docker from "@pulumi/docker";
import * as pulumi from "@pulumi/pulumi";

// AWS ECR
const ecr = new aws.ecr.Repository("bob/ecr-login", { name: "bob/ecr-login" });

// getRepository

const ecrCreds = ecr.registryId.apply(async (registryId) => {
    const credentials = await aws.ecr.getCredentials({
        registryId: registryId,
    });
    const decodedCredentials = Buffer.from(credentials.authorizationToken, "base64").toString();
    const [username, password] = decodedCredentials.split(":");
    return { server: credentials.proxyEndpoint, username, password };
});

const image2 = new docker.Image("bob/ecr-logins", {
    imageName: "xyz.dkr.ecr.us-east-1.amazonaws.com/bob/ecr-login:bob-test-dont-usev31",
    build: ".",
    registry: ecrCreds,
});
```
```
bob@puto ~/ecr-login> pulumi up
Previewing update of stack 'ecr-login'
Previewing changes:

     Type                   Name                       Plan          Info
 *   pulumi:pulumi:Stack    ecr-login-ecr-login        no change
 ~   └─ docker:image:Image  pnet-kube-crew/ecr-logins  update        changes: ~ registry, 2 info messages

Diagnostics:
  docker:image:Image: bob/ecr-logins
    info: Building container image 'xyz.dkr.ecr.us-east-1.amazonaws.com/bob/ecr-login:bob-test-dont-usev31': context=.

  docker:image:Image: bob/ecr-logins
    info: Sending build context to Docker daemon  90.34MB
    Step 1/2 : FROM scratch
     --->
    Step 2/2 : CMD ["echo x"]
     ---> Using cache
     ---> e66bbfc4c3a1
    Successfully built e66bbfc4c3a1
    Successfully tagged xyz.dkr.ecr.us-east-1.amazonaws.com/bob/ecr-login:bob-test-dont-usev31

info: 1 change previewed:
    ~ 1 resource to update
      2 resources unchanged

Do you want to perform this update?
  yes
> no
  details
```

@bobhenkel

May relate to #14

@lukehoban lukehoban self-assigned this Sep 18, 2018
@lukehoban lukehoban added this to the 0.18 milestone Sep 18, 2018
@lukehoban lukehoban added the customer/feedback Feedback from customers label Sep 18, 2018
@lukehoban lukehoban assigned hausdorff and unassigned lukehoban Oct 4, 2018
@CyrusNajmabadi

So, as far as I can tell, this issue here comes down to:

```typescript
const credentials = await aws.ecr.getCredentials({
    registryId: registryId,
});
const decodedCredentials = Buffer.from(credentials.authorizationToken, "base64").toString();
const [username, password] = decodedCredentials.split(":");
```

Each time this is called, a fresh credentials string is returned, and the 'password' is different. From reading through docs, this is likely because the auth information that comes back is only valid for 12 hours, and each time this is called, it gives you a fresh set of tokens good for those next 12 hours.

Because the Image object is then storing these creds in `registry: ecrCreds`, this makes it seem as if things changed, and that causes a refresh.

--

@lukehoban Any thoughts on what we should be doing here? It feels like the registry credentials should not be considered part of the resource. Instead, they should just be used to build and push the data as appropriate.

@CyrusNajmabadi

Ok. I tried this out with us not storing credentials. And it seems to be doing the correct thing :) Going to go ahead with that.
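
The effect described in this thread, as an added example that is not part of the original issue and is not Pulumi's code: a constructed stand-in for `aws.ecr.getCredentials` returns a different password on each call, so comparing stored inputs reports `registry` as changed on every run, while leaving the credentials out of the stored state yields no diff. All function names, the registry host and the token values are assumptions made up for this illustration.

```javascript
// Added illustration; all names are hypothetical, all values are constructed.

// Decode an ECR-style authorization token: base64("username:password").
// Split on the first ":" only, so a password containing ":" survives intact.
function decodeToken(authorizationToken) {
  const decoded = Buffer.from(authorizationToken, "base64").toString();
  const i = decoded.indexOf(":");
  if (i < 0) throw new Error("token is not in username:password form");
  return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Constructed stand-in for aws.ecr.getCredentials: a new password on every call.
let calls = 0;
function fakeGetCredentials() {
  calls += 1;
  const token = Buffer.from(`AWS:constructed-secret-${calls}`).toString("base64");
  return { authorizationToken: token, proxyEndpoint: "https://registry.example.invalid" };
}

// Inputs for one program run, shaped like the docker.Image arguments in the issue.
function imageInputs() {
  const creds = fakeGetCredentials();
  const { username, password } = decodeToken(creds.authorizationToken);
  return {
    imageName: "registry.example.invalid/bob/ecr-login:tag",
    build: ".",
    registry: { server: creds.proxyEndpoint, username, password },
  };
}

// Assumption: "not storing credentials" is modelled by dropping the whole
// registry object from what is stored and compared between runs.
function withoutCredentials(inputs) {
  const { registry, ...stored } = inputs;
  return stored;
}

// Names of top-level properties whose values differ between two runs.
function changedKeys(oldState, newState) {
  const keys = new Set([...Object.keys(oldState), ...Object.keys(newState)]);
  return [...keys]
    .filter((k) => JSON.stringify(oldState[k]) !== JSON.stringify(newState[k]))
    .sort();
}

const run1 = imageInputs();
const run2 = imageInputs();
console.log(changedKeys(run1, run2)); // [ 'registry' ]
console.log(changedKeys(withoutCredentials(run1), withoutCredentials(run2))); // []
```

Dropping the credentials from the stored inputs also means the decoded password is never written into the saved state.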
