You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
With the code below running pulumi up always shows the docker image needing to be updated, but nothing has changed. This happens even after saying yes and apping the perceived change needing to be applied. Logically this makes no sense, the sha on the image is the same value that is both on my local cache where the image was built and the same as the image pushed to the ECR registry from the previous time I ran this. Is there a reason for this behavior or a bug?
import * as aws from "@pulumi/aws";
import * as docker from "@pulumi/docker";
import * as pulumi from "@pulumi/pulumi";
// AWS ECR
const ecr = new aws.ecr.Repository("bob/ecr-login",{name: "bob/ecr-login"});
// getRepository
const ecrCreds = ecr.registryId.apply(async (registryId) => {
const credentials = await aws.ecr.getCredentials({
registryId: registryId,
});
const decodedCredentials = Buffer.from(credentials.authorizationToken, "base64").toString();
const [username, password] = decodedCredentials.split(":");
return { server: credentials.proxyEndpoint, username, password };
});
const image2 = new docker.Image("bob/ecr-logins", {
imageName: "xyz.dkr.ecr.us-east-1.amazonaws.com/bob/ecr-login:bob-test-dont-usev31",
build: ".",
registry: ecrCreds,
});
bob@puto ~/ecr-login> pulumi up
Previewing update of stack 'ecr-login'
Previewing changes:
Type Name Plan Info
* pulumi:pulumi:Stack ecr-login-ecr-login no change
~ └─ docker:image:Image pnet-kube-crew/ecr-logins update changes: ~ registry, 2 info messages
Diagnostics:
docker:image:Image: bob/ecr-logins
info: Building container image 'xyz.dkr.ecr.us-east-1.amazonaws.com/bob/ecr-login:bob-test-dont-usev31': context=.
docker:image:Image: bob/ecr-logins
info: Sending build context to Docker daemon 90.34MB
Step 1/2 : FROM scratch
--->
Step 2/2 : CMD ["echo x"]
---> Using cache
---> e66bbfc4c3a1
Successfully built e66bbfc4c3a1
Successfully tagged xyz.dkr.ecr.us-east-1.amazonaws.com/bob/ecr-login:bob-test-dont-usev31
info: 1 change previewed:
~ 1 resource to update
2 resources unchanged
Do you want to perform this update?
yes
> no
details
The text was updated successfully, but these errors were encountered:
Each time this is called, a fresh credentials string is returned, and the 'password' is different. From reading through docs, this is likely because hte auth information that comes back is only valid for 12 hours, and each time this is called, if gives you a fresh set of tokens good for those next 12 hours.
Because the Image object is then storing these creds in registry: ecrCreds,, this makes it seem as if things changed, and that causes a refresh.
--
@lukehoban Any thoughts on what we should be doing here? It feels like the registry credentials should not be considered part of the resource. Instead, they should just be used to build and push the data as appropriate.
With the code below running pulumi up always shows the docker image needing to be updated, but nothing has changed. This happens even after saying yes and apping the perceived change needing to be applied. Logically this makes no sense, the sha on the image is the same value that is both on my local cache where the image was built and the same as the image pushed to the ECR registry from the previous time I ran this. Is there a reason for this behavior or a bug?
The text was updated successfully, but these errors were encountered: