Closed
Labels
- component: image-builder
- groundwork: awaiting deployment
- priority: highest (user impact): Directly user impacting
- team: workspace: Issue belongs to the Workspace team
- type: bug: Something isn't working
Description
The bob-proxy forces the tag of the base-ref and target-ref by rewriting the downstream manifest URL. The intention is to limit the access users have to the images in the respective repositories.
This fails if one tries to access a multi-platform image, e.g. golang:latest.
Steps to reproduce
```
# run bob proxy
cd components/image-builder-bob
go run main.go proxy --base-ref golang:latest --target-ref localhost:5000/target:test --auth {}

## in a new terminal
# install buildkit
cd /tmp
curl -OL https://github.com/moby/buildkit/releases/download/v0.9.0/buildkit-v0.9.0.linux-amd64.tar.gz
tar xzfv buildkit-v0.9.0.linux-amd64.tar.gz
sudo mv bin/* /usr/bin

# build bob and run it
cd /workspace/gitpod/components/image-builder-bob
go install

# Run bob. If the push to the target does not work, that's expected (unless you run a registry on that port).
# However, the pull fails already.
BOB_BASE_REF=localhost:8080/base:latest BOB_TARGET_REF=localhost:5000/target:latest sudo -E $(which bob) build
```

A more direct way to debug this is using the OCI tool:

```
# install oci-tool
go install github.com/csweichel/oci-tool@latest

# pull from bob proxy
oci-tool fetch --insecure manifest --platform linux-amd64 localhost:8080/base:latest
```

The returned manifest will be empty rather than the actual manifest.
Possible solutions:
- we could abandon the "tag forcing", and specify it when parametrising bob akin to what we're doing for digests already.
- we could find out how to make this tag forcing work, which would likely work for digests, too.
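
An added example, not part of the issue and not Gitpod's code: for a multi-platform image the tag resolves to an image index, and the client then requests the platform manifest by digest. Assuming the proxy forces the tag on every manifest URL, that digest request is sent back to the tag; the second function sketches a rewrite that keeps the restriction but passes digests listed in the permitted index. The function names, the upstream repository name and the digests are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// /v2/<name>/manifests/<reference>, as in the OCI distribution API.
var manifestPath = regexp.MustCompile(`^/v2/(.+)/manifests/([^/]+)$`)
var digestRef = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)

// forceTag (hypothetical) points every manifest request at the one permitted tag.
func forceTag(path, repo, tag string) (string, bool) {
	if !manifestPath.MatchString(path) {
		return "", false
	}
	return "/v2/" + repo + "/manifests/" + tag, true
}

// forceTagAllowChildren (hypothetical) keeps the restriction but passes digests
// that the permitted tag's image index lists; allowed is filled from that index.
func forceTagAllowChildren(path, repo, tag string, allowed map[string]bool) (string, bool) {
	m := manifestPath.FindStringSubmatch(path)
	if m == nil {
		return "", false
	}
	if ref := m[2]; digestRef.MatchString(ref) {
		if !allowed[ref] {
			return "", false // digest is not part of the permitted image
		}
		return "/v2/" + repo + "/manifests/" + ref, true
	}
	return "/v2/" + repo + "/manifests/" + tag, true
}

func main() {
	// Constructed digests: one listed in the index, one not.
	child := "sha256:" + strings.Repeat("ab", 32)
	other := "sha256:" + strings.Repeat("cd", 32)
	allowed := map[string]bool{child: true}
	req := "/v2/base/manifests/" + child

	got, _ := forceTag(req, "library/golang", "latest")
	fmt.Println("forced:  ", got) // the index again, not the platform manifest
	got, _ = forceTagAllowChildren(req, "library/golang", "latest", allowed)
	fmt.Println("allowed: ", got)
	_, ok := forceTagAllowChildren("/v2/base/manifests/"+other, "library/golang", "latest", allowed)
	fmt.Println("unlisted digest permitted:", ok)
}
```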