Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add support for sha256 container image specifications #5233

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

adamf-db
Copy link

@adamf-db adamf-db commented Aug 8, 2023

What problem does this PR solve?

The operator doesn't work when the image spec includes a sha256 image reference.

For security reasons, I much prefer to use the sha256 method of retrieving container images, rather then tags. Eg, we want to do pingcap/tidb@sha256:deadbeef.... instead of pingcap/tidb:v7.1.0. However, this breaks the operator because the operator tests if it can set labels in https://github.com/pingcap/tidb-operator/blob/master/pkg/manager/member/tidb_member_manager.go#L1142 by checking if the version extracted from the container image spec is greater than v6.3.0.

When I use the sha256 method of container image specification this code reports that we can't set labels and bails on all the code after that check.

This change makes it so that any valid sha256 is considered a greater version number then any other, similar to the logic for handling latest or nightly.

What is changed and how does it work?

The logic in the semantic version comparison is changed to support sha256 values. A value is consider a sha256 if hex.DecodeString returns no error and the length of the string is 64.

Code changes

  • Has Go code change
  • Has CI related scripts change

Tests

  • Unit test
  • E2E test
  • Manual test
  • No code

Side effects

  • Breaking backward compatibility
  • Other side effects:
    There's a potential that people are using 6.3.0 or early with sha256 container image specs.

Related changes

  • Need to cherry-pick to the release branch
  • Need to update the documentation

Release Notes

Please refer to Release Notes Language Style Guide before writing the release note.


@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Aug 8, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign bornchanger for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot requested review from lichunzhu and shonge August 8, 2023 19:39
@sre-bot
Copy link
Contributor

sre-bot commented Aug 8, 2023

CLA assistant check
All committers have signed the CLA.

@ti-chi-bot
Copy link
Contributor

ti-chi-bot bot commented Aug 8, 2023

Welcome @adamf-db! It looks like this is your first PR to pingcap/tidb-operator 🎉

@ti-chi-bot ti-chi-bot bot added the size/M label Aug 8, 2023
@csuzhangxc
Copy link
Member

@adamf-db how about adding version stings as #5213

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants