Incorrect image regex.

[derrickburns]

velero refers to an image using a sha:

velero/velero@sha256:0c74f1d552ef25a4227e582f4c0e6b3db3402abe196595ee9442ceeb43b99696

That causes this warning in my flux Flux logs:

flux ts=2020-04-16T06:12:01.55743482Z caller=warming.go:180 component=warmer canonical_name=index.docker.io/velero/velero@sha256 auth={map[]} err="requesting tags: mux: variable \"velero/velero@sha256\" doesn't match, expected \"^(?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\\\\.(?:[a-zA-Z0-9]|[azA-Z0-9[][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$\""

I suspect that the regex needs to be updated.

[derrickburns]

I am still getting this using 1.19.0

[stefanprodan]

Flux does't support @sha256 image digests, it only works with image tags. You can use --registry-exclude-image=*velero* to stop Flux from parsing Velero images.

[alewis001]

Hi. Is that effectively a workaround for #885 if you just want flux to deploy exactly what's in the yaml and not monitor the registry for new images?

[alewis001]

I've used --registry-disable-scanning=true and that does appear to stop the error message above. In my particular case, I just want flux to deploy what's exactly in the yaml and not attempt to find new images for a tag, commit back to the config repo, etc. so this is a sufficient workaround for me fir the tag/digest issue in #885.

Thanks

[jpds]

I'm also having this issue with tekton pipeline manifests:

ts=2020-06-17T17:55:43.656757398Z caller=warming.go:180 component=warmer canonical_name=gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256 auth={map[]} err="requesting tags: mux: variable \"tekton-releases/github.com/tektoncd/triggers/cmd/controller@sha256\" doesn't match, expected \"^(?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])(?:(?:\\\\.(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9]))+)?(?::[0-9]+)?/)?[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?(?:(?:/[a-z0-9]+(?:(?:(?:[._]|__|[-]*)[a-z0-9]+)+)?)+)?$\""
ts=2020-06-17T17:56:25.841074267Z caller=images.go:39 resource=tekton-pipelines:deployment/tekton-pipelines-controller err="expected image name as either <image>:<tag> or just <image>: invalid image ID"
ts=2020-06-17T17:56:25.842193752Z caller=images.go:39 resource=tekton-pipelines:deployment/tekton-pipelines-webhook err="expected image name as either <image>:<tag> or just <image>: invalid image ID"

Their manifest is at https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.13.2/release.yaml .

Is there a reason why Kubernetes supports this, but not Flux?

[varac]

Checking image digests is a crucial and important security feature and flux should really support them. Please integrate this into flux.

[varac]

Btw, in my experience this is just a warning from flux, because the ingress-nginx chart deploys fine anyhow. It's just that there's no digest validation.

[Frizlab]

FWIW --registry-exclude-image="k8s.gcr.io/*","*@sha256" seems to do the trick to remove the warning for me (I’ve added "k8s.gcr.io/*" because it’s the default value and I don’t want to lose the default, I just want to add "*@sha256").

A support for @sha256 from Flux would be welcome 🙂