Docker Containers: Mistake in digest-storage on Quay

[PrivatePuffin]

Currently there exists this quay registry for the kube-rbac-proxy images:
https://quay.io/repository/brancz/kube-rbac-proxy?tab=tags&tag=latest

However, Quay has a quirk (one could call it a bug): It does NOT preserve older digests when new versions as pushed. Leading to set digests to disappear and become unreachable after a certain amount of time

To prevent this, kube-rbac-proxy, should be pushed with an extra tag on each push based on either the GitHub or container hash as tag. This ensures all digests on quay keep being available.

To be clear: this is not standard behavior, GHCR and Dockerhub work fine without this fix. It's purely a Quay.io bug/problem. However, digest retention is crucial for secure deployments of kube-rbac-proxy using Quay and digest pinning.

[ibihim]

OK, I will try to take a look in 2 weeks, if it isn't urgent.

[PrivatePuffin]

OK, I will try to take a look in 2 weeks, if it isn't urgent.

No worries!
The issue exists and won't go away, but also won't magically escalate into something worse either! :)

[ibihim]

But wait, do you have an example where this happened?

We push tagged images so the hash should stay available, no?

v0.20.1 amd64 has the hash ced29dfca22a.
If we don't push a new container image with the same version tag, this one should stay up and available, no?

[PrivatePuffin]

If we don't push a new container image with the same version tag, this one should stay up and available, no?

Correct, basically each hash (its called a digest btw), needs to permanently have a tag assigned to stay available.
As long as you ensure it does it should stay.

But the best practice would be to just also push a hash-tag to ensure that even if you did ever repush on the same digest, it guarantees you dont accidentilly break things