Skip to content

Commit 2d1e3c6

Browse files
Fix cache digest comparison by using oras manifest fetch instead of client-side hash
get_image_digest computes a client-side sha256 of the raw manifest bytes from skopeo, which doesn't match the registry-assigned digest stored in the OpenShift ImageStream. Additionally, skopeo inspect without --raw fails entirely on ORAS artifacts. Replace with oras manifest fetch --descriptor which returns the registry-assigned digest, matching what oc import-image stores in the ImageStream. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 7bfc2eb commit 2d1e3c6

2 files changed

Lines changed: 27 additions & 9 deletions

File tree

iib/workers/tasks/oras_utils.py

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
# SPDX-License-Identifier: GPL-3.0-or-later
22
"""This file contains functions for ORAS (OCI Registry As Storage) operations."""
3+
import json
34
import logging
45
import os
56
import re
@@ -265,7 +266,16 @@ def verify_indexdb_cache_sync(tag: str) -> bool:
265266
registry=conf['iib_index_db_artifact_registry'], tag=tag
266267
)
267268

268-
quay_digest = get_image_digest(artifact_pullspec)
269+
oras_exclusive_auth_path = conf['iib_index_db_oras_auth_path']
270+
cmd_args = []
271+
if oras_exclusive_auth_path and os.path.exists(oras_exclusive_auth_path):
272+
cmd_args = ['--registry-config', oras_exclusive_auth_path]
273+
274+
descriptor = run_cmd(
275+
['oras', 'manifest', 'fetch', '--descriptor', *cmd_args, artifact_pullspec],
276+
exc_msg=f'Failed to fetch manifest descriptor for {artifact_pullspec}',
277+
)
278+
quay_digest = json.loads(descriptor)['digest']
269279
is_digest = get_image_stream_digest(tag)
270280

271281
return quay_digest == is_digest

tests/test_workers/test_tasks/test_oras_utils.py

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -432,41 +432,49 @@ def test_get_image_stream_digest_failure(mock_run_cmd):
432432

433433
@mock.patch('iib.workers.tasks.oras_utils.get_worker_config')
434434
@mock.patch('iib.workers.tasks.oras_utils.get_image_stream_digest')
435-
@mock.patch('iib.workers.tasks.oras_utils.get_image_digest')
436-
def test_verify_indexdb_cache_sync_match(mock_get_image_digest, mock_get_is_digest, mock_gwc):
435+
@mock.patch('iib.workers.tasks.oras_utils.run_cmd')
436+
def test_verify_indexdb_cache_sync_match(mock_run_cmd, mock_get_is_digest, mock_gwc):
437437
"""Test successful verification when digests match."""
438438
mock_gwc.return_value = {
439439
'iib_index_db_artifact_registry': 'test-artifact-registry',
440440
'iib_index_db_artifact_template': '{registry}/index-db:{tag}',
441+
'iib_index_db_oras_auth_path': '',
441442
}
442-
mock_get_image_digest.return_value = 'sha256:abc'
443+
mock_run_cmd.return_value = '{"digest": "sha256:abc"}'
443444
mock_get_is_digest.return_value = 'sha256:abc'
444445
tag = 'test-tag'
445446

446447
result = verify_indexdb_cache_sync(tag)
447448

448449
assert result is True
449-
mock_get_image_digest.assert_called_once_with('test-artifact-registry/index-db:test-tag')
450+
mock_run_cmd.assert_called_once_with(
451+
['oras', 'manifest', 'fetch', '--descriptor', 'test-artifact-registry/index-db:test-tag'],
452+
exc_msg='Failed to fetch manifest descriptor for test-artifact-registry/index-db:test-tag',
453+
)
450454
mock_get_is_digest.assert_called_once_with(tag)
451455

452456

453457
@mock.patch('iib.workers.tasks.oras_utils.get_worker_config')
454458
@mock.patch('iib.workers.tasks.oras_utils.get_image_stream_digest')
455-
@mock.patch('iib.workers.tasks.oras_utils.get_image_digest')
456-
def test_verify_indexdb_cache_sync_no_match(mock_get_image_digest, mock_get_is_digest, mock_gwc):
459+
@mock.patch('iib.workers.tasks.oras_utils.run_cmd')
460+
def test_verify_indexdb_cache_sync_no_match(mock_run_cmd, mock_get_is_digest, mock_gwc):
457461
"""Test successful verification when digests don't match."""
458462
mock_gwc.return_value = {
459463
'iib_index_db_artifact_registry': 'test-artifact-registry',
460464
'iib_index_db_artifact_template': '{registry}/index-db:{tag}',
465+
'iib_index_db_oras_auth_path': '',
461466
}
462-
mock_get_image_digest.return_value = 'sha256:abc'
467+
mock_run_cmd.return_value = '{"digest": "sha256:abc"}'
463468
mock_get_is_digest.return_value = 'sha256:xyz'
464469
tag = 'test-tag'
465470

466471
result = verify_indexdb_cache_sync(tag)
467472

468473
assert result is False
469-
mock_get_image_digest.assert_called_once_with('test-artifact-registry/index-db:test-tag')
474+
mock_run_cmd.assert_called_once_with(
475+
['oras', 'manifest', 'fetch', '--descriptor', 'test-artifact-registry/index-db:test-tag'],
476+
exc_msg='Failed to fetch manifest descriptor for test-artifact-registry/index-db:test-tag',
477+
)
470478
mock_get_is_digest.assert_called_once_with(tag)
471479

472480

0 commit comments

Comments
 (0)