Overview
Package imagecheck verifies container image availability locally.
Constants
This section is empty.
Variables
ErrDigestUnavailable is returned when a digest cannot be resolved for an image, e.g. when the engine does not expose one at task-spec construction time (Kubernetes resolves digests in the kubelet pull status, not before the pod exists). Callers treat this as "fall back to the literal tag": a cache miss is always safe, so an unresolved digest never produces a stale hit; it only forgoes the extra tamper-evidence for that step.
Functions
This section is empty.
Types
type DigestFunc
DigestFunc resolves a single image reference to its content digest (sha256:...). Implementations may perform network I/O (a registry pull or inspect); the Resolver wraps them with a short-TTL cache so steady-state runs pay the cost at most once per TTL window.
type Resolver
type Resolver struct {
// contains filtered or unexported fields
}
Resolver resolves image tags to content digests and caches the mapping with a short, per-call TTL. It is safe for concurrent use. Resolution is engine-aware: each supported engine supplies a DigestFunc; engines without one (or with a nil func) report ErrDigestUnavailable so the caller falls back to the tag.
The TTL is supplied per Resolve call (not fixed on the Resolver) so different jobs can demand different freshness against the same warm cache — e.g. a job with digestTTL: 0 re-resolves every check (immediate moved-tag detection) while others reuse the steady-state default and pay no registry round-trip.
func Default
func Default() *Resolver
Default returns a process-wide shared Resolver, built lazily on first call. Sharing one instance means the tag->digest cache is warm across runs, so steady-state execution pays no per-task registry round-trip. The cache TTL is supplied per Resolve call, so the shared instance can serve jobs with different freshness requirements.
func NewResolver
func NewResolver(opts ...ResolverOption) *Resolver
NewResolver builds a Resolver. By default the Docker engine resolves via the local Docker daemon: it inspects the image (using its content config digest / RepoDigests) and, only if the image is not already present locally, pulls it first so a digest is available. The cache TTL is supplied per Resolve call.
Registry auth limitation: the pull-if-absent path uses an anonymous pull (no RegistryAuth is sent), so digest resolution for an image that must be pulled from a *private* registry will fail and the step falls back to the literal tag — which is always safe (a cache miss is never a stale hit). Images already present locally (the steady-state case, and any image the runtime already pulled) resolve without auth. Wiring RegistryAuth from the secret providers is a tracked follow-up. Podman and Kubernetes have no pre-run digest source wired here yet, so they also fall back to the tag.
func (*Resolver) Resolve
func (r *Resolver) Resolve(ctx context.Context, engine models.AtomEngine, imageRef string, ttl time.Duration) (string, error)
Resolve returns the content digest (sha256:...) for the image run by the given engine. On any resolution failure it returns ErrDigestUnavailable (the underlying cause is logged), so callers can fall back to the tag without special-casing every engine.
ttl bounds how long a resolved tag->digest mapping is reused. It is a perf cache: within the window a moved tag is NOT re-detected (the prior digest is served). A ttl of 0 (or negative) disables the cache for this call — the digest is re-resolved every time, so a moved tag is detected immediately at the cost of a registry round-trip per check. Different callers may pass different TTLs against the same shared, warm cache.
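The per-call TTL and tag-fallback behaviour described above (for ErrDigestUnavailable, Resolver and Resolve), as an added standalone sketch that is not the package's own code. The names ttlCache, errUnavailable and keyFor, the fetch callback shape and the digest values are all hypothetical or constructed; the sketch also omits the locking the real Resolver needs for concurrent use.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// errUnavailable stands in for the package's ErrDigestUnavailable.
var errUnavailable = errors.New("digest unavailable")
type entry struct{ digest string; at time.Time }

// ttlCache is a hypothetical, single-goroutine stand-in for the Resolver's cache.
type ttlCache struct {
	now   func() time.Time
	fetch func(ref string) (string, error) // assumed shape of an engine lookup
	m     map[string]entry
}

// resolve serves a cached digest younger than ttl; ttl <= 0 always re-resolves.
func (c *ttlCache) resolve(ref string, ttl time.Duration) (string, error) {
	if e, ok := c.m[ref]; ok && ttl > 0 && c.now().Sub(e.at) < ttl {
		return e.digest, nil
	}
	d, err := c.fetch(ref)
	if err != nil {
		return "", errUnavailable // failure never serves an expired entry
	}
	c.m[ref] = entry{d, c.now()}
	return d, nil
}

// keyFor returns the digest when resolvable, otherwise the literal tag.
func keyFor(c *ttlCache, ref string, ttl time.Duration) string {
	if d, err := c.resolve(ref, ttl); err == nil {
		return d
	}
	return ref
}

func main() {
	live := "sha256:aaaa" // constructed digest the fake registry currently serves
	c := &ttlCache{now: time.Now, m: map[string]entry{},
		fetch: func(string) (string, error) { return live, nil }}
	fmt.Println(keyFor(c, "app:1.0", time.Minute)) // resolves and caches aaaa
	live = "sha256:bbbb"                           // the tag now points elsewhere
	fmt.Println(keyFor(c, "app:1.0", time.Minute)) // still aaaa within the window
	fmt.Println(keyFor(c, "app:1.0", 0))           // ttl 0 re-resolves and sees bbbb
}
```

The middle call is the trade-off the ttl paragraph describes: within the window the earlier digest is served even though the tag has moved.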
type ResolverOption
type ResolverOption func(*Resolver)
ResolverOption configures a Resolver.
func WithClock
func WithClock(now func() time.Time) ResolverOption
WithClock overrides the clock used for TTL expiry (test seam).
func WithEngineDigestFunc
func WithEngineDigestFunc(engine models.AtomEngine, fn DigestFunc) ResolverOption
WithEngineDigestFunc registers (or overrides) the DigestFunc for an engine. Primarily a test seam; production wiring uses NewResolver's defaults.