fix(recipes): fully-qualify image refs in component manifests#761
Merged
Conversation
Closes #743. Two real fixes plus a regression test that prevents the class of bug going forward: 1. gke-nccl-tcpxo init container pinned: was \`image: \"ubuntu\"\` (no tag, resolved to :latest from Docker Hub), now \`ubuntu:24.04@sha256:c4a8...\` so the deployed bytes are reproducible. 2. BOM tool now combines CRD-style triplets. The \`image:\`/\`repository:\` /\`version:\` siblings used by NicClusterPolicy (network-operator) and Skyhook Package (nodewright-customizations) are not concatenated in YAML — the operator combines them at reconcile time. The previous extractor saw only \`image: doca-driver\` and reported it as untagged. walkForImages now collects the three siblings up front and emits a fully-qualified ref, e.g. \`nvcr.io/nvidia/mellanox/doca-driver:doca3.2.0-25.10-1.2.8.0-2\`. 3. New TestComponentManifestImagesAreFullyQualified walks every components/*/manifests/*.yaml via the embedded recipes.FS and asserts every extracted image has a :tag or @digest. 13 image refs verified. This catches future bare \`image: foo\` regressions in CI. The deployed image set is unchanged — versions for the network-operator and nodewright-customizations refs were already pinned in adjacent \`version:\` fields; this PR just makes the BOM reflect them correctly.
Contributor
Coverage Report ✅
Coverage BadgeMerging this branch will increase overall coverage
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. |
This comment was marked as resolved.
This comment was marked as resolved.
25 tasks
Addresses CodeRabbit's correctness finding on combineCRDTriplet. The previous logic bailed out of the repository prepend whenever \`image\` contained any slash, which silently dropped the registry for inputs shaped like: repository: nvcr.io image: nvidia/mellanox/doca-driver version: v1.0 That produced \`nvidia/mellanox/doca-driver:v1.0\`, which ParseImageRef then defaulted to docker.io — wrong registry, no warning. Fix: only treat \`image\` as already-qualified when its first path segment is an actual registry host (contains '.', ':', or equals 'localhost'), reusing the existing isRegistryHost helper. This pattern doesn't appear in our current manifests today (NicClusterPolicy splits at the registry boundary, so \`image\` is single-segment), but the failure mode would silently corrupt the BOM for a plausible future contribution. New regression test pins the corrected behavior.
lockwobr
approved these changes
May 5, 2026
ayuskauskas
approved these changes
May 5, 2026
This was referenced May 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #743. Two real fixes plus a regression test that prevents the class of bug going forward.
Motivation / Context
Inspection of
recipes/components/*/manifests/*.yaml(driven by the BOM tool from #747) flagged a handful of image references as "untagged" — risk of silent:latestdrift in production. Investigation showed only one was a real bug; the rest were a BOM-tool false positive against a CRD pattern.Fixes: #743
Refs: #739
Type of Change
Component(s) Affected
recipes/components/gke-nccl-tcpxo/manifests/)pkg/bom)recipes/manifest_images_test.go)Implementation Notes
1. Real fix: gke-nccl-tcpxo init container. Was
image: \"ubuntu\"with no tag — resolved to:latestfrom Docker Hub. Now pinned toubuntu:24.04@sha256:c4a8...for byte-level reproducibility.2. BOM tool: handle CRD-style triplets.
NicClusterPolicy(network-operator) and Skyhook Package (nodewright-customizations) declare the deployed image as three sibling fields:The operator combines them at reconcile time. The previous BOM extractor only saw
image: doca-driverand flagged it as untagged.walkForImagesnow collects sibling scalars up front and emits a fully-qualified ref (nvcr.io/nvidia/mellanox/doca-driver:doca3.2.0-25.10-1.2.8.0-2). The new logic:imageis already fully qualified (contains/or has its own tag), it's used as-is.repositoryis prepended when present, andversionis appended as a tag whenimagedoesn't already carry one.3. Regression test.
TestComponentManifestImagesAreFullyQualifiedwalks everycomponents/*/manifests/*.yamlvia the embeddedrecipes.FSand asserts every extracted image has a:tagor@digest. Currently verifies 13 image refs across the registry. This is the lint rule the issue asked for, but in test form so it runs as part ofmake qualify.Image set unchanged in production. The versions for the previously "untagged" refs were already pinned in adjacent
version:fields; this PR just makes the BOM reflect them correctly. The only deployed-byte change is theubuntuinit container, which now uses 24.04 LTS at a specific digest.Testing
make bomafter the change shows fully-qualified refs everywhere:pkg/bomcoverage held at 87.7%.Risk Assessment
Rollout notes: the new
TestComponentManifestImagesAreFullyQualifiedtest will gate future PRs that introduce bareimage: fooreferences in component manifests.Checklist
make testwith-race)make lint)git commit -S)