New image policy markers not picked up when using different checkout and push branch #964

Description

@haayv

I am not sure if this is a bug, but at least the behavior is rather unintuitive. When using the ImageUpdateAutomation with different spec.git.checkout.ref.branch and spec.git.push.branch, newly added image policy markers (on the checkout branch) are not picked up by the image-automation-controller, if the push branch already exists.

Steps to reproduce:

  1. Create an ImageUpdateAutomation similar to this one:
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: buggy-image-update-automation
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: gitrepo
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        email: [email protected]
        name: fluxcdbot
    push:
      branch: flux-image-updates
  update:
    path: .
    strategy: Setters
  2. Wait for the automation to pick up changes for existing image policies and to create the flux-image-updates branch.
  3. Add a new image repo & image policy and image policy markers referencing those.
  4. On the next reconciliation only the image policy markers existing before step 3 will be picked up by the image-automation-controller. (This can be seen when running the image-automation-controller with --log-level=trace.)

Expected Behavior

The image policy markers added in step 3 should be picked up by the image-automation-controller as well.

Flux Setup

flux: v2.6.4

► checking prerequisites
✔ Kubernetes 1.32.6 >=1.31.0-0
► checking version in cluster
✔ distribution: flux-v2.6.4
✔ bootstrapped: false
► checking controllers
✔ image-automation-controller: deployment ready
► ghcr.io/fluxcd/image-automation-controller:v0.41.2
✔ image-reflector-controller: deployment ready
► ghcr.io/fluxcd/image-reflector-controller:v0.35.2
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v1.6.1
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v1.6.2
► checking crds
✔ buckets.source.toolkit.fluxcd.io/v1
✔ gitrepositories.source.toolkit.fluxcd.io/v1
✔ helmcharts.source.toolkit.fluxcd.io/v1
✔ helmrepositories.source.toolkit.fluxcd.io/v1
✔ imagepolicies.image.toolkit.fluxcd.io/v1beta2
✔ imagerepositories.image.toolkit.fluxcd.io/v1beta2
✔ imageupdateautomations.image.toolkit.fluxcd.io/v1beta2
✔ kustomizations.kustomize.toolkit.fluxcd.io/v1
✔ ocirepositories.source.toolkit.fluxcd.io/v1
✔ all checks passed

Git Provider

Enterprise GitHub

Container Registry Provider

Azure Container Registry

Context

For context:

  • The image repo is able to retrieve all image tags.
  • The image policy is able to decide the latest semver tag.
  • The image update automation is able to pick up the latest semver tag from the image policy.
  • The image-automation-controller has the appropriate permission to push/create the branch.

I have already had a look into the source code, and from my limited study of it this behavior might stem from the following code (internal/source/source.go:229-233):

func (sm *SourceManager) CheckoutSource(ctx context.Context, options ...CheckoutOption) (*git.Commit, error) {
	//...
	if sm.srcCfg.switchBranch {
		if err := sm.gitClient.SwitchBranch(gitOpCtx, sm.srcCfg.pushBranch); err != nil {
			return nil, err
		}
	}
	//...
}

This code seems to run before scanning for image policy markers and switches the cloned repository to the push branch. This causes the image-automation-controller to miss the newly added image policy markers available only on the checkout branch.

If I am mistaken and this is not a bug but rather intended behavior, and/or it is already part of the documentation and I just missed it, or if further information/clarifications are necessary, please let me know.
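As an added example (not part of the issue above or of the Flux code base), the following POSIX shell script reproduces the git-level situation the report describes: a push branch created from the checkout branch, followed by a new marker committed only to the checkout branch. The repository contents, branch names and image names are constructed; the marker syntax is Flux's setter format `# {"$imagepolicy": "<namespace>:<policy>"}`.

```shell
#!/bin/sh
# Added example: shows why scanning after switching to an existing push branch
# sees fewer image policy markers than the checkout branch carries.
set -eu

# Count Flux setter markers reachable from a branch, without touching the worktree.
count_markers() {  # $1 = repo dir, $2 = branch name
  git -C "$1" grep -h -F '{"$imagepolicy":' "$2" | wc -l | tr -d ' '
}

# Build a constructed repository that follows the issue's reproduction steps.
setup_repo() {  # $1 = directory to (re)create
  rm -rf "$1"
  git init -q "$1"
  git -C "$1" symbolic-ref HEAD refs/heads/main          # checkout branch: main
  git -C "$1" config user.email "bot@example.invalid"    # constructed identity
  git -C "$1" config user.name "example-bot"
  git -C "$1" config commit.gpgsign false

  # Step 1/2: one marker exists; the controller creates the push branch from main.
  cat > "$1/app.yaml" <<'EOF'
image: registry.example/app:1.0.0 # {"$imagepolicy": "flux-system:app"}
EOF
  git -C "$1" add -A && git -C "$1" commit -qm "initial marker"
  git -C "$1" branch flux-image-updates main             # push branch now exists

  # Step 3: a new policy marker lands on the checkout branch only.
  cat > "$1/sidecar.yaml" <<'EOF'
image: registry.example/sidecar:1.0.0 # {"$imagepolicy": "flux-system:sidecar"}
EOF
  git -C "$1" add -A && git -C "$1" commit -qm "add sidecar marker"
}

# Prints "<markers on checkout branch> <markers on push branch>".
# A scan that runs after switching to flux-image-updates sees only the second number.
demo() {  # $1 = directory for the constructed repo
  setup_repo "$1"
  echo "$(count_markers "$1" main) $(count_markers "$1" flux-image-updates)"
}

if [ $# -gt 0 ]; then demo "$1"; fi
```

Running `count_markers` against a real clone with both branch names compares what a scan on each branch would find, which is a quick way to confirm whether a missing marker is explained by branch divergence.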
