Made the image digest exporter report image digest if there is only o…

…ne image. Currently the image digest exporter does not implemented the behavior described in the resources doc, which says "if there are multiple versions of the image, the latest will be used." Instead, it reports the digest of `index.json`, which is an image index. This behavior introduces a usability issue: one of the major public container registry --- dockerhub --- does not support OCI image indices, and there are very few tools (if any) that support converting OCI image indices to docker manifest lists. Skopeo currently only support pushing an OCI image index that contain only one image. If the index has more than one images, it requires the user to specify one: containers/skopeo#107 containers/image#400 Essentially, these limitations make the image digest exporter useless. To make this feature useful, the exporter could instead implement the following behavior: 1. If there is only one image in `index.json`, report the image's digest. 2. If there are multiple images, report the digest of the full index. The advantage of this behavior is that, we can immediately use it (in conjunction of GoogleContainerTools/kaniko#744), yet if multi-image manifests are more widely supported, the image digest exporter can still support that without any modification.
tektoncd · tekton-robot · Sep 6, 2019 · Aug 23, 2019 · Sep 4, 2019 · Sep 4, 2019
commit 86aa9ed1a9cc6b73bff37ee1a70fb2bef8ac4ab7
diff --git a/cmd/imagedigestexporter/main.go b/cmd/imagedigestexporter/main.go
@@ -22,6 +22,7 @@ import (
 	"log"
 	"os"
 
+	"github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	v1alpha1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 )
@@ -55,9 +56,19 @@ func main() {
 			log.Printf("ImageResource %s doesn't have an index.json file: %s", imageResource.Name, err)
 			continue
 		}
-		digest, err := ii.Digest()
+		// If there is only one image in the index, report the digest of the image; otherwise, report the digest of the whole index.
+		digest, err := func() (v1.Hash, error) {
+			im, err := ii.IndexManifest()
+			if err != nil {
+				return v1.Hash{}, err
+			}
+			if len(im.Manifests) == 1 {
+				return im.Manifests[0].Digest, nil
+			}
+			return ii.Digest()
+		}()
 		if err != nil {
-			log.Fatalf("Unexpected error getting image digest %v: %v", imageResource, err)
+			log.Fatalf("Unexpected error getting image digest for %s: %v", imageResource.Name, err)
 		}
 		output = append(output, v1alpha1.PipelineResourceResult{Name: imageResource.Name, Digest: digest.String()})
 	}

diff --git a/docs/resources.md b/docs/resources.md
@@ -289,9 +289,9 @@ To surface the image digest in the output of the `taskRun` the builder tool
 should produce this information in a
 [OCI Image Spec](https://github.com/opencontainers/image-spec/blob/master/image-layout.md)
 `index.json` file. This file should be placed on a location as specified in the
-task definition under the resource `outputImageDir`. Annotations in `index.json`
-will be ignored, and if there are multiple versions of the image, the latest
-will be used.
+task definition under the resource `outputImageDir`. If there is only one image
+in the `index.json` file, the digest of that image is exported; otherwise, the
+digest of the whole image index would be exported.
 
 For example this build-push task defines the `outputImageDir` for the
 `builtImage` resource in `/workspace/buildImage`