Skip to content

[deckhouse-cli] Skip database pulling when they don't exist#327

Draft
Glitchy-Sheep wants to merge 3 commits intomainfrom
fix/ambiguous-security-images-logs
Draft

[deckhouse-cli] Skip database pulling when they don't exist#327
Glitchy-Sheep wants to merge 3 commits intomainfrom
fix/ambiguous-security-images-logs

Conversation

@Glitchy-Sheep
Copy link
Copy Markdown
Contributor

@Glitchy-Sheep Glitchy-Sheep commented Apr 14, 2026

Problem

When running d8 mirror pull for editions without security databases (CE, BE, SE), the logs are contradictory:

  1. "Skipping pull of security databases"
  2. for each of the 4 databases - "Not found in registry, skipping pull"
  3. "All required Security Databases are pulled!"
  4. After pulling - an empty security.tar is created with no actual data.

The user sees "skipping" and "all pulled" at the same time and cannot understand what actually happened.

Root cause

validateSecurityAccess detects missing security images in the registry, logs "Skipping", but returns nil.

  • The caller cannot distinguish "images exist" from "images not found" - both cases return err == nil.
  • It proceeds with the pull, making 4 unnecessary requests to the registry and packing empty OCI layouts into security.tar.

Fix

Rename validateSecurityAccess with securityDatabasesAvailable which returns (bool, error).
When !available, the entire pull is skipped - no unnecessary requests, no contradictory logs, no empty security.tar.

Before (Pulling non existing security)

2026-04-14 AT 17 29

After (Pulling non existing security)

2026-04-14 AT 17 29

After - (Pulling existing security)

2026-04-14 AT 17 31

@Glitchy-Sheep Glitchy-Sheep self-assigned this Apr 14, 2026
@Glitchy-Sheep Glitchy-Sheep added the bug Something isn't working label Apr 14, 2026
@Glitchy-Sheep
Skip security databases pull for editions without them
8db4601 
- Editions without security databases (CE, BE, SE) produced contradictory logs: "Skipping pull" followed by "All required databases are pulled" and an empty security.tar
- securityDatabasesAvailable now returns (bool, error) so the caller can distinguish "images exist" from "images not found" and skip the entire pull early

Signed-off-by: Roman Berezkin <roman.berezkin@flant.com>
@Glitchy-Sheep Glitchy-Sheep force-pushed the fix/ambiguous-security-images-logs branch from c906111 to 8db4601 Compare April 14, 2026 14:44
@Glitchy-Sheep
Update "pull security" tests according to new behavior
468604c 
Signed-off-by: Roman Berezkin <roman.berezkin@flant.com>
@Glitchy-Sheep
Add security pull test for "skip when unavailable" behavior
ff8bb6a 
Signed-off-by: Roman Berezkin <roman.berezkin@flant.com>
@Glitchy-Sheep Glitchy-Sheep marked this pull request as ready for review April 14, 2026 15:16
@Glitchy-Sheep Glitchy-Sheep marked this pull request as draft April 15, 2026 09:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ldmonster ldmonster Awaiting requested review from ldmonster ldmonster is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@Glitchy-Sheep Glitchy-Sheep

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Glitchy-Sheep