feat: add retries to image push (#3718)

AustinAbro321 · web-flow · commit f64329e47a5c · 2025-04-23T11:39:46.000Z
Signed-off-by: Austin Abro &lt;AustinAbro321@gmail.com&gt;
diff --git a/src/internal/packager/images/push.go b/src/internal/packager/images/push.go
@@ -7,13 +7,15 @@ package images
 import (
 	"context"
 	"fmt"
+	"time"
 
+	"github.com/avast/retry-go/v4"
 	"oras.land/oras-go/v2"
 	"oras.land/oras-go/v2/content/oci"
 	"oras.land/oras-go/v2/registry"
 	orasRemote "oras.land/oras-go/v2/registry/remote"
 	"oras.land/oras-go/v2/registry/remote/auth"
-	"oras.land/oras-go/v2/registry/remote/retry"
+	orasRetry "oras.land/oras-go/v2/registry/remote/retry"
 
 	"github.com/defenseunicorns/pkg/helpers/v2"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -23,41 +25,20 @@ import (
 	"github.com/zarf-dev/zarf/src/pkg/transform"
 )
 
+const defaultRetries = 3
+
 // Push pushes images to a registry.
 func Push(ctx context.Context, cfg PushConfig) error {
+	if cfg.Retries < 1 {
+		cfg.Retries = defaultRetries
+	}
 	cfg.ImageList = helpers.Unique(cfg.ImageList)
+	toPush := map[string]struct{}{}
+	for _, img := range cfg.ImageList {
+		toPush[img.Reference] = struct{}{}
+	}
 	l := logger.From(ctx)
 	registryURL := cfg.RegistryInfo.Address
-	var tunnel *cluster.Tunnel
-	c, _ := cluster.NewCluster()
-	if c != nil {
-		var err error
-		registryURL, tunnel, err = c.ConnectToZarfRegistryEndpoint(ctx, cfg.RegistryInfo)
-		if err != nil {
-			return err
-		}
-		if tunnel != nil {
-			defer tunnel.Close()
-		}
-	}
-	client := &auth.Client{
-		Client: retry.DefaultClient,
-		Cache:  auth.NewCache(),
-		Credential: auth.StaticCredential(registryURL, auth.Credential{
-			Username: cfg.RegistryInfo.PushUsername,
-			Password: cfg.RegistryInfo.PushPassword,
-		}),
-	}
-
-	plainHTTP := cfg.PlainHTTP
-
-	if dns.IsLocalhost(registryURL) && !cfg.PlainHTTP {
-		var err error
-		plainHTTP, err = shouldUsePlainHTTP(ctx, registryURL, client)
-		if err != nil {
-			return err
-		}
-	}
 	err := addRefNameAnnotationToImages(cfg.SourceDirectory)
 	if err != nil {
 		return err
@@ -68,53 +49,98 @@ func Push(ctx context.Context, cfg PushConfig) error {
 		return fmt.Errorf("failed to instantiate oci directory: %w", err)
 	}
 
-	pushImage := func(srcName, dstName string) error {
-		remoteRepo := &orasRemote.Repository{
-			PlainHTTP: plainHTTP,
-			Client:    client,
-		}
-		remoteRepo.Reference, err = registry.ParseReference(dstName)
-		if err != nil {
-			return fmt.Errorf("failed to parse ref %s: %w", dstName, err)
-		}
-		defaultPlatform := &ocispec.Platform{
-			Architecture: cfg.Arch,
-			OS:           "linux",
+	// The user may or may not have a cluster available, if it's available then use it to connect to the registry
+	c, _ := cluster.NewCluster()
+	err = retry.Do(func() error {
+		// Include tunnel connection in case the port forward breaks, for example, a registry pod could spin down / restart
+		var tunnel *cluster.Tunnel
+		if c != nil {
+			var err error
+			registryURL, tunnel, err = c.ConnectToZarfRegistryEndpoint(ctx, cfg.RegistryInfo)
+			if err != nil {
+				return err
+			}
+			if tunnel != nil {
+				defer tunnel.Close()
+			}
 		}
-		if tunnel != nil {
-			return tunnel.Wrap(func() error {
-				return copyImage(ctx, src, remoteRepo, srcName, dstName, cfg.OCIConcurrency, defaultPlatform)
-			})
+		client := &auth.Client{
+			Client: orasRetry.DefaultClient,
+			Cache:  auth.NewCache(),
+			Credential: auth.StaticCredential(registryURL, auth.Credential{
+				Username: cfg.RegistryInfo.PushUsername,
+				Password: cfg.RegistryInfo.PushPassword,
+			}),
 		}
-		return copyImage(ctx, src, remoteRepo, srcName, dstName, cfg.OCIConcurrency, defaultPlatform)
-	}
 
-	for _, img := range cfg.ImageList {
-		l.Info("pushing image", "name", img.Reference)
-		// If this is not a no checksum image push it for use with the Zarf agent
-		if !cfg.NoChecksum {
-			offlineNameCRC, err := transform.ImageTransformHost(registryURL, img.Reference)
+		plainHTTP := cfg.PlainHTTP
+
+		if dns.IsLocalhost(registryURL) && !cfg.PlainHTTP {
+			var err error
+			plainHTTP, err = shouldUsePlainHTTP(ctx, registryURL, client)
 			if err != nil {
 				return err
 			}
+		}
 
-			if err = pushImage(img.Reference, offlineNameCRC); err != nil {
-				return err
+		pushImage := func(srcName, dstName string) error {
+			remoteRepo := &orasRemote.Repository{
+				PlainHTTP: plainHTTP,
+				Client:    client,
 			}
+			remoteRepo.Reference, err = registry.ParseReference(dstName)
+			if err != nil {
+				return fmt.Errorf("failed to parse ref %s: %w", dstName, err)
+			}
+			defaultPlatform := &ocispec.Platform{
+				Architecture: cfg.Arch,
+				OS:           "linux",
+			}
+			if tunnel != nil {
+				return tunnel.Wrap(func() error {
+					return copyImage(ctx, src, remoteRepo, srcName, dstName, cfg.OCIConcurrency, defaultPlatform)
+				})
+			}
+			return copyImage(ctx, src, remoteRepo, srcName, dstName, cfg.OCIConcurrency, defaultPlatform)
 		}
+		pushed := []string{}
+		// Delete the images that were already successfully pushed so that they aren't attempted on the next retry
+		defer func() {
+			for _, refInfo := range pushed {
+				delete(toPush, refInfo)
+			}
+		}()
+		for img := range toPush {
+			l.Info("pushing image", "name", img)
+			// If this is not a no checksum image push it for use with the Zarf agent
+			if !cfg.NoChecksum {
+				offlineNameCRC, err := transform.ImageTransformHost(registryURL, img)
+				if err != nil {
+					return err
+				}
+
+				if err = pushImage(img, offlineNameCRC); err != nil {
+					return err
+				}
+			}
 
-		// To allow for other non-zarf workloads to easily see the images upload a non-checksum version
-		// (this may result in collisions but this is acceptable for this use case)
-		offlineName, err := transform.ImageTransformHostWithoutChecksum(registryURL, img.Reference)
-		if err != nil {
-			return err
-		}
+			// To allow for other non-zarf workloads to easily see the images upload a non-checksum version
+			// (this may result in collisions but this is acceptable for this use case)
+			offlineName, err := transform.ImageTransformHostWithoutChecksum(registryURL, img)
+			if err != nil {
+				return err
+			}
 
-		if err = pushImage(img.Reference, offlineName); err != nil {
-			return err
+			if err = pushImage(img, offlineName); err != nil {
+				return err
+			}
+			pushed = append(pushed, img)
 		}
+		return nil
+	}, retry.Context(ctx), retry.Attempts(uint(cfg.Retries)), retry.Delay(500*time.Millisecond))
+	if err != nil {
+		return err
 	}
-
 	return nil
 }
 
diff --git a/src/internal/packager2/mirror.go b/src/internal/packager2/mirror.go
@@ -39,7 +39,7 @@ type MirrorOptions struct {
 
 // Mirror mirrors the package contents to the given registry and git server.
 func Mirror(ctx context.Context, opt MirrorOptions) error {
-	err := pushImagesToRegistry(ctx, opt.PkgLayout, opt.RegistryInfo, opt.NoImageChecksum, opt.PlainHTTP, opt.OCIConcurrency)
+	err := pushImagesToRegistry(ctx, opt.PkgLayout, opt.RegistryInfo, opt.NoImageChecksum, opt.PlainHTTP, opt.OCIConcurrency, opt.Retries)
 	if err != nil {
 		return err
 	}
@@ -50,7 +50,7 @@ func Mirror(ctx context.Context, opt MirrorOptions) error {
 	return nil
 }
 
-func pushImagesToRegistry(ctx context.Context, pkgLayout *layout.PackageLayout, registryInfo types.RegistryInfo, noImgChecksum bool, plainHTTP bool, concurrency int) error {
+func pushImagesToRegistry(ctx context.Context, pkgLayout *layout.PackageLayout, registryInfo types.RegistryInfo, noImgChecksum bool, plainHTTP bool, concurrency int, retries int) error {
 	refs := []transform.Image{}
 	for _, component := range pkgLayout.Pkg.Components {
 		for _, img := range component.Images {
@@ -72,6 +72,7 @@ func pushImagesToRegistry(ctx context.Context, pkgLayout *layout.PackageLayout,
 		PlainHTTP:       plainHTTP,
 		NoChecksum:      noImgChecksum,
 		Arch:            pkgLayout.Pkg.Build.Architecture,
+		Retries:         retries,
 	}
 	err := images.Push(ctx, pushConfig)
 	if err != nil {
