charts/osm: use image digest for default images

shashankram · shashankram · commit 3e5364479e0c · 2021-09-14T10:05:35.000-07:00
Default images corresponding to the latest released image should use the image digest instead of tags to avoid supply chain attacks, which tags are vulernable to due to being mutatble. Image digests are immutable. Image tags will be used only if specified. Part of #3715 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
diff --git a/charts/osm/README.md b/charts/osm/README.md
@@ -100,9 +100,15 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.fluentBit.workspaceId | string | `""` | WorkspaceId for Fluent Bit output plugin to Log Analytics |
 | OpenServiceMesh.grafana.enableRemoteRendering | bool | `false` | Enable Remote Rendering in Grafana |
 | OpenServiceMesh.grafana.port | int | `3000` | Grafana service's port |
-| OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy |
-| OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry |
-| OpenServiceMesh.image.tag | string | `"v0.9.2"` | Container image tag |
+| OpenServiceMesh.image.digest | object | `{"osmBootstrap":"","osmCRDs":"","osmController":"sha256:f77659d771d82c8f053bf008fd513574bde5021ea344289ffd47de863fac4461","osmInjector":"sha256:c3ded5e1cd4b02474aac573a7437c8e8a91ada556e05060701af4be3982c02b2","osmSidecarInit":"sha256:3717f5054f835ccefc751c6fe5d4b2824038dc49514e811bf867093206ec2ce1"}` | Image digest (defaults to latest release) |
+| OpenServiceMesh.image.digest.osmBootstrap | string | `""` | osm-boostrap's image digest for v0.9.2 (not available) |
+| OpenServiceMesh.image.digest.osmCRDs | string | `""` | osm-crds' image digest for v0.9.2 (not available) |
+| OpenServiceMesh.image.digest.osmController | string | `"sha256:f77659d771d82c8f053bf008fd513574bde5021ea344289ffd47de863fac4461"` | osm-controller's image digest for v0.9.2 |
+| OpenServiceMesh.image.digest.osmInjector | string | `"sha256:c3ded5e1cd4b02474aac573a7437c8e8a91ada556e05060701af4be3982c02b2"` | osm-injector's image digest for v0.9.2 |
+| OpenServiceMesh.image.digest.osmSidecarInit | string | `"sha256:3717f5054f835ccefc751c6fe5d4b2824038dc49514e811bf867093206ec2ce1"` | Sidecar init container's image digest for v0.9.2 |
+| OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy for control plane containers |
+| OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry for control plane images |
+| OpenServiceMesh.image.tag | string | `""` | Container image tag for control plane images |
 | OpenServiceMesh.imagePullSecrets | list | `[]` | `osm-controller` image pull secret |
 | OpenServiceMesh.inboundPortExclusionList | list | `[]` | Specifies a global list of ports to exclude from inbound traffic interception by the sidecar proxy. If specified, must be a list of positive integers. |
 | OpenServiceMesh.injector.autoScale | object | `{"enable":false,"maxReplicas":5,"minReplicas":1,"targetAverageUtilization":80}` | Auto scale configuration |
diff --git a/charts/osm/templates/cleanup-hook.yaml b/charts/osm/templates/cleanup-hook.yaml
@@ -128,7 +128,11 @@ spec:
       restartPolicy: Never
       containers:
         - name: garbage-collector
+          {{- if .Values.OpenServiceMesh.image.tag }}
           image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds:{{ .Values.OpenServiceMesh.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds@{{ .Values.OpenServiceMesh.image.digest.osmCRDs }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           command:
             - sh
diff --git a/charts/osm/templates/osm-bootstrap-deployment.yaml b/charts/osm/templates/osm-bootstrap-deployment.yaml
@@ -33,15 +33,23 @@ spec:
         kubernetes.io/os: linux
       initContainers:
         - name: init-osm-bootstrap
+          {{- if .Values.OpenServiceMesh.image.tag }}
           image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds:{{ .Values.OpenServiceMesh.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds@{{ .Values.OpenServiceMesh.image.digest.osmCRDs }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           args:
           - apply
           - -f
           - /osm-crds
       containers:
         - name: osm-bootstrap
+          {{- if .Values.OpenServiceMesh.image.tag }}
           image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-bootstrap:{{ .Values.OpenServiceMesh.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-bootstrap@{{ .Values.OpenServiceMesh.image.digest.osmBootstrap }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "tls"
diff --git a/charts/osm/templates/osm-deployment.yaml b/charts/osm/templates/osm-deployment.yaml
@@ -47,7 +47,11 @@ spec:
             done
       containers:
         - name: osm-controller
+          {{- if .Values.OpenServiceMesh.image.tag }}
           image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-controller:{{ .Values.OpenServiceMesh.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-controller@{{ .Values.OpenServiceMesh.image.digest.osmController }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "admin-port"
diff --git a/charts/osm/templates/osm-injector-deployment.yaml b/charts/osm/templates/osm-injector-deployment.yaml
@@ -46,7 +46,11 @@ spec:
             done
       containers:
         - name: osm-injector
+          {{- if .Values.OpenServiceMesh.image.tag }}
           image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-injector:{{ .Values.OpenServiceMesh.image.tag }}"
+          {{- else }}
+          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-injector@{{ .Values.OpenServiceMesh.image.digest.osmInjector }}"
+          {{- end }}
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "sidecar-inject"
diff --git a/charts/osm/templates/preset-mesh-config.yaml b/charts/osm/templates/preset-mesh-config.yaml
@@ -12,7 +12,11 @@ data:
         "maxDataPlaneConnections": {{.Values.OpenServiceMesh.maxDataPlaneConnections}},
         "envoyImage": "{{.Values.OpenServiceMesh.sidecarImage}}",
         "envoyWindowsImage": "{{.Values.OpenServiceMesh.sidecarWindowsImage}}",
+        {{- if .Values.OpenServiceMesh.image.tag }}
         "initContainerImage": "{{ .Values.OpenServiceMesh.image.registry }}/init:{{ .Values.OpenServiceMesh.image.tag }}",
+        {{- else }}
+        "initContainerImage": "{{ .Values.OpenServiceMesh.image.registry }}/init@{{ .Values.OpenServiceMesh.image.digest.osmSidecarInit }}",
+        {{- end }}
         "configResyncInterval": "{{.Values.OpenServiceMesh.configResyncInterval}}"
       },
       "traffic": {
diff --git a/charts/osm/values.schema.json b/charts/osm/values.schema.json
@@ -214,7 +214,8 @@
                     "required": [
                         "registry",
                         "pullPolicy",
-                        "tag"
+                        "tag",
+                        "digest"
                     ],
                     "properties": {
                         "registry": {
@@ -244,6 +245,51 @@
                             "examples": [
                                 "v0.4.2"
                             ]
+                        },
+                        "digest": {
+                            "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest",
+                            "type": "object",
+                            "title": "Default image digests",
+                            "description": "Default image digests for control plane.",
+                            "required": [
+                                "osmController",
+                                "osmInjector",
+                                "osmSidecarInit",
+                                "osmCRDs",
+                                "osmBootstrap"
+                            ],
+                            "properties": {
+                                "osmController": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmController",
+                                    "type": "string",
+                                    "title": "osm-controller's image digest",
+                                    "description": "osm-controller container's image digest."
+                                },
+                                "osmInjector": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmInjector",
+                                    "type": "string",
+                                    "title": "osm-injector's image digest",
+                                    "description": "osm-injector container's image digest."
+                                },
+                                "osmSidecarInit": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmSidecarInit",
+                                    "type": "string",
+                                    "title": "osm-osmSidecarInit's image digest",
+                                    "description": "osm-osmSidecarInit container's image digest."
+                                },
+                                "osmCRDs": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmCRDs",
+                                    "type": "string",
+                                    "title": "osm-crds' image digest",
+                                    "description": "osm-crds container's image digest."
+                                },
+                                "osmBootstrap": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmBootstrap",
+                                    "type": "string",
+                                    "title": "osm-boostrap's image digest",
+                                    "description": "osm-bootstrap container's image digest."
+                                }
+                            }
                         }
                     },
                     "additionalProperties": false
diff --git a/charts/osm/values.yaml b/charts/osm/values.yaml
@@ -7,12 +7,25 @@ OpenServiceMesh:
   #
   # -- OSM control plane image parameters
   image:
-    # -- Container image registry
+    # -- Container image registry for control plane images
     registry: openservicemesh
-    # -- Container image pull policy
+    # -- Container image pull policy for control plane containers
     pullPolicy: IfNotPresent
-    # -- Container image tag
-    tag: v0.9.2
+    # -- Container image tag for control plane images
+    tag: ""
+    # -- Image digest (defaults to latest release)
+    digest:
+      # -- osm-controller's image digest for v0.9.2
+      osmController: "sha256:f77659d771d82c8f053bf008fd513574bde5021ea344289ffd47de863fac4461"
+      # -- osm-injector's image digest for v0.9.2
+      osmInjector: "sha256:c3ded5e1cd4b02474aac573a7437c8e8a91ada556e05060701af4be3982c02b2"
+      # -- Sidecar init container's image digest for v0.9.2
+      osmSidecarInit: "sha256:3717f5054f835ccefc751c6fe5d4b2824038dc49514e811bf867093206ec2ce1"
+      # -- osm-crds' image digest for v0.9.2 (not available)
+      osmCRDs: ""
+      # -- osm-boostrap's image digest for v0.9.2 (not available)
+      osmBootstrap: ""
+
 
   # -- `osm-controller` image pull secret
   imagePullSecrets: []
diff --git a/docs/release_guide.md b/docs/release_guide.md
@@ -54,13 +54,13 @@ If there are other commits on the `main` branch to be included in the release (s
 
 Create a new commit on the patch branch to update the hardcoded version information in the following locations:
 
-* The container image tag in [charts/osm/values.yaml](/charts/osm/values.yaml)
+* The container image digests `OpenServiceMesh.image.digest` for images in [charts/osm/values.yaml](/charts/osm/values.yaml)
 * The chart and app version in [charts/osm/Chart.yaml](/charts/osm/Chart.yaml)
 * The default osm image tag in [osm cli mesh upgrade](/cmd/cli/mesh_upgrade.go)
 * The Helm chart [README.md](/charts/osm/README.md)
   - Necessary changes should be made automatically by running `make chart-readme`
-* The init container image version in [charts/osm/crds/meshconfig.yaml](/charts/osm/crds/meshconfig.yaml)
-* The init container image version in [pkg/constants/constants.go](/pkg/constants/constants.go)
+* The init container image digest in [charts/osm/crds/meshconfig.yaml](/charts/osm/crds/meshconfig.yaml)
+* The init container image digest in [pkg/constants/constants.go](/pkg/constants/constants.go)
 * The image versions contained in tests.
   - [pkg/configurator/methods_test.go](/pkg/configurator/methods_test.go)
 * The container image versions used in the examples.
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
@@ -67,7 +67,7 @@ const (
 	DefaultEnvoyWindowsImage = "envoyproxy/envoy-windows@sha256:c904fda95891ebbccb9b1f24c1a9482c8d01cbca215dd081fc8c8db36db85f85"
 
 	// DefaultInitContainerImage is the default init container image if not defined in the osm MeshConfig
-	DefaultInitContainerImage = "openservicemesh/init:v0.9.2"
+	DefaultInitContainerImage = "openservicemesh/init@sha256:3717f5054f835ccefc751c6fe5d4b2824038dc49514e811bf867093206ec2ce1"
 
 	// EnvoyPrometheusInboundListenerPort is Envoy's inbound listener port number for prometheus
 	EnvoyPrometheusInboundListenerPort = 15010
