charts/osm: use image digest for default images

shashankram · shashankram · commit cc6a97a0c0cf · 2021-09-21T10:50:02.000-07:00
Default images corresponding to the latest released image should use the image digest instead of tags to avoid supply chain attacks, which tags are vulernable to due to being mutatble. Image digests are immutable. This change updates the way images are published during a release and also the release workflow as noted in the release guide. The change does the following: 1. Uses image digests for the control plane images instead of tags when the digests are specified. The digests must always be specified in release branches, while the code in the main branch can continue to use tags for better compatibility between the charts and images. As a result of this change, all images in the main branch will leverage the `latest-main` tag instead of release tags. This is necessary because the CLI/charts are not backward compatible with the previous release and thus unusable. The image refs in the main branch will thus use the `latest-main` tag. 2. Updates the release workflow to include a pre-release step to publish the control plane images for the release prior to the final release being cut. This is necessary because the image digests for the released images published to the container registry must be included in the charts and CLI as a part of the final release step. The release step will not rebuild the control plane images, but instead encode them into the charts/CLI and upload the release binaries. 3. Updates the release guide to reflect the new release process. Part of #3715 Signed-off-by: Shashank Ram <shashr2204@gmail.com>
diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -0,0 +1,57 @@
+name: Pre-release
+on:
+  push:
+    tags:
+      - "pre-rel-v*"
+
+jobs:
+  version:
+    name: Set Version from git ref
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - id: version
+        run: echo "::set-output name=version::$(sed 's#^refs/tags/pre-rel-\(.*\)#\1#' <<< '${{ github.ref }}')"
+
+  images:
+    name: Docker Images
+    runs-on: ubuntu-latest
+    needs: version
+    env:
+      DOCKER_USER: ${{ secrets.RELEASE_DOCKER_USER }}
+      DOCKER_PASS: ${{ secrets.RELEASE_DOCKER_PASS }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Restore Module Cache
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-gomod2-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gomod2-
+      - name: Restore Build Cache
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-gobuild-${{ hashFiles('**/*.go') }}
+      - name: Setup Go 1.16
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.16
+      - name: Docker Login
+        run: docker login --username "$DOCKER_USER" --password-stdin <<< "$DOCKER_PASS"
+      - name: Push images with version tag
+        env:
+          CTR_TAG: ${{ needs.version.outputs.version }}
+        run: make docker-push VERIFY_TAGS=1
+      - name: Push images with latest tag
+        env:
+          CTR_TAG: latest
+        run: make docker-push
+      - name: Upload image digest
+        uses: actions/upload-artifact@v2
+        with:
+          name: osm_image_digests
+          path: /tmp/osm_image_digest_*
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -105,40 +105,3 @@ jobs:
           asset_path: _dist/sha256sums.txt
           asset_name: sha256sums.txt
           asset_content_type: text/plain
-
-  images:
-    name: Docker Images
-    runs-on: ubuntu-latest
-    needs: version
-    env:
-      DOCKER_USER: ${{ secrets.RELEASE_DOCKER_USER }}
-      DOCKER_PASS: ${{ secrets.RELEASE_DOCKER_PASS }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Module Cache
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-gomod2-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gomod2-
-      - name: Restore Build Cache
-        uses: actions/cache@v2
-        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-gobuild-${{ hashFiles('**/*.go') }}
-      - name: Setup Go 1.16
-        uses: actions/setup-go@v1
-        with:
-          go-version: 1.16
-      - name: Docker Login
-        run: docker login --username "$DOCKER_USER" --password-stdin <<< "$DOCKER_PASS"
-      - name: Push images with version tag
-        env:
-          CTR_TAG: ${{ needs.version.outputs.version }}
-        run: make docker-push VERIFY_TAGS=1
-      - name: Push images with latest tag
-        env:
-          CTR_TAG: latest
-        run: make docker-push
diff --git a/Makefile b/Makefile
@@ -5,7 +5,7 @@ BINNAME         ?= osm
 DIST_DIRS       := find * -type d -exec
 CTR_REGISTRY    ?= openservicemesh
 CTR_TAG         ?= latest
-CTR_DIGEST_FILE ?= /tmp/osm_image_digest
+CTR_DIGEST_FILE ?= /tmp/osm_image_digest_$(CTR_TAG).txt
 VERIFY_TAGS ?= 0
 
 GOPATH = $(shell go env GOPATH)
@@ -253,7 +253,7 @@ DOCKER_PUSH_CONTROL_PLANE_TARGETS = $(addprefix docker-push-, init osm-controlle
 .PHONY: $(DOCKER_PUSH_CONTROL_PLANE_TARGETS)
 $(DOCKER_PUSH_CONTROL_PLANE_TARGETS): NAME=$(@:docker-push-%=%)
 $(DOCKER_PUSH_CONTROL_PLANE_TARGETS):
-	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh $(NAME) "linux"; fi
+	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh "$(NAME)" "linux" "$(CTR_REGISTRY)"; fi
 	@docker images --digests | grep "$(CTR_REGISTRY)/$(NAME)\s*$(CTR_TAG)" >> "$(CTR_DIGEST_FILE)"
 
 
@@ -262,15 +262,15 @@ DOCKER_PUSH_LINUX_TARGETS = $(addprefix docker-push-, $(DEMO_TARGETS))
 .PHONY: $(DOCKER_PUSH_LINUX_TARGETS)
 $(DOCKER_PUSH_LINUX_TARGETS): NAME=$(@:docker-push-%=%)
 $(DOCKER_PUSH_LINUX_TARGETS):
-	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh $(NAME) "linux"; fi
+	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh "$(NAME)" "linux" "$(CTR_REGISTRY)"; fi
 
 
 # Windows demo applications
 DOCKER_PUSH_WINDOWS_TARGETS = $(addprefix docker-push-windows-, $(DEMO_TARGETS))
 .PHONY: $(DOCKER_PUSH_WINDOWS_TARGETS)
 $(DOCKER_PUSH_WINDOWS_TARGETS): NAME=$(@:docker-push-%=%)
 $(DOCKER_PUSH_WINDOWS_TARGETS):
-	@if [ $(VERIFY_TAGS) != 1 ]; then make ARGS=--output=type=registry docker-build-$(NAME); else bash scripts/publish-image.sh $(addprefix windows-, $(NAME)) "windows"; fi
+	@if [ $(VERIFY_TAGS) != 1 ]; then make ARGS=--output=type=registry docker-build-$(NAME); else bash scripts/publish-image.sh "$(NAME)" "windows" "$(CTR_REGISTRY)"; fi
 
 
 .PHONY: docker-control-plane-push
diff --git a/charts/osm/Chart.yaml b/charts/osm/Chart.yaml
@@ -18,7 +18,7 @@ version: 0.9.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v0.9.2
+appVersion: latest-main
 
 # This specifies the minimum Kubernetes version OSM is compatible with.
 kubeVersion: ">= 1.19.0-0"
diff --git a/charts/osm/README.md b/charts/osm/README.md
@@ -101,9 +101,15 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.fluentBit.workspaceId | string | `""` | WorkspaceId for Fluent Bit output plugin to Log Analytics |
 | OpenServiceMesh.grafana.enableRemoteRendering | bool | `false` | Enable Remote Rendering in Grafana |
 | OpenServiceMesh.grafana.port | int | `3000` | Grafana service's port |
-| OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy |
-| OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry |
-| OpenServiceMesh.image.tag | string | `"v0.9.2"` | Container image tag |
+| OpenServiceMesh.image.digest | object | `{"osmBootstrap":"","osmCRDs":"","osmController":"","osmInjector":"","osmSidecarInit":""}` | Image digest (defaults to latest compatible tag) |
+| OpenServiceMesh.image.digest.osmBootstrap | string | `""` | osm-boostrap's image digest |
+| OpenServiceMesh.image.digest.osmCRDs | string | `""` | osm-crds' image digest |
+| OpenServiceMesh.image.digest.osmController | string | `""` | osm-controller's image digest |
+| OpenServiceMesh.image.digest.osmInjector | string | `""` | osm-injector's image digest |
+| OpenServiceMesh.image.digest.osmSidecarInit | string | `""` | Sidecar init container's image digest |
+| OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy for control plane containers |
+| OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry for control plane images |
+| OpenServiceMesh.image.tag | string | `"latest-main"` | Container image tag for control plane images |
 | OpenServiceMesh.imagePullSecrets | list | `[]` | `osm-controller` image pull secret |
 | OpenServiceMesh.inboundPortExclusionList | list | `[]` | Specifies a global list of ports to exclude from inbound traffic interception by the sidecar proxy. If specified, must be a list of positive integers. |
 | OpenServiceMesh.injector.autoScale | object | `{"enable":false,"maxReplicas":5,"minReplicas":1,"targetAverageUtilization":80}` | Auto scale configuration |
diff --git a/charts/osm/templates/_helpers.tpl b/charts/osm/templates/_helpers.tpl
@@ -38,4 +38,49 @@ securityContext:
 {{- define "osm.validatorWebhookConfigName" -}}
 {{- $validatorWebhookConfigName := printf "osm-validator-mesh-%s" .Values.OpenServiceMesh.meshName -}}
 {{ default $validatorWebhookConfigName .Values.OpenServiceMesh.validatorWebhook.webhookConfigurationName}}
+{{- end -}}
+
+{{/* osm-controller image */}}
+{{- define "osmController.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmController -}}
+{{- printf "%s/osm-controller@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmController -}}
+{{- else -}}
+{{- printf "%s/osm-controller:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* osm-injector image */}}
+{{- define "osmInjector.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmInjector -}}
+{{- printf "%s/osm-injector@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmInjector -}}
+{{- else -}}
+{{- printf "%s/osm-injector:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Sidecar init image */}}
+{{- define "osmSidecarInit.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmSidecarInit -}}
+{{- printf "%s/init@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmSidecarInit -}}
+{{- else -}}
+{{- printf "%s/init:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* osm-bootstrap image */}}
+{{- define "osmBootstrap.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmBootstrap -}}
+{{- printf "%s/osm-bootstrap@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmBootstrap -}}
+{{- else -}}
+{{- printf "%s/osm-bootstrap:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* osm-crds image */}}
+{{- define "osmCRDs.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmCRDs -}}
+{{- printf "%s/osm-crds@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmCRDs -}}
+{{- else -}}
+{{- printf "%s/osm-crds:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
 {{- end -}}
diff --git a/charts/osm/templates/cleanup-hook.yaml b/charts/osm/templates/cleanup-hook.yaml
@@ -128,7 +128,7 @@ spec:
       restartPolicy: Never
       containers:
         - name: garbage-collector
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmCRDs.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           command:
             - sh
diff --git a/charts/osm/templates/osm-bootstrap-deployment.yaml b/charts/osm/templates/osm-bootstrap-deployment.yaml
@@ -33,15 +33,15 @@ spec:
         kubernetes.io/os: linux
       initContainers:
         - name: init-osm-bootstrap
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmBootstrap.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           args:
           - apply
           - -f
           - /osm-crds
       containers:
         - name: osm-bootstrap
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-bootstrap:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmBootstrap.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "tls"
diff --git a/charts/osm/templates/osm-deployment.yaml b/charts/osm/templates/osm-deployment.yaml
@@ -47,7 +47,7 @@ spec:
             done
       containers:
         - name: osm-controller
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-controller:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmController.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "admin-port"
diff --git a/charts/osm/templates/osm-injector-deployment.yaml b/charts/osm/templates/osm-injector-deployment.yaml
@@ -46,7 +46,7 @@ spec:
             done
       containers:
         - name: osm-injector
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-injector:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmInjector.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "sidecar-inject"
diff --git a/charts/osm/templates/preset-mesh-config.yaml b/charts/osm/templates/preset-mesh-config.yaml
@@ -12,7 +12,7 @@ data:
         "maxDataPlaneConnections": {{.Values.OpenServiceMesh.maxDataPlaneConnections}},
         "envoyImage": "{{.Values.OpenServiceMesh.sidecarImage}}",
         "envoyWindowsImage": "{{.Values.OpenServiceMesh.sidecarWindowsImage}}",
-        "initContainerImage": "{{ .Values.OpenServiceMesh.image.registry }}/init:{{ .Values.OpenServiceMesh.image.tag }}",
+        "initContainerImage": "{{ include "osmSidecarInit.image" . }}",
         "configResyncInterval": "{{.Values.OpenServiceMesh.configResyncInterval}}"
       },
       "traffic": {
diff --git a/charts/osm/values.schema.json b/charts/osm/values.schema.json
@@ -215,7 +215,8 @@
                     "required": [
                         "registry",
                         "pullPolicy",
-                        "tag"
+                        "tag",
+                        "digest"
                     ],
                     "properties": {
                         "registry": {
@@ -245,6 +246,51 @@
                             "examples": [
                                 "v0.4.2"
                             ]
+                        },
+                        "digest": {
+                            "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest",
+                            "type": "object",
+                            "title": "Default image digests",
+                            "description": "Default image digests for control plane.",
+                            "required": [
+                                "osmController",
+                                "osmInjector",
+                                "osmSidecarInit",
+                                "osmCRDs",
+                                "osmBootstrap"
+                            ],
+                            "properties": {
+                                "osmController": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmController",
+                                    "type": "string",
+                                    "title": "osm-controller's image digest",
+                                    "description": "osm-controller container's image digest."
+                                },
+                                "osmInjector": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmInjector",
+                                    "type": "string",
+                                    "title": "osm-injector's image digest",
+                                    "description": "osm-injector container's image digest."
+                                },
+                                "osmSidecarInit": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmSidecarInit",
+                                    "type": "string",
+                                    "title": "osm-osmSidecarInit's image digest",
+                                    "description": "osm-osmSidecarInit container's image digest."
+                                },
+                                "osmCRDs": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmCRDs",
+                                    "type": "string",
+                                    "title": "osm-crds' image digest",
+                                    "description": "osm-crds container's image digest."
+                                },
+                                "osmBootstrap": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmBootstrap",
+                                    "type": "string",
+                                    "title": "osm-boostrap's image digest",
+                                    "description": "osm-bootstrap container's image digest."
+                                }
+                            }
                         }
                     },
                     "additionalProperties": false
diff --git a/charts/osm/values.yaml b/charts/osm/values.yaml
@@ -7,12 +7,25 @@ OpenServiceMesh:
   #
   # -- OSM control plane image parameters
   image:
-    # -- Container image registry
+    # -- Container image registry for control plane images
     registry: openservicemesh
-    # -- Container image pull policy
+    # -- Container image pull policy for control plane containers
     pullPolicy: IfNotPresent
-    # -- Container image tag
-    tag: v0.9.2
+    # -- Container image tag for control plane images
+    tag: "latest-main"
+    # -- Image digest (defaults to latest compatible tag)
+    digest:
+      # -- osm-controller's image digest
+      osmController: ""
+      # -- osm-injector's image digest
+      osmInjector: ""
+      # -- Sidecar init container's image digest
+      osmSidecarInit: ""
+      # -- osm-crds' image digest
+      osmCRDs: ""
+      # -- osm-boostrap's image digest
+      osmBootstrap: ""
+
 
   # -- `osm-controller` image pull secret
   imagePullSecrets: []
diff --git a/cmd/cli/mesh_upgrade.go b/cmd/cli/mesh_upgrade.go
@@ -15,7 +15,7 @@ import (
 
 const (
 	defaultContainerRegistry = "openservicemesh"
-	defaultOsmImageTag       = "v0.9.2"
+	defaultOsmImageTag       = "latest-main"
 )
 
 const upgradeDesc = `
diff --git a/cmd/osm-bootstrap/osm-bootstrap_test.go b/cmd/osm-bootstrap/osm-bootstrap_test.go
@@ -26,7 +26,7 @@ func TestCreateDefaultMeshConfig(t *testing.T) {
   "logLevel": "error",
   "maxDataPlaneConnections": 0,
   "envoyImage": "envoyproxy/envoy-alpine@sha256:6502a637c6c5fba4d03d0672d878d12da4bcc7a0d0fb3f1d506982dde0039abd",
-  "initContainerImage": "openservicemesh/init:v0.9.2",
+  "initContainerImage": "openservicemesh/init:latest-main",
   "configResyncInterval": "2s"
 },
 "traffic": {
diff --git a/docs/example/manifests/apps/bookbuyer.yaml b/docs/example/manifests/apps/bookbuyer.yaml
@@ -31,7 +31,7 @@ spec:
         kubernetes.io/os: linux
       containers:
         - name: bookbuyer
-          image: openservicemesh/bookbuyer:v0.9.2
+          image: openservicemesh/bookbuyer:latest-main
           imagePullPolicy: Always
           command: ["/bookbuyer"]
           env:
diff --git a/docs/example/manifests/apps/bookstore-v2.yaml b/docs/example/manifests/apps/bookstore-v2.yaml
@@ -46,7 +46,7 @@ spec:
         kubernetes.io/os: linux
       containers:
         - name: bookstore
-          image: openservicemesh/bookstore:v0.9.2
+          image: openservicemesh/bookstore:latest-main
           imagePullPolicy: Always
           ports:
             - containerPort: 14001
diff --git a/docs/example/manifests/apps/bookstore.yaml b/docs/example/manifests/apps/bookstore.yaml
diff --git a/docs/example/manifests/apps/bookthief.yaml b/docs/example/manifests/apps/bookthief.yaml
diff --git a/docs/example/manifests/apps/bookwarehouse.yaml b/docs/example/manifests/apps/bookwarehouse.yaml
diff --git a/docs/example/manifests/meshconfig/mesh-config.yaml b/docs/example/manifests/meshconfig/mesh-config.yaml
diff --git a/docs/release_guide.md b/docs/release_guide.md
diff --git a/scripts/publish-image.sh b/scripts/publish-image.sh

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ import (`
`15`	`15`
`16`	`16`	`const (`
`17`	`17`	`defaultContainerRegistry = "openservicemesh"`
`18`		`- defaultOsmImageTag = "v0.9.2"`
	`18`	`+ defaultOsmImageTag = "latest-main"`
`19`	`19`	`)`
`20`	`20`
`21`	`21`	const upgradeDesc = `