charts/osm: use image digest for default images

.github/workflows/pre-release.yml

@@ -0,0 +1,57 @@
+name: Pre-release
+on:
+  push:
+    tags:
+      - "pre-rel-v*"
+
+jobs:
+  version:
+    name: Set Version from git ref
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - id: version
+        run: echo "::set-output name=version::$(sed 's#^refs/tags/pre-rel-\(.*\)#\1#' <<< '${{ github.ref }}')"
+
+  images:
+    name: Docker Images
+    runs-on: ubuntu-latest
+    needs: version
+    env:
+      DOCKER_USER: ${{ secrets.RELEASE_DOCKER_USER }}
+      DOCKER_PASS: ${{ secrets.RELEASE_DOCKER_PASS }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Restore Module Cache
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-gomod2-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gomod2-
+      - name: Restore Build Cache
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-gobuild-${{ hashFiles('**/*.go') }}
+      - name: Setup Go 1.16
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.16
+      - name: Docker Login
+        run: docker login --username "$DOCKER_USER" --password-stdin <<< "$DOCKER_PASS"
+      - name: Push images with version tag
+        env:
+          CTR_TAG: ${{ needs.version.outputs.version }}
+        run: make docker-push VERIFY_TAGS=1
+      - name: Push images with latest tag
+        env:
+          CTR_TAG: latest
+        run: make docker-push
+      - name: Upload image digest
+        uses: actions/upload-artifact@v2
+        with:
+          name: osm_image_digests
+          path: /tmp/osm_image_digest_*

.github/workflows/release.yml

@@ -105,40 +105,3 @@ jobs:
           asset_path: _dist/sha256sums.txt
           asset_name: sha256sums.txt
           asset_content_type: text/plain
-
-  images:
-    name: Docker Images
-    runs-on: ubuntu-latest
-    needs: version
-    env:
-      DOCKER_USER: ${{ secrets.RELEASE_DOCKER_USER }}
-      DOCKER_PASS: ${{ secrets.RELEASE_DOCKER_PASS }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Module Cache
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-gomod2-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gomod2-
-      - name: Restore Build Cache
-        uses: actions/cache@v2
-        with:
-          path: ~/.cache/go-build
-          key: ${{ runner.os }}-gobuild-${{ hashFiles('**/*.go') }}
-      - name: Setup Go 1.16
-        uses: actions/setup-go@v1
-        with:
-          go-version: 1.16
-      - name: Docker Login
-        run: docker login --username "$DOCKER_USER" --password-stdin <<< "$DOCKER_PASS"
-      - name: Push images with version tag
-        env:
-          CTR_TAG: ${{ needs.version.outputs.version }}
-        run: make docker-push VERIFY_TAGS=1
-      - name: Push images with latest tag
-        env:
-          CTR_TAG: latest
-        run: make docker-push

Makefile

@@ -5,7 +5,7 @@ BINNAME         ?= osm
 DIST_DIRS       := find * -type d -exec
 CTR_REGISTRY    ?= openservicemesh
 CTR_TAG         ?= latest
-CTR_DIGEST_FILE ?= /tmp/osm_image_digest
+CTR_DIGEST_FILE ?= /tmp/osm_image_digest_$(CTR_TAG).txt
 VERIFY_TAGS ?= 0
 
 GOPATH = $(shell go env GOPATH)
@@ -253,7 +253,7 @@ DOCKER_PUSH_CONTROL_PLANE_TARGETS = $(addprefix docker-push-, init osm-controlle
 .PHONY: $(DOCKER_PUSH_CONTROL_PLANE_TARGETS)
 $(DOCKER_PUSH_CONTROL_PLANE_TARGETS): NAME=$(@:docker-push-%=%)
 $(DOCKER_PUSH_CONTROL_PLANE_TARGETS):
-	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh $(NAME) "linux"; fi
+	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh "$(NAME)" "linux" "$(CTR_REGISTRY)"; fi
 	@docker images --digests | grep "$(CTR_REGISTRY)/$(NAME)\s*$(CTR_TAG)" >> "$(CTR_DIGEST_FILE)"
 
 
@@ -262,15 +262,15 @@ DOCKER_PUSH_LINUX_TARGETS = $(addprefix docker-push-, $(DEMO_TARGETS))
 .PHONY: $(DOCKER_PUSH_LINUX_TARGETS)
 $(DOCKER_PUSH_LINUX_TARGETS): NAME=$(@:docker-push-%=%)
 $(DOCKER_PUSH_LINUX_TARGETS):
-	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh $(NAME) "linux"; fi
+	@if [ $(VERIFY_TAGS) != 1 ]; then make docker-build-$(NAME) && docker push "$(CTR_REGISTRY)/$(NAME):$(CTR_TAG)"; else bash scripts/publish-image.sh "$(NAME)" "linux" "$(CTR_REGISTRY)"; fi
 
 
 # Windows demo applications
 DOCKER_PUSH_WINDOWS_TARGETS = $(addprefix docker-push-windows-, $(DEMO_TARGETS))
 .PHONY: $(DOCKER_PUSH_WINDOWS_TARGETS)
 $(DOCKER_PUSH_WINDOWS_TARGETS): NAME=$(@:docker-push-%=%)
 $(DOCKER_PUSH_WINDOWS_TARGETS):
-	@if [ $(VERIFY_TAGS) != 1 ]; then make ARGS=--output=type=registry docker-build-$(NAME); else bash scripts/publish-image.sh $(addprefix windows-, $(NAME)) "windows"; fi
+	@if [ $(VERIFY_TAGS) != 1 ]; then make ARGS=--output=type=registry docker-build-$(NAME); else bash scripts/publish-image.sh "$(NAME)" "windows" "$(CTR_REGISTRY)"; fi
 
 
 .PHONY: docker-control-plane-push

charts/osm/Chart.yaml

@@ -18,7 +18,7 @@ version: 0.9.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v0.9.2
+appVersion: latest-main
 
 # This specifies the minimum Kubernetes version OSM is compatible with.
 kubeVersion: ">= 1.19.0-0"

charts/osm/README.md

@@ -101,9 +101,15 @@ The following table lists the configurable parameters of the osm chart and their
 | OpenServiceMesh.fluentBit.workspaceId | string | `""` | WorkspaceId for Fluent Bit output plugin to Log Analytics |
 | OpenServiceMesh.grafana.enableRemoteRendering | bool | `false` | Enable Remote Rendering in Grafana |
 | OpenServiceMesh.grafana.port | int | `3000` | Grafana service's port |
-| OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy |
-| OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry |
-| OpenServiceMesh.image.tag | string | `"v0.9.2"` | Container image tag |
+| OpenServiceMesh.image.digest | object | `{"osmBootstrap":"","osmCRDs":"","osmController":"","osmInjector":"","osmSidecarInit":""}` | Image digest (defaults to latest compatible tag) |
+| OpenServiceMesh.image.digest.osmBootstrap | string | `""` | osm-boostrap's image digest |
+| OpenServiceMesh.image.digest.osmCRDs | string | `""` | osm-crds' image digest |
+| OpenServiceMesh.image.digest.osmController | string | `""` | osm-controller's image digest |
+| OpenServiceMesh.image.digest.osmInjector | string | `""` | osm-injector's image digest |
+| OpenServiceMesh.image.digest.osmSidecarInit | string | `""` | Sidecar init container's image digest |
+| OpenServiceMesh.image.pullPolicy | string | `"IfNotPresent"` | Container image pull policy for control plane containers |
+| OpenServiceMesh.image.registry | string | `"openservicemesh"` | Container image registry for control plane images |
+| OpenServiceMesh.image.tag | string | `"latest-main"` | Container image tag for control plane images |
 | OpenServiceMesh.imagePullSecrets | list | `[]` | `osm-controller` image pull secret |
 | OpenServiceMesh.inboundPortExclusionList | list | `[]` | Specifies a global list of ports to exclude from inbound traffic interception by the sidecar proxy. If specified, must be a list of positive integers. |
 | OpenServiceMesh.injector.autoScale | object | `{"enable":false,"maxReplicas":5,"minReplicas":1,"targetAverageUtilization":80}` | Auto scale configuration |

charts/osm/templates/_helpers.tpl

@@ -38,4 +38,49 @@ securityContext:
 {{- define "osm.validatorWebhookConfigName" -}}
 {{- $validatorWebhookConfigName := printf "osm-validator-mesh-%s" .Values.OpenServiceMesh.meshName -}}
 {{ default $validatorWebhookConfigName .Values.OpenServiceMesh.validatorWebhook.webhookConfigurationName}}
+{{- end -}}
+
+{{/* osm-controller image */}}
+{{- define "osmController.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmController -}}
+{{- printf "%s/osm-controller@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmController -}}
+{{- else -}}
+{{- printf "%s/osm-controller:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* osm-injector image */}}
+{{- define "osmInjector.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmInjector -}}
+{{- printf "%s/osm-injector@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmInjector -}}
+{{- else -}}
+{{- printf "%s/osm-injector:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Sidecar init image */}}
+{{- define "osmSidecarInit.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmSidecarInit -}}
+{{- printf "%s/init@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmSidecarInit -}}
+{{- else -}}
+{{- printf "%s/init:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* osm-bootstrap image */}}
+{{- define "osmBootstrap.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmBootstrap -}}
+{{- printf "%s/osm-bootstrap@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmBootstrap -}}
+{{- else -}}
+{{- printf "%s/osm-bootstrap:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/* osm-crds image */}}
+{{- define "osmCRDs.image" -}}
+{{- if .Values.OpenServiceMesh.image.digest.osmCRDs -}}
+{{- printf "%s/osm-crds@%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.digest.osmCRDs -}}
+{{- else -}}
+{{- printf "%s/osm-crds:%s" .Values.OpenServiceMesh.image.registry .Values.OpenServiceMesh.image.tag -}}
+{{- end -}}
 {{- end -}}

charts/osm/templates/cleanup-hook.yaml

@@ -128,7 +128,7 @@ spec:
       restartPolicy: Never
       containers:
         - name: garbage-collector
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmCRDs.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           command:
             - sh

charts/osm/templates/osm-bootstrap-deployment.yaml

@@ -33,15 +33,15 @@ spec:
         kubernetes.io/os: linux
       initContainers:
         - name: init-osm-bootstrap
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-crds:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmCRDs.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           args:
           - apply
           - -f
           - /osm-crds
       containers:
         - name: osm-bootstrap
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-bootstrap:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmBootstrap.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "tls"

charts/osm/templates/osm-deployment.yaml

@@ -47,7 +47,7 @@ spec:
             done
       containers:
         - name: osm-controller
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-controller:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmController.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "admin-port"

charts/osm/templates/osm-injector-deployment.yaml

@@ -46,7 +46,7 @@ spec:
             done
       containers:
         - name: osm-injector
-          image: "{{ .Values.OpenServiceMesh.image.registry }}/osm-injector:{{ .Values.OpenServiceMesh.image.tag }}"
+          image: "{{ include "osmInjector.image" . }}"
           imagePullPolicy: {{ .Values.OpenServiceMesh.image.pullPolicy }}
           ports:
             - name: "sidecar-inject"

charts/osm/templates/preset-mesh-config.yaml

@@ -12,7 +12,7 @@ data:
         "maxDataPlaneConnections": {{.Values.OpenServiceMesh.maxDataPlaneConnections}},
         "envoyImage": "{{.Values.OpenServiceMesh.sidecarImage}}",
         "envoyWindowsImage": "{{.Values.OpenServiceMesh.sidecarWindowsImage}}",
-        "initContainerImage": "{{ .Values.OpenServiceMesh.image.registry }}/init:{{ .Values.OpenServiceMesh.image.tag }}",
+        "initContainerImage": "{{ include "osmSidecarInit.image" . }}",
         "configResyncInterval": "{{.Values.OpenServiceMesh.configResyncInterval}}"
       },
       "traffic": {

charts/osm/values.schema.json

@@ -215,7 +215,8 @@
                     "required": [
                         "registry",
                         "pullPolicy",
-                        "tag"
+                        "tag",
+                        "digest"
                     ],
                     "properties": {
                         "registry": {
@@ -245,6 +246,51 @@
                             "examples": [
                                 "v0.4.2"
                             ]
+                        },
+                        "digest": {
+                            "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest",
+                            "type": "object",
+                            "title": "Default image digests",
+                            "description": "Default image digests for control plane.",
+                            "required": [
+                                "osmController",
+                                "osmInjector",
+                                "osmSidecarInit",
+                                "osmCRDs",
+                                "osmBootstrap"
+                            ],
+                            "properties": {
+                                "osmController": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmController",
+                                    "type": "string",
+                                    "title": "osm-controller's image digest",
+                                    "description": "osm-controller container's image digest."
+                                },
+                                "osmInjector": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmInjector",
+                                    "type": "string",
+                                    "title": "osm-injector's image digest",
+                                    "description": "osm-injector container's image digest."
+                                },
+                                "osmSidecarInit": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmSidecarInit",
+                                    "type": "string",
+                                    "title": "osm-osmSidecarInit's image digest",
+                                    "description": "osm-osmSidecarInit container's image digest."
+                                },
+                                "osmCRDs": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmCRDs",
+                                    "type": "string",
+                                    "title": "osm-crds' image digest",
+                                    "description": "osm-crds container's image digest."
+                                },
+                                "osmBootstrap": {
+                                    "$id": "#/properties/OpenServiceMesh/properties/image/properties/digest/properties/osmBootstrap",
+                                    "type": "string",
+                                    "title": "osm-boostrap's image digest",
+                                    "description": "osm-bootstrap container's image digest."
+                                }
+                            }
                         }
                     },
                     "additionalProperties": false

charts/osm/values.yaml

@@ -7,12 +7,25 @@ OpenServiceMesh:
   #
   # -- OSM control plane image parameters
   image:
-    # -- Container image registry
+    # -- Container image registry for control plane images
     registry: openservicemesh
-    # -- Container image pull policy
+    # -- Container image pull policy for control plane containers
     pullPolicy: IfNotPresent
-    # -- Container image tag
-    tag: v0.9.2
+    # -- Container image tag for control plane images
+    tag: "latest-main"
+    # -- Image digest (defaults to latest compatible tag)
+    digest:
+      # -- osm-controller's image digest
+      osmController: ""
+      # -- osm-injector's image digest
+      osmInjector: ""
+      # -- Sidecar init container's image digest
+      osmSidecarInit: ""
+      # -- osm-crds' image digest
+      osmCRDs: ""
+      # -- osm-boostrap's image digest
+      osmBootstrap: ""
+
 
   # -- `osm-controller` image pull secret
   imagePullSecrets: []

cmd/cli/mesh_upgrade.go

@@ -15,7 +15,7 @@ import (
 
 const (
 	defaultContainerRegistry = "openservicemesh"
-	defaultOsmImageTag       = "v0.9.2"
+	defaultOsmImageTag       = "latest-main"
 )
 
 const upgradeDesc = `

cmd/osm-bootstrap/osm-bootstrap_test.go

@@ -26,7 +26,7 @@ func TestCreateDefaultMeshConfig(t *testing.T) {
   "logLevel": "error",
   "maxDataPlaneConnections": 0,
   "envoyImage": "envoyproxy/envoy-alpine@sha256:6502a637c6c5fba4d03d0672d878d12da4bcc7a0d0fb3f1d506982dde0039abd",
-  "initContainerImage": "openservicemesh/init:v0.9.2",
+  "initContainerImage": "openservicemesh/init:latest-main",
   "configResyncInterval": "2s"
 },
 "traffic": {

docs/example/manifests/apps/bookbuyer.yaml

@@ -31,7 +31,7 @@ spec:
         kubernetes.io/os: linux
       containers:
         - name: bookbuyer
-          image: openservicemesh/bookbuyer:v0.9.2
+          image: openservicemesh/bookbuyer:latest-main
           imagePullPolicy: Always
           command: ["/bookbuyer"]
           env:

docs/example/manifests/apps/bookstore-v2.yaml

@@ -46,7 +46,7 @@ spec:
         kubernetes.io/os: linux
       containers:
         - name: bookstore
-          image: openservicemesh/bookstore:v0.9.2
+          image: openservicemesh/bookstore:latest-main
           imagePullPolicy: Always
           ports:
             - containerPort: 14001