
Publish Charts with Image Digests

Open guydc opened this issue 3 years ago • 8 comments

Version

1.11.x (latest stable)

Is your feature request related to a problem? Please describe.

Pulling images by digest can be beneficial: [1], [2].

Describe the solution you'd like

The Gloo Edge Charts should have optional support for image pulling by digest instead of tags.

Describe alternatives you've considered

No response

Additional Context

No response

guydc avatar Jun 19 '22 13:06 guydc

We did something similar around image validation in Gloo Mesh. I need to research exactly what we did there.

chrisgaun avatar Jun 23 '22 13:06 chrisgaun

Ideal solution here would be to support image coordinates in our Helm chart that include digest value. This could take two forms:

  1. Augment existing name + label to also include digest.
  2. Parameterize the image coordinates in our Helm charts so that users opt in for using name:tag@digest instead of the default name:tag.

Option (2) seems to be the safest option in terms of backward compatibility with existing users. A concern with (1) is if users have created their own tooling based on the current Helm chart, then adding digest could theoretically break that tooling if they are dependent on the exact coordinate structure (name + tag without digest) used today.

kcbabo avatar Jun 29 '22 14:06 kcbabo

@kcbabo - was this also implemented for EE charts?

guydc avatar Jul 21 '22 06:07 guydc

The change is actually to a helper in the Gloo OSS chart that's imported by the EE chart. So should be good to go for both OSS and EE with this change.

kcbabo avatar Jul 21 '22 14:07 kcbabo

Thanks @kcbabo. Can this be ported to 1.11?

guydc avatar Jul 24 '22 13:07 guydc

Ashish backported it to 1.11 on Thursday and it got released in Gloo OSS 1.11.24. Now we just need a new Gloo EE 1.11.x release that picks up Gloo OSS 1.11.24 - I checked and Gloo EE 1.11.30 is pulling in Gloo OSS 1.11.23.

We can either wait for the next Gloo EE 1.11.x release to pick it up or trigger another release to pick up this fix. In the former case, I'd guess we'd have another release in the next week or so.

kcbabo avatar Jul 24 '22 15:07 kcbabo

Actually, scratch the part about waiting for another Gloo EE release. Jenny let me know that we actually did bump to Gloo 1.11.24 in the latest Gloo EE 1.11.30 release.

kcbabo avatar Jul 24 '22 15:07 kcbabo

Hi @kcbabo. I think that we maybe had a small miscommunication here. https://github.com/solo-io/gloo/pull/6761 created a dedicated value for digests. Prior to this change, it was already possible to specify digests by overriding the tag attribute with helm chart values.

The expectation was that charts would already have built-in digests (same as tags). Consumers can decide to use either tags or digests, without having to fetch the digest themselves and provide them as values. Digests would be encoded into the chart as part of your build process.

guydc avatar Aug 31 '22 07:08 guydc

Hello! This feature has been released/published to our gloo-ee helm repo under 1.13.0-beta6, 1.11.45, and 1.12.28.

For this particular feature, in order to test it, it is sufficient to:

  a) look at image: fields in the rendered helm chart, and verify that, yes, they consume sha256 paths
  b) verify a basic install, to ensure that image digests are pullable (and also not malformed)

Breakdown of testing/verification:

# download new chart
helm repo add gloo-ee https://storage.googleapis.com/gloo-ee-helm
helm repo update

# observe chart's solo-io images make use of digests
helm template gloo-ee/gloo-ee --version 1.11.45 | grep image: | grep solo-io
>      - image: quay.io/solo-io/gloo-fed-apiserver:1.11.45@sha256:a9026c4a40528cb1ca29e08e30b30854238de4f2ebcb0aa55067baac7f7a2cb6
>        image: quay.io/solo-io/gloo-federation-console:1.11.45@sha256:c66717f1110d5d324dfcc586bb2b41d8e95efad5cbc68284ab99fe4d62cb9a8d
>        image: quay.io/solo-io/gloo-fed-apiserver-envoy:1.11.45@sha256:9569c8b1f57439a63d93d6ff96f711d7fa60fba1d4047d949229303c7548d485
>      - image: quay.io/solo-io/gloo-fed:1.11.45@sha256:7c909040c3ab4c61814c4d33d1af9dc94db93a03c540aba844192e6a07f767f7
>      - image: quay.io/solo-io/gloo-ee:1.11.45@sha256:beb23c56d71051719254fe6487a268e19bda0874c7ae789cc5ba5f5e94f61a45
>      - image: quay.io/solo-io/discovery-ee:1.11.45@sha256:176ca585682c2f16481c32b59b5c0b60c76619d5b42bfb8deb1910138169e0b3
>      - image: quay.io/solo-io/gateway:1.11.39@sha256:41b8f4d8051a027b8970fe292a0665a39dddd4d2ec5571b96fca1836865a9745
>        image: quay.io/solo-io/gloo-ee-envoy-wrapper:1.11.45@sha256:f280165f982cc861fa83107f629727fd80489e6d1cbe2c3feef4dcabc0ab036b
>        - image: quay.io/solo-io/rate-limit-ee:1.11.45@sha256:048bf8d70c7f83dd5fdba97120a7045493704f67a49745698d1432bcd1946aee
>      - image: quay.io/solo-io/extauth-ee:1.11.45@sha256:3acb54ee01d69c7e673cbc9250ef037d5ffafc76c8d8f5e443f90835d4f912d3
>        - image: quay.io/solo-io/observability-ee:1.11.45@sha256:5b44ebcfb723df60a72b69d74b260d9fdac99fe4bf80c48bd3b344e10c30f222
>          image: quay.io/solo-io/kubectl:1.11.39@sha256:ed960c3a98b11354a47423104f2834e372e5595291ec542e7d341d7dd3f2ae14
>          image: quay.io/solo-io/kubectl:1.11.39@sha256:ed960c3a98b11354a47423104f2834e372e5595291ec542e7d341d7dd3f2ae14
>          image: quay.io/solo-io/kubectl:1.11.39@sha256:ed960c3a98b11354a47423104f2834e372e5595291ec542e7d341d7dd3f2ae14
>        - image: quay.io/solo-io/certgen:1.11.39@sha256:0e4f179db5acf10096d93cd6ba36e171ab3fe37a27286cf43d278de7541e7d7a
>          image: quay.io/solo-io/kubectl:1.11.39@sha256:ed960c3a98b11354a47423104f2834e372e5595291ec542e7d341d7dd3f2ae14
# observe chart's non-solo-io images _don't_ make use of digests
helm template gloo-ee/gloo-ee --version 1.11.45 | grep image: | grep -v solo-io
>          image: "grafana/grafana:8.2.1"
>        image: "quay.io/coreos/kube-state-metrics:v1.9.7"
>          image: "jimmidyson/configmap-reload:v0.5.0"
>          image: "quay.io/prometheus/prometheus:v2.24.0"
>          image: docker.io/busybox:1.28
>        - image: docker.io/redis:6.2.4

# verify install is functional
helm install -n gloo-system gloo-ee gloo-ee/gloo-ee --create-namespace --version 1.11.45 --set-string license_key=$GLOO_LICENSE_KEY
kubectl -n gloo-system get pods

> NAME                                                  READY   STATUS             RESTARTS   AGE
> discovery-6f9d856f5d-nnmr8                            1/1     Running            0          2m56s
> extauth-66d8cbbdd-pbmzq                               1/1     Running            0          2m55s
> gateway-774847f54b-mqgz8                              1/1     Running            0          2m56s
> gateway-proxy-55b69dfd45-qs7wr                        1/1     Running            0          2m56s
> gloo-6b9488fcbc-svwcm                                 1/1     Running            0          2m56s
> gloo-fed-5cc5545d75-jf8w8                             1/1     Running            0          2m56s
> gloo-fed-console-d745cd6bf-x4krw                      3/3     Running            0          2m56s
> glooe-grafana-7f474dc4c4-v457m                        1/1     Running            0          2m56s
> glooe-prometheus-kube-state-metrics-664455697-97kcd   1/1     Running            0          2m56s
> glooe-prometheus-server-57d685fd64-5zjhx              1/2     Running            0          2m56s
> observability-79564654b7-z88kj                        1/1     Running            0          2m56s
> rate-limit-fc487f86f-ptsl6                            1/1     Running            0          2m56s
> redis-57fd559c5c-9r86k                                1/1     Running            0          2m56s

gunnar-solo avatar Oct 06 '22 13:10 gunnar-solo
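The name:tag@digest coordinate form discussed above and the two verification steps in the previous comment can be automated. The script below is an added example (not code from the Gloo project): it parses each `image:` line from `helm template` output, splits the reference into name, tag and digest, and reports which images under a chosen registry prefix are digest-pinned, which are not, and which carry a malformed digest. The sample manifest is constructed to include an unpinned and a malformed line alongside one real digest from the output above.

```python
import re

# Image reference grammar as it appears in the rendered chart:
#   [registry[:port]/]name[:tag][@sha256:<64 hex>]
# The name group is non-greedy so a registry port (host:5000/app) is not
# mistaken for a tag; a digest must be exactly 64 lowercase hex characters.
IMAGE_RE = re.compile(
    r"^(?P<name>[^@\s]+?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
# An `image:` line from `helm template`, with or without a list dash and quotes.
IMAGE_LINE_RE = re.compile(r'^\s*-?\s*image:\s*"?([^"\s]+)"?\s*$')


def parse_image(ref: str) -> dict:
    """Split an image reference into name, tag and digest; raise if malformed."""
    m = IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    return m.groupdict()


def check_rendered_images(manifest: str, pinned_prefix: str) -> dict:
    """Classify every image in rendered manifest text. Images whose name starts
    with pinned_prefix are expected to carry a digest (step a above); references
    that do not parse, e.g. a truncated digest, are reported as malformed (step b)."""
    report = {"pinned": [], "unpinned": [], "malformed": [], "other": []}
    for line in manifest.splitlines():
        m = IMAGE_LINE_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        try:
            parts = parse_image(ref)
        except ValueError:
            report["malformed"].append(ref)
            continue
        if not parts["name"].startswith(pinned_prefix):
            report["other"].append(ref)
        elif parts["digest"]:
            report["pinned"].append(ref)
        else:
            report["unpinned"].append(ref)
    return report


# Constructed sample in the shape of `helm template ... | grep image:` output.
SAMPLE_MANIFEST = """
      - image: quay.io/solo-io/gloo-ee:1.11.45@sha256:beb23c56d71051719254fe6487a268e19bda0874c7ae789cc5ba5f5e94f61a45
        image: quay.io/solo-io/kubectl:1.11.39
        image: quay.io/solo-io/certgen:1.11.39@sha256:0e4f179d
          image: "grafana/grafana:8.2.1"
        - image: docker.io/redis:6.2.4
"""

if __name__ == "__main__":
    print(check_rendered_images(SAMPLE_MANIFEST, "quay.io/solo-io/"))
```

A non-empty `unpinned` or `malformed` list for the solo-io prefix is the failure condition for step a; step b (the actual pull) still needs the install.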