
Hash lock all images

Open daurnimator opened this issue 4 years ago • 4 comments

Many of our resources only select a particular image tag, rather than an exact hash.

  • Use kustomization image field to hashlock
  • Check any operators for additional images they may bring in

```sh
kubectl get pods --all-namespaces -o json | jq '.items[].spec.containers[].image' | grep -v sha256 | sort -u
```
  • [ ] digitalocean/do-csi-plugin:v4.2.0
  • [ ] docker.io/cilium/cilium:v1.10.4
  • [ ] docker.io/cilium/operator:v1.10.4
  • [ ] docker.io/coredns/coredns:1.8.4
  • [ ] docker.io/digitalocean/arp-flusher:v0.0.2
  • [ ] docker.io/digitalocean/do-agent:3.11.0
  • [ ] docker.io/digitalocean/do-csi-plugin:v4.4.1
  • [ ] hashbang/hashbangctl
  • [ ] k8s.gcr.io/sig-storage/csi-attacher:v3.5.0
  • [ ] k8s.gcr.io/sig-storage/csi-provisioner:v3.2.1
  • [ ] k8s.gcr.io/sig-storage/csi-resizer:v1.5.0
  • [ ] k8s.gcr.io/sig-storage/csi-snapshotter:v6.0.1
  • [ ] nginx:1.21.0
  • [ ] quay.io/jetstack/cert-manager-cainjector:v1.11.2
  • [ ] quay.io/jetstack/cert-manager-controller:v1.11.2
  • [ ] quay.io/jetstack/cert-manager-webhook:v1.11.2
  • [ ] registry.k8s.io/kube-proxy:v1.24.12
  • [ ] registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0
  • [x] 42wim/matterbridge:1.26.0
  • [x] drgrove/mtls-server:v0.20.0
  • [x] drgrove/wkd:v2.2.2
  • [x] eu.gcr.io/k8s-artifacts-prod/external-dns/external-dns:v0.13.4
  • [x] ghcr.io/dexidp/dex:v2.36.0-distroless
  • [x] ghcr.io/ergochat/ergo:v2.11.1
  • [x] hashbang/book:latest
  • [x] hashbang/hashbang.sh:latest
  • [x] hashbang/webirc:latest
  • [x] k8s.gcr.io/sig-storage/csi-node-driver-registrar
  • [x] k8s.gcr.io/sig-storage/snapshot-controller
  • [x] k8s.gcr.io/sig-storage/snapshot-validation-webhook
  • [x] kiwigrid/k8s-sidecar:1.24.0
  • [x] postgrest/postgrest:v11.0.1
  • [x] quay.io/argoproj/argocd:v2.7.2
  • [x] redis:7.0.11-alpine
  • [x] redis:7.0.5-alpine
  • [x] registry.k8s.io/ingress-nginx/controller:v1.7.1
  • [x] thatonecalculator/calckey:v13.1.4.1
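The audit above is a one-liner over `.spec.containers`; it silently skips `initContainers` and `ephemeralContainers`, and the "sha256" grep does not tell you which part of the reference is the digest. The following is an added example (not code from this issue or from the hashbang repository) that does the same check over a `kubectl get pods -A -o json` document, classifies each reference properly (registry ports contain a `:` too), and emits the kustomize `images:` stanza that the first task refers to. The pod list and the digest table are constructed sample data; in practice the digests come from `crane digest <ref>` or `skopeo inspect`, and the function and field names here are this example's own.

```python
"""Report container images selected by tag and emit kustomize `images:` entries that pin them by digest."""
import json
import sys
from typing import Dict, List, NamedTuple, Optional


class ImageRef(NamedTuple):
    name: str              # registry/repository without tag or digest
    tag: Optional[str]     # None when absent (Kubernetes then assumes "latest")
    digest: Optional[str]  # "sha256:<hex>" when the reference is pinned


def parse_image(ref: str) -> ImageRef:
    """Split an OCI reference into name, tag and digest."""
    rest, digest = (ref.split("@", 1) + [None])[:2]
    # Only a ':' after the last '/' separates a tag; earlier ones belong to a
    # registry host:port such as localhost:5000/...
    slash, colon = rest.rfind("/"), rest.rfind(":")
    if colon > slash:
        return ImageRef(rest[:colon], rest[colon + 1:], digest)
    return ImageRef(rest, None, digest)


def pod_images(pod: dict) -> List[str]:
    """Every image a pod can run, not just the main containers."""
    spec = pod.get("spec", {})
    return [c["image"] for field in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(field, [])]


def unpinned_images(pod_list: dict) -> List[str]:
    """Sorted, de-duplicated references that carry no digest."""
    return sorted({img for pod in pod_list.get("items", [])
                   for img in pod_images(pod) if parse_image(img).digest is None})


def kustomize_images(unpinned: List[str], digests: Dict[str, str]) -> List[dict]:
    """Build kustomize `images:` entries; references with no known digest are left out, never guessed."""
    names = [parse_image(i).name for i in unpinned]
    entries = []
    for img in unpinned:
        digest = digests.get(img)
        if digest is None:
            continue
        ref = parse_image(img)
        # kustomize matches `name` against the image name. When one repository runs
        # under several tags (redis above), keep the tag in `name` so each tag gets
        # its own digest (verify this matching rule against your kustomize version).
        name = img if names.count(ref.name) > 1 else ref.name
        entries.append({"name": name, "digest": digest})
    return entries


def render_images_field(entries: List[dict]) -> str:
    """Render the entries as the `images:` field of a kustomization.yaml."""
    lines = ["images:"]
    for e in entries:
        lines += [f"  - name: {e['name']}", f"    digest: {e['digest']}"]
    return "\n".join(lines) + "\n"


# Constructed sample data standing in for `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = {
    "items": [
        {"spec": {"initContainers": [{"image": "busybox"}],
                  "containers": [{"image": "nginx:1.21.0"},
                                 {"image": "localhost:5000/hashbang/hashbangctl"}]}},
        {"spec": {"containers": [{"image": "redis:7.0.11-alpine"},
                                 {"image": "redis:7.0.5-alpine"},
                                 {"image": "quay.io/argoproj/argocd:v2.7.2@sha256:" + "f" * 64}]}},
    ]
}
# Constructed placeholder digests; resolve real ones with `crane digest <ref>`.
SAMPLE_DIGESTS = {
    "nginx:1.21.0": "sha256:" + "1" * 64,
    "redis:7.0.11-alpine": "sha256:" + "2" * 64,
    "redis:7.0.5-alpine": "sha256:" + "3" * 64,
}

if __name__ == "__main__":
    # Pipe real output in with: kubectl get pods -A -o json | python3 this.py
    pods = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POD_LIST
    todo = unpinned_images(pods)
    print("unpinned:", *todo, sep="\n  ")
    print(render_images_field(kustomize_images(todo, SAMPLE_DIGESTS)))
```

Two caveats for the second checklist item: kustomize's image transformer only rewrites the image fields it knows about (pod templates in core workload kinds, plus any paths added via `configurations`), so images that an operator reads from its own CRD fields or bakes into its binary never show up in the manifests and have to be pinned on the operator's side. And because kustomize rewrites the already-rendered manifest, a chart's own tag validation still sees the original tag; this is also why pinning by editing Helm `tag` values to a digest fails where a chart validates the tag as semver.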

daurnimator, May 27 '20 02:05

Trying to hashlock the ingress controller fails with:

```
Error: render error in "ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml": template: ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml:2:4: executing "ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml" at <include "isControllerTagValid" .>: error calling include: template: ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl:121:12: executing "isControllerTagValid" at <semverCompare ">=0.27.0-0" .Values.controller.image.tag>: error calling semverCompare: Invalid Semantic Version
```

daurnimator, Jun 01 '20 12:06

https://github.com/coreos/prometheus-operator/issues/3262

daurnimator, Jun 03 '20 03:06

Updated the list

KellerFuchs, May 15 '23 13:05

From what I can tell, the only things which aren't hash-locked are either:

  • hashbangctl, or
  • DO-managed things (network, storage, ingress, etc.)

I don't think it makes sense to make giant kustomize files to set hashes on the latter, but I'll do something about hashbangctl.

PS: "Presumably doesn't make sense" since DO manages what's precisely deployed in those cases, and we need to trust DO anyhow.

KellerFuchs, May 15 '23 13:05