[release/v1.64] Update tinkerbell images #2034
Merged
kubermatic-bot merged 2 commits intoMay 25, 2026
* Update images in Tinkerbell template

  Signed-off-by: Daniel Kraus <daniel.kraus@kubermatic.com>

* Mirror Tinkerbell images to quay.io/kubermatic-mirror

  All 7 container images used in Tinkerbell templates are now pinned by sha256 digest and mirrored to quay.io/kubermatic-mirror via a new `hack/mirror-images.yaml` manifest and `crane`-based mirror script. A presubmit validator enforces digest-only versions in the manifest, and a postsubmit job mirrors images on merge to main.

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

  shfmt

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

  install crane if it's missing

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

* Fix mirror-images validator and enforce template.go sync

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

* embed mirror-images.yaml as single source of truth for Tinkerbell image refs

  Move mirror-images.yaml next to template.go and load it via go:embed at package init. Replace seven hardcoded image constants with a mirrorImage() lookup. Use QUAY_IO_USERNAME/QUAY_IO_PASSWORD from the Prow preset for registry auth, with Vault as local-dev fallback. Drop the cross-file sync check from the validator since drift is now impossible.

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

* extract mirror image loader into shared `pkg/mirror` package

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

* update templating tests

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

---------

Signed-off-by: Daniel Kraus <daniel.kraus@kubermatic.com>
Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>
Co-authored-by: Daniel Kraus <daniel.kraus@kubermatic.com>
(cherry picked from commit 4214762)
)

* fix mirror-images 403 by dropping wrong-org push preset

  `preset-docker-push-kubermatic` injects `QUAY_IO_USERNAME`/`QUAY_IO_PASSWORD` scoped to the `kubermatic/*` org, which causes `hack/mirror-images.sh` to skip its runtime credential resolution and attempt pushes to `kubermatic-mirror/*` with insufficient permissions. Removes that preset from the postsubmit job, adds a temporary presubmit to validate the fix on PR, and documents the constraint in both job specs and the script.

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

* mirror images with human-readable tags instead of digest-only destinations

  Add a `tag` field to the image manifest and push mirrored images under human-readable tags so they are browsable in the Quay UI. The source pull remains digest-pinned for anti-tamper; crane copy preserves the digest addressable manifest so existing digest-based pulls keep working. Adds a preflight verification script that resolves both digest and tag references upstream to catch stale tag/digest pairs before mirroring. Validates tags against the OCI distribution spec regex and guards against empty fields that would push undeclared tags to the registry.

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

* remove temporary job

  Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>

---------

Signed-off-by: Burak Sekili <32663655+buraksekili@users.noreply.github.com>
(cherry picked from commit ccc3f12)
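The manifest checks described in the commit messages above (digest-pinned sources, tags validated against the OCI distribution spec grammar, no empty fields), sketched as an added Go example that is not code from this PR. The `Entry` fields, the `Plan` function, the destination naming and the conflicting-destination check are assumptions; the page does not show the real `mirror-images.yaml` schema or validator.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Entry is a hypothetical manifest row; the real mirror-images.yaml schema is not shown on the page.
type Entry struct{ Name, Source, Tag string }

const mirrorOrg = "quay.io/kubermatic-mirror" // mirror destination named on the page

var (
	digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
	tagRe    = regexp.MustCompile(`^[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}$`) // OCI distribution spec tag grammar
)

// Plan validates every entry and returns the destination tag reference for each entry name.
func Plan(entries []Entry) (map[string]string, error) {
	dests, owner := map[string]string{}, map[string]string{} // name -> dest, dest -> digest
	for _, e := range entries {
		if e.Name == "" || e.Source == "" || e.Tag == "" {
			return nil, fmt.Errorf("entry %q: empty field", e.Name)
		}
		repo, digest, pinned := strings.Cut(e.Source, "@")
		if !pinned || !digestRe.MatchString(digest) {
			return nil, fmt.Errorf("entry %q: source is not pinned by sha256 digest", e.Name)
		}
		image := repo[strings.LastIndex(repo, "/")+1:] // last path segment; assumed destination name
		if image == "" || strings.Contains(image, ":") {
			return nil, fmt.Errorf("entry %q: source must be digest-only, without a tag", e.Name)
		}
		if !tagRe.MatchString(e.Tag) {
			return nil, fmt.Errorf("entry %q: tag %q violates the OCI tag grammar", e.Name, e.Tag)
		}
		dst := mirrorOrg + "/" + image + ":" + e.Tag
		if prev, seen := owner[dst]; seen && prev != digest {
			return nil, fmt.Errorf("entry %q: %s already maps to another digest", e.Name, dst)
		}
		owner[dst], dests[e.Name] = digest, dst
	}
	return dests, nil
}

func main() {
	d := "sha256:" + strings.Repeat("ab", 32) // constructed digest, not a real image
	fmt.Println(Plan([]Entry{{"hook", "example.test/tools/hook@" + d, "v1.0.0"}}))
}
```

The conflicting-destination check goes beyond what the commit messages list: it rejects two entries that would push different digests under the same mirrored tag.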
LGTM label has been added.
Git tree hash: f2895e0fae7beb38a155eb761b82ac0352bbfcec
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: kron4eg
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What this PR does / why we need it:
Manual cherry pick of #2022 and #2023
Which issue(s) this PR fixes:
Fixes #
What type of PR is this?
Special notes for your reviewer:
Does this PR introduce a user-facing change? Then add your Release Note here:
Documentation: