Use SHA digests instead of tags in operator bundle (#848)

minio · Sep 19, 2023 · 71eda9f · 71eda9f
1 parent 64ca50d
commit 71eda9f
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 7 deletions.
diff --git a/operator/bundle/manifests/minio-directpv-operator-rhmp.clusterserviceversion.yaml b/operator/bundle/manifests/minio-directpv-operator-rhmp.clusterserviceversion.yaml
@@ -222,7 +222,7 @@ spec:
                 - --upstream=http://127.0.0.1:8080/
                 - --logtostderr=true
                 - --v=0
-                image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+                image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522
                 name: kube-rbac-proxy
                 ports:
                 - containerPort: 8443
@@ -245,7 +245,7 @@ spec:
                 - --metrics-bind-address=127.0.0.1:8080
                 - --leader-elect
                 - --leader-election-id=directpv-operator
-                image: quay.io/minio/directpv-operator:4.0.7
+                image: quay.io/minio/directpv-operator@sha256:dadf28674b15c256bc5dec3e99d90f811ea3ac1fdee17c51e2928063a5341e5e
                 livenessProbe:
                   httpGet:
                     path: /healthz

diff --git a/operator/config/default/manager_auth_proxy_patch.yaml b/operator/config/default/manager_auth_proxy_patch.yaml
@@ -31,7 +31,7 @@ spec:
           capabilities:
             drop:
               - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+        image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522
         args:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"

diff --git a/operator/config/manager/kustomization.yaml b/operator/config/manager/kustomization.yaml
@@ -3,6 +3,6 @@ resources:
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- name: controller
-  newName: quay.io/cniackz4/directpv-operator
-  newTag: 4.0.7
+- digest: sha256:dadf28674b15c256bc5dec3e99d90f811ea3ac1fdee17c51e2928063a5341e5e
+  name: controller
+  newName: quay.io/minio/directpv-operator
diff --git a/release-operator.sh b/release-operator.sh
@@ -114,6 +114,9 @@ function update_charts() {
 function make_release() {
     export IMAGE_TAG_BASE=quay.io/minio/directpv-operator
     export IMG="${IMAGE_TAG_BASE}:${BUILD_VERSION}"
+    SHA_DIGEST=$("${PODMAN}" pull "${IMAGE_TAG_BASE}":"${BUILD_VERSION}" | grep Digest | awk -F ' ' '{print $2}')
+    export SHA_DIGEST
+    export DIGEST="${IMAGE_TAG_BASE}@${SHA_DIGEST}"
     export BUNDLE_GEN_FLAGS="-q --overwrite --version ${BUILD_VERSION} --package minio-directpv-operator-rhmp"
     export BUNDLE_IMG="${IMAGE_TAG_BASE}-bundle:v${BUILD_VERSION}"
 
@@ -124,7 +127,11 @@ function make_release() {
     git_commit "Update operator for v${BUILD_VERSION}"
 
     "${OPERATOR_SDK}" generate kustomize manifests --quiet --package minio-directpv-operator-rhmp
-    (cd config/manager && "${KUSTOMIZE}" edit set image controller="${IMG}")
+    # Controller image, should be in SHA Digest form for RHMP to pass test:
+    # verify-pinned-digest where all your container images should use SHA digests instead of tags.
+    # Example:
+    # (cd config/manager && kustomize edit set image controller=quay.io/cniackz4/directpv-operator@sha256:04fec2fbd0d17f449a17c0f509b359c18d6c662e0a22e84cd625b538ca2a1af2)
+    (cd config/manager && "${KUSTOMIZE}" edit set image controller="${DIGEST}")
     # shellcheck disable=SC2086
     "${KUSTOMIZE}" build config/manifests | "${OPERATOR_SDK}" generate bundle ${BUNDLE_GEN_FLAGS}
     # Since above line overwrites our redhat annotation,