fix(kustomize): handle sha256 digests (#7987)

lib/manager/kustomize/__fixtures__/sha.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: hasura
+
+commonLabels:
+  app.kubernetes.io/name: hasura
+
+bases:
+  - ../base/
+
+patchesStrategicMerge:
+  - patches/deployment.yaml
+
+images:
+  - name: postgres
+    newTag: sha256:b0cfe264cb1143c7c660ddfd5c482464997d62d6bc9f97f8fdf3deefce881a8c

lib/manager/kustomize/__snapshots__/extract.spec.ts.snap

@@ -34,6 +34,21 @@ Array [
 ]
 `;
 
+exports[`manager/kustomize/extract extractPackageFile() extracts sha256 instead of tag 1`] = `
+Object {
+  "deps": Array [
+    Object {
+      "currentDigest": "sha256:b0cfe264cb1143c7c660ddfd5c482464997d62d6bc9f97f8fdf3deefce881a8c",
+      "currentValue": undefined,
+      "datasource": "docker",
+      "depName": "postgres",
+      "replaceString": "sha256:b0cfe264cb1143c7c660ddfd5c482464997d62d6bc9f97f8fdf3deefce881a8c",
+      "versioning": "docker",
+    },
+  ],
+}
+`;
+
 exports[`manager/kustomize/extract extractPackageFile() extracts ssh dependency 1`] = `
 Array [
   Object {
@@ -72,33 +87,43 @@ Array [
 exports[`manager/kustomize/extract extractPackageFile() should extract out image versions 1`] = `
 Array [
   Object {
+    "currentDigest": undefined,
     "currentValue": "v0.1.0",
     "datasource": "docker",
     "depName": "node",
+    "replaceString": "v0.1.0",
     "versioning": "docker",
   },
   Object {
+    "currentDigest": undefined,
     "currentValue": "v0.0.1",
     "datasource": "docker",
     "depName": "group/instance",
+    "replaceString": "v0.0.1",
     "versioning": "docker",
   },
   Object {
+    "currentDigest": undefined,
     "currentValue": "v0.0.2",
     "datasource": "docker",
     "depName": "quay.io/test/repo",
+    "replaceString": "v0.0.2",
     "versioning": "docker",
   },
   Object {
+    "currentDigest": undefined,
     "currentValue": "v0.0.3",
     "datasource": "docker",
     "depName": "gitlab.com/org/suborg/image",
+    "replaceString": "v0.0.3",
     "versioning": "docker",
   },
   Object {
+    "currentDigest": undefined,
     "currentValue": "v0.0.4",
     "datasource": "docker",
     "depName": "but.this.lives.on.local/private-registry",
+    "replaceString": "v0.0.4",
     "versioning": "docker",
   },
 ]

lib/manager/kustomize/extract.spec.ts

@@ -50,6 +50,8 @@ const kustomizeDepsInResources = readFileSync(
   'utf8'
 );
 
+const sha = readFileSync('lib/manager/kustomize/__fixtures__/sha.yaml', 'utf8');
+
 describe('manager/kustomize/extract', () => {
   it('should successfully parse a valid kustomize file', () => {
     const file = parseKustomize(kustomizeGitSSHBase);
@@ -147,8 +149,10 @@ describe('manager/kustomize/extract', () => {
     });
     it('should correctly extract a default image', () => {
       const sample = {
+        currentDigest: undefined,
         currentValue: 'v1.0.0',
         datasource: datasourceDocker.id,
+        replaceString: 'v1.0.0',
         versioning: dockerVersioning.id,
         depName: 'node',
       };
@@ -160,8 +164,10 @@ describe('manager/kustomize/extract', () => {
     });
     it('should correctly extract an image in a repo', () => {
       const sample = {
+        currentDigest: undefined,
         currentValue: 'v1.0.0',
         datasource: datasourceDocker.id,
+        replaceString: 'v1.0.0',
         versioning: dockerVersioning.id,
         depName: 'test/node',
       };
@@ -173,8 +179,10 @@ describe('manager/kustomize/extract', () => {
     });
     it('should correctly extract from a different registry', () => {
       const sample = {
+        currentDigest: undefined,
         currentValue: 'v1.0.0',
         datasource: datasourceDocker.id,
+        replaceString: 'v1.0.0',
         versioning: dockerVersioning.id,
         depName: 'quay.io/repo/image',
       };
@@ -186,9 +194,11 @@ describe('manager/kustomize/extract', () => {
     });
     it('should correctly extract from a different port', () => {
       const sample = {
+        currentDigest: undefined,
         currentValue: 'v1.0.0',
         datasource: datasourceDocker.id,
         versioning: dockerVersioning.id,
+        replaceString: 'v1.0.0',
         depName: 'localhost:5000/repo/image',
       };
       const pkg = extractImage({
@@ -199,7 +209,9 @@ describe('manager/kustomize/extract', () => {
     });
     it('should correctly extract from a multi-depth registry', () => {
       const sample = {
+        currentDigest: undefined,
         currentValue: 'v1.0.0',
+        replaceString: 'v1.0.0',
         datasource: datasourceDocker.id,
         versioning: dockerVersioning.id,
         depName: 'localhost:5000/repo/image/service',
@@ -260,5 +272,8 @@ describe('manager/kustomize/extract', () => {
       expect(res.deps[1].currentValue).toEqual('1.19.0');
       expect(res.deps[1].depName).toEqual('fluxcd/flux');
     });
+    it('extracts sha256 instead of tag', () => {
+      expect(extractPackageFile(sha)).toMatchSnapshot();
+    });
   });
 });

lib/manager/kustomize/extract.ts

@@ -48,11 +48,22 @@ export function extractBase(base: string): PackageDependency | null {
 
 export function extractImage(image: Image): PackageDependency | null {
   if (image?.name && image.newTag) {
+    const replaceString = image.newTag;
+    let currentValue;
+    let currentDigest;
+    if (replaceString.startsWith('sha256:')) {
+      currentDigest = replaceString;
+      currentValue = undefined;
+    } else {
+      currentValue = replaceString;
+    }
     return {
       datasource: datasourceDocker.id,
       versioning: dockerVersioning.id,
       depName: image.newName ?? image.name,
-      currentValue: image.newTag,
+      currentValue,
+      currentDigest,
+      replaceString,
     };
   }