Allow pulling images by digest

A digest is a content-addressed, immutable reference to one specific image manifest, so the image that actually runs never changes unless the digest value itself is changed — unlike a tag, which the registry can re-point at different content at any time. This is desirable for security: it gives confidence that no unvetted changes are pulled into a deployment.
This commit is contained in:
Graham McGregor 2020-05-20 11:34:18 -04:00
parent 0cbe783f43
commit 2205edb16b
7 changed files with 19 additions and 6 deletions


@ -1,6 +1,6 @@
apiVersion: v1
name: ingress-nginx
version: 2.2.0
version: 2.3.0
appVersion: 0.32.0
home: https://github.com/kubernetes/ingress-nginx
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer


@ -49,6 +49,7 @@ Parameter | Description | Default
--- | --- | ---
`controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller`
`controller.image.tag` | controller container image tag | `0.30.0`
`controller.image.digest` | controller container image digest | `""`
`controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent`
`controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. | `101`
`controller.containerPort.http` | The port that the controller container listens on for http connections. | `80`
@ -164,6 +165,7 @@ Parameter | Description | Default
`controller.admissionWebhooks.patch.enabled` | If true, will use a pre and post install hooks to generate a CA and certificate to use for the prometheus operator tls proxy, and patch the created webhooks with the CA. | `true`
`controller.admissionWebhooks.patch.image.repository` | Repository to use for the webhook integration jobs | `jettech/kube-webhook-certgen`
`controller.admissionWebhooks.patch.image.tag` | Tag to use for the webhook integration jobs | `v1.2.0`
`controller.admissionWebhooks.patch.image.digest` | Digest to use for the webhook integration jobs | `""`
`controller.admissionWebhooks.patch.image.pullPolicy` | Image pull policy for the webhook integration jobs | `IfNotPresent`
`controller.admissionWebhooks.patch.priorityClassName` | Priority class for the webhook integration jobs | `""`
`controller.admissionWebhooks.patch.podAnnotations` | Annotations for the webhook job pods | `{}`
@ -183,6 +185,7 @@ Parameter | Description | Default
`defaultBackend.enabled` | Use default backend component | `false`
`defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend-amd64`
`defaultBackend.image.tag` | default backend container image tag | `1.5`
`defaultBackend.image.digest` | default backend container image digest | `""`
`defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent`
`defaultBackend.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses nobody user. | `65534`
`defaultBackend.extraArgs` | Additional default backend container arguments | `{}`


@ -32,7 +32,9 @@ spec:
{{- end }}
containers:
- name: create
image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
{{- with .Values.controller.admissionWebhooks.patch.image }}
image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- create
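Review bot: The new `image:` expression passes `.digest` through unvalidated, so a value missing the `sha256:` prefix, or with a truncated or non-hex string, renders an image reference that only fails at pull time as ErrImagePull, and neither `helm lint` nor `helm template` will catch it. Since the whole point of the option is to pin a third-party image, failing fast at render time is cheap: inside the `with` block, before the `image:` line, add `{{- if and .digest (not (regexMatch "^sha(256|512):[0-9a-f]+$" .digest)) }}{{ fail "admissionWebhooks.patch.image.digest must be of the form sha256:<hex>" }}{{- end }}`. This assumes sprig's `regexMatch` is available in the Helm versions the chart supports. The container definition continues outside the hunk.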


@ -32,7 +32,9 @@ spec:
{{- end }}
containers:
- name: patch
image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
{{- with .Values.controller.admissionWebhooks.patch.image }}
image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
args:
- patch
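Review bot: The inline digest-or-tag expression on the `image:` line is now copied verbatim into five templates (this job, the create job, the controller Deployment and DaemonSet, and the default backend), so any later fix to the precedence or quoting logic has to be made five times and the copies can drift. A named template in `_helpers.tpl` that takes the image values map as its context keeps a single copy, and each call site becomes `image: {{ include "ingress-nginx.image" .Values.controller.admissionWebhooks.patch.image | quote }}`. `_helpers.tpl` is not among the seven files in the diffstat, so this would be a new define; the helper is sketched below.

```yaml
{{/*
Render an image reference from an image values map (repository, tag, digest).
A non-empty digest (immutable, content-addressed) takes precedence over the tag.
*/}}
{{- define "ingress-nginx.image" -}}
{{- if .digest -}}
{{ .repository }}@{{ .digest }}
{{- else -}}
{{ .repository }}:{{ .tag }}
{{- end -}}
{{- end -}}
```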


@ -47,7 +47,9 @@ spec:
{{- end }}
containers:
- name: controller
image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
{{- with .Values.controller.image }}
image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
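Review bot: The new `.digest` key read on the `image:` line is documented in README.md with a default of `""`, but values.yaml does not appear among the seven files in the diffstat, so the chart's shipped values seem not to declare it and `helm show values` will not surface the option to users. Go-template `if` treats the missing key as false, so rendering is unaffected; this is a discoverability gap rather than a rendering bug. Add `digest: ""` under `controller.image` (and likewise under `controller.admissionWebhooks.patch.image` and `defaultBackend.image`) in values.yaml with a comment such as `# Pin to an immutable manifest, e.g. "sha256:<64 hex chars>"; when set, tag is ignored.` The container spec continues outside the hunk.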


@ -51,7 +51,9 @@ spec:
{{- end }}
containers:
- name: controller
image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
{{- with .Values.controller.image }}
image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- if .Values.controller.lifecycle }}
lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
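Review bot: Nothing on the new `image:` line tells a reader that `.tag` is silently ignored whenever `.digest` is non-empty, which will surprise whoever later bumps `controller.image.tag` and wonders why the running image did not change. A template comment above the `with` line makes the precedence explicit: `{{- /* A non-empty digest pins one immutable manifest and takes precedence over tag; when pinned, update digest rather than tag. */ -}}`. The container spec continues outside the hunk.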


@ -36,7 +36,9 @@ spec:
{{- end }}
containers:
- name: {{ template "ingress-nginx.name" . }}-default-backend
image: {{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}
{{- with .Values.defaultBackend.image }}
image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
{{- end }}
imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
{{- if .Values.defaultBackend.extraArgs }}
args:
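Review bot: The expression on the `image:` line mixes `{{.repository}}` and `{{.digest}}` with `{{ .tag }}`, wraps `.digest` in redundant parentheses, and relies on the `-}}` / `{{-` trim markers to strip the stray spaces around `@` and `:`, while the rest of this template uses spaced `{{ .Values... }}` actions (see the `imagePullPolicy` line). Writing it as `image: "{{ .repository }}{{- if .digest -}}@{{ .digest }}{{- else -}}:{{ .tag }}{{- end -}}"` renders the identical string, reads consistently, and no longer depends on whitespace trimming to produce a valid reference. The container spec continues outside the hunk.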