From 2205edb16b0a27b7eb84d86422d3fb9cc8bef715 Mon Sep 17 00:00:00 2001
From: Graham McGregor
Date: Wed, 20 May 2020 11:34:18 -0400
Subject: [PATCH] Allow pulling images by digest

The digest uniquely identifies a specific version of the image, so it is never updated by Kubernetes unless you change the digest value. This is desirable for security to gain confidence that no unvetted changes are pulled to a deployment.
---
charts/ingress-nginx/Chart.yaml | 2 +-
charts/ingress-nginx/README.md | 3 +++
.../admission-webhooks/job-patch/job-createSecret.yaml | 4 +++-
.../admission-webhooks/job-patch/job-patchWebhook.yaml | 4 +++-
charts/ingress-nginx/templates/controller-daemonset.yaml | 4 +++-
charts/ingress-nginx/templates/controller-deployment.yaml | 4 +++-
.../ingress-nginx/templates/default-backend-deployment.yaml | 4 +++-
7 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml
index 09f51d4d5..3d5d36a91 100644
--- a/charts/ingress-nginx/Chart.yaml
+++ b/charts/ingress-nginx/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: ingress-nginx
-version: 2.2.0
+version: 2.3.0
 appVersion: 0.32.0
 home: https://github.com/kubernetes/ingress-nginx
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md
index 860ad802c..222d92f42 100644
--- a/charts/ingress-nginx/README.md
+++ b/charts/ingress-nginx/README.md
@@ -49,6 +49,7 @@ Parameter | Description | Default
 --- | --- | ---
 `controller.image.repository` | controller container image repository | `quay.io/kubernetes-ingress-controller/nginx-ingress-controller`
 `controller.image.tag` | controller container image tag | `0.30.0`
+`controller.image.digest` | controller container image digest | `""`
 `controller.image.pullPolicy` | controller container image pull policy | `IfNotPresent`
 `controller.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. | `101`
 `controller.containerPort.http` | The port that the controller container listens on for http connections. | `80`
@@ -164,6 +165,7 @@ Parameter | Description | Default
 `controller.admissionWebhooks.patch.enabled` | If true, will use a pre and post install hooks to generate a CA and certificate to use for the prometheus operator tls proxy, and patch the created webhooks with the CA. | `true`
 `controller.admissionWebhooks.patch.image.repository` | Repository to use for the webhook integration jobs | `jettech/kube-webhook-certgen`
 `controller.admissionWebhooks.patch.image.tag` | Tag to use for the webhook integration jobs | `v1.2.0`
+`controller.admissionWebhooks.patch.image.digest` | Digest to use for the webhook integration jobs | `""`
 `controller.admissionWebhooks.patch.image.pullPolicy` | Image pull policy for the webhook integration jobs | `IfNotPresent`
 `controller.admissionWebhooks.patch.priorityClassName` | Priority class for the webhook integration jobs | `""`
 `controller.admissionWebhooks.patch.podAnnotations` | Annotations for the webhook job pods | `{}`
@@ -183,6 +185,7 @@ Parameter | Description | Default
 `defaultBackend.enabled` | Use default backend component | `false`
 `defaultBackend.image.repository` | default backend container image repository | `k8s.gcr.io/defaultbackend-amd64`
 `defaultBackend.image.tag` | default backend container image tag | `1.5`
+`defaultBackend.image.digest` | default backend container image digest | `""`
 `defaultBackend.image.pullPolicy` | default backend container image pull policy | `IfNotPresent`
 `defaultBackend.image.runAsUser` | User ID of the controller process. Value depends on the Linux distribution used inside of the container image. By default uses nobody user. | `65534`
 `defaultBackend.extraArgs` | Additional default backend container arguments | `{}`
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
index d067efd6f..3b43946b8 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
@@ -32,7 +32,9 @@ spec:
 {{- end }}
 containers:
 - name: create
- image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
+ {{- with .Values.controller.admissionWebhooks.patch.image }}
+ image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
+ {{- end }}
 imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
 args:
 - create
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
index f16c1ecc3..7afd03f2f 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
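Review bot: The new `if (.digest)` branch in the job-createSecret hunk reads a `digest` key that this patch never declares in values.yaml — the diffstat lists seven files and values.yaml is not one of them — so the key is documented only in the README table and rendering depends on the missing-key lookup coming back falsy. Add `digest: ""` under `controller.image`, `controller.admissionWebhooks.patch.image` and `defaultBackend.image` in values.yaml, with a comment along the lines of `# when set, digest takes precedence over tag; use the sha256:<digest-placeholder> form to pin the exact image content`, so operators can see that `tag` is ignored once a digest is set. The same gap applies to the job-patchWebhook, controller-daemonset, controller-deployment and default-backend-deployment hunks. The `containers` entry this line belongs to continues past the end of the hunk.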
@@ -32,7 +32,9 @@ spec:
 {{- end }}
 containers:
 - name: patch
- image: {{ .Values.controller.admissionWebhooks.patch.image.repository }}:{{ .Values.controller.admissionWebhooks.patch.image.tag }}
+ {{- with .Values.controller.admissionWebhooks.patch.image }}
+ image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
+ {{- end }}
 imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }}
 args:
 - patch
diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml
index e0f4800a4..cccd56eb7 100644
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@@ -47,7 +47,9 @@ spec:
 {{- end }}
 containers:
 - name: controller
- image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
+ {{- with .Values.controller.image }}
+ image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
+ {{- end }}
 imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
 {{- if .Values.controller.lifecycle }}
 lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml
index 72d62cb00..e6b612179 100644
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@@ -51,7 +51,9 @@ spec:
 {{- end }}
 containers:
 - name: controller
- image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag }}
+ {{- with .Values.controller.image }}
+ image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
+ {{- end }}
 imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
 {{- if .Values.controller.lifecycle }}
 lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }}
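Review bot: The rewritten `image:` line in the controller-daemonset hunk (identically in the controller-deployment and job-patchWebhook hunks on this line, and in the job-createSecret and default-backend-deployment hunks) renders correctly only because every deliberately inserted space around `@` and `:` is swallowed by a neighbouring `-}}` or `{{-` trim marker, which is hard to read and easy to break on the next edit. The same `repo@digest` / `repo:tag` output falls out of `image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"` with no trims at all. Since the `with` scope closes on the new `{{- end }}` before `imagePullPolicy`, the next line still has to spell out the full `.Values.controller.image.pullPolicy` path; moving `imagePullPolicy: {{ .pullPolicy }}` inside the scope would keep the two image settings together. For auditability it may also be worth rendering `{{ .repository }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }}`, since container runtimes generally resolve a `name:tag@digest` reference by the digest alone while the tag stays visible in pod descriptions — to be confirmed against the runtimes the chart targets.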
diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml
index 63ffe4544..dac925b1b 100644
--- a/charts/ingress-nginx/templates/default-backend-deployment.yaml
+++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml
@@ -36,7 +36,9 @@ spec:
 {{- end }}
 containers:
 - name: {{ template "ingress-nginx.name" . }}-default-backend
- image: {{ .Values.defaultBackend.image.repository }}:{{ .Values.defaultBackend.image.tag }}
+ {{- with .Values.defaultBackend.image }}
+ image: "{{.repository}}{{- if (.digest) -}} @{{.digest}} {{- else -}} :{{ .tag }} {{- end -}}"
+ {{- end }}
 imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }}
 {{- if .Values.defaultBackend.extraArgs }}
 args: