diff --git a/charts/cf-runtime/.ci/image-digests.sh b/charts/cf-runtime/.ci/image-digests.sh new file mode 100755 index 00000000..2dc3ca33 --- /dev/null +++ b/charts/cf-runtime/.ci/image-digests.sh @@ -0,0 +1,12 @@ +#!/bin/bash +set -eux +MYDIR=$(dirname $0) +REPO_ROOT="${MYDIR}/../../.." + +echo "Update image digests" +docker run \ + -v "$REPO_ROOT:/venona" \ + -u $(id -u) \ + --rm \ + quay.io/codefresh/codefresh-shell:0.0.20 \ + /bin/bash /venona/scripts/update_values_with_digests.sh \ No newline at end of file diff --git a/charts/cf-runtime/Chart.yaml b/charts/cf-runtime/Chart.yaml index b7f78027..3a7f463c 100644 --- a/charts/cf-runtime/Chart.yaml +++ b/charts/cf-runtime/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 description: A Helm chart for Codefresh Runner name: cf-runtime -version: 6.4.8 +version: 6.4.9 keywords: - codefresh - runner @@ -18,8 +18,8 @@ annotations: # Supported kinds: `added`, `changed`, `deprecated`, `removed`, `fixed`, `security`: artifacthub.io/changes: | - kind: added - description: "updating cf-git-cloner image, adding SKIP_TAGS_ON_UPDATE env var to skip tags on update" + description: "Added digests for images" dependencies: - name: cf-common repository: oci://quay.io/codefresh/charts - version: 0.16.0 + version: 0.21.0 diff --git a/charts/cf-runtime/README.md b/charts/cf-runtime/README.md index 4cc1f0b7..435a5a62 100644 --- a/charts/cf-runtime/README.md +++ b/charts/cf-runtime/README.md @@ -1,6 +1,6 @@ ## Codefresh Runner -![Version: 6.4.8](https://img.shields.io/badge/Version-6.4.8-informational?style=flat-square) +![Version: 6.4.9](https://img.shields.io/badge/Version-6.4.9-informational?style=flat-square) Helm chart for deploying [Codefresh Runner](https://codefresh.io/docs/docs/installation/codefresh-runner/) to Kubernetes. 
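Review bot: In `.ci/image-digests.sh` the helper container is still referenced by tag only (`quay.io/codefresh/codefresh-shell:0.0.20`), although it appears to be the job that computes the digests this commit pins everywhere else. The repository root is bind-mounted into it without `:ro`, so whatever that tag resolves to at run time can rewrite the chart's values. Pinning it as `quay.io/codefresh/codefresh-shell:0.0.20@sha256:<digest-of-reviewed-image>` and reviewing the generated values diff before committing would close that gap. The two unquoted expansions should also be quoted, `MYDIR=$(dirname "$0")` and `-u "$(id -u)"`, so a checkout path containing spaces does not break the mount.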
@@ -1003,7 +1003,7 @@ Go to [https:///admin/runtime-environments/system](http | Repository | Name | Version | |------------|------|---------| -| oci://quay.io/codefresh/charts | cf-common | 0.16.0 | +| oci://quay.io/codefresh/charts | cf-common | 0.21.0 | ## Values @@ -1012,7 +1012,7 @@ Go to [https:///admin/runtime-environments/system](http | appProxy.affinity | object | `{}` | Set affinity | | appProxy.enabled | bool | `false` | Enable app-proxy | | appProxy.env | object | `{}` | Add additional env vars | -| appProxy.image | object | `{"registry":"quay.io","repository":"codefresh/cf-app-proxy","tag":"0.0.47"}` | Set image | +| appProxy.image | object | `{"digest":"sha256:324a9b89924152cce195c7239ddd8501c8aa5f901d19bc4d9f3936cbe5dac14f","registry":"quay.io","repository":"codefresh/cf-app-proxy","tag":"0.0.47"}` | Set image | | appProxy.ingress.annotations | object | `{}` | Set extra annotations for ingress object | | appProxy.ingress.class | string | `""` | Set ingress class | | appProxy.ingress.host | string | `""` | Set DNS hostname the ingress will use | @@ -1040,7 +1040,7 @@ Go to [https:///admin/runtime-environments/system](http | event-exporter.affinity | object | `{}` | Set affinity | | event-exporter.enabled | bool | `false` | Enable event-exporter | | event-exporter.env | object | `{}` | Add additional env vars | -| event-exporter.image | object | `{"registry":"docker.io","repository":"codefresh/k8s-event-exporter","tag":"latest"}` | Set image | +| event-exporter.image | object | `{"digest":"sha256:cf52048f1378fb6659dffd1394d68fdf23a7ea709585dc14b5007f3e5a1b7584","registry":"docker.io","repository":"codefresh/k8s-event-exporter","tag":"latest"}` | Set image | | event-exporter.nodeSelector | object | `{}` | Set node selector | | event-exporter.podAnnotations | object | `{}` | Set pod annotations | | event-exporter.podSecurityContext | object | See below | Set security context for the pod | 
@@ -1072,7 +1072,7 @@ Go to [https:///admin/runtime-environments/system](http | monitor.affinity | object | `{}` | Set affinity | | monitor.enabled | bool | `false` | Enable monitor Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component | | monitor.env | object | `{}` | Add additional env vars | -| monitor.image | object | `{"registry":"quay.io","repository":"codefresh/cf-k8s-agent","tag":"1.3.18"}` | Set image | +| monitor.image | object | `{"digest":"sha256:4e010ef4a0792b0953f97959a4ebfdc71d05446b8b19d5007a51ab57a011e19b","registry":"quay.io","repository":"codefresh/cf-k8s-agent","tag":"1.3.18"}` | Set image | | monitor.nodeSelector | object | `{}` | Set node selector | | monitor.podAnnotations | object | `{}` | Set pod annotations | | monitor.podSecurityContext | object | `{}` | | 
@@ -1099,8 +1099,8 @@ Go to [https:///admin/runtime-environments/system](http | runner.affinity | object | `{}` | Set affinity | | runner.enabled | bool | `true` | Enable the runner | | runner.env | object | `{}` | Add additional env vars | -| runner.image | object | `{"registry":"quay.io","repository":"codefresh/venona","tag":"1.10.2"}` | Set image | -| runner.init | object | `{"image":{"registry":"quay.io","repository":"codefresh/cli","tag":"0.85.0-rootless"},"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"0.2","memory":"256Mi"}}}` | Init container | +| runner.image | object | `{"digest":"sha256:f7768390d3368aff0843519368c10a0a97cf98a98f2753a89509cf8f6c9798e1","registry":"quay.io","repository":"codefresh/venona","tag":"1.10.2"}` | Set image | +| runner.init | object | `{"image":{"digest":"sha256:27281df44814d837fbcc41ba53ee8010ce5496eb758c29f775958d713c79c41a","registry":"quay.io","repository":"codefresh/cli","tag":"0.85.0-rootless"},"resources":{"limits":{"cpu":"1","memory":"512Mi"},"requests":{"cpu":"0.2","memory":"256Mi"}}}` | Init container | | runner.nodeSelector | object | `{}` | Set node selector | | runner.podAnnotations | object | `{}` | Set pod annotations | | runner.podSecurityContext | object | See below | Set security context for the pod | 
@@ -1114,17 +1114,17 @@ Go to [https:///admin/runtime-environments/system](http | runner.serviceAccount.annotations | object | `{}` | Additional service account annotations | | runner.serviceAccount.create | bool | `true` | Create service account | | runner.serviceAccount.name | string | `""` | Override service account name | -| runner.sidecar | object | `{"enabled":false,"env":{"RECONCILE_INTERVAL":300},"image":{"registry":"quay.io","repository":"codefresh/codefresh-shell","tag":"0.0.2"},"resources":{}}` | Sidecar container Reconciles runtime spec from Codefresh API for drift detection | +| runner.sidecar | object | `{"enabled":false,"env":{"RECONCILE_INTERVAL":300},"image":{"digest":"sha256:1f2d1f9effa751601a004e69bc9059a848b7428df379d2ef0c3e7858dc5989d0","registry":"quay.io","repository":"codefresh/codefresh-shell","tag":"0.0.2"},"resources":{}}` | Sidecar container Reconciles runtime spec from Codefresh API for drift detection | | runner.tolerations | list | `[]` | Set tolerations | | runner.updateStrategy | object | `{"type":"RollingUpdate"}` | Upgrade strategy | | runtime | object | See below | Set runtime parameters | | runtime.accounts | list | `[]` | (for On-Premise only) Assign accounts to runtime (list of account ids) | | runtime.agent | bool | `true` | (for On-Premise only) Enable agent | | runtime.description | string | `""` | Runtime description | -| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . 
}}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). | +| runtime.dind | object | `{"affinity":{},"env":{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true},"image":{"digest":"sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"pvcs":{"dind":{"annotations":{},"name":"dind","reuseVolumeSelector":"codefresh-app,io.codefresh.accountName","reuseVolumeSortOrder":"pipeline_id","storageClassName":"{{ include \"dind-volume-provisioner.storageClassName\" . }}","volumeSize":"16Gi"}},"resources":{"limits":{"cpu":"400m","memory":"800Mi"},"requests":null},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":30,"tolerations":[],"userAccess":true,"userVolumeMounts":{},"userVolumes":{}}` | Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). | | runtime.dind.affinity | object | `{}` | Set affinity | | runtime.dind.env | object | `{"DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE":true}` | Set additional env vars. | -| runtime.dind.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"}` | Set dind image. | +| runtime.dind.image | object | `{"digest":"sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/dind","tag":"26.1.4-1.28.7"}` | Set dind image. | | runtime.dind.nodeSelector | object | `{}` | Set node selector. | | runtime.dind.podAnnotations | object | `{}` | Set pod annotations. 
| | runtime.dind.podLabels | object | `{}` | Set pod labels. | 
@@ -1144,7 +1144,7 @@ Go to [https:///admin/runtime-environments/system](http | runtime.dind.userVolumeMounts | object | `{}` | Add extra volume mounts | | runtime.dind.userVolumes | object | `{}` | Add extra volumes | | runtime.dindDaemon | object | See below | DinD pod daemon config | -| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100},"image":{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.13"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"COMPOSE_IMAGE":"quay.io/codefresh/compose:v2.28.1-1.5.0","CONTAINER_LOGGER_IMAGE":"quay.io/codefresh/cf-container-logger:1.11.7","COSIGN_IMAGE_SIGNER_IMAGE":"quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2","CR_6177_FIXER":"quay.io/codefresh/alpine:edge","DOCKER_BUILDER_IMAGE":"quay.io/codefresh/cf-docker-builder:1.3.14","DOCKER_PULLER_IMAGE":"quay.io/codefresh/cf-docker-puller:8.0.18","DOCKER_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-pusher:6.0.16","DOCKER_TAG_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-tag-pusher:1.3.14","FS_OPS_IMAGE":"quay.io/codefresh/fs-ops:1.2.3","GC_BUILDER_IMAGE":"quay.io/codefresh/cf-gc-builder:0.5.3","GIT_CLONE_IMAGE":"quay.io/codefresh/cf-git-cloner:10.2.0","KUBE_DEPLOY":"quay.io/codefresh/cf-deploy-kubernetes:16.1.11","PIPELINE_DEBUGGER_IMAGE":"quay.io/codefresh/cf-debugger:1.3.6","TEMPLATE_ENGINE":"quay.io/codefresh/pikolo:0.14.1"},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tol
erations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | +| runtime.engine | object | `{"affinity":{},"command":["npm","run","start"],"env":{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100},"image":{"digest":"sha256:cc152545999f7df33e72e454823ac12f2ec1748f361b0bba1c9b39b3133cbea3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.13"},"nodeSelector":{},"podAnnotations":{},"podLabels":{},"resources":{"limits":{"cpu":"1000m","memory":"2048Mi"},"requests":{"cpu":"100m","memory":"128Mi"}},"runtimeImages":{"COMPOSE_IMAGE":"quay.io/codefresh/compose:v2.28.1-1.5.0@sha256:362977564c096b7c2c007b8478ec87cac13d781839adc271d858290213bd89f2","CONTAINER_LOGGER_IMAGE":"quay.io/codefresh/cf-container-logger:1.11.7@sha256:1e7bcee65203f9fdfc7ee5231cb4d29b179479d70dd42ec9855d20c57ab43c48","COSIGN_IMAGE_SIGNER_IMAGE":"quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2@sha256:5e0993207aa809c25ed70cf89af444d9720892fb4a29deb82db45618b0cae4a9","CR_6177_FIXER":"alpine:edge@sha256:b93f4f6834d5c6849d859a4c07cc88f5a7d8ce5fb8d2e72940d8edd8be343c04","DOCKER_BUILDER_IMAGE":"quay.io/codefresh/cf-docker-builder:1.3.14@sha256:e61f0694fb7477244014be971a0bad724242e4fdefe810f38e5
8990d7db6bdc5","DOCKER_PULLER_IMAGE":"quay.io/codefresh/cf-docker-puller:8.0.18@sha256:1a15c3ae0952d3986de7866a3def8ac7e3e39f668fe87fd46c63d886ca06c6d7","DOCKER_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-pusher:6.0.16@sha256:05efc1af8b1196f1b9b3f0781b4dcc1aa2cdd0ffc1347ee5fa81b16d029ec5c2","DOCKER_TAG_PUSHER_IMAGE":"quay.io/codefresh/cf-docker-tag-pusher:1.3.14@sha256:801caf9100218c9ed638fb5ca205fcc133f54d00468ed81093b22a4f0a0ffae9","FS_OPS_IMAGE":"quay.io/codefresh/fs-ops:1.2.3@sha256:57374ccd5275325fc36b237fb38c77dd1f65c84d5aebfe88c9ea0e434ea20fc9","GC_BUILDER_IMAGE":"quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875","GIT_CLONE_IMAGE":"quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515","KUBE_DEPLOY":"quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76","PIPELINE_DEBUGGER_IMAGE":"quay.io/codefresh/cf-debugger:1.3.6@sha256:4892d72afc0e27718134eff2cb3c1276f731f3d2a41fd76cd73b500310326e47","TEMPLATE_ENGINE":"quay.io/codefresh/pikolo:0.14.1@sha256:fb7173cfed7536f7de68e75996106e2ce3a0a204e6c5609cba0d7eb62c9db9e1"},"schedulerName":"","serviceAccount":"codefresh-engine","terminationGracePeriodSeconds":180,"tolerations":[],"userEnvVars":[],"workflowLimits":{"MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS":600,"MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION":86400,"MAXIMUM_ELECTED_STATE_AGE_ALLOWED":900,"MAXIMUM_RETRY_ATTEMPTS_ALLOWED":20,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED":900,"MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE":300,"TIME_ENGINE_INACTIVE_UNTIL_TERMINATION":300,"TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY":60,"TIME_INACTIVE_UNTIL_TERMINATION":2700}}` | Parameters for Engine pod (aka "pipeline" orchestrator). | | runtime.engine.affinity | object | `{}` | Set affinity | | runtime.engine.command | list | `["npm","run","start"]` | Set container command. 
| | runtime.engine.env | object | `{"CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS":1000,"DOCKER_REQUEST_TIMEOUT_MS":30000,"FORCE_COMPOSE_SERIAL_PULL":false,"LOGGER_LEVEL":"debug","LOG_OUTGOING_HTTP_REQUESTS":false,"METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS":false,"METRICS_PROMETHEUS_ENABLED":true,"METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS":false,"METRICS_PROMETHEUS_HOST":"0.0.0.0","METRICS_PROMETHEUS_PORT":9100}` | Set additional env vars. | @@ -1158,7 +1158,7 @@ Go to [https:///admin/runtime-environments/system](http | runtime.engine.env.METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS | bool | `false` | Enable legacy metrics | | runtime.engine.env.METRICS_PROMETHEUS_HOST | string | `"0.0.0.0"` | Host for Prometheus metrics server | | runtime.engine.env.METRICS_PROMETHEUS_PORT | int | `9100` | Port for Prometheus metrics server | -| runtime.engine.image | object | `{"pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.13"}` | Set image. | +| runtime.engine.image | object | `{"digest":"sha256:cc152545999f7df33e72e454823ac12f2ec1748f361b0bba1c9b39b3133cbea3","pullPolicy":"IfNotPresent","registry":"quay.io","repository":"codefresh/engine","tag":"1.174.13"}` | Set image. | | runtime.engine.nodeSelector | object | `{}` | Set node selector. | | runtime.engine.podAnnotations | object | `{}` | Set pod annotations. | | runtime.engine.podLabels | object | `{}` | Set pod labels. | 
@@ -1212,7 +1212,7 @@ Go to [https:///admin/runtime-environments/system](http | volumeProvisioner.dind-lv-monitor | object | See below | `dind-lv-monitor` DaemonSet parameters (local volumes cleaner) | | volumeProvisioner.enabled | bool | `true` | Enable volume-provisioner | | volumeProvisioner.env | object | `{}` | Add additional env vars | -| volumeProvisioner.image | object | `{"registry":"quay.io","repository":"codefresh/dind-volume-provisioner","tag":"1.35.0"}` | Set image | +| volumeProvisioner.image | object | `{"digest":"sha256:c036ad717391debdf43f8da337b81b5df0e79de274d2d9af1425c675b0296dda","registry":"quay.io","repository":"codefresh/dind-volume-provisioner","tag":"1.35.0"}` | Set image | | volumeProvisioner.nodeSelector | object | `{}` | Set node selector | | volumeProvisioner.podAnnotations | object | `{}` | Set pod annotations | | volumeProvisioner.podSecurityContext | object | See below | Set security context for the pod | diff --git a/charts/cf-runtime/tests/private-registry/private_registry_test.yaml b/charts/cf-runtime/tests/private-registry/private_registry_test.yaml index 36075332..a1165aa7 100644 --- a/charts/cf-runtime/tests/private-registry/private_registry_test.yaml +++ b/charts/cf-runtime/tests/private-registry/private_registry_test.yaml @@ -59,8 +59,8 @@ tests: KUBE_DEPLOY: 'somedomain.io/codefresh/cf-deploy-kubernetes:tagoverride' PIPELINE_DEBUGGER_IMAGE: 'somedomain.io/codefresh/cf-debugger:tagoverride' TEMPLATE_ENGINE: 'somedomain.io/codefresh/pikolo:tagoverride' - CR_6177_FIXER: 'somedomain.io/codefresh/alpine:edge' - GC_BUILDER_IMAGE: 'somedomain.io/codefresh/cf-gc-builder:0.5.3' + CR_6177_FIXER: 'somedomain.io/alpine:tagoverride' + GC_BUILDER_IMAGE: 'somedomain.io/codefresh/cf-gc-builder:tagoverride' COSIGN_IMAGE_SIGNER_IMAGE: 'somedomain.io/codefresh/cf-cosign-image-signer:tagoverride' workflowLimits: MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600 
diff --git a/charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml b/charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml index f032d507..24d65db4 100644 --- a/charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml +++ b/charts/cf-runtime/tests/runtime/runtime_onprem_test.yaml @@ -69,8 +69,8 @@ tests: KUBE_DEPLOY: 'quay.io/codefresh/cf-deploy-kubernetes:tagoverride' PIPELINE_DEBUGGER_IMAGE: 'quay.io/codefresh/cf-debugger:tagoverride' TEMPLATE_ENGINE: 'quay.io/codefresh/pikolo:tagoverride' - CR_6177_FIXER: 'quay.io/codefresh/alpine:edge' - GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3' + CR_6177_FIXER: 'alpine:tagoverride' + GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:tagoverride' COSIGN_IMAGE_SIGNER_IMAGE: 'quay.io/codefresh/cf-cosign-image-signer:tagoverride' workflowLimits: MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600 diff --git a/charts/cf-runtime/tests/runtime/runtime_onprem_values.yaml b/charts/cf-runtime/tests/runtime/runtime_onprem_values.yaml index 113c26bc..2f41ff1f 100644 --- a/charts/cf-runtime/tests/runtime/runtime_onprem_values.yaml +++ b/charts/cf-runtime/tests/runtime/runtime_onprem_values.yaml @@ -16,6 +16,7 @@ runtime: dind: image: tag: tagoverride + digest: "" resources: requests: null limits: @@ -65,6 +66,7 @@ runtime: engine: image: tag: tagoverride + digest: "" command: - one - two @@ -88,6 +90,8 @@ runtime: KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:tagoverride PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:tagoverride TEMPLATE_ENGINE: quay.io/codefresh/pikolo:tagoverride + CR_6177_FIXER: alpine:tagoverride + GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:tagoverride COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:tagoverride env: FOO: BAR diff --git a/charts/cf-runtime/tests/runtime/runtime_test.yaml b/charts/cf-runtime/tests/runtime/runtime_test.yaml index e210da06..0aa9458b 100644 --- a/charts/cf-runtime/tests/runtime/runtime_test.yaml 
+++ b/charts/cf-runtime/tests/runtime/runtime_test.yaml @@ -70,8 +70,8 @@ tests: KUBE_DEPLOY: 'quay.io/codefresh/cf-deploy-kubernetes:tagoverride' PIPELINE_DEBUGGER_IMAGE: 'quay.io/codefresh/cf-debugger:tagoverride' TEMPLATE_ENGINE: 'quay.io/codefresh/pikolo:tagoverride' - CR_6177_FIXER: 'quay.io/codefresh/alpine:edge' - GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3' + CR_6177_FIXER: 'alpine:tagoverride' + GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:tagoverride' COSIGN_IMAGE_SIGNER_IMAGE: 'quay.io/codefresh/cf-cosign-image-signer:tagoverride' userEnvVars: - name: ALICE diff --git a/charts/cf-runtime/tests/runtime/runtime_values.yaml b/charts/cf-runtime/tests/runtime/runtime_values.yaml index 3b73f4f5..7622df74 100644 --- a/charts/cf-runtime/tests/runtime/runtime_values.yaml +++ b/charts/cf-runtime/tests/runtime/runtime_values.yaml @@ -3,6 +3,7 @@ runtime: image: tag: tagoverride pullPolicy: Always + digest: "" resources: requests: null limits: @@ -55,6 +56,7 @@ runtime: image: tag: tagoverride pullPolicy: Always + digest: "" command: - one - two @@ -78,6 +80,8 @@ runtime: KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:tagoverride PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:tagoverride TEMPLATE_ENGINE: quay.io/codefresh/pikolo:tagoverride + CR_6177_FIXER: alpine:tagoverride + GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:tagoverride COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:tagoverride env: FOO: BAR diff --git a/charts/cf-runtime/tests/values-private-registry.yaml b/charts/cf-runtime/tests/values-private-registry.yaml index b9613e3d..6e0271ea 100644 --- a/charts/cf-runtime/tests/values-private-registry.yaml +++ b/charts/cf-runtime/tests/values-private-registry.yaml @@ -6,6 +6,7 @@ runtime: engine: image: tag: tagoverride + digest: "" runtimeImages: COMPOSE_IMAGE: quay.io/codefresh/compose:tagoverride CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:tagoverride 
@@ -18,8 +19,11 @@ runtime: KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:tagoverride PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:tagoverride TEMPLATE_ENGINE: quay.io/codefresh/pikolo:tagoverride + CR_6177_FIXER: alpine:tagoverride + GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:tagoverride COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:tagoverride dind: image: tag: tagoverride + digest: "" diff --git a/charts/cf-runtime/values.yaml b/charts/cf-runtime/values.yaml index c69ecd78..6bf99fb2 100644 --- a/charts/cf-runtime/values.yaml +++ b/charts/cf-runtime/values.yaml @@ -2,7 +2,6 @@ nameOverride: "" # -- String to fully override cf-runtime.fullname template fullnameOverride: "" - # -- Global parameters # @default -- See below global: @@ -10,7 +9,6 @@ global: imageRegistry: "" # -- Global Docker registry secret names as array imagePullSecrets: [] - # -- URL of Codefresh Platform (required!) codefreshHost: "https://g.codefresh.io" # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!) @@ -19,7 +17,6 @@ global: codefreshToken: "" # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!) codefreshTokenSecretKeyRef: {} - # E.g. # codefreshTokenSecretKeyRef: # name: my-codefresh-api-token @@ -28,7 +25,6 @@ global: # -- Account ID (required!) # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information accountId: "" - # -- K8s context name (required!) context: "" # E.g. @@ -56,13 +52,10 @@ global: # agentTokenSecretKeyRef: # name: my-codefresh-agent-secret # key: codefresh-agent-token - # DEPRECATED -- Use `.Values.global.imageRegistry` instead dockerRegistry: "" - # DEPRECATED -- Use `.Values.runtime` instead re: {} - # -- Runner parameters # @default -- See below runner: 
@@ -75,20 +68,19 @@ runner: type: RollingUpdate # -- Set pod annotations podAnnotations: {} - # -- Set image image: registry: quay.io repository: codefresh/venona tag: 1.10.2 - + digest: sha256:f7768390d3368aff0843519368c10a0a97cf98a98f2753a89509cf8f6c9798e1 # -- Init container init: image: registry: quay.io repository: codefresh/cli tag: 0.85.0-rootless - + digest: sha256:27281df44814d837fbcc41ba53ee8010ce5496eb758c29f775958d713c79c41a resources: limits: memory: 512Mi @@ -96,7 +88,6 @@ runner: requests: memory: 256Mi cpu: '0.2' - # -- Sidecar container # Reconciles runtime spec from Codefresh API for drift detection sidecar: @@ -105,10 +96,10 @@ runner: registry: quay.io repository: codefresh/codefresh-shell tag: 0.0.2 + digest: sha256:1f2d1f9effa751601a004e69bc9059a848b7428df379d2ef0c3e7858dc5989d0 env: RECONCILE_INTERVAL: 300 resources: {} - # -- Add additional env vars env: {} # E.g. @@ -123,14 +114,12 @@ runner: name: "" # -- Additional service account annotations annotations: {} - # -- RBAC parameters rbac: # -- Create RBAC resources create: true # -- Add custom rule to the role rules: [] - # -- Set security context for the pod # @default -- See below podSecurityContext: @@ -138,7 +127,6 @@ runner: runAsUser: 10001 runAsGroup: 10001 fsGroup: 10001 - # -- Readiness probe configuration # @default -- See below readinessProbe: @@ -147,7 +135,6 @@ runner: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - # -- Set requests and limits resources: {} # -- Set node selector @@ -156,7 +143,6 @@ runner: tolerations: [] # -- Set affinity affinity: {} - # -- Volume Provisioner parameters # @default -- See below volumeProvisioner: @@ -169,12 +155,12 @@ volumeProvisioner: type: Recreate # -- Set pod annotations podAnnotations: {} - # -- Set image image: registry: quay.io repository: codefresh/dind-volume-provisioner tag: 1.35.0 + digest: sha256:c036ad717391debdf43f8da337b81b5df0e79de274d2d9af1425c675b0296dda # -- Add additional env vars env: {} # E.g. 
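Review bot: The new `digest:` keys under `runner.image`, `runner.init.image` and `runner.sidecar.image` carry no `# --` comment, so nothing tells an operator how `digest` interacts with `tag`. The test values in this commit add `digest: ""` next to every `tag: tagoverride`, which suggests (the templates are not in this diff) that a non-empty digest takes precedence. An operator who overrides only `tag` would then keep running the pinned image, or get a reference whose tag and digest disagree. I would document it on each key, e.g. `# -- Image digest; set to "" when overriding tag`. The same applies to the `runtime.dind.image` hunk further down, whose inline comment still advises switching to the `-rootless` tags without mentioning the digest added beneath it, and to the volumeProvisioner, engine, patch and gencerts image hunks.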
@@ -193,14 +179,12 @@ volumeProvisioner: # serviceAccount: # annotations: # eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" - # -- RBAC parameters rbac: # -- Create RBAC resources create: true # -- Add custom rule to the role rules: [] - # -- Set security context for the pod # @default -- See below podSecurityContext: @@ -208,7 +192,6 @@ volumeProvisioner: runAsUser: 3000 runAsGroup: 3000 fsGroup: 3000 - # -- Set node selector nodeSelector: {} # -- Set resources @@ -217,7 +200,6 @@ volumeProvisioner: tolerations: [] # -- Set affinity affinity: {} - # -- `dind-lv-monitor` DaemonSet parameters # (local volumes cleaner) # @default -- See below @@ -227,6 +209,7 @@ volumeProvisioner: registry: quay.io repository: codefresh/dind-volume-utils tag: 1.29.4 + digest: sha256:42e5b032b743e191a1ee1077b8096d6ee298859d4593d3f4fa06fe7fa60061eb podAnnotations: {} podSecurityContext: enabled: true @@ -237,19 +220,19 @@ volumeProvisioner: resources: {} nodeSelector: {} tolerations: - - key: 'codefresh/dind' - operator: 'Exists' - effect: 'NoSchedule' + - key: 'codefresh/dind' + operator: 'Exists' + effect: 'NoSchedule' volumePermissions: enabled: true image: registry: docker.io repository: alpine tag: 3.18 + digest: sha256:3ddf7bf1d408188f9849efbf4f902720ae08f5131bb39013518b918aa056d0de resources: {} securityContext: runAsUser: 0 # auto - # `dind-volume-cleanup` CronJob parameters # (external volumes cleaner) # @default -- See below @@ -259,6 +242,7 @@ volumeProvisioner: registry: quay.io repository: codefresh/dind-volume-cleanup tag: 1.2.0 + digest: sha256:1af3e3ecc87bf2e26ba07ecef68f54ad100d7e3b5fcf074099f627fd5d917369 env: {} concurrencyPolicy: Forbid schedule: "*/10 * * * *" @@ -274,7 +258,6 @@ volumeProvisioner: nodeSelector: {} affinity: {} tolerations: [] - # Storage parameters for volume-provisioner # @default -- See below storage: 
@@ -282,14 +265,12 @@ storage: backend: local # -- Set filesystem type (`ext4`/`xfs`) fsType: "ext4" - # Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`) # https://kubernetes.io/docs/concepts/storage/volumes/#local # @default -- See below local: # -- Set volume path on the host filesystem volumeParentDir: /var/lib/codefresh/dind-volumes - # Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`) # https://aws.amazon.com/ebs/ # https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration @@ -303,7 +284,6 @@ storage: encrypted: "false" # -- Set KMS encryption key ID (optional) kmsKeyId: "" - # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional) # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions accessKeyId: "" 
@@ -323,27 +303,26 @@ storage: # secretAccessKeySecretKeyRef: # name: # key: - - # E.g. - # ebs: - # volumeType: gp3 - # availabilityZone: us-east-1c - # encrypted: false - # iops: "5000" - # # I/O operations per second. Only effetive when gp3 volume type is specified. - # # Default value - 3000. - # # Max - 16,000 - # throughput: "500" - # # Throughput in MiB/s. Only effective when gp3 volume type is specified. - # # Default value - 125. - # # Max - 1000. - # ebs: - # volumeType: gp2 - # availabilityZone: us-east-1c - # encrypted: true - # kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab" - # accessKeyId: "MYKEYID" - # secretAccessKey: "MYACCESSKEY" + # E.g. + # ebs: + # volumeType: gp3 + # availabilityZone: us-east-1c + # encrypted: false + # iops: "5000" + # # I/O operations per second. Only effetive when gp3 volume type is specified. + # # Default value - 3000. + # # Max - 16,000 + # throughput: "500" + # # Throughput in MiB/s. Only effective when gp3 volume type is specified. + # # Default value - 125. + # # Max - 1000. + # ebs: + # volumeType: gp2 + # availabilityZone: us-east-1c + # encrypted: true + # kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab" + # accessKeyId: "MYKEYID" + # secretAccessKey: "MYACCESSKEY" # Storage parameters example for gce disks # https://cloud.google.com/compute/docs/disks#pdspecs @@ -375,7 +354,6 @@ storage: # "auth_provider_x509_cert_url": "...", # "client_x509_cert_url": "..." # } - # Storage parameters example for Azure Disks # https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks # @default -- See below @@ -387,12 +365,9 @@ storage: # resourceGroup: # DiskIOPSReadWrite: 500 # DiskMBpsReadWrite: 100 - mountAzureJson: false - # -- Set runtime parameters # @default -- See below - runtime: # -- Set annotation on engine Service Account # Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster 
@@ -403,36 +378,33 @@ runtime: # serviceAccount: # annotations: # eks.amazonaws.com/role-arn: "arn:aws:iam:::role/" - # -- Set parent runtime to inherit. # Should not be changes. Parent runtime is controlled from Codefresh side. runtimeExtends: - system/default/hybrid/k8s_low_limits # -- Runtime description description: "" - # -- RBAC parameters rbac: # -- Create RBAC resources create: true # -- Add custom rule to the engine role rules: [] - # -- (for On-Premise only) Enable agent agent: true # -- (for On-Premise only) Set inCluster runtime inCluster: true # -- (for On-Premise only) Assign accounts to runtime (list of account ids) accounts: [] - # -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod). dind: # -- Set dind image. image: registry: quay.io repository: codefresh/dind - tag: 26.1.4-1.28.7 # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind + tag: 26.1.4-1.28.7 # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind pullPolicy: IfNotPresent + digest: sha256:ccaf26ab24db0e00760beba79ce1810a12aef5be296f538ceab416af9ec481f7 # -- Set dind resources. resources: requests: null @@ -501,7 +473,6 @@ runtime: # name: regctl-docker-registry # mountPath: /home/appuser/.docker/ # readOnly: true - # -- Parameters for Engine pod (aka "pipeline" orchestrator). engine: # -- Set image. @@ -510,6 +481,7 @@ runtime: repository: codefresh/engine tag: 1.174.13 pullPolicy: IfNotPresent + digest: sha256:cc152545999f7df33e72e454823ac12f2ec1748f361b0bba1c9b39b3133cbea3 # -- Set container command. command: - npm 
@@ -528,20 +500,20 @@ runtime: # -- Set system(base) runtime images. # @default -- See below. runtimeImages: - COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0 - CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.7 - DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.14 - DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.18 - DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16 - DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14 - FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3 - GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.2.0 - KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11 - PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.6 - TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1 - CR_6177_FIXER: quay.io/codefresh/alpine:edge - GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:0.5.3 - COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2 + COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0@sha256:362977564c096b7c2c007b8478ec87cac13d781839adc271d858290213bd89f2 + CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.7@sha256:1e7bcee65203f9fdfc7ee5231cb4d29b179479d70dd42ec9855d20c57ab43c48 + DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.14@sha256:e61f0694fb7477244014be971a0bad724242e4fdefe810f38e58990d7db6bdc5 + DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.18@sha256:1a15c3ae0952d3986de7866a3def8ac7e3e39f668fe87fd46c63d886ca06c6d7 + DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16@sha256:05efc1af8b1196f1b9b3f0781b4dcc1aa2cdd0ffc1347ee5fa81b16d029ec5c2 + DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14@sha256:801caf9100218c9ed638fb5ca205fcc133f54d00468ed81093b22a4f0a0ffae9 + FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3@sha256:57374ccd5275325fc36b237fb38c77dd1f65c84d5aebfe88c9ea0e434ea20fc9 + GIT_CLONE_IMAGE: 
quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515 + KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76 + PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.6@sha256:4892d72afc0e27718134eff2cb3c1276f731f3d2a41fd76cd73b500310326e47 + TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1@sha256:fb7173cfed7536f7de68e75996106e2ce3a0a204e6c5609cba0d7eb62c9db9e1 + CR_6177_FIXER: alpine:edge@sha256:b93f4f6834d5c6849d859a4c07cc88f5a7d8ce5fb8d2e72940d8edd8be343c04 + GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875 + COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2@sha256:5e0993207aa809c25ed70cf89af444d9720892fb4a29deb82db45618b0cae4a9 # -- Set additional env vars. env: # -- Interval to check the exec status in the container-logger @@ -607,7 +579,6 @@ runtime: # secretKeyRef: # name: github-token # key: token - # -- Parameters for `runtime-patch` post-upgrade/install hook # @default -- See below patch: @@ -616,6 +587,7 @@ runtime: registry: quay.io repository: codefresh/cli tag: 0.85.0-rootless + digest: sha256:27281df44814d837fbcc41ba53ee8010ce5496eb758c29f775958d713c79c41a rbac: enabled: true annotations: {} @@ -627,7 +599,6 @@ runtime: ttlSecondsAfterFinished: 180 env: HOME: /tmp - # -- Parameters for `gencerts-dind` post-upgrade/install hook # @default -- See below gencerts: @@ -636,6 +607,7 @@ runtime: registry: quay.io repository: codefresh/kubectl tag: 1.28.4 + digest: sha256:753e434a8e51c58d3f5daca2dff88073bc7b3bde3a45e0f00d74181176302e37 rbac: enabled: true annotations: {} @@ -645,7 +617,6 @@ runtime: resources: {} tolerations: [] ttlSecondsAfterFinished: 180 - # -- DinD pod daemon config # @default -- See below dindDaemon: 
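Review bot: `CR_6177_FIXER` changes from `quay.io/codefresh/alpine:edge` to `alpine:edge@sha256:…`, which drops the registry and namespace, so the reference now resolves against the container runtime's default registry instead of quay.io/codefresh. Every other entry in `runtimeImages` keeps its `quay.io/codefresh/` prefix. The changelog entry only mentions adding digests, and `update_values_with_digests.sh` keeps whatever precedes `@`, so this looks like a manual edit that should be confirmed. If it is unintended, restore the prefix and re-resolve the digest from that repository, `CR_6177_FIXER: quay.io/codefresh/alpine:edge@<digest resolved from quay.io>`; clusters that allow or mirror only quay.io would otherwise fail or pull from a different source for this one image.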
@@ -661,7 +632,6 @@ runtime: - 192.168.99.100:5000 metrics-addr: 0.0.0.0:9323 experimental: true - # App-Proxy parameters # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation # @default -- See below @@ -675,15 +645,14 @@ appProxy: type: RollingUpdate # -- Set pod annotations podAnnotations: {} - # -- Set image image: registry: quay.io repository: codefresh/cf-app-proxy tag: 0.0.47 + digest: sha256:324a9b89924152cce195c7239ddd8501c8aa5f901d19bc4d9f3936cbe5dac14f # -- Add additional env vars env: {} - # Set app-proxy ingress parameters # @default -- See below ingress: @@ -705,7 +674,6 @@ appProxy: # tlsSecret: "tls-cert-app-proxy" # annotations: # nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130 - # -- Service Account parameters serviceAccount: # -- Create service account @@ -716,7 +684,6 @@ appProxy: namespaced: true # -- Additional service account annotations annotations: {} - # -- RBAC parameters rbac: # -- Create RBAC resources @@ -725,10 +692,8 @@ appProxy: namespaced: true # -- Add custom rule to the role rules: [] - # -- Set security context for the pod podSecurityContext: {} - # -- Readiness probe configuration # @default -- See below readinessProbe: @@ -737,7 +702,6 @@ appProxy: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - # -- Set requests and limits resources: {} # -- Set node selector @@ -746,14 +710,12 @@ appProxy: tolerations: [] # -- Set affinity affinity: {} - # Monitor parameters # @default -- See below monitor: # -- Enable monitor # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component enabled: false - # -- Set number of pods replicasCount: 1 # -- Upgrade strategy 
@@ -761,15 +723,14 @@ monitor: type: RollingUpdate # -- Set pod annotations podAnnotations: {} - # -- Set image image: registry: quay.io repository: codefresh/cf-k8s-agent tag: 1.3.18 + digest: sha256:4e010ef4a0792b0953f97959a4ebfdc71d05446b8b19d5007a51ab57a011e19b # -- Add additional env vars env: {} - # -- Service Account parameters serviceAccount: # -- Create service account @@ -778,7 +739,6 @@ monitor: name: "" # -- Additional service account annotations annotations: {} - # -- RBAC parameters rbac: # -- Create RBAC resources @@ -787,7 +747,6 @@ monitor: namespaced: true # -- Add custom rule to the role rules: [] - # -- Readiness probe configuration # @default -- See below readinessProbe: @@ -796,9 +755,7 @@ monitor: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - podSecurityContext: {} - # -- Set node selector nodeSelector: {} # -- Set resources @@ -807,7 +764,6 @@ monitor: tolerations: [] # -- Set affinity affinity: {} - # -- Add serviceMonitor # @default -- See below serviceMonitor: @@ -819,12 +775,11 @@ serviceMonitor: matchLabels: app: dind endpoints: - - path: /metrics - targetPort: 9100 - relabelings: - - action: labelmap - regex: __meta_kubernetes_pod_label_(.+) - + - path: /metrics + targetPort: 9100 + relabelings: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) # -- Add podMonitor (for engine pods) # @default -- See below podMonitor: @@ -836,9 +791,8 @@ podMonitor: matchLabels: app: runtime podMetricsEndpoints: - - path: /metrics - targetPort: 9100 - + - path: /metrics + targetPort: 9100 runner: # -- Enable pod monitor for runner pod enabled: false @@ -847,9 +801,8 @@ podMonitor: matchLabels: codefresh.io/application: runner podMetricsEndpoints: - - path: /metrics - targetPort: 8080 - + - path: /metrics + targetPort: 8080 volume-provisioner: # -- Enable pod monitor for volumeProvisioner pod enabled: false 
@@ -858,9 +811,8 @@ podMonitor: matchLabels: codefresh.io/application: volume-provisioner podMetricsEndpoints: - - path: /metrics - targetPort: 8080 - + - path: /metrics + targetPort: 8080 # -- Event exporter parameters # @default -- See below event-exporter: @@ -873,15 +825,14 @@ event-exporter: type: Recreate # -- Set pod annotations podAnnotations: {} - # -- Set image image: registry: docker.io repository: codefresh/k8s-event-exporter tag: latest + digest: sha256:cf52048f1378fb6659dffd1394d68fdf23a7ea709585dc14b5007f3e5a1b7584 # -- Add additional env vars env: {} - # -- Service Account parameters serviceAccount: # -- Create service account @@ -890,19 +841,16 @@ event-exporter: name: "" # -- Additional service account annotations annotations: {} - # -- RBAC parameters rbac: # -- Create RBAC resources create: true # -- Add custom rule to the role rules: [] - # -- Set security context for the pod # @default -- See below podSecurityContext: enabled: false - # -- Set node selector nodeSelector: {} # -- Set resources @@ -911,7 +859,6 @@ event-exporter: tolerations: [] # -- Set affinity affinity: {} - # -- Array of extra objects to deploy with the release extraResources: [] # E.g. diff --git a/scripts/update_values_with_digests.sh b/scripts/update_values_with_digests.sh new file mode 100755 index 00000000..4d9933cc --- /dev/null +++ b/scripts/update_values_with_digests.sh 
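Review bot: `event-exporter.image` keeps `tag: latest` while gaining a fixed `digest`, so the tag no longer says which build is deployed, and the pinned digest cannot be mapped to a release from the values alone. Each run of the digest script will also move this pin to whatever `latest` points at on that day, which makes the resulting diff hard to review. Consider replacing the tag with the versioned tag that corresponds to this digest, e.g. `tag: <released-version>`, so the script re-resolves a stable reference. `CR_6177_FIXER` (`alpine:edge`) in the `runtimeImages` hunk has the same floating-tag property.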
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -eou xtrace
+
+MYDIR=$(dirname $0)
+CHARTDIR="${MYDIR}/../charts/cf-runtime"
+VALUES_FILE="${CHARTDIR}/values.yaml"
+
+runtime_images=$(yq e '.runtime.engine.runtimeImages' $VALUES_FILE)
+
+while read -r line; do
+ key=${line%%:*}
+ full_image=${line#*: }
+ image=${full_image%%@*}
+ digest=$(regctl manifest digest $image)
+ yq e -i ".runtime.engine.runtimeImages.$key = \"$image@$digest\"" $VALUES_FILE
+done <<< "$runtime_images"
+
+get_image_digest() {
+ local registry=$1
+ local repository=$2
+ local tag=$3
+
+ digest=$(regctl manifest digest "${registry}/${repository}:${tag}" 2>/dev/null)
+
+ if [[ $? -ne 0 ]]; then
+ echo "Failed to get digest for ${registry}/${repository}:${tag}"
+ echo ""
+ else
+ echo "$digest"
+ fi
+}
+
+yq eval-all '. as $item ireduce ({}; . * $item) | .. | select(has("image")) | path | join(".")' "$VALUES_FILE" | \
+while read -r path; do
+ registry=$(yq eval ".$path.image.registry" "$VALUES_FILE")
+ repository=$(yq eval ".$path.image.repository" "$VALUES_FILE")
+ tag=$(yq eval ".$path.image.tag" "$VALUES_FILE")
+
+ digest=$(get_image_digest "$registry" "$repository" "$tag")
+
+ if [[ -n "$digest" ]]; then
+ yq eval -i ".$path.image.digest = \"$digest\"" "$VALUES_FILE"
+ fi
+done
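Review bot: In `get_image_digest` the failure branch prints "Failed to get digest for …" to stdout, so the caller's `digest=$(get_image_digest …)` captures that text, the `[[ -n "$digest" ]]` test passes, and the error string is written into `.image.digest` in values.yaml. The message should go to stderr, the function should return non-zero, and the value should be checked against the digest format before `yq eval -i` runs; the `2>/dev/null` on the `regctl` call also hides why a lookup failed. Separately, `set -eou xtrace` enables errexit, nounset and xtrace but not pipefail, so a failing `yq eval-all` at the head of the last pipeline leaves the script exiting 0 with no digests updated; `set -euo pipefail` followed by `set -x` would cover that. The expansions `$0`, `$VALUES_FILE` and `$image` in the first half are unquoted, unlike in the second half.

```shell
get_image_digest() {
  # … unchanged: local registry / repository / tag …
  local digest
  if ! digest=$(regctl manifest digest "${registry}/${repository}:${tag}"); then
    echo "Failed to get digest for ${registry}/${repository}:${tag}" >&2
    return 1
  fi
  # Only hand back something that has the shape of a digest.
  [[ "$digest" =~ ^sha256:[0-9a-f]{64}$ ]] || return 1
  echo "$digest"
}

# … unchanged: yq eval-all pipeline, registry / repository / tag lookups …
  digest=$(get_image_digest "$registry" "$repository" "$tag") || continue
  yq eval -i ".$path.image.digest = \"$digest\"" "$VALUES_FILE"
```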