feat: pin cert-manager image to sha256 checksum (#2721)

2024-10-01 01:36:09 -04:00 · 2023-12-18 09:28:50 +01:00 · 2023-12-18 09:28:50 +01:00 · 88d626d302
commit 88d626d302
parent 183c564483
2 changed files with 119 additions and 179 deletions
--- a/internal/constellation/helm/charts/cert-manager/values.yaml
+++ b/internal/constellation/helm/charts/cert-manager/values.yaml
@ -23,24 +23,19 @@ global:
    create: true
    # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
    aggregateClusterRoles: true
  podSecurityPolicy:
    enabled: false
    useAppArmor: true
  # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
  logLevel: 2
  leaderElection:
    # Override the namespace used for the leader election lease
    namespace: "kube-system"
    # The duration that non-leader candidates will wait after observing a
    # leadership renewal until attempting to acquire leadership of a led but
    # unrenewed leader slot. This is effectively the maximum duration that a
    # leader can be stopped before it is replaced by another candidate.
    # leaseDuration: 60s
 # The interval between attempts by the acting master to renew a leadership
 # slot before it stops leading. This must be less than or equal to the
 # lease duration.
@ -49,11 +44,8 @@ global:
 # The duration the clients should wait between attempting acquisition and
 # renewal of a leadership.
 # retryPeriod: 15s
 installCRDs: false
 replicaCount: 1
 strategy: {}
 # type: RollingUpdate
 # rollingUpdate:
@ -62,10 +54,8 @@ strategy: {}
 podDisruptionBudget:
  enabled: false
  minAvailable: 1
  # maxUnavailable: 1
 # minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
 # or a percentage value (e.g. 25%)
@ -75,10 +65,8 @@ podDisruptionBudget:
 # https://github.com/cert-manager/cert-manager/pull/6093
 # Use webhook.extraArgs to pass --feature-gates flag directly instead.
 featureGates: ""
 # The maximum number of challenges that can be scheduled as 'processing' at once
 maxConcurrentChallenges: 60
 image:
  repository: quay.io/jetstack/cert-manager-controller
  # You can manage a registry with
@ -92,17 +80,15 @@ image:
  # Setting a digest will override any tag
  # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
  pullPolicy: IfNotPresent
-
+  digest: sha256:fb2546fe51e49206dbf72bb0d6f909a0018eda0c2b024547b03d3f3d604e4c5e
 # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
 # resources. By default, the same namespace as cert-manager is deployed within is
 # used. This namespace will not be automatically created by the Helm chart.
 clusterResourceNamespace: ""
 # This namespace allows you to define where the services will be installed into
 # if not set then they will use the namespace of the release
 # This is helpful when installing cert manager as a chart dependency (sub chart)
 namespace: ""
 serviceAccount:
  # Specifies whether a service account should be created
  create: true
@ -115,23 +101,19 @@ serviceAccount:
  # Optional additional labels to add to the controller's ServiceAccount
  # labels: {}
  automountServiceAccountToken: true
 # Automounting API credentials for a particular pod
 # automountServiceAccountToken: true
 # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
 enableCertificateOwnerRef: false
 # Setting Nameservers for DNS01 Self Check
 # See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
 # Comma separated string with host and port of the recursive nameservers cert-manager should query
 dns01RecursiveNameservers: ""
 # Forces cert-manager to only use the recursive nameservers for verification.
 # Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
 dns01RecursiveNameserversOnly: false
 # Additional command line flags to pass to cert-manager controller binary.
 # To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
 extraArgs: []
@ -153,7 +135,6 @@ securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
 # Container Security Context to be set on the controller component container
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 containerSecurityContext:
@ -163,20 +144,14 @@ containerSecurityContext:
      - ALL
      # readOnlyRootFilesystem: true
      # runAsNonRoot: true
 volumes: []
 volumeMounts: []
 # Optional additional annotations to add to the controller Deployment
 # deploymentAnnotations: {}
 # Optional additional annotations to add to the controller Pods
 # podAnnotations: {}
 podLabels: {}
 # Optional annotations to add to the controller Service
 # serviceAnnotations: {}
@ -193,10 +168,8 @@ podLabels: {}
 #   nameservers:
 #     - "1.1.1.1"
 #     - "8.8.8.8"
 nodeSelector:
  kubernetes.io/os: linux
 ingressShim: {}
 # defaultIssuerName: ""
 # defaultIssuerKind: ""
@ -214,7 +187,6 @@ prometheus:
    labels: {}
    annotations: {}
    honorLabels: false
 # Use these variables to configure the HTTP_PROXY environment variables
 # http_proxy: "http://proxy:8080"
 # https_proxy: "https://proxy:8080"
@ -232,7 +204,6 @@ prometheus:
 #            values:
 #            - master
 affinity: {}
 # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
 # for example:
 #   tolerations:
@ -241,7 +212,6 @@ affinity: {}
 #     value: master
 #     effect: NoSchedule
 tolerations: []
 # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
 # for example:
 #   topologySpreadConstraints:
@ -253,7 +223,6 @@ tolerations: []
 #         app.kubernetes.io/instance: cert-manager
 #         app.kubernetes.io/component: controller
 topologySpreadConstraints: []
 # LivenessProbe settings for the controller container of the controller Pod.
 #
 # Disabled by default, because the controller has a leader election mechanism
@ -269,11 +238,9 @@ livenessProbe:
  timeoutSeconds: 15
  successThreshold: 1
  failureThreshold: 8
 webhook:
  replicaCount: 1
  timeoutSeconds: 10
  # Used to configure options for the webhook pod.
  # This allows setting options that'd usually be provided via flags.
  # An APIVersion and Kind must be specified in your values.yaml file.
@ -290,7 +257,6 @@ webhook:
  # This should be uncommented and set as a default by the chart once we graduate
  # the apiVersion of WebhookConfiguration past v1alpha1.
  # securePort: 10250
  strategy: {}
  # type: RollingUpdate
  # rollingUpdate:
@ -303,13 +269,10 @@ webhook:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
    # maxUnavailable: 1
  # minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
  # or a percentage value (e.g. 25%)
@ -322,7 +285,6 @@ webhook:
        - ALL
        # readOnlyRootFilesystem: true
        # runAsNonRoot: true
  # Optional additional annotations to add to the webhook Deployment
  # deploymentAnnotations: {}
@ -364,22 +326,15 @@ webhook:
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 1
  nodeSelector:
    kubernetes.io/os: linux
  affinity: {}
  tolerations: []
  topologySpreadConstraints: []
  # Optional additional labels to add to the Webhook Pods
  podLabels: {}
  # Optional additional labels to add to the Webhook Service
  serviceLabels: {}
  image:
    repository: quay.io/jetstack/cert-manager-webhook
    # You can manage a registry with
@ -392,9 +347,8 @@ webhook:
    # Setting a digest will override any tag
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
    pullPolicy: IfNotPresent
-
+    digest: sha256:db0bb8c02c0b82f3055315fbc52ad41b90fbe94f82431a0d76666f7c6beeb7f0
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
@ -407,7 +361,6 @@ webhook:
    # labels: {}
    # Automount API credentials for a Service Account.
    automountServiceAccountToken: true
  # Automounting API credentials for a particular pod
  # automountServiceAccountToken: true
@ -417,7 +370,6 @@ webhook:
  # securePort: 10250, will work out of the box without needing to add firewall
  # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
  securePort: 10250
  # Specifies if the webhook should be started in hostNetwork mode.
  #
  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
@ -428,7 +380,6 @@ webhook:
  # network, `webhook.securePort` should be changed to an available port if
  # running in hostNetwork mode.
  hostNetwork: false
  # Specifies how the service should be handled. Useful if you want to expose the
  # webhook to outside of the cluster. In some cases, the control plane cannot
  # reach internal services.
@ -464,14 +415,11 @@ webhook:
        to:
          - ipBlock:
              cidr: 0.0.0.0/0
  volumes: []
  volumeMounts: []
 cainjector:
  enabled: true
  replicaCount: 1
  strategy: {}
  # type: RollingUpdate
  # rollingUpdate:
@ -484,13 +432,10 @@ cainjector:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
    # maxUnavailable: 1
  # minAvailable and maxUnavailable can either be set to an integer (e.g. 1)
  # or a percentage value (e.g. 25%)
@ -503,8 +448,6 @@ cainjector:
        - ALL
        # readOnlyRootFilesystem: true
        # runAsNonRoot: true
  # Optional additional annotations to add to the cainjector Deployment
  # deploymentAnnotations: {}
@ -524,16 +467,11 @@ cainjector:
  nodeSelector:
    kubernetes.io/os: linux
  affinity: {}
  tolerations: []
  topologySpreadConstraints: []
  # Optional additional labels to add to the CA Injector Pods
  podLabels: {}
  image:
    repository: quay.io/jetstack/cert-manager-cainjector
    # You can manage a registry with
@ -546,9 +484,8 @@ cainjector:
    # Setting a digest will override any tag
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
    pullPolicy: IfNotPresent
-
+    digest: sha256:2a70d9497a645101210d077874c35dc0431233d8c6e53a851835ca301523d64b
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
@ -561,13 +498,10 @@ cainjector:
    # Optional additional labels to add to the cainjector's ServiceAccount
    # labels: {}
    automountServiceAccountToken: true
  # Automounting API credentials for a particular pod
  # automountServiceAccountToken: true
  volumes: []
  volumeMounts: []
 acmesolver:
  image:
    repository: quay.io/jetstack/cert-manager-acmesolver
@ -575,6 +509,7 @@ acmesolver:
    # registry: quay.io
    # repository: jetstack/cert-manager-acmesolver
    digest: sha256:12a62e54ba8defda94df71ef76f9c8fe68405d59370f665991734d6b692e35f2
 # Override the image tag to deploy by setting this variable.
 # If no value is set, the chart's appVersion will be used.
 # tag: canary
@ -591,14 +526,12 @@ acmesolver:
 # See https://github.com/cert-manager/cert-manager/pull/4414 for context.
 startupapicheck:
  enabled: true
  # Pod Security Context to be set on the startupapicheck component Pod
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  # Container Security Context to be set on the controller component container
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  containerSecurityContext:
@ -608,26 +541,21 @@ startupapicheck:
        - ALL
        # readOnlyRootFilesystem: true
        # runAsNonRoot: true
  # Timeout for 'kubectl check api' command
  timeout: 1m
  # Job backoffLimit
  backoffLimit: 4
  # Optional additional annotations to add to the startupapicheck Job
  jobAnnotations:
    helm.sh/hook: post-install
    helm.sh/hook-weight: "1"
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  # Optional additional annotations to add to the startupapicheck Pods
  # podAnnotations: {}
  # Additional command line flags to pass to startupapicheck binary.
  # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
  extraArgs: []
  resources: {}
  # requests:
  #   cpu: 10m
@ -635,14 +563,10 @@ startupapicheck:
  nodeSelector:
    kubernetes.io/os: linux
  affinity: {}
  tolerations: []
  # Optional additional labels to add to the startupapicheck Pods
  podLabels: {}
  image:
    repository: quay.io/jetstack/cert-manager-ctl
    # You can manage a registry with
@ -655,23 +579,19 @@ startupapicheck:
    # Setting a digest will override any tag
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
    pullPolicy: IfNotPresent
-
+    digest: sha256:1b988a4a2ae83aae995d396fa67fdb4c90bc55bc91ea74679f17c6c347541406
  rbac:
    # annotations for the startup API Check job RBAC and PSP resources
    annotations:
      helm.sh/hook: post-install
      helm.sh/hook-weight: "-5"
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  # Automounting API credentials for a particular pod
  # automountServiceAccountToken: true
  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    # name: ""
@ -681,12 +601,9 @@ startupapicheck:
      helm.sh/hook: post-install
      helm.sh/hook-weight: "-5"
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    # Automount API credentials for a Service Account.
    automountServiceAccountToken: true
    # Optional additional labels to add to the startupapicheck's ServiceAccount
    # labels: {}
  volumes: []
  volumeMounts: []
--- a/internal/constellation/helm/generateCertManager.sh
+++ b/internal/constellation/helm/generateCertManager.sh
@ -5,17 +5,40 @@ set -o errtrace
 shopt -s inherit_errexit
 echo "Pulling cert-manager Helm chart..."
 version="1.12.6"
 function cleanup {
-  rm -r "charts/cert-manager/README.md" "charts/cert-manager-v1.12.6.tgz"
+  rm -r "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
 }
 trap cleanup EXIT
 helm pull cert-manager \
-  --version 1.12.6 \
+  --version "${version}" \
  --repo "https://charts.jetstack.io" \
  --untar \
  --untardir "charts"
 get_sha256_hash() {
  local component="$1"
  local url="https://quay.io/v2/jetstack/${component}/manifests/v${version}"
  curl -fsSL -H "Accept: application/vnd.docker.distribution.manifest.v2+json" "${url}" | sha256sum | awk '{print $1}'
 }
 echo "Pinning cert-manager images..."
 v=$(get_sha256_hash "cert-manager-controller")
 yq eval -i '.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 v=$(get_sha256_hash "cert-manager-webhook")
 yq eval -i '.webhook.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 v=$(get_sha256_hash "cert-manager-cainjector")
 yq eval -i '.cainjector.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 v=$(get_sha256_hash "cert-manager-acmesolver")
 yq eval -i '.acmesolver.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 v=$(get_sha256_hash "cert-manager-ctl")
 yq eval -i '.startupapicheck.image.digest = "sha256:'"${v}"'"' charts/cert-manager/values.yaml
 echo # final newline