Merge pull request #6447 from wallrj/fix-kindest-image-digests

Fix kindest image digests

hack/latest-kind-images.sh

@@ -64,7 +64,7 @@ LATEST_127_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_127_TAG)
 
 # k8s 1.28 is manually added to ensure that we use the exact documented tag as per kind recommendation
 LATEST_128_TAG=v1.28.0
-LATEST_128_DIGEST=sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+LATEST_128_DIGEST=sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
 
 cat << EOF > ./make/kind_images.sh
 # Copyright 2022 The cert-manager Authors.

make/e2e-setup.mk

@@ -155,10 +155,10 @@ endef
 # get the message "warning: undefined variable 'CI'".
 .PHONY: preload-kind-image
 ifeq ($(shell printenv CI),)
-preload-kind-image: | $(NEEDS_CRANE)
+preload-kind-image:
 	@$(CTR) inspect $(IMAGE_kind_$(CRI_ARCH)) 2>/dev/null >&2 || (set -x; $(CTR) pull $(IMAGE_kind_$(CRI_ARCH)))
 else
-preload-kind-image: $(call image-tar,kind) | $(NEEDS_CRANE)
+preload-kind-image: $(call image-tar,kind)
 	$(CTR) inspect $(IMAGE_kind_$(CRI_ARCH)) 2>/dev/null >&2 || $(CTR) load -i $<
 endif
 
@@ -167,13 +167,28 @@ LOAD_TARGETS=load-$(call image-tar,ingressnginx) load-$(call image-tar,kyverno)
 $(LOAD_TARGETS): load-%: % $(BINDIR)/scratch/kind-exists | $(NEEDS_KIND)
 	$(KIND) load image-archive --name=$(shell cat $(BINDIR)/scratch/kind-exists) $*
 
+# Download a single-arch image
+#
+# The input variable IMAGE_example_ARCH must contain the digest of the single-arch image manifest,
+# NOT the multi-arch manifest.
+#
 # We use crane instead of docker when pulling images, which saves some time
 # since we don't care about having the image available to docker.
 #
 # We don't pull using both the digest and tag because crane replaces the
 # tag with "i-was-a-digest". We still check that the downloaded image
 # matches the digest.
-$(call image-tar,kind) $(call image-tar,vault) $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
+#
+# We check that the remote image tag and digest still match what is pinned in
+# the `IMAGE_example_arch` variables (above).
+# This is useful because:
+# 1. It tells us if the image maintainers have deliberately or maliciously
+#    pushed a different image and re-used an existing tag.
+# 2. It makes it easy to learn the new digest when updating the pinned image
+#    tag. The rule will fail and the new digest will be printed out.
+# 3. It prevents us accidentally using the wrong digest when we pin the images
+#    in the variables above.
+$(call image-tar,vault) $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
 	@$(eval IMAGE=$(subst +,:,$*))
 	@$(eval IMAGE_WITHOUT_DIGEST=$(shell cut -d@ -f1 <<<"$(IMAGE)"))
 	@$(eval DIGEST=$(subst $(IMAGE_WITHOUT_DIGEST)@,,$(IMAGE)))
@@ -181,6 +196,21 @@ $(call image-tar,kind) $(call image-tar,vault) $(call image-tar,kyverno) $(call
 	diff <(echo "$(DIGEST)  -" | cut -d: -f2) <($(CRANE) manifest --platform=linux/$(CRI_ARCH) $(IMAGE_WITHOUT_DIGEST) | sha256sum)
 	$(CRANE) pull $(IMAGE_WITHOUT_DIGEST) $@ --platform=linux/$(CRI_ARCH)
 
+# Download the Kind node image
+#
+# This is handled differently from the other image downloads, because:
+# 1. The pinned Kind image references are automatically generated using
+#    `hack/latest-kind-image.sh`.
+# 2. It uses digests that point to the multi-arch manifest, rather than the
+#    actual image.
+# 3. The Kind image tags DO change; each new Kind release has a set of Kind node
+#    images tagged using the Kubernetes version. Subsequent Kind releases may
+#    have an incompatible Kind node image format, but re-use the same Kubernetes
+#    version tags.
+$(call image-tar,kind): $(NEEDS_CRANE)
+	@mkdir -p $(dir $@)
+	$(CRANE) pull $(IMAGE_kind_$(CRI_ARCH)) $@ --platform linux/$(CRI_ARCH)
+
 # Since we dynamically install Vault via Helm during the end-to-end tests,
 # we need its image to be retagged to a well-known tag "local/vault:local".
 $(call local-image-tar,vaultretagged): $(call image-tar,vault)

make/kind_images.sh

@@ -22,7 +22,7 @@ KIND_IMAGE_K8S_126=docker.io/kindest/node@sha256:6e2d8b28a5b601defe327b98bd1c2d1
 KIND_IMAGE_K8S_127=docker.io/kindest/node@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
 
 # Manually set- see hack/latest-kind-images.sh for details
-KIND_IMAGE_K8S_128=docker.io/kindest/node@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+KIND_IMAGE_K8S_128=docker.io/kindest/node@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
 
 # docker.io/kindest/node:v1.22.17
 KIND_IMAGE_SHA_K8S_122=sha256:f5b2e5698c6c9d6d0adc419c0deae21a425c07d81bbf3b6a6834042f25d4fba2
@@ -44,7 +44,7 @@ KIND_IMAGE_SHA_K8S_127=sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e9
 
 # Manually set - see hack/latest-kind-images.sh for details
 # docker.io/kindest/node:v1.28.0
-KIND_IMAGE_SHA_K8S_128=sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+KIND_IMAGE_SHA_K8S_128=sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
 
 # note that these 'full' digests should be avoided since not all tools support them
 # prefer KIND_IMAGE_K8S_*** instead
@@ -56,5 +56,5 @@ KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe
 KIND_IMAGE_FULL_K8S_127=docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
 
 # Manually set - see hack/latest-kind-images.sh for details
-KIND_IMAGE_FULL_K8S_128=docker.io/kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+KIND_IMAGE_FULL_K8S_128=docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31