From c8801e997a9cebb7d4c5f843436007deb72e482d Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Thu, 26 Oct 2023 14:34:04 +0100
Subject: [PATCH 1/3] Use the official multi-arch digest for K8S 1.28 on Kind 0.20.0 https://github.com/kubernetes-sigs/kind/releases/tag/v0.20.0
Signed-off-by: Richard Wall
---
 hack/latest-kind-images.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/latest-kind-images.sh b/hack/latest-kind-images.sh
index 0a139ed86..bac83f96a 100755
--- a/hack/latest-kind-images.sh
+++ b/hack/latest-kind-images.sh
@@ -64,7 +64,7 @@ LATEST_127_DIGEST=$(crane digest $KIND_IMAGE_REPO:$LATEST_127_TAG)
 # k8s 1.28 is manually added to ensure that we use the exact documented tag as per kind recommendation
 LATEST_128_TAG=v1.28.0
-LATEST_128_DIGEST=sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+LATEST_128_DIGEST=sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
 cat << EOF > ./make/kind_images.sh
 # Copyright 2022 The cert-manager Authors.
From c08e34cab1e5d7c3b888fa3e6a286ebc9d38f271 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Thu, 26 Oct 2023 14:43:11 +0100
Subject: [PATCH 2/3] ./hack/latest-kind-images.sh
Signed-off-by: Richard Wall
---
 make/kind_images.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/make/kind_images.sh b/make/kind_images.sh
index 518012cde..c4102fbcf 100644
--- a/make/kind_images.sh
+++ b/make/kind_images.sh
@@ -22,7 +22,7 @@ KIND_IMAGE_K8S_126=docker.io/kindest/node@sha256:6e2d8b28a5b601defe327b98bd1c2d1
 KIND_IMAGE_K8S_127=docker.io/kindest/node@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
 # Manually set- see hack/latest-kind-images.sh for details
-KIND_IMAGE_K8S_128=docker.io/kindest/node@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+KIND_IMAGE_K8S_128=docker.io/kindest/node@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
 # docker.io/kindest/node:v1.22.17
 KIND_IMAGE_SHA_K8S_122=sha256:f5b2e5698c6c9d6d0adc419c0deae21a425c07d81bbf3b6a6834042f25d4fba2
@@ -44,7 +44,7 @@ KIND_IMAGE_SHA_K8S_127=sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e9
 # Manually set - see hack/latest-kind-images.sh for details
 # docker.io/kindest/node:v1.28.0
-KIND_IMAGE_SHA_K8S_128=sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+KIND_IMAGE_SHA_K8S_128=sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
 # note that these 'full' digests should be avoided since not all tools support them
 # prefer KIND_IMAGE_K8S_*** instead
@@ -56,5 +56,5 @@ KIND_IMAGE_FULL_K8S_126=docker.io/kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe
 KIND_IMAGE_FULL_K8S_127=docker.io/kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
 # Manually set - see hack/latest-kind-images.sh for details
-KIND_IMAGE_FULL_K8S_128=docker.io/kindest/node:v1.28.0@sha256:9f3ff58f19dcf1a0611d11e8ac989fdb30a28f40f236f59f0bea31fb956ccf5c
+KIND_IMAGE_FULL_K8S_128=docker.io/kindest/node:v1.28.0@sha256:b7a4cad12c197af3ba43202d3efe03246b3f0793f162afb40a33c923952d5b31
From 1329c71f27451d65cd2fb0285c56d67f9bb05581 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Thu, 26 Oct 2023 16:00:18 +0100
Subject: [PATCH 3/3] Add a dedicated rule for kindest node And explain why
Signed-off-by: Richard Wall
---
 make/e2e-setup.mk | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 9cb5f5aa4..4468df780 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
@@ -155,10 +155,10 @@ endef
 # get the message "warning: undefined variable 'CI'".
 .PHONY: preload-kind-image
 ifeq ($(shell printenv CI),)
-preload-kind-image: | $(NEEDS_CRANE)
+preload-kind-image:
 @$(CTR) inspect $(IMAGE_kind_$(CRI_ARCH)) 2>/dev/null >&2 || (set -x; $(CTR) pull $(IMAGE_kind_$(CRI_ARCH)))
 else
-preload-kind-image: $(call image-tar,kind) | $(NEEDS_CRANE)
+preload-kind-image: $(call image-tar,kind)
 $(CTR) inspect $(IMAGE_kind_$(CRI_ARCH)) 2>/dev/null >&2 || $(CTR) load -i $<
 endif
@@ -167,13 +167,28 @@ LOAD_TARGETS=load-$(call image-tar,ingressnginx) load-$(call image-tar,kyverno)
 $(LOAD_TARGETS): load-%: % $(BINDIR)/scratch/kind-exists | $(NEEDS_KIND)
 $(KIND) load image-archive --name=$(shell cat $(BINDIR)/scratch/kind-exists) $*
+# Download a single-arch image
+#
+# The input variable IMAGE_example_ARCH must contain the digest of the single-arch image manifest,
+# NOT the multi-arch manifest.
+#
 # We use crane instead of docker when pulling images, which saves some time
 # since we don't care about having the image available to docker.
 #
 # We don't pull using both the digest and tag because crane replaces the
 # tag with "i-was-a-digest". We still check that the downloaded image
 # matches the digest.
-$(call image-tar,kind) $(call image-tar,vault) $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
+#
+# We check that the remote image tag and digest still match what is pinned in
+# the `IMAGE_example_arch` variables (above).
+# This is useful because:
+# 1. It tells us if the image maintainers have deliberately or maliciously
+# pushed a different image and re-used an existing tag.
+# 2. It makes it easy to learn the new digest when updating the pinned image
+# tag. The rule will fail and the new digest will be printed out.
+# 3. It prevents us accidentally using the wrong digest when we pin the images
+# in the variables above.
+$(call image-tar,vault) $(call image-tar,kyverno) $(call image-tar,kyvernopre) $(call image-tar,bind) $(call image-tar,projectcontour) $(call image-tar,sampleexternalissuer) $(call image-tar,ingressnginx): $(BINDIR)/downloaded/containers/$(CRI_ARCH)/%.tar: | $(NEEDS_CRANE)
 @$(eval IMAGE=$(subst +,:,$*))
 @$(eval IMAGE_WITHOUT_DIGEST=$(shell cut -d@ -f1 <<<"$(IMAGE)"))
 @$(eval DIGEST=$(subst $(IMAGE_WITHOUT_DIGEST)@,,$(IMAGE)))
@@ -181,6 +196,21 @@ $(call image-tar,kind) $(call image-tar,vault) $(call image-tar,kyverno) $(call
 diff <(echo "$(DIGEST) -" | cut -d: -f2) <($(CRANE) manifest --platform=linux/$(CRI_ARCH) $(IMAGE_WITHOUT_DIGEST) | sha256sum)
 $(CRANE) pull $(IMAGE_WITHOUT_DIGEST) $@ --platform=linux/$(CRI_ARCH)
+# Download the Kind node image
+#
+# This is handled differently from the other image downloads, because:
+# 1. The pinned Kind image references are automatically generated using
+# `hack/latest-kind-image.sh`.
+# 2. It uses digests that point to the multi-arch manifest, rather than the
+# actual image.
+# 3. The Kind image tags DO change; each new Kind release has a set of Kind node
+# images tagged using the Kubernetes version. Subsequent Kind releases may
+# have an incompatible Kind node image format, but re-use the same Kubernetes
+# version tags.
+$(call image-tar,kind): $(NEEDS_CRANE)
+ @mkdir -p $(dir $@)
+ $(CRANE) pull $(IMAGE_kind_$(CRI_ARCH)) $@ --platform linux/$(CRI_ARCH)
+
 # Since we dynamically install Vault via Helm during the end-to-end tests,
 # we need its image to be retagged to a well-known tag "local/vault:local".
 $(call local-image-tar,vaultretagged): $(call image-tar,vault)
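Review bot: The sentence kept at the end of the old comment, `We still check that the downloaded image matches the digest`, overstates what the recipe does and now sits next to a new paragraph that describes it correctly. The recipe lines visible in the following hunk hash the remote manifest (`$(CRANE) manifest ... | sha256sum`) and then pull by tag, so the tarball is never compared with the pin and the tag can move between the two commands. I would reword it to `# We check the remote manifest digest against the pin, then pull by tag.`. The block also spells the variable both `IMAGE_example_ARCH` and `IMAGE_example_arch`; one spelling is enough. The recipe of this rule runs past the end of the hunk.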
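Review bot: The new `$(call image-tar,kind)` rule has no digest comparison of its own, so its integrity rests on `IMAGE_kind_$(CRI_ARCH)` holding an `@sha256:` reference; that variable is defined outside this hunk and presumably comes from the generated `KIND_IMAGE_K8S_*` values. A guard as the first recipe line would make the assumption explicit: `@$(if $(findstring @sha256:,$(IMAGE_kind_$(CRI_ARCH))),,$(error IMAGE_kind_$(CRI_ARCH) is not pinned by digest))`. `$(NEEDS_CRANE)` is a normal prerequisite here but order-only on the rule above, so the node image is re-downloaded whenever the crane target is newer than the tarball; `$(call image-tar,kind): | $(NEEDS_CRANE)` keeps the two rules consistent. The comment names `hack/latest-kind-image.sh`, while the script changed earlier in this series is `hack/latest-kind-images.sh`.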