New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: kustomize image digests #11153
Conversation
If I understand correctly,
What I'm not sure is: is it the current digest for the existing tag (in which case the result is fully correct) or is it selecting the digest of the latest tag? I'd really like to update both, but ok with a mid step if it improves the situation. I'm a big fan of having both the informative tag plus synced normative digest. Also, would it be reasonable to support the combined tag@digest approach only and document that, if users want both updated in lockstep? |
@rarkins Yep, your assumptions are correct. When
With this proposed implementation+example, I think the latter: since the
This is definitely a mid-step; I was working on a solution that maintained both, but it awkwardly parsed the
I think that's the most reasonable middle ground, it's the compromise I was willing to make! I can take this PR in that direction.
Thanks for the feedback! |
I would prefer to avoid this behavior, because I think it's downside is far worse than what we have today. Today, we can mislead people that they updated from version X to version X+1 but actually nothing changed. In other words, they stay on a version which hopefully works. With this PR's change, we could be updating them to a completely non-working version for them, because sometimes Have I understood correctly and do you agree?
I think this is definitely best. I would only like to do a digest update if it matches
What if we intentionally skipped any extracted dependency which has both newTag and digest in separate fields and logged a warning that it's unsupported? i.e. support only one field at a time.
Considering how small these YAML files should be, we shouldn't be concerned with "optimization" of two parse-throughs. But if you think the logic itself is too convoluted then it's another matter.
Would that align with what I suggested earlier about intentionally skipping extracted deps with both fields defined? (And let's open a new issue for the advanced case of both fields present, so that one day someone may work out how to elegantly achieve it)
I think warning is best.
I think that's the only one we need. Thanks! |
I've already written some weird samples where it's not clear what should happen. |
This PR is still in progress - I'll edit the OP and mark RFR when it is. But an update: I've ported most of _viceice's cases to https://github.com/thepwagner/renovate-kustomize-image-digests. |
@thepwagner did you saw my previous work here: #8110 ? |
Yep! Sorry, I should have mentioned that. I liked the pattern of a regex to match multiple YAML keys. I figured that pattern would need to include That's what sent me look at pre-splitting the I abandoned the latter approach as - newTag: 3.12.2
name: alpine
digest: sha256:25f5332d060da2c7ea2c8a85d2eac623bd0b5f97d508b165f846c7d172897438
- digest: sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17
newTag: 1.32.1
name: busybox:1.30.0
- newName: amd64/busybox:1.30.1
name: busybox
digest: sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17 So when I realized |
The TODO implementation upstream made this clear, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand enough about these changes to confirm/deny that the docs changes are good.
I added a review comment with some things I noticed.
Co-authored-by: Michael Kriese <michael.kriese@visualon.de> Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
@viceice I've addressed comments, please take a look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ups, some small fix
This comment has been minimized.
This comment has been minimized.
Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
🎉 This PR is included in version 27.4.0 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Changes:
Modifies the
kustomize
manager to:digest
,newTag
ornewName
field.newTag
anddigest
are both specified - as it's not clear what the user's expectation is here.newTag: sha256:...
which does not seem to be valid kustomize.This doesn't support injecting digests where they don't already exist, so it is not fully #8089 .
Context:
I'm using this test repository: https://github.com/thepwagner/renovate-kustomize-image-digests
Kustomize images are complicated, the updated README contains several example possibilities. Renovate's implementation was limited to updating the
newTag
field, but version and digest information might also be included innewName
ordigest
fields. This PR expands thekustomize
manager to integrate those fields.Edge cases exist when the user has provided additional information that kustomize won't use. Those are skipped, with a warning logged:
There's a bias towards formats that provide the version+digest within a single YAML value:
So this is not #8089 , but it is enough for my use case and should be backwards compatible.
Documentation (please check one with an [x])
How I've tested my work (please tick one)
I have verified these changes via: