Kustomize: support docker digest pinning

[rarkins]

What would you like Renovate to be able to do?

Pin digests for docker images in Kustomize

Did you already have any implementation ideas?

Likely we need to use autoReplaceStringTemplate

[daurnimator]

We'd love this feature (and infact it would be required to use renovate)!
Is there any way to jury-rig it?

[rarkins]

If you set a digest manually then you should find it updates fine after that. This FR is just to automate the state of going from no digest to digest.

[daurnimator]

If you set a digest manually then you should find it updates fine after that. This FR is just to automate the state of going from no digest to digest.

In https://github.com/hashbang/gitops/blob/4df5f4c7f815ed2e993c7e15122bb4f4f60926f2/argocd/kustomization.yaml the images section was not updated, it still contains:

  - name: argoproj/argocd:v1.7.7
    digest: sha256:b835999eb5cf75d01a2678cd971095926d9c2566c9ffe746d04b83a6a0a2849f

[viceice]

digest pinning is currently not supported on kustomize, you can workaround using regex manager. looking into it

[viceice]

It's partially supported if you put digest to newTag, see #7987

[rarkins]

We maybe don't support that particular syntax. Can you create a reproduction repo (ie as simple as possible) and crest a separate issue to track?

[viceice]

Kustomize images are more complicated than i initially thought.

This are all working samples taken from here

kind: Kustomization

resources:
- deployment.yaml

images:
  - name: renovate/renovate
    newTag: 19-slim

  - name: mariadb
    digest: sha256:3f18ce9e12e3ece07029895336f5497eeb2d9cb8fe148cc54d4905f77cbc062d

  - name: alpine
    newTag: 3.12.2
    digest: sha256:25f5332d060da2c7ea2c8a85d2eac623bd0b5f97d508b165f846c7d172897438

  - name: postgres
    newTag: 11@sha256:b0cfe264cb1143c7c660ddfd5c482464997d62d6bc9f97f8fdf3deefce881a8c

  - name: busybox:1.30.0
    digest: sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17
    newTag: 1.32.1

  - name: busybox
    newName: amd64/busybox:1.30.1

  - name: busybox:1.0.0@sha256:e1488cb900233d035575f0a7787448cb1fa93bed0ccc0d4efc1963d7d72a8f17
    newName: amd64/busybox:1.1.1@sha256:53071b97a88426d4db86d0e8436ac5c869124d2c414caf4c9e4a4e48769c7f37

For some of them it's not clear what renovate should do.

[viceice]

If both newTag and digest are set, newTag is ignored. not sure what happend if i add a newTagor digest property to last sample above. 🤔

[davidspek]

Just wanted to chime in here that I'd love to have this feature for my Kubeflow deployment repository. @viceice Is there any way I can help with #8110 to have this implemented?

[viceice]

@davidspek You can use my pr / branch as base and try to finish. But there are so many edge cases we need to define before any future work can be done. See my comments above.

[thepwagner]

#11153 is a tangential solution if anyone wants to try

It skips the hard bits that would fully support pinning:

• Existing digests are updated, but tagged images won't be converted to digests
• It skips instances where newTag: and digest: are both supported, suggesting newTag: tag@digest be used instead

Aside: it seems everyone who wants this is running Argo.

[github-actions]

Hi there,

Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.

Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on creating a minimal reproduction.

We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team