helm: Add the option to disable disgests (#10715)

Author: davidjumani

changelog/v1.19.0-beta15/disable-digest.yaml

@@ -0,0 +1,6 @@
+changelog:
+- type: HELM
+  issueLink: https://github.com/solo-io/gloo/issues/10690
+  resolvesIssue: false
+  description: Adds the new helm value `global.image.disableDigest` to disable adding the container image's hash digest. Defaults to false
+

docs/content/reference/values.txt

@@ -74,6 +74,7 @@ type Image struct {
 	FipsDigest           *string `json:"fipsDigest,omitempty"  desc:"The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant."`
 	DistrolessDigest     *string `json:"distrolessDigest,omitempty"  desc:"The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant."`
 	FipsDistrolessDigest *string `json:"fipsDistrolessDigest,omitempty"  desc:"The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest."`
+	DisableDigest        *bool   `json:"disableDigest,omitempty" desc:"Disables adding the container image's hash digest. Defaults to false"`
 	Registry             *string `json:"registry,omitempty" desc:"The image hostname prefix and registry, such as quay.io/solo-io."`
 	PullPolicy           *string `json:"pullPolicy,omitempty"  desc:"The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting"`
 	PullSecret           *string `json:"pullSecret,omitempty" desc:"The image pull secret to use for the container, in the same namespace as the container pod."`

install/helm/gloo/generate/values.go

@@ -59,23 +59,25 @@ for distroless or fips-distroless variants: add -distroless to the tag
 
 {{- define "gloo.image.digest" -}}
 {{- $digest := "" -}}
-{{- if or .fips (eq .variant "fips") -}}
-  {{- if .fipsDigest -}}
-    {{- $digest = .fipsDigest -}}
-  {{- end -}}{{- /* if .fipsDigest */ -}}
-{{- else if eq .variant "distroless" -}}
-  {{- if .distrolessDigest -}}
-    {{- $digest = .distrolessDigest -}}
-  {{- end -}}{{- /* if .distrolessDigest */ -}}
-{{- else if eq .variant "fips-distroless" -}}
-  {{- if .fipsDistrolessDigest -}}
-    {{- $digest = .fipsDistrolessDigest -}}
-  {{- end -}}{{- /* if .fipsDistrolessDigest */ -}}
-{{- else -}}
-  {{- if .digest -}}{{- /* standard image digest */ -}}
-    {{- $digest = .digest -}}
-  {{- end -}}{{- /* if .digest */ -}}
-{{- end -}}
+{{- if not .disableDigest -}}
+  {{- if or .fips (eq .variant "fips") -}}
+    {{- if .fipsDigest -}}
+      {{- $digest = .fipsDigest -}}
+    {{- end -}}{{- /* if .fipsDigest */ -}}
+  {{- else if eq .variant "distroless" -}}
+    {{- if .distrolessDigest -}}
+      {{- $digest = .distrolessDigest -}}
+    {{- end -}}{{- /* if .distrolessDigest */ -}}
+  {{- else if eq .variant "fips-distroless" -}}
+    {{- if .fipsDistrolessDigest -}}
+      {{- $digest = .fipsDistrolessDigest -}}
+    {{- end -}}{{- /* if .fipsDistrolessDigest */ -}}
+  {{- else -}}
+    {{- if .digest -}}{{- /* standard image digest */ -}}
+      {{- $digest = .digest -}}
+    {{- end -}}{{- /* if .digest */ -}}
+  {{- end -}}
+{{- end -}}{{- /* if not .disableDigests" */ -}}
 {{ $digest }}
 {{- end -}}{{- /* define "gloo.image.digest" */ -}}
 

install/helm/gloo/templates/_helpers.tpl

@@ -281,6 +281,7 @@ global:
   image:
     registry: quay.io/solo-io
     pullPolicy: IfNotPresent
+    disableDigest: false
   glooRbac:
     create: true
     namespaced: false

install/helm/gloo/values-template.yaml

@@ -177,6 +177,29 @@ var _ = Describe("Helm Test", func() {
 				})
 			})
 
+			It("should disableDigests if specified", func() {
+				shaTest := "sha256:1234123412341234123412341234213412341234123412341234123412341234"
+				prepareMakefile(namespace, glootestutils.HelmValues{
+					ValuesArgs: []string{
+						"gloo.deployment.image.digest=" + shaTest,
+						"global.image.disableDigest=true",
+					},
+				})
+				testManifest.SelectResources(func(resource *unstructured.Unstructured) bool {
+					return resource.GetKind() == "Deployment" && resource.GetName() == "gloo"
+				}).ExpectAll(func(deployment *unstructured.Unstructured) {
+					deploymentObject, err := kuberesource.ConvertUnstructured(deployment)
+					ExpectWithOffset(1, err).NotTo(HaveOccurred(), "Failed to render manifest")
+					structuredDeployment, ok := deploymentObject.(*appsv1.Deployment)
+					Expect(ok).To(BeTrue(), fmt.Sprintf("Deployment %+v should be able to cast to a structured deployment", deployment))
+
+					containers := structuredDeployment.Spec.Template.Spec.Containers
+					Expect(containers).To(HaveLen(1), "should have exactly 1 container")
+					image := containers[0].Image
+					Expect(image).ToNot(ContainSubstring(shaTest), "should not have sha digest in image")
+				})
+			})
+
 			It("should have all resources marked with a namespace", func() {
 				prepareMakefile(namespace, glootestutils.HelmValues{
 					ValuesArgs: []string{