Switch backend and frontend to use Digest instead of commit sha

backend/Makefile

@@ -4,7 +4,6 @@ HELM_CMD ?= helm upgrade --install
 
 CURRENT_COMMIT := $(shell git rev-parse --short=7 HEAD)
 ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
-ARO_HCP_IMAGE_REPOSITORY ?= arohcpbackend
 ARO_HCP_BACKEND_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(ARO_HCP_IMAGE_REPOSITORY)
 
 .DEFAULT_GOAL := backend
@@ -37,7 +36,7 @@ push: image
 .PHONY: push
 
 deploy:
-	IMAGE_TAG=$$(../get-tag.sh ${ARO_HCP_IMAGE_ACR} arohcpbackend) \
+	DIGEST=$$(../get-digest.sh ${ARO_HCP_IMAGE_ACR} arohcpbackend) \
 	BACKEND_MI_CLIENT_ID=$$(az identity show \
 			-g ${RESOURCEGROUP} \
 			-n backend \
@@ -51,9 +50,9 @@ deploy:
 		--set configMap.databaseUrl="$${DB_URL}" \
 		--set configMap.backendMiClientId="$${BACKEND_MI_CLIENT_ID}" \
 		--set serviceAccount.workloadIdentityClientId="$${BACKEND_MI_CLIENT_ID}" \
-		--set configMap.currentVersion=${ARO_HCP_BACKEND_IMAGE}:$${IMAGE_TAG} \
+		--set configMap.currentVersion=${ARO_HCP_BACKEND_IMAGE}:$${DIGEST} \
 		--set configMap.location=${LOCATION} \
-		--set deployment.imageName=${ARO_HCP_BACKEND_IMAGE}:$${IMAGE_TAG} \
+		--set deployment.imageName=${ARO_HCP_BACKEND_IMAGE}@$${DIGEST} \
 		--namespace aro-hcp
 .PHONY: deploy
 

backend/pipeline.yaml

@@ -24,7 +24,9 @@ resourceGroups:
       configRef: svc.aks.name
     - name: DB_NAME
       configRef: frontend.cosmosDB.name
-    - name: COMMIT
-      configRef: backend.imageTag
+    - name: IMAGE_DIGEST
+      configRef: backend.image.digest
+    - name: ARO_HCP_IMAGE_REPOSITORY
+      configRef: backend.image.repository
     - name: ISTO_TAG
       configRef: svc.istio.tag

config/config.msft.yaml

@@ -226,9 +226,13 @@ clouds:
           image:
             digest: sha256:4affed9ff6397a5c44e9d1451fd58667f56e826b122819ccb6e1e8e045803c18
       frontend:
-        imageTag: 8dab517
+        image:
+          repository: arohcpfrontend
+          digest: sha256:0c087b6cdcc34d6e66c252dc21880b53a99e869b0ebd928ddbd7a06f481140ca
       backend:
-        imageTag: 8dab517
+        image:
+          repository: arohcpbackend
+          digest: sha256:eba8cee29ab7367f0acc2856d5bf01e13d535b0fabe6899784a01378fdfe74a9
 
     environments:
       int:

config/config.schema.json

@@ -360,20 +360,20 @@
     "backend": {
       "type": "object",
       "properties": {
-        "imageTag": {
-          "type": "string"
+        "image": {
+          "$ref": "#/definitions/containerImage"
         }
       },
       "additionalProperties": false,
       "required": [
-        "imageTag"
+        "image"
       ]
     },
     "frontend": {
       "type": "object",
       "properties": {
-        "imageTag": {
-          "type": "string"
+        "image": {
+          "$ref": "#/definitions/containerImage"
         },
         "cosmosDB": {
           "type": "object",
@@ -421,7 +421,7 @@
       },
       "additionalProperties": false,
       "required": [
-        "imageTag",
+        "image",
         "cosmosDB",
         "cert"
       ]

config/config.yaml

@@ -228,10 +228,14 @@ clouds:
           digest: sha256:c802cd5c71b279926ed3f02871d5a414d0b852dd276406046fc4e893404d468f
       # Frontend
       frontend:
-        imageTag: '' # if empty uses commit sha of repo
+        image:
+          repository: arohcpfrontend
+          digest: '' # if empty uses commit sha of repo
       # Backend
       backend:
-        imageTag: '' # if empty uses commit sha of repo
+        image:
+          repository: arohcpbackend
+          digest: '' # if empty uses commit sha of repo
       # Shared SVC KV
       serviceKeyVault:
         name: 'aro-hcp-dev-svc-kv'

config/public-cloud-cs-pr.json

@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity",
   "backend": {
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Disabled"
     },
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-rollout-identity",

config/public-cloud-dev.json

@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity",
   "backend": {
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Disabled"
     },
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-rollout-identity",

config/public-cloud-msft-int.json

@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/5299e6b7-b23b-46c8-8277-dc1147807117/resourcegroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-ev2-identity",
   "backend": {
-    "imageTag": "8dab517"
+    "image": {
+      "digest": "sha256:eba8cee29ab7367f0acc2856d5bf01e13d535b0fabe6899784a01378fdfe74a9",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Auto"
     },
-    "imageTag": "8dab517"
+    "image": {
+      "digest": "sha256:0c087b6cdcc34d6e66c252dc21880b53a99e869b0ebd928ddbd7a06f481140ca",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-ev2-identity",

config/public-cloud-personal-dev.json

@@ -11,7 +11,10 @@
   "armHelperFPAPrincipalId": "47f69502-0065-4d9a-b19b-d403e183d2f4",
   "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity",
   "backend": {
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpbackend"
+    }
   },
   "clusterService": {
     "azureOperatorsManagedIdentities": {
@@ -87,7 +90,10 @@
       "private": false,
       "zoneRedundantMode": "Disabled"
     },
-    "imageTag": ""
+    "image": {
+      "digest": "",
+      "repository": "arohcpfrontend"
+    }
   },
   "global": {
     "globalMSIName": "global-rollout-identity",

frontend/Makefile

@@ -4,7 +4,6 @@ HELM_CMD ?= helm upgrade --install
 
 CURRENT_COMMIT := $(shell git rev-parse --short=7 HEAD)
 ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
-ARO_HCP_IMAGE_REPOSITORY ?= arohcpfrontend
 ARO_HCP_FRONTEND_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(ARO_HCP_IMAGE_REPOSITORY)
 
 .DEFAULT_GOAL := frontend
@@ -41,7 +40,7 @@ push: image
 	docker push ${ARO_HCP_FRONTEND_IMAGE}:${CURRENT_COMMIT}
 
 deploy:
-	IMAGE_TAG=$$(../get-tag.sh ${ARO_HCP_IMAGE_ACR} arohcpfrontend) \
+	DIGEST=$$(../get-digest.sh ${ARO_HCP_IMAGE_ACR} arohcpfrontend) \
 	FRONTEND_MI_CLIENT_ID=$$(az identity show \
 			-g ${RESOURCEGROUP} \
 			-n frontend \
@@ -79,9 +78,9 @@ deploy:
 		--set serviceAccount.workloadIdentityTenantId="$${FRONTEND_MI_TENANT_ID}" \
 		--set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
 		--set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
-		--set configMap.currentVersion=${ARO_HCP_FRONTEND_IMAGE}:$${IMAGE_TAG} \
+		--set configMap.currentVersion=${ARO_HCP_FRONTEND_IMAGE}:$${DIGEST} \
 		--set configMap.location=${LOCATION}  \
-		--set deployment.imageName=${ARO_HCP_FRONTEND_IMAGE}:$${IMAGE_TAG} \
+		--set deployment.imageName=${ARO_HCP_FRONTEND_IMAGE}@$${DIGEST} \
 		--set pullBinding.registry=${ARO_HCP_IMAGE_REGISTRY} \
 		--set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \
 		--set clusterService.namespace=${CS_NAMESPACE} \

frontend/pipeline.yaml

@@ -24,8 +24,10 @@ resourceGroups:
       configRef: svc.aks.name
     - name: DB_NAME
       configRef: frontend.cosmosDB.name
-    - name: COMMIT
-      configRef: frontend.imageTag
+    - name: IMAGE_DIGEST
+      configRef: frontend.image.digest
+    - name: ARO_HCP_IMAGE_REPOSITORY
+      configRef: frontend.image.repository
     - name: SERVICE_KEY_VAULT
       configRef: serviceKeyVault.name
     - name: CERTIFICATE_NAME

get-digest.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+if [ "$#" -ne 2 ]
+then
+    echo "Need ARO_HCP_IMAGE_ACR and REPOSITORY parameters"
+    exit 1
+fi
+
+aro_hcp_image_acr=${1}
+repository=${2}
+
+if [ -n "${IMAGE_DIGEST_OVERRIDE}" ];
+then
+    echo ${IMAGE_DIGEST_OVERRIDE}
+    exit 0
+fi
+
+if [ -n "${IMAGE_DIGEST}" ];
+then
+    echo ${IMAGE_DIGEST}
+    exit 0
+fi
+
+
+tags=$(mktemp)
+trap "rm ${tags}" EXIT
+
+az acr repository show-tags --orderby time_desc --n ${aro_hcp_image_acr} --repository ${repository} --detail > $tags
+
+suggested_digest=$(jq -r --arg TAG $(git rev-parse --short=7 HEAD) \
+    'first(.[] | select(.name==$TAG) | .digest)' $tags)
+if [ -n "${suggested_digest}" ];
+then
+    echo ${suggested_digest}
+    exit 0
+fi
+
+jq -r 'first(.[] | .digest)' $tags