Maestro use digest for deployment of images

config/config.msft.yaml

@@ -87,8 +87,10 @@ defaults:
       consumerName: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}
       loglevel: 4
       sidecar:
-        imageBase: mcr.microsoft.com/azurelinux/base/nginx
-        imageTag: '1.25'
+        image:
+          registry: mcr.microsoft.com
+          repository: azurelinux/base/nginx
+          digest: sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83
     eventGrid:
       name: arohcp-maestro-{{ .ctx.regionShort }}
       maxClientSessionsPerAuthName: 4
@@ -104,7 +106,8 @@ defaults:
       minTLSVersion: 'TLSV1.2'
       databaseName: maestro
     restrictIstioIngress: true
-    imageRepo: redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
+    image:
+      repository: redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
 
   # Cluster Service
   clusterService:
@@ -210,7 +213,8 @@ clouds:
     # the following vars need approprivate overrides:
     defaults:
       maestro:
-        imageTag: c9a36e110a32c0c25aa5025cfe6d51af797e6d4b
+        image:
+          digest: sha256:fe8dbccbadf3de107d362bf11f98b4fe89d474b3aa287276c1d48d582e863bf7
       clusterService:
         image:
           digest: sha256:2d8d8819267b01e34e8303a6904aa9e283c79a0a82d5b73f3c8c3afdb787e141

config/config.schema.json

@@ -643,11 +643,8 @@
             "sidecar": {
               "type:": "object",
               "properties": {
-                "imageBase": {
-                  "type": "string"
-                },
-                "imageTag": {
-                  "type": "string"
+                "image": {
+                  "$ref": "#/definitions/containerImage"
                 }
               }
             }
@@ -679,11 +676,8 @@
             "private"
           ]
         },
-        "imageRepo": {
-          "type": "string"
-        },
-        "imageTag": {
-          "type": "string"
+        "image": {
+          "$ref": "#/definitions/containerImage"
         },
         "postgres": {
           "type": "object",
@@ -735,8 +729,7 @@
         "agent",
         "server",
         "eventGrid",
-        "imageRepo",
-        "imageTag",
+        "image",
         "postgres",
         "restrictIstioIngress"
       ]

config/config.yaml

@@ -84,8 +84,10 @@ defaults:
       consumerName: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}
       loglevel: 4
       sidecar:
-        imageBase: mcr.microsoft.com/azurelinux/base/nginx
-        imageTag: '1.25'
+        image:
+          registry: mcr.microsoft.com
+          repository: azurelinux/base/nginx
+          digest: sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83
     eventGrid:
       name: arohcp-maestro-{{ .ctx.regionShort }}
       maxClientSessionsPerAuthName: 6
@@ -101,7 +103,8 @@ defaults:
       minTLSVersion: 'TLSV1.2'
       databaseName: maestro
     restrictIstioIngress: true
-    imageRepo: redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
+    image:
+      repository: redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
 
   pko:
     image: arohcpsvcdev.azurecr.io/package-operator/package-operator-package
@@ -197,7 +200,8 @@ clouds:
       armHelperCertName: armHelperCert2
       # Maestro
       maestro:
-        imageTag: 8244a76cbc7d020192648b17ac7b7467abf1f2cb
+        image:
+          digest: sha256:223f332a11d336b49243d886217a76809142b30f9ab8ef27bec80a4458b3c3a5
       # Cluster Service
       clusterService:
         image:

config/public-cloud-cs-pr.json

@@ -145,8 +145,11 @@
       "consumerName": "hcp-underlay-cspr-mgmt-1",
       "loglevel": 4,
       "sidecar": {
-        "imageBase": "mcr.microsoft.com/azurelinux/base/nginx",
-        "imageTag": "1.25"
+        "image": {
+          "digest": "sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83",
+          "registry": "mcr.microsoft.com",
+          "repository": "azurelinux/base/nginx"
+        }
       }
     },
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
@@ -156,8 +159,10 @@
       "name": "arohcp-maestro-cspr",
       "private": false
     },
-    "imageRepo": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "8244a76cbc7d020192648b17ac7b7467abf1f2cb",
+    "image": {
+      "digest": "sha256:223f332a11d336b49243d886217a76809142b30f9ab8ef27bec80a4458b3c3a5",
+      "repository": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro"
+    },
     "postgres": {
       "databaseName": "maestro",
       "deploy": true,

config/public-cloud-dev.json

@@ -145,8 +145,11 @@
       "consumerName": "hcp-underlay-dev-mgmt-1",
       "loglevel": 4,
       "sidecar": {
-        "imageBase": "mcr.microsoft.com/azurelinux/base/nginx",
-        "imageTag": "1.25"
+        "image": {
+          "digest": "sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83",
+          "registry": "mcr.microsoft.com",
+          "repository": "azurelinux/base/nginx"
+        }
       }
     },
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
@@ -156,8 +159,10 @@
       "name": "arohcp-maestro-dev",
       "private": false
     },
-    "imageRepo": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "8244a76cbc7d020192648b17ac7b7467abf1f2cb",
+    "image": {
+      "digest": "sha256:223f332a11d336b49243d886217a76809142b30f9ab8ef27bec80a4458b3c3a5",
+      "repository": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro"
+    },
     "postgres": {
       "databaseName": "maestro",
       "deploy": true,

config/public-cloud-msft-int.json

@@ -145,8 +145,11 @@
       "consumerName": "hcp-underlay-int-mgmt-1",
       "loglevel": 4,
       "sidecar": {
-        "imageBase": "mcr.microsoft.com/azurelinux/base/nginx",
-        "imageTag": "1.25"
+        "image": {
+          "digest": "sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83",
+          "registry": "mcr.microsoft.com",
+          "repository": "azurelinux/base/nginx"
+        }
       }
     },
     "certDomain": "",
@@ -156,8 +159,10 @@
       "name": "arohcp-maestro-int",
       "private": false
     },
-    "imageRepo": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "c9a36e110a32c0c25aa5025cfe6d51af797e6d4b",
+    "image": {
+      "digest": "sha256:fe8dbccbadf3de107d362bf11f98b4fe89d474b3aa287276c1d48d582e863bf7",
+      "repository": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro"
+    },
     "postgres": {
       "databaseName": "maestro",
       "deploy": true,

config/public-cloud-personal-dev.json

@@ -145,8 +145,11 @@
       "consumerName": "hcp-underlay-usw3tst-mgmt-1",
       "loglevel": 4,
       "sidecar": {
-        "imageBase": "mcr.microsoft.com/azurelinux/base/nginx",
-        "imageTag": "1.25"
+        "image": {
+          "digest": "sha256:f203d7e49ce778f8464f403d2558c5d7162b1b9189657c6b32d4f70a99e0fe83",
+          "registry": "mcr.microsoft.com",
+          "repository": "azurelinux/base/nginx"
+        }
       }
     },
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
@@ -156,8 +159,10 @@
       "name": "arohcp-maestro-usw3tst",
       "private": false
     },
-    "imageRepo": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "8244a76cbc7d020192648b17ac7b7467abf1f2cb",
+    "image": {
+      "digest": "sha256:223f332a11d336b49243d886217a76809142b30f9ab8ef27bec80a4458b3c3a5",
+      "repository": "redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro"
+    },
     "postgres": {
       "databaseName": "maestro",
       "deploy": false,

maestro/agent/Makefile

@@ -17,7 +17,8 @@ deploy:
 		--set azure.tenantId=$${TENANT_ID} \
 		--set image.registry=${ACR_NAME}.azurecr.io \
 		--set image.repository=${IMAGE_REPO} \
-		--set image.tag=${IMAGE_TAG} \
-		--set sideCar.imageBase=${SIDECAR_IMAGE_BASE} \
-		--set sideCar.imageTag=${SIDECAR_IMAGE_TAG}
+		--set image.digest=${IMAGE_DIGEST} \
+		--set sideCar.image.registry=${SIDECAR_IMAGE_REGISTRY} \
+		--set sideCar.image.repository=${SIDECAR_IMAGE_REPOSITORY} \
+		--set sideCar.image.digest=${SIDECAR_IMAGE_DIGEST}
 .PHONY: deploy

maestro/agent/helm/templates/maestro-agent.deployment.yaml

@@ -19,7 +19,7 @@ spec:
     spec:
       initContainers:
       - name: init
-        image: "{{ .Values.sideCar.imageBase }}:{{ .Values.sideCar.imageTag }}"
+        image: "{{ .Values.sideCar.image.registry }}/{{ .Values.sideCar.image.repository }}@{{ .Values.sideCar.image.digest }}"
         env:
           - name: TOKEN
             valueFrom:
@@ -38,7 +38,7 @@ spec:
           - cp /tmp/nginx/nginx.conf /etc/nginx/nginx.conf && sed -i "s/TOKEN/$TOKEN/g" /etc/nginx/nginx.conf
       containers:
       - name: metrics-proxy
-        image: "{{ .Values.sideCar.imageBase }}:{{ .Values.sideCar.imageTag }}"
+        image: "{{ .Values.sideCar.image.registry }}/{{ .Values.sideCar.image.repository }}@{{ .Values.sideCar.image.digest }}"
         ports:
         - containerPort: 8080
           name: metrics
@@ -56,7 +56,7 @@ spec:
         - --workload-source-config=/secrets/maestro/config.yaml
         - --cloudevents-client-id={{ .Values.consumerName }}-work-agent
         - -v={{ .Values.glog_v }}
-        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}"
         imagePullPolicy: IfNotPresent
         name: maestro-agent
         volumeMounts:

maestro/agent/helm/values.yaml

@@ -7,13 +7,15 @@ azure:
 image:
   registry: ""
   repository: ""
-  tag: ""
+  digest: ""
 credsKeyVault:
   name: ""
   secret: ""
 consumerName: ""
 glog_v: "4"
 installAppliedManifestWorkCRD: false
 sideCar:
-  imageBase: ""
-  imageTag: ""
+  image:
+    registry: ""
+    repository: ""
+    digest: ""

maestro/agent/pipeline.yaml

@@ -27,13 +27,15 @@ resourceGroups:
     - name: KEYVAULT_NAME
       configRef: mgmtKeyVault.name
     - name: IMAGE_REPO
-      configRef: maestro.imageRepo
-    - name: IMAGE_TAG
-      configRef: maestro.imageTag
-    - name: SIDECAR_IMAGE_BASE
-      configRef: maestro.agent.sidecar.imageBase
-    - name: SIDECAR_IMAGE_TAG
-      configRef: maestro.agent.sidecar.imageTag
+      configRef: maestro.image.repository
+    - name: IMAGE_DIGEST
+      configRef: maestro.image.digest
+    - name: SIDECAR_IMAGE_REGISTRY
+      configRef: maestro.agent.sidecar.image.registry
+    - name: SIDECAR_IMAGE_REPOSITORY
+      configRef: maestro.agent.sidecar.image.repository
+    - name: SIDECAR_IMAGE_DIGEST
+      configRef: maestro.agent.sidecar.image.digest
     - name: ACR_NAME
       configRef: svcAcrName
 - name: {{ .svc.rg }}

maestro/server/Makefile

@@ -22,7 +22,7 @@ deploy:
 		--set azure.clientId=$${MAESTRO_MI_CLIENT_ID} \
 		--set azure.tenantId=$${TENANT_ID} \
 		--set istio.restrictIngress=${ISTIO_RESTRICT_INGRESS} \
-		--set image.tag=${IMAGE_TAG} \
+		--set image.digest=${IMAGE_DIGEST} \
 		--set image.registry=${ACR_NAME}.azurecr.io \
 		--set image.repository=${IMAGE_REPO} \
 		--set database.host=$${DATABASE_HOST} \

maestro/server/helm/templates/maestro.deployment.yaml

@@ -41,7 +41,7 @@ spec:
             secretProviderClass: "maestro"
       initContainers:
       - name: migration
-        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}"
         imagePullPolicy: IfNotPresent
         volumeMounts:
         - name: db
@@ -61,7 +61,7 @@ spec:
         - --db-auth-method={{ .Values.database.authMethod }}
       containers:
       - name: service
-        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}@{{ .Values.image.digest }}"
         imagePullPolicy: IfNotPresent
         volumeMounts:
         - name: db

maestro/server/helm/values.yaml

@@ -42,7 +42,7 @@ azure:
 image:
   registry: ""
   repository: ""
-  tag: ""
+  digest: ""
 credsKeyVault:
   name: ""
   secret: "maestro-server"

maestro/server/pipeline.yaml

@@ -23,9 +23,9 @@ resourceGroups:
     - name: AKS_NAME
       configRef: svc.aks.name
     - name: IMAGE_REPO
-      configRef: maestro.imageRepo
-    - name: IMAGE_TAG
-      configRef: maestro.imageTag
+      configRef: maestro.image.repository
+    - name: IMAGE_DIGEST
+      configRef: maestro.image.digest
     - name: USE_AZURE_DB
       configRef: maestro.postgres.deploy
     - name: DATABASE_SERVER_NAME