From 66461e029c100276073d6f4ddf18f8104c9e9f1c Mon Sep 17 00:00:00 2001 From: David Jumani Date: Mon, 10 Feb 2025 12:36:47 -0500 Subject: [PATCH 1/6] fix: gwp does not respect image variant --- .../fix-gwp-fips-distroless.yaml | 6 +++ install/helm/gloo/templates/_gg-helpers.tpl | 29 ++++++++++- install/helm/gloo/templates/_helpers.tpl | 9 ++-- install/test/k8sgateway_test.go | 51 +++++++++++++++++++ 4 files changed, 89 insertions(+), 6 deletions(-) create mode 100644 changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml diff --git a/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml b/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml new file mode 100644 index 00000000000..5cbf4fa8244 --- /dev/null +++ b/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml @@ -0,0 +1,6 @@ +changelog: +- type: FIX + issueLink: https://github.com/solo-io/gloo/issues/10602 + resolvesIssue: false + description: Fixes the gateway params image to respect the fips and distroless variants specified by global.image.variant + diff --git a/install/helm/gloo/templates/_gg-helpers.tpl b/install/helm/gloo/templates/_gg-helpers.tpl index 2a5241a76c2..6712361a007 100644 --- a/install/helm/gloo/templates/_gg-helpers.tpl +++ b/install/helm/gloo/templates/_gg-helpers.tpl 
@@ -46,11 +46,36 @@ ref Image api in projects/gateway2/api/v1alpha1/kube/container.proto {{- if $image.registry }} registry: {{ $image.registry }} {{- end -}}{{/* if $image.registry */}} + +{{- /* This has been copied from _helpers.tpl and should be kept in sync */ -}} {{- if $image.repository }} -repository: {{ $image.repository }} +{{- $repository := $image.repository -}} +{{- /* +for fips or fips-distroless variants: add -fips to the image repo (name) +*/ -}} +{{- if or $image.fips (has $image.variant (list "fips" "fips-distroless")) -}} +{{- $fipsSupportedImages := list "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" -}} +{{- if (has $image.repository $fipsSupportedImages) -}} +{{- $repository = printf "%s-fips" $repository -}} +{{- end -}}{{- /* if (has .repository $fipsSupportedImages) */ -}} +{{- end -}}{{- /* if or .fips (has .variant (list "fips" "fips-distroless")) */ -}} +{{ printf "\n" }} +repository: {{ $repository }} {{- end -}}{{/* if $image.repository */}} + {{- if $image.tag }} -tag: {{ $image.tag }} +{{- $tag := $image.tag -}} +{{- /* +for distroless or fips-distroless variants: add -distroless to the tag +*/ -}} +{{- if has $image.variant (list "distroless" "fips-distroless") -}} +{{- $distrolessSupportedImages := list "gloo" "gloo-envoy-wrapper" "discovery" "sds" "certgen" "kubectl" "access-logger" "ingress" "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" "observability-ee" "caching-ee" -}} +{{- if (has $image.repository $distrolessSupportedImages) -}} +{{- $tag = printf "%s-distroless" $tag -}} {{- /* Add distroless suffix to the tag since it contains the same binaries in a different container */ -}} +{{- end -}}{{- /* if (has .repository $distrolessSupportedImages) */ -}} +{{- end }}{{- /* if and .tag (has .variant (list "distroless" "fips-distroless")) */ -}} +{{ printf "\n" }} +tag: {{ $tag }} {{- end -}}{{/* if $image.tag */}} {{- if $image.digest }} digest: {{ 
$image.digest }} diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl index af7bf19e4b8..02b4ae8f58a 100644 --- a/install/helm/gloo/templates/_helpers.tpl +++ b/install/helm/gloo/templates/_helpers.tpl @@ -31,6 +31,7 @@ Construct a container image name from a registry, repository, tag, and digest. {{- define "gloo.image" -}} {{- $image := printf "%s/%s" .registry .repository -}} +{{- /* This has been copied over to _gg-helpers.tpl and should be kept in sync */ -}} {{- /* for fips or fips-distroless variants: add -fips to the image repo (name) */ -}} @@ -170,7 +171,7 @@ It takes 4 values: .defaults - the default securityContext for the pod or container .globalSec - global security settings, usually from .Values.global.securitySettings .indent - the number of spaces to indent the output. If not set, the output will not be indented. - The indentation argument is necessary because it is possible that no output will be rendered. + The indentation argument is necessary because it is possible that no output will be rendered. If that happens and the caller handles the indentation the result will be a line of whitespace, which gets caught by the whitespace tests Depending upon the value of .values.merge, the securityContext will be merged with the defaults or completely replaced. 
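Review bot: The comment closing the distroless block, `{{- end }}{{- /* if and .tag (has .variant (list "distroless" "fips-distroless")) */ -}}`, does not describe the condition it closes: the test is `has $image.variant (list "distroless" "fips-distroless")` and the `.tag` check is the enclosing `{{- if $image.tag }}`, so the comment should read `{{- /* if has $image.variant (list "distroless" "fips-distroless") */ -}}`. That same `{{- end }}` is the only `end` in the define without a right-hand trim, and together with the two `{{ printf "\n" }}` actions it is a fragile way of getting `repository:` and `tag:` onto their own lines; the exact rendering depends on those trim markers, so a comment explaining the intended whitespace would help the next editor. The fips and distroless image lists are now duplicated from `_helpers.tpl` with only a "keep in sync" comment guarding them; an `include` of a shared named template would remove the drift risk entirely. The define `gloo-gateway.gatewayParametersImage` begins before this hunk.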
@@ -234,7 +235,7 @@ It takes 4 values: .podSecurityStandards - podSecurityStandard from values.yaml .globalSec - global security settings, usually from .Values.global.securitySettings .indent - the number of spaces to indent the output. If not set, the output will not be indented. - The indentation argument is necessary because it is possible that no output will be rendered. + The indentation argument is necessary because it is possible that no output will be rendered. If that happens and the caller handles the indentation the result will be a line of whitespace, which gets caught by the whitespace tests If .podSecurityStandards.container.enableRestrictedContainerDefaults is true, the defaults will be set to a restricted set of values. @@ -260,7 +261,7 @@ It takes 4 values: {{- end -}} {{- /* set default seccompProfileType */ -}} -{{- $pss_restricted_defaults := dict +{{- $pss_restricted_defaults := dict "runAsNonRoot" true "capabilities" (dict "drop" (list "ALL")) "allowPrivilegeEscalation" false }} @@ -280,7 +281,7 @@ It takes 4 values: {{- end -}} {{- end -}} {{- /* call general securityContext template */ -}} -{{- include "gloo.securityContext" (dict +{{- include "gloo.securityContext" (dict "values" $values "defaults" $defaults "indent" $indent diff --git a/install/test/k8sgateway_test.go b/install/test/k8sgateway_test.go index fdcb4e2b20c..0a882970195 100644 --- a/install/test/k8sgateway_test.go +++ b/install/test/k8sgateway_test.go 
@@ -487,6 +487,57 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 })
 })
 })
+
+ FContext("distroless and fips", func() {
+ DescribeTable("Uses the correct image for the sds-ee container", func(variant string, expectedImage string) {
+ extraValueArgs := []string{
+ "kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.registry=my-sds-reg",
+ "kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.tag=my-sds-tag",
+ "kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.repository=sds-ee",
+ "global.image.variant=" + variant,
+ }
+ valuesArgs = append(valuesArgs, extraValueArgs...)
+ // Updated values so need to re-render
+ prepareHelmManifest(namespace, glootestutils.HelmValues{ValuesArgs: valuesArgs})
+
+ gwp := getDefaultGatewayParameters(testManifest)
+ gwpKube := gwp.Spec.Kube
+ Expect(gwpKube).ToNot(BeNil())
+ sdsContainer := gwpKube.SdsContainer.Image
+ image := fmt.Sprintf("%s/%s:%s", *sdsContainer.Registry, *sdsContainer.Repository, *sdsContainer.Tag)
+ Expect(image).To(Equal(expectedImage))
+ },
+ Entry("No variant specified", "", "my-sds-reg/sds-ee:my-sds-tag"),
+ Entry("Standard variant", "standard", "my-sds-reg/sds-ee:my-sds-tag"),
+ Entry("Fips variant", "fips", "my-sds-reg/sds-ee-fips:my-sds-tag"),
+ Entry("Distroless variant", "distroless", "my-sds-reg/sds-ee:my-sds-tag-distroless"),
+ Entry("Fips-Distroless variant", "fips-distroless", "my-sds-reg/sds-ee-fips:my-sds-tag-distroless"))
+
+ DescribeTable("Uses the correct image for the gloo-ee-envoy-wrapper container", func(variant string, expectedImage string) {
+ extraValueArgs := []string{
+ "kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.registry=my-gloo-ee-envoy-wrapper-reg",
+ "kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.tag=my-gloo-ee-envoy-wrapper-tag",
+ "kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.repository=gloo-ee-envoy-wrapper",
+ "global.image.variant=" + variant,
+ }
+ valuesArgs = append(valuesArgs, extraValueArgs...)
+ // Updated values so need to re-render
+ prepareHelmManifest(namespace, glootestutils.HelmValues{ValuesArgs: valuesArgs})
+
+ gwp := getDefaultGatewayParameters(testManifest)
+ gwpKube := gwp.Spec.Kube
+ Expect(gwpKube).ToNot(BeNil())
+ envoyContainer := gwpKube.EnvoyContainer.Image
+ image := fmt.Sprintf("%s/%s:%s", *envoyContainer.Registry, *envoyContainer.Repository, *envoyContainer.Tag)
+ Expect(image).To(Equal(expectedImage))
+ },
+ Entry("No variant specified", "", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper:my-gloo-ee-envoy-wrapper-tag"),
+ Entry("Standard variant", "standard", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper:my-gloo-ee-envoy-wrapper-tag"),
+ Entry("Fips variant", "fips", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper-fips:my-gloo-ee-envoy-wrapper-tag"),
+ Entry("Distroless variant", "distroless", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper:my-gloo-ee-envoy-wrapper-tag-distroless"),
+ Entry("Fips-Distroless variant", "fips-distroless", "my-gloo-ee-envoy-wrapper-reg/gloo-ee-envoy-wrapper-fips:my-gloo-ee-envoy-wrapper-tag-distroless"))
+
+ })
 })
 
 When("kube gateway integration is disabled (default)", func() {
From dbbc6bb313ded14d0ecc14a22eb60b6dd9267ffc Mon Sep 17 00:00:00 2001 From: David Jumani Date: Mon, 10 Feb 2025 13:15:18 -0500 Subject: [PATCH 2/6] unfocus tests
--- install/test/k8sgateway_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/test/k8sgateway_test.go b/install/test/k8sgateway_test.go
index 0a882970195..c2be672a433 100644
--- a/install/test/k8sgateway_test.go
+++ b/install/test/k8sgateway_test.go
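Review bot: `valuesArgs = append(valuesArgs, extraValueArgs...)` in both DescribeTable bodies mutates the outer `valuesArgs`, so every Entry renders with the accumulated `global.image.variant=` and container overrides of all earlier entries, and the envoy-wrapper table also inherits the sds-ee settings; the assertions presumably pass only because a later `--set` wins over an earlier one, unless a `BeforeEach` outside the hunk resets `valuesArgs`. Build a per-entry slice instead: `args := append(append([]string{}, valuesArgs...), extraValueArgs...)` and `prepareHelmManifest(namespace, glootestutils.HelmValues{ValuesArgs: args})`. The `fmt.Sprintf` lines dereference `Registry`, `Repository` and `Tag` without a nil check, so a regression that leaves one of them unset panics the suite instead of reporting a readable failure; an `Expect(sdsContainer.Tag).ToNot(BeNil())` (likewise for the other two fields and the envoy container) before the format call turns that into a proper assertion. `FContext` focuses these specs, which makes Ginkgo skip the rest of the suite, so it should be `Context` before this lands.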
@@ -488,7 +488,7 @@ var _ = Describe("Kubernetes Gateway API integration", func() {
 })
 })
 
- FContext("distroless and fips", func() {
+ Context("distroless and fips", func() {
 DescribeTable("Uses the correct image for the sds-ee container", func(variant string, expectedImage string) {
 extraValueArgs := []string{
 "kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.registry=my-sds-reg",
From 53c28a652ce4b1da3a5269725b2691d560cf90f4 Mon Sep 17 00:00:00 2001 From: David Jumani Date: Tue, 11 Feb 2025 09:54:35 -0500 Subject: [PATCH 3/6] simplify
--- .../fix-gwp-fips-distroless.yaml | 3 +- install/helm/gloo/templates/_gg-helpers.tpl | 33 ++-------- install/helm/gloo/templates/_helpers.tpl | 60 ++++++++++++------- 3 files changed, 43 insertions(+), 53 deletions(-)
diff --git a/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml b/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml
index 5cbf4fa8244..e34746f5d46 100644
--- a/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml
+++ b/changelog/v1.19.0-beta7/fix-gwp-fips-distroless.yaml
@@ -2,5 +2,4 @@ changelog:
 - type: FIX
 issueLink: https://github.com/solo-io/gloo/issues/10602
 resolvesIssue: false
- description: Fixes the gateway params image to respect the fips and distroless variants specified by global.image.variant
-
+ description: Fixes the gateway params image to respect the fips and distroless variants specified by global.image.variant. This only applies to the kubernetes gateway proxy.
diff --git a/install/helm/gloo/templates/_gg-helpers.tpl b/install/helm/gloo/templates/_gg-helpers.tpl
index 6712361a007..55095a5a401 100644
--- a/install/helm/gloo/templates/_gg-helpers.tpl
+++ b/install/helm/gloo/templates/_gg-helpers.tpl
@@ -42,43 +42,18 @@ Images valid for the GatewayParameters ref Image api in projects/gateway2/api/v1alpha1/kube/container.proto */}} {{- define "gloo-gateway.gatewayParametersImage" -}} -{{- $image := . -}} +{{ $image := . }} {{- if $image.registry }} registry: {{ $image.registry }} {{- end -}}{{/* if $image.registry */}} - -{{- /* This has been copied from _helpers.tpl and should be kept in sync */ -}} {{- if $image.repository }} -{{- $repository := $image.repository -}} -{{- /* -for fips or fips-distroless variants: add -fips to the image repo (name) -*/ -}} -{{- if or $image.fips (has $image.variant (list "fips" "fips-distroless")) -}} -{{- $fipsSupportedImages := list "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" -}} -{{- if (has $image.repository $fipsSupportedImages) -}} -{{- $repository = printf "%s-fips" $repository -}} -{{- end -}}{{- /* if (has .repository $fipsSupportedImages) */ -}} -{{- end -}}{{- /* if or .fips (has .variant (list "fips" "fips-distroless")) */ -}} -{{ printf "\n" }} -repository: {{ $repository }} +repository: {{ template "gloo.image.repository" $image }} {{- end -}}{{/* if $image.repository */}} - {{- if $image.tag }} -{{- $tag := $image.tag -}} -{{- /* -for distroless or fips-distroless variants: add -distroless to the tag -*/ -}} -{{- if has $image.variant (list "distroless" "fips-distroless") -}} -{{- $distrolessSupportedImages := list "gloo" "gloo-envoy-wrapper" "discovery" "sds" "certgen" "kubectl" "access-logger" "ingress" "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" "observability-ee" "caching-ee" -}} -{{- if (has $image.repository $distrolessSupportedImages) -}} -{{- $tag = printf "%s-distroless" $tag -}} {{- /* Add distroless suffix to the tag since it contains the same binaries in a different container */ -}} -{{- end -}}{{- /* if (has .repository $distrolessSupportedImages) */ -}} -{{- end }}{{- /* if and .tag (has .variant (list "distroless" 
"fips-distroless")) */ -}} -{{ printf "\n" }} -tag: {{ $tag }} +tag: {{ template "gloo.image.tag" $image }} {{- end -}}{{/* if $image.tag */}} {{- if $image.digest }} -digest: {{ $image.digest }} +digest: {{ template "gloo.image.digest" $image }} {{- end -}}{{/* if $image.digest */}} {{- if $image.pullPolicy }} pullPolicy: {{ $image.pullPolicy }} diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl index 02b4ae8f58a..490e362638c 100644 --- a/install/helm/gloo/templates/_helpers.tpl +++ b/install/helm/gloo/templates/_helpers.tpl 
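Review bot: `digest: {{ template "gloo.image.digest" $image }}` is still wrapped in the unchanged `{{- if $image.digest }}` guard, but the helper it now calls returns `fipsDigest`, `distrolessDigest` or `fipsDistrolessDigest` for those variants and ignores `.digest`, so an image with only the variant digest set emits no `digest:` at all, while one with `.digest` set but no variant digest emits `digest:` with an empty value that the GatewayParameters API will presumably reject. Guard on the helper's result instead: `{{- $digest := include "gloo.image.digest" $image -}}` / `{{- if $digest }}` / `digest: {{ $digest }}`. Changing the first action from `{{- $image := . -}}` to `{{ $image := . }}` drops both whitespace trims and so alters the leading newline of the rendered block; if that is how the key lines are now separated, a short comment saying so would spare the next reader from "fixing" it. The define begins before this hunk.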
@@ -25,60 +25,76 @@ ClusterRole {{- end -}} {{- end -}} -{{/* -Construct a container image name from a registry, repository, tag, and digest. -*/}} -{{- define "gloo.image" -}} -{{- $image := printf "%s/%s" .registry .repository -}} - -{{- /* This has been copied over to _gg-helpers.tpl and should be kept in sync */ -}} +{{- define "gloo.image.repository" -}} {{- /* for fips or fips-distroless variants: add -fips to the image repo (name) */ -}} +{{- if .repository -}} +{{- $repository := .repository -}} {{- if or .fips (has .variant (list "fips" "fips-distroless")) -}} {{- $fipsSupportedImages := list "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" -}} {{- if (has .repository $fipsSupportedImages) -}} -{{- $image = printf "%s-fips" $image -}} +{{- $repository = printf "%s-fips" $repository -}} {{- end -}}{{- /* if (has .repository $fipsSupportedImages) */ -}} {{- end -}}{{- /* if or .fips (has .variant (list "fips" "fips-distroless")) */ -}} +{{ $repository }} +{{- end -}}{{- /* if .repository */ -}} +{{- end -}}{{- /* define "gloo.image.repository" */ -}} -{{- /* -add tag, if it exists -*/ -}} +{{- define "gloo.image.tag" -}} {{- if .tag -}} -{{- $image = printf "%s:%s" $image .tag -}} -{{- end -}}{{- /* if .tag */ -}} - +{{- $tag := .tag -}} {{- /* for distroless or fips-distroless variants: add -distroless to the tag */ -}} {{- if and .tag (has .variant (list "distroless" "fips-distroless")) -}} {{- $distrolessSupportedImages := list "gloo" "gloo-envoy-wrapper" "discovery" "sds" "certgen" "kubectl" "access-logger" "ingress" "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" "observability-ee" "caching-ee" -}} {{- if (has .repository $distrolessSupportedImages) -}} -{{- $image = printf "%s-distroless" $image -}} {{- /* Add distroless suffix to the tag since it contains the same binaries in a different container */ -}} +{{- $tag = printf "%s-distroless" $tag -}} {{- /* Add distroless suffix 
to the tag since it contains the same binaries in a different container */ -}} {{- end -}}{{- /* if (has .repository $distrolessSupportedImages) */ -}} {{- end -}}{{- /* if and .tag (has .variant (list "distroless" "fips-distroless")) */ -}} +{{ $tag }} +{{- end -}}{{- /* if .tag */ -}} +{{- end -}}{{- /* define "gloo.image.tag" */ -}} -{{- /* -add digest for the chosen variant, if it exists -*/ -}} +{{- define "gloo.image.digest" -}} +{{- $digest := "" -}} {{- if or .fips (eq .variant "fips") -}} {{- if .fipsDigest -}} - {{- $image = printf "%s@%s" $image .fipsDigest -}} + {{- $digest = .fipsDigest -}} {{- end -}}{{- /* if .fipsDigest */ -}} {{- else if eq .variant "distroless" -}} {{- if .distrolessDigest -}} - {{- $image = printf "%s@%s" $image .distrolessDigest -}} + {{- $digest = .distrolessDigest -}} {{- end -}}{{- /* if .distrolessDigest */ -}} {{- else if eq .variant "fips-distroless" -}} {{- if .fipsDistrolessDigest -}} - {{- $image = printf "%s@%s" $image .fipsDistrolessDigest -}} + {{- $digest = .fipsDistrolessDigest -}} {{- end -}}{{- /* if .fipsDistrolessDigest */ -}} {{- else -}} {{- if .digest -}}{{- /* standard image digest */ -}} - {{- $image = printf "%s@%s" $image .digest -}} + {{- $image = .digest -}} {{- end -}}{{- /* if .digest */ -}} +{{ $digest }} {{- end -}} + +{{- end -}}{{- /* define "gloo.image.digest" */ -}} + + +{{/* +Construct a container image name from a registry, repository, tag, and digest. +*/}} +{{- define "gloo.image" -}} +{{- $repository := include "gloo.image.repository" . -}} +{{- $image := printf "%s/%s" .registry $repository -}} +{{- $tag := include "gloo.image.tag" . -}} +{{- if $tag -}} +{{- $image = printf "%s:%s" $image $tag -}} +{{- end -}}{{- /* if .tag */ -}} +{{- $digest := include "gloo.image.digest" . -}} +{{- if $digest -}} +{{- $image = printf "%s@%s" $image $digest -}} +{{- end -}}{{- /* if .digest */ -}} {{ $image }} {{- end -}}{{- /* define "gloo.image" */ -}} 
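Review bot: In the new `gloo.image.digest` define, the standard branch assigns `{{- $image = .digest -}}` to a variable that is never declared in this define, which text/template rejects at parse time as an undefined variable, and `{{ $digest }}` sits inside the final `else`, so the fips and distroless branches would emit nothing even once that is fixed; the lines should be `{{- $digest = .digest -}}` with `{{ $digest }}` moved after the `{{- end -}}` that closes the if/else chain. In `gloo.image.tag` the inner `{{- if and .tag (has .variant (list "distroless" "fips-distroless")) -}}` re-checks `.tag` already established by the enclosing `{{- if .tag -}}`; `{{- if has .variant (list "distroless" "fips-distroless") -}}` is sufficient and keeps its trailing comment honest. The three new defines also lack the header comment that `gloo.image` keeps; one line each, such as `{{/* gloo.image.repository: the image repository for the requested variant (adds -fips for fips-capable images) */}}`, would document the contract callers in `_gg-helpers.tpl` now depend on.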
From 51fe37ab912034e1c005d7a75e6a941814addb63 Mon Sep 17 00:00:00 2001 From: David Jumani Date: Tue, 11 Feb 2025 09:57:37 -0500 Subject: [PATCH 4/6] fix digest
--- install/helm/gloo/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl
index 490e362638c..27afbb45019 100644
--- a/install/helm/gloo/templates/_helpers.tpl
+++ b/install/helm/gloo/templates/_helpers.tpl
@@ -91,7 +91,7 @@ Construct a container image name from a registry, repository, tag, and digest.
 {{- if $tag -}}
 {{- $image = printf "%s:%s" $image $tag -}}
 {{- end -}}{{- /* if .tag */ -}}
-{{- $digest := include "gloo.image.digest" . -}}
+{{- $digest = include "gloo.image.digest" . -}}
 {{- if $digest -}}
 {{- $image = printf "%s@%s" $image $digest -}}
 {{- end -}}{{- /* if .digest */ -}}
From 9fbde6f7297d2259fd5573840ec51e3312396c90 Mon Sep 17 00:00:00 2001 From: David Jumani Date: Tue, 11 Feb 2025 09:58:47 -0500 Subject: [PATCH 5/6] Revert "fix digest" This reverts commit 51fe37ab912034e1c005d7a75e6a941814addb63.
--- install/helm/gloo/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl
index 27afbb45019..490e362638c 100644
--- a/install/helm/gloo/templates/_helpers.tpl
+++ b/install/helm/gloo/templates/_helpers.tpl
@@ -91,7 +91,7 @@ Construct a container image name from a registry, repository, tag, and digest.
 {{- if $tag -}}
 {{- $image = printf "%s:%s" $image $tag -}}
 {{- end -}}{{- /* if .tag */ -}}
-{{- $digest = include "gloo.image.digest" . -}}
+{{- $digest := include "gloo.image.digest" . -}}
 {{- if $digest -}}
 {{- $image = printf "%s@%s" $image $digest -}}
 {{- end -}}{{- /* if .digest */ -}}
From b37853c431bb3938ab510776132230236837accf Mon Sep 17 00:00:00 2001 
From: David Jumani Date: Tue, 11 Feb 2025 10:03:30 -0500 Subject: [PATCH 6/6] really fix digest --- install/helm/gloo/templates/_helpers.tpl | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl index 490e362638c..cfb9454252a 100644 --- a/install/helm/gloo/templates/_helpers.tpl +++ b/install/helm/gloo/templates/_helpers.tpl @@ -73,11 +73,10 @@ for distroless or fips-distroless variants: add -distroless to the tag {{- end -}}{{- /* if .fipsDistrolessDigest */ -}} {{- else -}} {{- if .digest -}}{{- /* standard image digest */ -}} - {{- $image = .digest -}} + {{- $digest = .digest -}} {{- end -}}{{- /* if .digest */ -}} -{{ $digest }} {{- end -}} - +{{ $digest }} {{- end -}}{{- /* define "gloo.image.digest" */ -}}
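Review bot: With `{{- $digest = .digest -}}` assigned in the standard branch and `{{ $digest }}` emitted after the chain, the helper still returns an empty string whenever the variant-specific digest (`fipsDigest`, `distrolessDigest`, `fipsDistrolessDigest`) is unset, even if `.digest` is populated, so a fips or distroless deployment silently loses digest pinning where a standard one keeps it. If that is intended (a standard-image digest would never match a variant image, so falling back would be wrong), state it next to the emit line with `{{- /* no fallback to .digest: it identifies the standard image, not the variant */ -}}`; if not, it is a one-branch change. Note also that `{{- if or .fips (eq .variant "fips") -}}` is evaluated first, so `.fips=true` combined with `variant=fips-distroless` selects `fipsDigest` rather than `fipsDistrolessDigest`; that ordering is above this hunk and appears to be pre-existing.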