diff --git a/operator/bundle/manifests/minio-directpv-operator-rhmp.clusterserviceversion.yaml b/operator/bundle/manifests/minio-directpv-operator-rhmp.clusterserviceversion.yaml
index 35cce159..8bb9702c 100644
--- a/operator/bundle/manifests/minio-directpv-operator-rhmp.clusterserviceversion.yaml
+++ b/operator/bundle/manifests/minio-directpv-operator-rhmp.clusterserviceversion.yaml
@@ -222,7 +222,7 @@ spec:
 - --upstream=http://127.0.0.1:8080/
 - --logtostderr=true
 - --v=0
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+ image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522
 name: kube-rbac-proxy
 ports:
 - containerPort: 8443
@@ -245,7 +245,7 @@ spec:
 - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
 - --leader-election-id=directpv-operator
- image: quay.io/minio/directpv-operator:4.0.7
+ image: quay.io/minio/directpv-operator@sha256:dadf28674b15c256bc5dec3e99d90f811ea3ac1fdee17c51e2928063a5341e5e
 livenessProbe:
 httpGet:
 path: /healthz
diff --git a/operator/config/default/manager_auth_proxy_patch.yaml b/operator/config/default/manager_auth_proxy_patch.yaml
index 2bc97b93..02f9efc0 100644
--- a/operator/config/default/manager_auth_proxy_patch.yaml
+++ b/operator/config/default/manager_auth_proxy_patch.yaml
@@ -31,7 +31,7 @@ spec:
 capabilities:
 drop:
 - "ALL"
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+ image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:d4883d7c622683b3319b5e6b3a7edfbf2594c18060131a8bf64504805f875522
 args:
 - "--secure-listen-address=0.0.0.0:8443"
 - "--upstream=http://127.0.0.1:8080/"
diff --git a/operator/config/manager/kustomization.yaml b/operator/config/manager/kustomization.yaml
index 661b5759..c95bc25d 100644
--- a/operator/config/manager/kustomization.yaml
+++ b/operator/config/manager/kustomization.yaml
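Review bot: The new `image:` line in manager_auth_proxy_patch.yaml no longer records which kube-rbac-proxy release the digest stands for, so a later reviewer cannot tell from the file whether the proxy is current or which advisories apply to it. Keep the version next to the pin with a comment on the line above, `# kube-rbac-proxy v0.13.1, pinned by digest (RHMP verify-pinned-digest)`. The diff alone cannot show that this digest is the one v0.13.1 resolves to, so confirm that against the registry before merging. The same digest is repeated in the bundle ClusterServiceVersion, and nothing visible in release-operator.sh refreshes it, so both places have to be updated together when the proxy is bumped.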
@@ -3,6 +3,6 @@ resources:
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
-- name: controller
- newName: quay.io/cniackz4/directpv-operator
- newTag: 4.0.7
+- digest: sha256:dadf28674b15c256bc5dec3e99d90f811ea3ac1fdee17c51e2928063a5341e5e
+ name: controller
+ newName: quay.io/minio/directpv-operator
diff --git a/release-operator.sh b/release-operator.sh
index 06c6e9f0..466cc5c2 100755
--- a/release-operator.sh
+++ b/release-operator.sh
@@ -114,6 +114,9 @@ function update_charts() {
 function make_release() {
 export IMAGE_TAG_BASE=quay.io/minio/directpv-operator
 export IMG="${IMAGE_TAG_BASE}:${BUILD_VERSION}"
+ SHA_DIGEST=$("${PODMAN}" pull "${IMAGE_TAG_BASE}":"${BUILD_VERSION}" | grep Digest | awk -F ' ' '{print $2}')
+ export SHA_DIGEST
+ export DIGEST="${IMAGE_TAG_BASE}@${SHA_DIGEST}"
 export BUNDLE_GEN_FLAGS="-q --overwrite --version ${BUILD_VERSION} --package minio-directpv-operator-rhmp"
 export BUNDLE_IMG="${IMAGE_TAG_BASE}-bundle:v${BUILD_VERSION}"
@@ -124,7 +127,11 @@ function make_release() {
 git_commit "Update operator for v${BUILD_VERSION}"
 "${OPERATOR_SDK}" generate kustomize manifests --quiet --package minio-directpv-operator-rhmp
- (cd config/manager && "${KUSTOMIZE}" edit set image controller="${IMG}")
+ # Controller image, should be in SHA Digest form for RHMP to pass test:
+ # verify-pinned-digest where all your container images should use SHA digests instead of tags.
+ # Example:
+ # (cd config/manager && kustomize edit set image controller=quay.io/cniackz4/directpv-operator@sha256:04fec2fbd0d17f449a17c0f509b359c18d6c662e0a22e84cd625b538ca2a1af2)
+ (cd config/manager && "${KUSTOMIZE}" edit set image controller="${DIGEST}")
 # shellcheck disable=SC2086
 "${KUSTOMIZE}" build config/manifests | "${OPERATOR_SDK}" generate bundle ${BUNDLE_GEN_FLAGS}
 # Since above line overwrites our redhat annotation,
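Review bot: `SHA_DIGEST` in make_release is exported without any check that the pipeline produced a digest. If the pull fails or its output has no `Digest` line, the assignment still succeeds, because the pipeline's status is awk's unless `pipefail` is set (not visible in this hunk), and `DIGEST` becomes `quay.io/minio/directpv-operator@`. Add a guard directly after the assignment, `[[ "${SHA_DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "could not resolve digest for ${IMG}" >&2; exit 1; }`. Scraping human-readable pull output is fragile across container tools; `"${PODMAN}" image inspect --format '{{.Digest}}' "${IMG}"` after the pull would be sturdier if `PODMAN` really is podman. The value is also whatever the mutable tag resolves to at release time, so compare it with the digest reported when the image was pushed; make_release continues past the end of the hunk.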
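Review bot: The example in the new comment above the `kustomize edit set image` call names a personal namespace, `quay.io/cniackz4/directpv-operator`, rather than the `quay.io/minio` image this script releases, so anyone running it by hand would pin the wrong repository. Replace it with a placeholder, `# (cd config/manager && kustomize edit set image controller=quay.io/minio/directpv-operator@sha256:<digest>)`. The comment could also say that `DIGEST` is derived from `IMAGE_TAG_BASE` and `BUILD_VERSION` earlier in make_release, which starts and ends outside this hunk.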