Use production ready service mesh proxy image for Kourier (#2959)

* Use production ready service mesh proxy image for Kourier Use image on registry.redhat.io [1] vs quay.io/maistra image [1] https://catalog.redhat.com/software/containers/openshift-service-mesh/proxyv2-rhel8 Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com> * Regen CSV Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com> --------- Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
openshift-knative · Oct 21, 2024 · a720677 · a720677
1 parent 48c0c66
commit a720677
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 76 deletions.
diff --git a/hack/generate/catalog.sh b/hack/generate/catalog.sh
@@ -142,6 +142,25 @@ EOF
  fi
 }
 
+function upgrade_service_mesh_proxy_image() {
+ sm_proxy_image=$(yq r olm-catalog/serverless-operator/project.yaml 'dependencies.service_mesh_proxy')
+ sm_proxy_image_stream=$(skopeo inspect --no-tags=true "docker://${sm_proxy_image}" | jq -r '.Labels.version')
+ sm_proxy_image_stream=${sm_proxy_image_stream%.*}
+ sm_proxy_image=$(latest_konflux_image_sha "${sm_proxy_image}" "${sm_proxy_image_stream}")
+ yq w --inplace olm-catalog/serverless-operator/project.yaml 'dependencies.service_mesh_proxy' "${sm_proxy_image}"
+}
+
+function upgrade_dependencies_images {
+ if [[ -n "${REGISTRY_REDHAT_IO_USERNAME:-}" ]] || [[ -n "${REGISTRY_REDHAT_IO_PASSWORD:-}" ]]; then
+ skopeo login registry.redhat.io -u "${REGISTRY_REDHAT_IO_USERNAME}" -p "${REGISTRY_REDHAT_IO_PASSWORD}"
+ fi
+
+ upgrade_service_mesh_proxy_image
+}
+
+logger.info "Upgrading registry.redhat.io images"
+upgrade_dependencies_images
+
 logger.info "Generating ImageContextSourcePolicy"
 create_image_content_source_policy "registry.ci.openshift.org/knative/${CURRENT_VERSION_IMAGES}:serverless-index" "$registry_redhat_io" "$registry_quay" "olm-catalog/serverless-operator-index/image_content_source_policy.yaml"
 

diff --git a/hack/lib/images.bash b/hack/lib/images.bash
@@ -212,7 +212,7 @@ function default_knative_ingress_images() {
  kourier_registry="${registry_prefix_quay}${kourier_app_version}/net-kourier"
 
  export KNATIVE_KOURIER_CONTROL=${KNATIVE_KOURIER_CONTROL:-$(latest_registry_redhat_io_image_sha "${kourier_registry}-kourier:${knative_kourier}")}
- export KNATIVE_KOURIER_GATEWAY=${KNATIVE_KOURIER_GATEWAY:-"quay.io/maistra-dev/proxyv2-ubi8:$(metadata.get dependencies.maistra)"}
+ export KNATIVE_KOURIER_GATEWAY=${KNATIVE_KOURIER_GATEWAY:-"$(metadata.get dependencies.service_mesh_proxy)"}
 
  knative_istio="$(metadata.get dependencies.net_istio)"
  istio_app_version=$(get_app_version_from_tag "${knative_istio}")
@@ -261,11 +261,12 @@ function latest_registry_redhat_io_image_sha() {
 
 function latest_konflux_image_sha() {
  input=${1:?"Provide image"}
+ tag=${2:-"latest"}
 
  image_without_tag=${input%:*} # Remove tag, if any
  image_without_tag=${image_without_tag%@*} # Remove sha, if any
 
- image=$(image_with_sha "${image_without_tag}:latest")
+ image=$(image_with_sha "${image_without_tag}:${tag}")
 
  if [ "${image}" = "" ]; then
  exit 1

diff --git a/olm-catalog/serverless-operator/manifests/serverless-operator.clusterserviceversion.yaml b/olm-catalog/serverless-operator/manifests/serverless-operator.clusterserviceversion.yaml
@@ -892,7 +892,7 @@ spec:
  - name: "IMAGE_storage-version-migration-serving-__migrate"
  value: "registry.redhat.io/openshift-serverless-1/kn-serving-storage-version-migration@sha256:eef790cc54e88e5cad4c5161f184230a5a1f751eb74c08cb528b440aaac1c78e"
  - name: "IMAGE_kourier-gateway"
- value: "quay.io/maistra-dev/proxyv2-ubi8:2.4-latest"
+ value: "registry.redhat.io/openshift-service-mesh/proxyv2-rhel8@sha256:02b834fd74da71ec37f6a5c0d10aac9a679d1a0f4e510c4f77723ef2367e858a"
  - name: "IMAGE_net-kourier-controller__controller"
  value: "registry.redhat.io/openshift-serverless-1/net-kourier-kourier@sha256:819ce44d87719ba9908f04e71ab1d591f4f67f6b49787554e51b464a51a4bf5b"
  - name: "IMAGE_net-istio-controller__controller"
@@ -1064,7 +1064,7 @@ spec:
  - name: "IMAGE_storage-version-migration-serving-__migrate"
  value: "registry.redhat.io/openshift-serverless-1/kn-serving-storage-version-migration@sha256:eef790cc54e88e5cad4c5161f184230a5a1f751eb74c08cb528b440aaac1c78e"
  - name: "IMAGE_kourier-gateway"
- value: "quay.io/maistra-dev/proxyv2-ubi8:2.4-latest"
+ value: "registry.redhat.io/openshift-service-mesh/proxyv2-rhel8@sha256:02b834fd74da71ec37f6a5c0d10aac9a679d1a0f4e510c4f77723ef2367e858a"
  - name: "IMAGE_net-kourier-controller__controller"
  value: "registry.redhat.io/openshift-serverless-1/net-kourier-kourier@sha256:819ce44d87719ba9908f04e71ab1d591f4f67f6b49787554e51b464a51a4bf5b"
  - name: "IMAGE_net-istio-controller__controller"
@@ -1339,7 +1339,7 @@ spec:
  - name: "IMAGE_storage-version-migration-serving-__migrate"
  image: "registry.redhat.io/openshift-serverless-1/kn-serving-storage-version-migration@sha256:eef790cc54e88e5cad4c5161f184230a5a1f751eb74c08cb528b440aaac1c78e"
  - name: "IMAGE_kourier-gateway"
- image: "quay.io/maistra-dev/proxyv2-ubi8:2.4-latest"
+ image: "registry.redhat.io/openshift-service-mesh/proxyv2-rhel8@sha256:02b834fd74da71ec37f6a5c0d10aac9a679d1a0f4e510c4f77723ef2367e858a"
  - name: "IMAGE_net-kourier-controller__controller"
  image: "registry.redhat.io/openshift-serverless-1/net-kourier-kourier@sha256:819ce44d87719ba9908f04e71ab1d591f4f67f6b49787554e51b464a51a4bf5b"
  - name: "IMAGE_net-istio-controller__controller"

diff --git a/olm-catalog/serverless-operator/project.yaml b/olm-catalog/serverless-operator/project.yaml
@@ -1,75 +1,75 @@
 project:
-  name: serverless-operator
-  # When bumping the Operator to a new version (major and minor), make sure to also update
-  # all components in `dependencies.previous` to the same versions as `dependencies` in the same PR.
-  # Otherwise, the upgrade tests will not pass, as we have a different SO version with the same bundle contents.
-  # Also make sure to update values under `olm.previous` by copying from `olm.replaces` and `olm.skipRange`.
-  version: 1.35.0
+ name: serverless-operator
+ # When bumping the Operator to a new version (major and minor), make sure to also update
+ # all components in `dependencies.previous` to the same versions as `dependencies` in the same PR.
+ # Otherwise, the upgrade tests will not pass, as we have a different SO version with the same bundle contents.
+ # Also make sure to update values under `olm.previous` by copying from `olm.replaces` and `olm.skipRange`.
+ version: 1.35.0
 olm:
-  replaces: 1.34.0
-  skipRange: '>=1.34.0 <1.35.0'
-  channels:
-  default: stable
-  list:
-  - stable
-  - stable-1.35
+ replaces: 1.34.0
+ skipRange: '>=1.34.0 <1.35.0'
+ channels:
+ default: stable
+ list:
+ - stable
+ - stable-1.35
 requirements:
-  kube:
-  # The min version validation in `vendor/knative.dev/pkg/version/version.go`
-  # is ignored as it is overridden by fake version via KUBERNETES_MIN_VERSION.
-  # This value is used for CSV's min version validation.
-  minVersion: 1.25.0
-  golang: '1.22'
-  nodejs: 20.x
-  ocpVersion:
-  list:
-  - "4.13"
-  - "4.14"
-  - "4.15"
-  - "4.16"
-  - "4.17"
-  min: '4.13'
-  max: '4.17'
-  label: 'v4.13'
+ kube:
+ # The min version validation in `vendor/knative.dev/pkg/version/version.go`
+ # is ignored as it is overridden by fake version via KUBERNETES_MIN_VERSION.
+ # This value is used for CSV's min version validation.
+ minVersion: 1.25.0
+ golang: '1.22'
+ nodejs: 20.x
+ ocpVersion:
+ list:
+ - "4.13"
+ - "4.14"
+ - "4.15"
+ - "4.16"
+ - "4.17"
+ min: '4.13'
+ max: '4.17'
+ label: 'v4.13'
 dependencies:
-  serving: knative-v1.15
-  # serving midstream branch name
-  serving_artifacts_branch: release-v1.15
-  # versions for networking components
-  kourier: knative-v1.15
-  net_kourier_artifacts_branch: release-v1.15
-  net_istio: knative-v1.15
-  net_istio_artifacts_branch: release-v1.15
-  redhat-knative-istio-authz-chart: 1.35.0
-  maistra: 2.4-latest
-  eventing: knative-v1.15
-  # eventing core midstream branch name
-  eventing_artifacts_branch: release-v1.15
-  # eventing-kafka-broker promotion tag
-  eventing_kafka_broker: knative-v1.15
-  # eventing-kafka-broker midstream branch or commit
-  eventing_kafka_broker_artifacts_branch: release-v1.15
-  # eventing-istio promotion tag
-  eventing_istio: knative-v1.15
-  # eventing-istio midstream branch or commit
-  eventing_istio_artifacts_branch: release-v1.15
-  # backstage-plugins promotion tag
-  backstage_plugins: knative-v1.15
-  # backstage-plugins midstream branch or commit
-  backstage_plugins_artifacts_branch: release-v1.15
-  cli: knative-v1.15
-  func:
-  promotion_tag: knative-v1.15
-  tekton_s2i: registry.redhat.io/source-to-image/source-to-image-rhel8@sha256:6a6025914296a62fdf2092c3a40011bd9b966a6806b094d51eec5e1bd5026ef4
-  tekton_buildah: registry.redhat.io/rhel8/buildah@sha256:3d505d9c0f5d4cd5a4ec03b8d038656c6cdbdf5191e00ce6388f7e0e4d2f1b74
-  nodejs_20_minimal: registry.access.redhat.com/ubi8/nodejs-20-minimal@sha256:a2a7e399aaf09a48c28f40820da16709b62aee6f2bc703116b9345fab5830861
-  openjdk_21: registry.access.redhat.com/ubi8/openjdk-21@sha256:441897a1f691c7d4b3a67bb3e0fea83e18352214264cb383fd057bbbd5ed863c
-  python-39: registry.access.redhat.com/ubi8/python-39@sha256:27e795fd6b1b77de70d1dc73a65e4c790650748a9cfda138fdbd194b3d6eea3d
-  operator: 1.15.4
-  # Previous versions required for downgrade testing
-  previous:
-  serving: knative-v1.14
-  eventing: knative-v1.14
-  eventing_kafka_broker: knative-v1.14
-  mustgather:
-  image: quay.io/openshift-knative/must-gather
+ serving: knative-v1.15
+ # serving midstream branch name
+ serving_artifacts_branch: release-v1.15
+ # versions for networking components
+ kourier: knative-v1.15
+ net_kourier_artifacts_branch: release-v1.15
+ net_istio: knative-v1.15
+ net_istio_artifacts_branch: release-v1.15
+ redhat-knative-istio-authz-chart: 1.35.0
+ service_mesh_proxy: registry.redhat.io/openshift-service-mesh/proxyv2-rhel8@sha256:02b834fd74da71ec37f6a5c0d10aac9a679d1a0f4e510c4f77723ef2367e858a
+ eventing: knative-v1.15
+ # eventing core midstream branch name
+ eventing_artifacts_branch: release-v1.15
+ # eventing-kafka-broker promotion tag
+ eventing_kafka_broker: knative-v1.15
+ # eventing-kafka-broker midstream branch or commit
+ eventing_kafka_broker_artifacts_branch: release-v1.15
+ # eventing-istio promotion tag
+ eventing_istio: knative-v1.15
+ # eventing-istio midstream branch or commit
+ eventing_istio_artifacts_branch: release-v1.15
+ # backstage-plugins promotion tag
+ backstage_plugins: knative-v1.15
+ # backstage-plugins midstream branch or commit
+ backstage_plugins_artifacts_branch: release-v1.15
+ cli: knative-v1.15
+ func:
+ promotion_tag: knative-v1.15
+ tekton_s2i: registry.redhat.io/source-to-image/source-to-image-rhel8@sha256:6a6025914296a62fdf2092c3a40011bd9b966a6806b094d51eec5e1bd5026ef4
+ tekton_buildah: registry.redhat.io/rhel8/buildah@sha256:3d505d9c0f5d4cd5a4ec03b8d038656c6cdbdf5191e00ce6388f7e0e4d2f1b74
+ nodejs_20_minimal: registry.access.redhat.com/ubi8/nodejs-20-minimal@sha256:a2a7e399aaf09a48c28f40820da16709b62aee6f2bc703116b9345fab5830861
+ openjdk_21: registry.access.redhat.com/ubi8/openjdk-21@sha256:441897a1f691c7d4b3a67bb3e0fea83e18352214264cb383fd057bbbd5ed863c
+ python-39: registry.access.redhat.com/ubi8/python-39@sha256:27e795fd6b1b77de70d1dc73a65e4c790650748a9cfda138fdbd194b3d6eea3d
+ operator: 1.15.4
+ # Previous versions required for downgrade testing
+ previous:
+ serving: knative-v1.14
+ eventing: knative-v1.14
+ eventing_kafka_broker: knative-v1.14
+ mustgather:
+ image: quay.io/openshift-knative/must-gather