diff --git a/changelog/v1.18.0-beta14/fix-image-digests.yaml b/changelog/v1.18.0-beta14/fix-image-digests.yaml
new file mode 100644
index 00000000000..f51eb20aab5
--- /dev/null
+++ b/changelog/v1.18.0-beta14/fix-image-digests.yaml
@@ -0,0 +1,6 @@
+changelog:
+ - type: HELM
+ issueLink: https://github.com/solo-io/gloo/issues/9860
+ resolvesIssue: false
+ description: >-
+ Ensure that image digests are set correctly for all image variants (standard, fips, distroless, fips-distroless).
\ No newline at end of file
diff --git a/docs/content/reference/values.txt b/docs/content/reference/values.txt
index 15d6d539ad8..be71a31cf1b 100644
--- a/docs/content/reference/values.txt
+++ b/docs/content/reference/values.txt
@@ -4,13 +4,15 @@ |kubeGateway.enabled|bool|false|Enable the Gloo Gateway Kubernetes Gateway API controller.| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.tag|string||The image tag for the container.| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.repository|string|gloo-envoy-wrapper|The image repository (name) for the container.| -|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.pullPolicy|string||The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.envoyContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. 
(Enterprise-only feature)| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.add[]|string||| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.capabilities.drop[]|string||| |kubeGateway.gatewayParameters.glooGateway.envoyContainer.securityContext.privileged|bool||| 
@@ -38,13 +40,15 @@ |kubeGateway.gatewayParameters.glooGateway.service.type|string|LoadBalancer|K8s service type. If set to null, a default of LoadBalancer will be imposed.| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.tag|string||The image tag for the container.| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.repository|string|sds|The image repository (name) for the container.| -|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.pullPolicy|string||The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.sdsContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.capabilities.add[]|string||| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.capabilities.drop[]|string||| |kubeGateway.gatewayParameters.glooGateway.sdsContainer.securityContext.privileged|bool||| 
@@ -71,13 +75,15 @@ |kubeGateway.gatewayParameters.glooGateway.sdsContainer.sdsResources.requests.cpu|string||amount of CPUs| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.tag|string|1.22.0|The image tag for the container.| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.repository|string|proxyv2|The image repository (name) for the container.| -|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. 
If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.registry|string|docker.io/istio|The image hostname prefix and registry, such as quay.io/solo-io.| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. 
(The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.capabilities.add[]|string||| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.capabilities.drop[]|string||| |kubeGateway.gatewayParameters.glooGateway.istio.istioProxyContainer.securityContext.privileged|bool||| 
@@ -109,13 +115,15 @@ |kubeGateway.gatewayParameters.glooGateway.aiExtension.enabled|bool|false|Enable the AI extension| |kubeGateway.gatewayParameters.glooGateway.aiExtension.image.tag|string||The image tag for the container.| |kubeGateway.gatewayParameters.glooGateway.aiExtension.image.repository|string|gloo-ai-extension|The image repository (name) for the container.| -|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |kubeGateway.gatewayParameters.glooGateway.aiExtension.image.registry|string|quay.io/solo-io|The image hostname prefix and registry, such as quay.io/solo-io.| |kubeGateway.gatewayParameters.glooGateway.aiExtension.image.pullPolicy|string|IfNotPresent|The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |kubeGateway.gatewayParameters.glooGateway.aiExtension.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|kubeGateway.gatewayParameters.glooGateway.aiExtension.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |kubeGateway.gatewayParameters.glooGateway.aiExtension.securityContext.capabilities.add[]|string||| |kubeGateway.gatewayParameters.glooGateway.aiExtension.securityContext.capabilities.drop[]|string||| |kubeGateway.gatewayParameters.glooGateway.aiExtension.securityContext.privileged|bool||| 
@@ -169,13 +177,15 @@ |settings.integrations.knative.version|string|0.10.0|the version of knative installed to the cluster. if using version < 0.8.0, Gloo Edge will use Knative's ClusterIngress API for configuration rather than the namespace-scoped Ingress| |settings.integrations.knative.proxy.image.tag|string||The image tag for the container.| |settings.integrations.knative.proxy.image.repository|string|gloo-envoy-wrapper|The image repository (name) for the container.| -|settings.integrations.knative.proxy.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|settings.integrations.knative.proxy.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|settings.integrations.knative.proxy.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|settings.integrations.knative.proxy.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|settings.integrations.knative.proxy.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |settings.integrations.knative.proxy.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |settings.integrations.knative.proxy.image.pullPolicy|string||The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |settings.integrations.knative.proxy.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|settings.integrations.knative.proxy.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|settings.integrations.knative.proxy.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|settings.integrations.knative.proxy.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|settings.integrations.knative.proxy.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|settings.integrations.knative.proxy.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |settings.integrations.knative.proxy.httpPort|int|8080|HTTP port for the proxy| |settings.integrations.knative.proxy.httpsPort|int|8443|HTTPS port for the proxy| |settings.integrations.knative.proxy.tracing|string||tracing configuration| 
@@ -397,13 +407,15 @@ |gloo.deployment.kubeResourceOverride.NAME|interface||override fields in the generated resource by specifying the yaml structure to override under the top-level key.| |gloo.deployment.image.tag|string||The image tag for the container.| |gloo.deployment.image.repository|string|gloo|The image repository (name) for the container.| -|gloo.deployment.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|gloo.deployment.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|gloo.deployment.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|gloo.deployment.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|gloo.deployment.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |gloo.deployment.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |gloo.deployment.image.pullPolicy|string||The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |gloo.deployment.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|gloo.deployment.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|gloo.deployment.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|gloo.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|gloo.deployment.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|gloo.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |gloo.deployment.glooContainerSecurityContext.capabilities.add[]|string||| |gloo.deployment.glooContainerSecurityContext.capabilities.drop[]|string||| |gloo.deployment.glooContainerSecurityContext.privileged|bool||| 
@@ -436,13 +448,15 @@ |gloo.podDisruptionBudget.maxUnavailable|string||Corresponds directly with the _maxUnavailable_ field in the [PodDisruptionBudgetSpec](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/#PodDisruptionBudgetSpec). This value is mutually exclusive with _minAvailable_.| |discovery.deployment.image.tag|string||The image tag for the container.| |discovery.deployment.image.repository|string|discovery|The image repository (name) for the container.| -|discovery.deployment.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|discovery.deployment.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|discovery.deployment.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|discovery.deployment.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|discovery.deployment.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |discovery.deployment.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |discovery.deployment.image.pullPolicy|string||The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |discovery.deployment.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|discovery.deployment.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|discovery.deployment.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|discovery.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|discovery.deployment.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|discovery.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |discovery.deployment.stats.enabled|bool||Controls whether or not Envoy stats are enabled| |discovery.deployment.stats.routePrefixRewrite|string||The Envoy stats endpoint to which the metrics are written| |discovery.deployment.stats.setDatadogAnnotations|bool||Sets the default datadog annotations| 
@@ -542,13 +556,15 @@ |gateway.validation.livenessProbeEnabled|bool||Set to true to enable a liveness probe for the gateway (default is false). You must also set the 'Probes' value to true.| |gateway.certGenJob.image.tag|string||The image tag for the container.| |gateway.certGenJob.image.repository|string|certgen|The image repository (name) for the container.| -|gateway.certGenJob.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|gateway.certGenJob.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|gateway.certGenJob.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|gateway.certGenJob.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|gateway.certGenJob.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |gateway.certGenJob.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |gateway.certGenJob.image.pullPolicy|string||The image pull policy for the container. 
For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |gateway.certGenJob.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|gateway.certGenJob.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|gateway.certGenJob.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|gateway.certGenJob.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|gateway.certGenJob.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|gateway.certGenJob.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |gateway.certGenJob.restartPolicy|string|OnFailure|restart policy to use when the pod exits| |gateway.certGenJob.priorityClassName|string||name of a defined priority class| |gateway.certGenJob.nodeName|string||name of node to run on| 
@@ -649,13 +665,15 @@
 |gateway.rolloutJob.enabled|bool|true|Enable the job that applies default Gloo Edge custom resources at install and upgrade time (default true).|
 |gateway.rolloutJob.image.tag|string||The image tag for the container.|
 |gateway.rolloutJob.image.repository|string|kubectl|The image repository (name) for the container.|
-|gateway.rolloutJob.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|gateway.rolloutJob.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|gateway.rolloutJob.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|gateway.rolloutJob.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|gateway.rolloutJob.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |gateway.rolloutJob.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |gateway.rolloutJob.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |gateway.rolloutJob.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|gateway.rolloutJob.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|gateway.rolloutJob.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|gateway.rolloutJob.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|gateway.rolloutJob.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|gateway.rolloutJob.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |gateway.rolloutJob.resources.limits.memory|string||amount of memory|
 |gateway.rolloutJob.resources.limits.cpu|string||amount of CPUs|
 |gateway.rolloutJob.resources.requests.memory|string||amount of memory|
@@ -706,13 +724,15 @@
 |gateway.cleanupJob.enabled|bool|true|Enable the job that removes Gloo Edge custom resources when Gloo Edge is uninstalled (default true).|
 |gateway.cleanupJob.image.tag|string||The image tag for the container.|
 |gateway.cleanupJob.image.repository|string|kubectl|The image repository (name) for the container.|
-|gateway.cleanupJob.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|gateway.cleanupJob.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|gateway.cleanupJob.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|gateway.cleanupJob.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|gateway.cleanupJob.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |gateway.cleanupJob.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |gateway.cleanupJob.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |gateway.cleanupJob.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|gateway.cleanupJob.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|gateway.cleanupJob.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|gateway.cleanupJob.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|gateway.cleanupJob.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|gateway.cleanupJob.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |gateway.cleanupJob.resources.limits.memory|string||amount of memory|
 |gateway.cleanupJob.resources.limits.cpu|string||amount of CPUs|
 |gateway.cleanupJob.resources.requests.memory|string||amount of memory|
@@ -857,13 +877,15 @@
 |gatewayProxies.NAME.podTemplate.podSecurityContext.mergePolicy|string||How to combine the defined security policy with the default security policy. Valid values are "", "no-merge", and "helm-merge". If defined as an empty string or "no-merge", use the defined security context as is. If "helm-merge", merge this security context with the default security context according to the logic of [the helm 'merge' function](https://helm.sh/docs/chart_template_guide/function_list/#merge-mustmerge). This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm's 'merge' function works, you can not override a 'true' value with a 'false' value, and for that case you will need to define the entire security context and set this value to false. Default value is "".|
 |gatewayProxies.NAME.podTemplate.image.tag|string||The image tag for the container.|
 |gatewayProxies.NAME.podTemplate.image.repository|string||The image repository (name) for the container.|
-|gatewayProxies.NAME.podTemplate.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|gatewayProxies.NAME.podTemplate.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|gatewayProxies.NAME.podTemplate.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|gatewayProxies.NAME.podTemplate.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|gatewayProxies.NAME.podTemplate.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |gatewayProxies.NAME.podTemplate.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |gatewayProxies.NAME.podTemplate.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |gatewayProxies.NAME.podTemplate.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|gatewayProxies.NAME.podTemplate.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|gatewayProxies.NAME.podTemplate.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|gatewayProxies.NAME.podTemplate.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|gatewayProxies.NAME.podTemplate.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|gatewayProxies.NAME.podTemplate.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.capabilities.add[]|string|||
 |gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.capabilities.drop[]|string|||
 |gatewayProxies.NAME.podTemplate.glooContainerSecurityContext.privileged|bool|||
@@ -1102,13 +1124,15 @@
 |gatewayProxies.gatewayProxy.podTemplate.podSecurityContext.mergePolicy|string||How to combine the defined security policy with the default security policy. Valid values are "", "no-merge", and "helm-merge". If defined as an empty string or "no-merge", use the defined security context as is. If "helm-merge", merge this security context with the default security context according to the logic of [the helm 'merge' function](https://helm.sh/docs/chart_template_guide/function_list/#merge-mustmerge). This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm's 'merge' function works, you can not override a 'true' value with a 'false' value, and for that case you will need to define the entire security context and set this value to false. Default value is "".|
 |gatewayProxies.gatewayProxy.podTemplate.image.tag|string||The image tag for the container.|
 |gatewayProxies.gatewayProxy.podTemplate.image.repository|string|gloo-envoy-wrapper|The image repository (name) for the container.|
-|gatewayProxies.gatewayProxy.podTemplate.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|gatewayProxies.gatewayProxy.podTemplate.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|gatewayProxies.gatewayProxy.podTemplate.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|gatewayProxies.gatewayProxy.podTemplate.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|gatewayProxies.gatewayProxy.podTemplate.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |gatewayProxies.gatewayProxy.podTemplate.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |gatewayProxies.gatewayProxy.podTemplate.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |gatewayProxies.gatewayProxy.podTemplate.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|gatewayProxies.gatewayProxy.podTemplate.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|gatewayProxies.gatewayProxy.podTemplate.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|gatewayProxies.gatewayProxy.podTemplate.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|gatewayProxies.gatewayProxy.podTemplate.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|gatewayProxies.gatewayProxy.podTemplate.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.capabilities.add[]|string|||
 |gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.capabilities.drop[]|string|||
 |gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext.privileged|bool|||
@@ -1227,13 +1251,15 @@
 |ingress.enabled|bool|false||
 |ingress.deployment.image.tag|string||The image tag for the container.|
 |ingress.deployment.image.repository|string|ingress|The image repository (name) for the container.|
-|ingress.deployment.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|ingress.deployment.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|ingress.deployment.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|ingress.deployment.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|ingress.deployment.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |ingress.deployment.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |ingress.deployment.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |ingress.deployment.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|ingress.deployment.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|ingress.deployment.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|ingress.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|ingress.deployment.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|ingress.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |ingress.deployment.runAsUser|float64||Explicitly set the user ID for the processes in the container to run as. Default is 10101.|
 |ingress.deployment.floatingUserId|bool||If true, allows the cluster to dynamically assign a user ID for the processes running in the container.|
 |ingress.deployment.extraIngressLabels.NAME|string||Optional extra key-value pairs to add to the spec.template.metadata.labels data of the ingress deployment.|
@@ -1300,13 +1326,15 @@
 |ingress.customIngressClass|bool||Only relevant when requireIngressClass is set to true. Setting this value will cause the Gloo Edge Ingress Controller to process only those Ingress objects which have their ingress class set to this value (e.g. 'kubernetes.io/ingress.class=SOMEVALUE').|
 |ingressProxy.deployment.image.tag|string||The image tag for the container.|
 |ingressProxy.deployment.image.repository|string|gloo-envoy-wrapper|The image repository (name) for the container.|
-|ingressProxy.deployment.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|ingressProxy.deployment.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|ingressProxy.deployment.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|ingressProxy.deployment.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|ingressProxy.deployment.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |ingressProxy.deployment.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |ingressProxy.deployment.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |ingressProxy.deployment.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|ingressProxy.deployment.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|ingressProxy.deployment.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|ingressProxy.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|ingressProxy.deployment.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|ingressProxy.deployment.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |ingressProxy.deployment.httpPort|int|8080|HTTP port for the ingress container|
 |ingressProxy.deployment.httpsPort|int|8443|HTTPS port for the ingress container|
 |ingressProxy.deployment.extraPorts[]|interface|||
@@ -1386,13 +1414,15 @@
 |k8s.clusterName|string|cluster.local|cluster name to use when referencing services.|
 |accessLogger.image.tag|string||The image tag for the container.|
 |accessLogger.image.repository|string|access-logger|The image repository (name) for the container.|
-|accessLogger.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|accessLogger.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|accessLogger.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|accessLogger.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|accessLogger.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |accessLogger.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |accessLogger.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |accessLogger.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|accessLogger.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|accessLogger.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|accessLogger.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|accessLogger.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|accessLogger.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |accessLogger.port|uint|8083||
 |accessLogger.serviceName|string|AccessLog||
 |accessLogger.enabled|bool|false||
@@ -1468,13 +1498,15 @@
 |accessLogger.kubeResourceOverride.NAME|interface||override fields in the generated resource by specifying the yaml structure to override under the top-level key.|
 |global.image.tag|string||The image tag for the container.|
 |global.image.repository|string||The image repository (name) for the container.|
-|global.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|global.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|global.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|global.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|global.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |global.image.registry|string|quay.io/solo-io|The image hostname prefix and registry, such as quay.io/solo-io.|
 |global.image.pullPolicy|string|IfNotPresent|The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |global.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|global.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|global.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|global.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|global.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|global.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |global.extensions|interface|||
 |global.glooRbac.create|bool|true|create rbac rules for the gloo-system service account|
 |global.glooRbac.namespaced|bool|false|use Roles instead of ClusterRoles|
@@ -1489,13 +1521,15 @@
 |global.glooMtls.enabled|bool|false|Enables internal mtls authentication|
 |global.glooMtls.sds.image.tag|string||The image tag for the container.|
 |global.glooMtls.sds.image.repository|string|sds|The image repository (name) for the container.|
-|global.glooMtls.sds.image.digest|string||The hash digest of the container's image, ie. sha256:12345....|
+|global.glooMtls.sds.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.|
+|global.glooMtls.sds.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.|
+|global.glooMtls.sds.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.|
+|global.glooMtls.sds.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.|
 |global.glooMtls.sds.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.|
 |global.glooMtls.sds.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting|
 |global.glooMtls.sds.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.|
-|global.glooMtls.sds.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
-|global.glooMtls.sds.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true|
-|global.glooMtls.sds.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
+|global.glooMtls.sds.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)|
+|global.glooMtls.sds.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)|
 |global.glooMtls.sds.securityContext.capabilities.add[]|string|||
 |global.glooMtls.sds.securityContext.capabilities.drop[]|string|||
 |global.glooMtls.sds.securityContext.privileged|bool|||
@@ -1523,13 +1557,15 @@ |global.glooMtls.sds.sdsResources.requests.cpu|string||amount of CPUs| |global.glooMtls.envoy.image.tag|string||The image tag for the container.| |global.glooMtls.envoy.image.repository|string|gloo-envoy-wrapper|The image repository (name) for the container.| -|global.glooMtls.envoy.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|global.glooMtls.envoy.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|global.glooMtls.envoy.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|global.glooMtls.envoy.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|global.glooMtls.envoy.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |global.glooMtls.envoy.image.registry|string||The image hostname prefix and registry, such as quay.io/solo-io.| |global.glooMtls.envoy.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |global.glooMtls.envoy.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|global.glooMtls.envoy.image.variant|string||Specifies the version of the data-plane containers to deploy. 
Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|global.glooMtls.envoy.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|global.glooMtls.envoy.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|global.glooMtls.envoy.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|global.glooMtls.envoy.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| |global.glooMtls.envoy.securityContext.capabilities.add[]|string||| |global.glooMtls.envoy.securityContext.capabilities.drop[]|string||| |global.glooMtls.envoy.securityContext.privileged|bool||| 
@@ -1552,13 +1588,15 @@ |global.glooMtls.envoy.securityContext.mergePolicy|string||How to combine the defined security policy with the default security policy. Valid values are "", "no-merge", and "helm-merge". If defined as an empty string or "no-merge", use the defined security context as is. If "helm-merge", merge this security context with the default security context according to the logic of [the helm 'merge' function](https://helm.sh/docs/chart_template_guide/function_list/#merge-mustmerge). This is intended to be used to modify a field in a security context, while using all other default values. Please note that due to how helm's 'merge' function works, you can not override a 'true' value with a 'false' value, and for that case you will need to define the entire security context and set this value to false. Default value is "".| |global.glooMtls.istioProxy.image.tag|string|1.22.0|The image tag for the container.| |global.glooMtls.istioProxy.image.repository|string|proxyv2|The image repository (name) for the container.| -|global.glooMtls.istioProxy.image.digest|string||The hash digest of the container's image, ie. sha256:12345....| +|global.glooMtls.istioProxy.image.digest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard.| +|global.glooMtls.istioProxy.image.fipsDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant.| +|global.glooMtls.istioProxy.image.distrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant.| +|global.glooMtls.istioProxy.image.fipsDistrolessDigest|string||The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. 
If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest.| |global.glooMtls.istioProxy.image.registry|string|docker.io/istio|The image hostname prefix and registry, such as quay.io/solo-io.| |global.glooMtls.istioProxy.image.pullPolicy|string||The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting| |global.glooMtls.istioProxy.image.pullSecret|string||The image pull secret to use for the container, in the same namespace as the container pod.| -|global.glooMtls.istioProxy.image.variant|string||Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| -|global.glooMtls.istioProxy.image.fipsDigest|string||[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true| -|global.glooMtls.istioProxy.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)| +|global.glooMtls.istioProxy.image.variant|string||Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)| +|global.glooMtls.istioProxy.image.fips|bool||[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. 
(Enterprise-only feature)| |global.glooMtls.istioProxy.securityContext.capabilities.add[]|string||| |global.glooMtls.istioProxy.securityContext.capabilities.drop[]|string||| |global.glooMtls.istioProxy.securityContext.privileged|bool||| diff --git a/install/helm/gloo/generate/values.go b/install/helm/gloo/generate/values.go index 3f0e6357eea..ec9550a828d 100644 --- a/install/helm/gloo/generate/values.go +++ b/install/helm/gloo/generate/values.go 
@@ -63,15 +63,17 @@ type Rbac struct { // Common type Image struct { - Tag *string `json:"tag,omitempty" desc:"The image tag for the container."` - Repository *string `json:"repository,omitempty" desc:"The image repository (name) for the container."` - Digest *string `json:"digest,omitempty" desc:"The hash digest of the container's image, ie. sha256:12345...."` - Registry *string `json:"registry,omitempty" desc:"The image hostname prefix and registry, such as quay.io/solo-io."` - PullPolicy *string `json:"pullPolicy,omitempty" desc:"The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting"` - PullSecret *string `json:"pullSecret,omitempty" desc:"The image pull secret to use for the container, in the same namespace as the container pod."` - Variant *string `json:"variant,omitempty" desc:"Specifies the version of the data-plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)"` - FipsDigest *string `json:"fipsDigest,omitempty" desc:"[Deprecated] Use 'variant=fips' and 'digest=...' instead. The hash digest of the container's fips image, ie. sha256:12345.... Only consumed if fips=true"` - Fips *bool `json:"fips,omitempty" desc:"[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the data-plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)"` + Tag *string `json:"tag,omitempty" desc:"The image tag for the container."` + Repository *string `json:"repository,omitempty" desc:"The image repository (name) for the container."` + Digest *string `json:"digest,omitempty" desc:"The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=standard."` + FipsDigest *string `json:"fipsDigest,omitempty" desc:"The container image's hash digest (e.g. 
'sha256:12345...'), consumed when variant=fips. If the image does not have a fips variant, this field will contain the digest for the standard image variant."` + DistrolessDigest *string `json:"distrolessDigest,omitempty" desc:"The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=distroless. If the image does not have a distroless variant, this field will contain the digest for the standard image variant."` + FipsDistrolessDigest *string `json:"fipsDistrolessDigest,omitempty" desc:"The container image's hash digest (e.g. 'sha256:12345...'), consumed when variant=fips-distroless. If the image does not have a fips-distroless variant, this field will contain either the fips variant's digest (if supported), else the distroless variant's digest (if supported), else the standard variant's digest."` + Registry *string `json:"registry,omitempty" desc:"The image hostname prefix and registry, such as quay.io/solo-io."` + PullPolicy *string `json:"pullPolicy,omitempty" desc:"The image pull policy for the container. For default values, see the Kubernetes docs: https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting"` + PullSecret *string `json:"pullSecret,omitempty" desc:"The image pull secret to use for the container, in the same namespace as the container pod."` + Variant *string `json:"variant,omitempty" desc:"Specifies the variant of the control plane and data plane containers to deploy. Can take the values 'standard', 'fips', 'distroless', 'fips-distroless'. Defaults to standard. (The 'fips' and 'fips-distroless' variants are an Enterprise-only feature)"` + Fips *bool `json:"fips,omitempty" desc:"[Deprecated] Use 'variant=fips' instead. If true, deploys a version of the control plane and data plane containers that is built with FIPS-compliant crypto libraries. (Enterprise-only feature)"` } type ResourceAllocation struct { 
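Review bot: The new `Digest` description says only "consumed when variant=standard", and nothing tells a user who followed the removed guidance ("Use 'variant=fips' and 'digest=...' instead") that this value is no longer applied to the fips variant. With the `gloo.image` change to `_helpers.tpl` in this commit, such a configuration renders a tag-only reference whenever `fipsDigest` is empty, so the image stops being pinned by digest and the install gives no sign of it. I would extend the `desc` with a sentence such as `Not applied to other variants; set fipsDigest, distrolessDigest or fipsDistrolessDigest for those, otherwise the image is referenced by tag only.` The regenerated rows in docs/content/reference/values.txt would pick up the same wording.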
diff --git a/install/helm/gloo/templates/_helpers.tpl b/install/helm/gloo/templates/_helpers.tpl index 07eac99920e..8abb3024c3b 100644 --- a/install/helm/gloo/templates/_helpers.tpl +++ b/install/helm/gloo/templates/_helpers.tpl 
@@ -26,37 +26,62 @@ ClusterRole {{- end -}} {{/* -Expand the name of a container image by adding the digest, and the -fips / -distroless suffix if configured. +Construct a container image name from a registry, repository, tag, and digest. */}} {{- define "gloo.image" -}} {{- $image := printf "%s/%s" .registry .repository -}} -{{- if and .fips .fipsDigest -}} + {{- /* -In consideration of https://github.com/solo-io/gloo/issues/7326, we want the ability for -fips images to use their own digests, -rather than falling back (incorrectly) onto the digests of non-fips images +for fips or fips-distroless variants: add -fips to the image repo (name) */ -}} -{{- $image = printf "%s-fips:%s@%s" $image .tag .fipsDigest -}} -{{- else -}} {{- /* if and .fips .fipsDigest */ -}} {{- if or .fips (has .variant (list "fips" "fips-distroless")) -}} {{- $fipsSupportedImages := list "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" -}} {{- if (has .repository $fipsSupportedImages) -}} {{- $image = printf "%s-fips" $image -}} {{- end -}}{{- /* if (has .repository $fipsSupportedImages) */ -}} -{{- end -}}{{- /* if .fips */ -}} +{{- end -}}{{- /* if or .fips (has .variant (list "fips" "fips-distroless")) */ -}} + +{{- /* +add tag, if it exists +*/ -}} +{{- if .tag -}} {{- $image = printf "%s:%s" $image .tag -}} -{{- if has .variant (list "distroless" "fips-distroless") -}} +{{- end -}}{{- /* if .tag */ -}} + +{{- /* +for distroless or fips-distroless variants: add -distroless to the tag +*/ -}} +{{- if and .tag (has .variant (list "distroless" "fips-distroless")) -}} {{- $distrolessSupportedImages := list "gloo" "gloo-envoy-wrapper" "discovery" "sds" "certgen" "kubectl" "access-logger" "ingress" "gloo-ee" "extauth-ee" "gloo-ee-envoy-wrapper" "rate-limit-ee" "discovery-ee" "sds-ee" "observability-ee" "caching-ee" -}} {{- if (has .repository $distrolessSupportedImages) -}} {{- $image = printf "%s-distroless" $image -}} {{- /* Add distroless suffix to the 
tag since it contains the same binaries in a different container */ -}} {{- end -}}{{- /* if (has .repository $distrolessSupportedImages) */ -}} -{{- end -}}{{- /* if .distroless */ -}} -{{- if .digest -}} -{{- $image = printf "%s@%s" $image .digest -}} -{{- end -}}{{- /* if .digest */ -}} -{{- end -}}{{- /* if and .fips .fipsDigest */ -}} +{{- end -}}{{- /* if and .tag (has .variant (list "distroless" "fips-distroless")) */ -}} + +{{- /* +add digest for the chosen variant, if it exists +*/ -}} +{{- if or .fips (eq .variant "fips") -}} + {{- if .fipsDigest -}} + {{- $image = printf "%s@%s" $image .fipsDigest -}} + {{- end -}}{{- /* if .fipsDigest */ -}} +{{- else if eq .variant "distroless" -}} + {{- if .distrolessDigest -}} + {{- $image = printf "%s@%s" $image .distrolessDigest -}} + {{- end -}}{{- /* if .distrolessDigest */ -}} +{{- else if eq .variant "fips-distroless" -}} + {{- if .fipsDistrolessDigest -}} + {{- $image = printf "%s@%s" $image .fipsDistrolessDigest -}} + {{- end -}}{{- /* if .fipsDistrolessDigest */ -}} +{{- else -}} + {{- if .digest -}}{{- /* standard image digest */ -}} + {{- $image = printf "%s@%s" $image .digest -}} + {{- end -}}{{- /* if .digest */ -}} +{{- end -}} {{ $image }} {{- end -}}{{- /* define "gloo.image" */ -}} + {{- define "gloo.pullSecret" -}} {{- if .pullSecret -}} imagePullSecrets: diff --git a/install/test/helm_suite_test.go b/install/test/helm_suite_test.go index 7b69651d316..404e37d06a1 100644 --- a/install/test/helm_suite_test.go +++ b/install/test/helm_suite_test.go 
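Review bot: The digest chain tests `or .fips (eq .variant "fips")` first, so the deprecated `fips: true` combined with `variant: distroless` or `variant: fips-distroless` produces a `-fips` repository and a `-distroless` tag but appends `.fipsDigest`. A digest takes precedence over the tag when the image is pulled, so (assuming `fipsDigest` holds the non-distroless fips digest, as the values.go descriptions say) the pod would run a different image than its name shows. Deriving the digest from the same two conditions that add the `-fips` and `-distroless` suffixes keeps the name and the digest consistent, as sketched below. The sketch does not consult the supported-image lists, because the field descriptions say unsupported variants already carry a fallback digest.

```gotemplate
{{- /* … unchanged: repository, -fips suffix, tag and -distroless suffix … */ -}}

{{- /*
add digest for the chosen variant, if it exists
*/ -}}
{{- $isFips := or .fips (has .variant (list "fips" "fips-distroless")) -}}
{{- $isDistroless := has .variant (list "distroless" "fips-distroless") -}}
{{- $digest := .digest -}}
{{- if and $isFips $isDistroless -}}
{{- $digest = .fipsDistrolessDigest -}}
{{- else if $isFips -}}
{{- $digest = .fipsDigest -}}
{{- else if $isDistroless -}}
{{- $digest = .distrolessDigest -}}
{{- end -}}
{{- if $digest -}}
{{- $image = printf "%s@%s" $image $digest -}}
{{- end -}}
{{ $image }}
```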
@@ -4,30 +4,28 @@ import ( "bytes" "fmt" "os" - "os/exec" "path/filepath" - "strings" "testing" "text/template" - "github.com/pkg/errors" - "github.com/solo-io/k8s-utils/installutils/kuberesource" - rbacv1 "k8s.io/api/rbac/v1" - "github.com/ghodss/yaml" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + "github.com/pkg/errors" "github.com/solo-io/gloo/pkg/cliutil/helm" "github.com/solo-io/gloo/projects/gloo/cli/pkg/cmd/install" "github.com/solo-io/gloo/projects/gloo/pkg/defaults" + "github.com/solo-io/gloo/test/makefile" glootestutils "github.com/solo-io/gloo/test/testutils" soloHelm "github.com/solo-io/go-utils/helmutils" "github.com/solo-io/go-utils/testutils" + "github.com/solo-io/k8s-utils/installutils/kuberesource" . "github.com/solo-io/k8s-utils/manifesttestutils" "helm.sh/helm/v3/pkg/action" "helm.sh/helm/v3/pkg/chart/loader" "helm.sh/helm/v3/pkg/release" corev1 "k8s.io/api/core/v1" + rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" ) @@ -54,10 +52,10 @@ func TestHelm(t *testing.T) { } var _ = BeforeSuite(func() { - version = MustGetVersion() + version = makefile.MustGetVersion(".", "-C", "../../") pullPolicy = corev1.PullIfNotPresent // generate the values.yaml and Chart.yaml files - MustMake(".", "-C", "../../", "generate-helm-files", "-B") + makefile.MustMake(".", "-C", "../../", "generate-helm-files", "-B") }) type renderTestCase struct { 
@@ -78,66 +76,6 @@ func runTests(callback func(testCase renderTestCase)) { } } -func MustMake(dir string, args ...string) { - makeCmd := exec.Command("make", args...) - makeCmd.Dir = dir - - makeCmd.Stdout = GinkgoWriter - makeCmd.Stderr = GinkgoWriter - err := makeCmd.Run() - - ExpectWithOffset(1, err).NotTo(HaveOccurred()) -} - -func MustMakeReturnStdout(dir string, args ...string) string { - makeCmd := exec.Command("make", args...) - makeCmd.Dir = dir - - var stdout bytes.Buffer - makeCmd.Stdout = &stdout - - makeCmd.Stderr = GinkgoWriter - err := makeCmd.Run() - - ExpectWithOffset(1, err).NotTo(HaveOccurred()) - - return stdout.String() -} - -// MustGetVersion returns the VERSION that will be used to build the chart -func MustGetVersion() string { - output := MustMakeReturnStdout(".", "-C", "../../", "print-VERSION") // use print-VERSION so version matches on forks - lines := strings.Split(output, "\n") - - // output from a fork: - // <[]string | len:4, cap:4>: [ - // "make[1]: Entering directory '/workspace/gloo'", - // "", - // "make[1]: Leaving directory '/workspace/gloo'", - // "", - // ] - - // output from the gloo repo: - // <[]string | len:2, cap:2>: [ - // "", - // "", - // ] - - if len(lines) == 4 { - // This is being executed from a fork - return lines[1] - } - - if len(lines) == 2 { - // This is being executed from the Gloo repo - return lines[0] - } - - // Error loudly to prevent subtle failures - Fail(fmt.Sprintf("print-VERSION output returned unknown format. %v", lines)) - return "version-not-found" -} - type ChartRenderer interface { // returns a TestManifest containing all resources RenderManifest(namespace string, values glootestutils.HelmValues) (TestManifest, error) diff --git a/install/test/helm_test.go b/install/test/helm_test.go index 247a2445f46..062bc8c4296 100644 --- a/install/test/helm_test.go +++ b/install/test/helm_test.go 
@@ -2949,21 +2949,78 @@ spec: testManifest.Expect("Deployment", namespace, "gateway-proxy").NotTo(BeNil()) }) - DescribeTable("supports deploying the specified variant of the envoy image", func(variant string) { + DescribeTable("supports deploying the specified tag, digest, and variant of the envoy image", func(registry, repo, tag, digest, variant, expectedImage string) { + vals := []string{ + "global.image.variant=" + variant, + "gatewayProxies.gatewayProxy.podTemplate.image.registry=" + registry, + "gatewayProxies.gatewayProxy.podTemplate.image.repository=" + repo, + "gatewayProxies.gatewayProxy.podTemplate.image.tag=" + tag, + } + // set the digest value corresponding to the variant + switch variant { + case "fips": + vals = append(vals, "gatewayProxies.gatewayProxy.podTemplate.image.fipsDigest="+digest) + case "distroless": + vals = append(vals, "gatewayProxies.gatewayProxy.podTemplate.image.distrolessDigest="+digest) + case "fips-distroless": + vals = append(vals, "gatewayProxies.gatewayProxy.podTemplate.image.fipsDistrolessDigest="+digest) + case "": + fallthrough + case "standard": + fallthrough + default: + vals = append(vals, "gatewayProxies.gatewayProxy.podTemplate.image.digest="+digest) + } prepareMakefile(namespace, glootestutils.HelmValues{ - ValuesArgs: []string{ - "global.image.variant=" + variant, - "gatewayProxies.gatewayProxy.podTemplate.image.repository=gloo-ee-envoy-wrapper", - }, + ValuesArgs: vals, }) - gatewayProxyDeployment.Spec.Template.Spec.Containers[0].Image = generateExpectedImage("quay.io/solo-io/gloo-ee-envoy-wrapper", version, variant) + + gatewayProxyDeployment.Spec.Template.Spec.Containers[0].Image = expectedImage testManifest.ExpectDeploymentAppsV1(gatewayProxyDeployment) }, - Entry("No variant specified", ""), - Entry("Standard variant", "standard"), - Entry("Fips variant", "fips"), - Entry("Distroless variant", "distroless"), - Entry("Fips-Distroless variant", "fips-distroless")) + // EE envoy image supports both fips and 
distroless + Entry("No tag, digest, or variant specified", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "", "", "quay.io/solo-io/gloo-ee-envoy-wrapper"), + Entry("Only tag specified", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "", "", "quay.io/solo-io/gloo-ee-envoy-wrapper:tag1"), + Entry("Only digest specified", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "digest1", "", "quay.io/solo-io/gloo-ee-envoy-wrapper@digest1"), + Entry("Only variant specified (standard)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "", "standard", "quay.io/solo-io/gloo-ee-envoy-wrapper"), + Entry("Only variant specified (fips)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "", "fips", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips"), + Entry("Only variant specified (distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "", "distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper"), + Entry("Only variant specified (fips-distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "", "fips-distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips"), + Entry("Tag and digest specified", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "digest1", "", "quay.io/solo-io/gloo-ee-envoy-wrapper:tag1@digest1"), + Entry("Tag and variant specified (standard)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "", "standard", "quay.io/solo-io/gloo-ee-envoy-wrapper:tag1"), + Entry("Tag and variant specified (fips)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "", "fips", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips:tag1"), + Entry("Tag and variant specified (distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "", "distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper:tag1-distroless"), + Entry("Tag and variant specified (fips-distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "", "fips-distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips:tag1-distroless"), + Entry("Digest and variant specified (standard)", "quay.io/solo-io", 
"gloo-ee-envoy-wrapper", "", "digest1", "standard", "quay.io/solo-io/gloo-ee-envoy-wrapper@digest1"), + Entry("Digest and variant specified (fips)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "digest1", "fips", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips@digest1"), + Entry("Digest and variant specified (distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "digest1", "distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper@digest1"), + Entry("Digest and variant specified (fips-distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "", "digest1", "fips-distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips@digest1"), + Entry("Tag, digest, and variant specified (standard)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "digest1", "standard", "quay.io/solo-io/gloo-ee-envoy-wrapper:tag1@digest1"), + Entry("Tag, digest, and variant specified (fips)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "digest1", "fips", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips:tag1@digest1"), + Entry("Tag, digest, and variant specified (distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "digest1", "distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper:tag1-distroless@digest1"), + Entry("Tag, digest, and variant specified (fips-distroless)", "quay.io/solo-io", "gloo-ee-envoy-wrapper", "tag1", "digest1", "fips-distroless", "quay.io/solo-io/gloo-ee-envoy-wrapper-fips:tag1-distroless@digest1"), + // OSS envoy image does not support fips, so whenever a fips variant is requested, it should use the standard repo name instead of -fips + Entry("No tag, digest, or variant specified", "quay.io/solo-io", "gloo-envoy-wrapper", "", "", "", "quay.io/solo-io/gloo-envoy-wrapper"), + Entry("Only tag specified", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "", "", "quay.io/solo-io/gloo-envoy-wrapper:tag1"), + Entry("Only digest specified", "quay.io/solo-io", "gloo-envoy-wrapper", "", "digest1", "", "quay.io/solo-io/gloo-envoy-wrapper@digest1"), + Entry("Only variant 
specified (standard)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "", "standard", "quay.io/solo-io/gloo-envoy-wrapper"), + Entry("Only variant specified (fips)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "", "fips", "quay.io/solo-io/gloo-envoy-wrapper"), + Entry("Only variant specified (distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "", "distroless", "quay.io/solo-io/gloo-envoy-wrapper"), + Entry("Only variant specified (fips-distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "", "fips-distroless", "quay.io/solo-io/gloo-envoy-wrapper"), + Entry("Tag and digest specified", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "digest1", "", "quay.io/solo-io/gloo-envoy-wrapper:tag1@digest1"), + Entry("Tag and variant specified (standard)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "", "standard", "quay.io/solo-io/gloo-envoy-wrapper:tag1"), + Entry("Tag and variant specified (fips)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "", "fips", "quay.io/solo-io/gloo-envoy-wrapper:tag1"), + Entry("Tag and variant specified (distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "", "distroless", "quay.io/solo-io/gloo-envoy-wrapper:tag1-distroless"), + Entry("Tag and variant specified (fips-distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "", "fips-distroless", "quay.io/solo-io/gloo-envoy-wrapper:tag1-distroless"), + Entry("Digest and variant specified (standard)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "digest1", "standard", "quay.io/solo-io/gloo-envoy-wrapper@digest1"), + Entry("Digest and variant specified (fips)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "digest1", "fips", "quay.io/solo-io/gloo-envoy-wrapper@digest1"), + Entry("Digest and variant specified (distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "digest1", "distroless", "quay.io/solo-io/gloo-envoy-wrapper@digest1"), + Entry("Digest and variant specified (fips-distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "", "digest1", 
"fips-distroless", "quay.io/solo-io/gloo-envoy-wrapper@digest1"), + Entry("Tag, digest, and variant specified (standard)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "digest1", "standard", "quay.io/solo-io/gloo-envoy-wrapper:tag1@digest1"), + Entry("Tag, digest, and variant specified (fips)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "digest1", "fips", "quay.io/solo-io/gloo-envoy-wrapper:tag1@digest1"), + Entry("Tag, digest, and variant specified (distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "digest1", "distroless", "quay.io/solo-io/gloo-envoy-wrapper:tag1-distroless@digest1"), + Entry("Tag, digest, and variant specified (fips-distroless)", "quay.io/solo-io", "gloo-envoy-wrapper", "tag1", "digest1", "fips-distroless", "quay.io/solo-io/gloo-envoy-wrapper:tag1-distroless@digest1"), + ) It("supports deploying the fips envoy image via the deprecated global.image.fips helm value", func() { prepareMakefile(namespace, glootestutils.HelmValues{ 
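Review bot: In the switch that picks the digest key, `case "": fallthrough`, `case "standard": fallthrough` and `default:` all reach the same append, so the two explicit cases add nothing. A bare `default:` with a comment such as `// "", "standard" and unknown variants use the plain digest key` reads more directly. The istioProxy table added in the `@@ -3470,7 +3527,65 @@` hunk repeats the same switch with a different key prefix, so a small helper taking the prefix, variant and digest would remove the duplication. Separately, no entry in this table combines the deprecated `global.image.fips` value with a `distroless` variant, which is the combination where the image name and the digest chosen by `gloo.image` can disagree.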
@@ -3470,7 +3527,65 @@ spec: Expect(gwpDepl.Spec.Template.Spec.Volumes[7]).To(Equal(corev1.Volume{Name: "workload-certs", VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}}})) }) - DescribeTable("Uses the correct image for the sds-ee container", func(variant string) { + DescribeTable("supports deploying the specified tag, digest, and variant of the istioProxy image", func(registry, repo, tag, digest, variant, expectedImage string) { + vals := []string{ + "global.glooMtls.enabled=true", + "global.istioSDS.enabled=true", + "global.image.variant=" + variant, + "global.glooMtls.istioProxy.image.registry=" + registry, + "global.glooMtls.istioProxy.image.repository=" + repo, + "global.glooMtls.istioProxy.image.tag=" + tag, + } + // set the digest value corresponding to the variant + switch variant { + case "fips": + vals = append(vals, "global.glooMtls.istioProxy.image.fipsDigest="+digest) + case "distroless": + vals = append(vals, "global.glooMtls.istioProxy.image.distrolessDigest="+digest) + case "fips-distroless": + vals = append(vals, "global.glooMtls.istioProxy.image.fipsDistrolessDigest="+digest) + case "": + fallthrough + case "standard": + fallthrough + default: + vals = append(vals, "global.glooMtls.istioProxy.image.digest="+digest) + } + prepareMakefile(namespace, glootestutils.HelmValues{ + ValuesArgs: vals, + }) + + gwpDepl := getDeployment(testManifest, namespace, "gateway-proxy") + Expect(gwpDepl.Spec.Template.Spec.Containers).To(HaveLen(3)) + + istioProxyContainer := gwpDepl.Spec.Template.Spec.Containers[2] + Expect(istioProxyContainer.Name).To(Equal("istio-proxy")) + Expect(istioProxyContainer.Image).To(Equal(expectedImage)) + }, + // there is no fips or distroless version of the istioProxy image so we don't add the -fips or -distroless suffixes for any variants + Entry("No tag, digest, or variant specified", "my-istio-reg", "my-istio-repo", "", "", "", "my-istio-reg/my-istio-repo"), + Entry("Only tag specified", "my-istio-reg", 
"my-istio-repo", "tag1", "", "", "my-istio-reg/my-istio-repo:tag1"), + Entry("Only digest specified", "my-istio-reg", "my-istio-repo", "", "digest1", "", "my-istio-reg/my-istio-repo@digest1"), + Entry("Only variant specified (standard)", "my-istio-reg", "my-istio-repo", "", "", "standard", "my-istio-reg/my-istio-repo"), + Entry("Only variant specified (fips)", "my-istio-reg", "my-istio-repo", "", "", "fips", "my-istio-reg/my-istio-repo"), + Entry("Only variant specified (distroless)", "my-istio-reg", "my-istio-repo", "", "", "distroless", "my-istio-reg/my-istio-repo"), + Entry("Only variant specified (fips-distroless)", "my-istio-reg", "my-istio-repo", "", "", "fips-distroless", "my-istio-reg/my-istio-repo"), + Entry("Tag and digest specified", "my-istio-reg", "my-istio-repo", "tag1", "digest1", "", "my-istio-reg/my-istio-repo:tag1@digest1"), + Entry("Tag and variant specified (standard)", "my-istio-reg", "my-istio-repo", "tag1", "", "standard", "my-istio-reg/my-istio-repo:tag1"), + Entry("Tag and variant specified (fips)", "my-istio-reg", "my-istio-repo", "tag1", "", "fips", "my-istio-reg/my-istio-repo:tag1"), + Entry("Tag and variant specified (distroless)", "my-istio-reg", "my-istio-repo", "tag1", "", "distroless", "my-istio-reg/my-istio-repo:tag1"), + Entry("Tag and variant specified (fips-distroless)", "my-istio-reg", "my-istio-repo", "tag1", "", "fips-distroless", "my-istio-reg/my-istio-repo:tag1"), + Entry("Digest and variant specified (standard)", "my-istio-reg", "my-istio-repo", "", "digest1", "standard", "my-istio-reg/my-istio-repo@digest1"), + Entry("Digest and variant specified (fips)", "my-istio-reg", "my-istio-repo", "", "digest1", "fips", "my-istio-reg/my-istio-repo@digest1"), + Entry("Digest and variant specified (distroless)", "my-istio-reg", "my-istio-repo", "", "digest1", "distroless", "my-istio-reg/my-istio-repo@digest1"), + Entry("Digest and variant specified (fips-distroless)", "my-istio-reg", "my-istio-repo", "", "digest1", "fips-distroless", 
"my-istio-reg/my-istio-repo@digest1"), + Entry("Tag, digest, and variant specified (standard)", "my-istio-reg", "my-istio-repo", "tag1", "digest1", "standard", "my-istio-reg/my-istio-repo:tag1@digest1"), + Entry("Tag, digest, and variant specified (fips)", "my-istio-reg", "my-istio-repo", "tag1", "digest1", "fips", "my-istio-reg/my-istio-repo:tag1@digest1"), + Entry("Tag, digest, and variant specified (distroless)", "my-istio-reg", "my-istio-repo", "tag1", "digest1", "distroless", "my-istio-reg/my-istio-repo:tag1@digest1"), + Entry("Tag, digest, and variant specified (fips-distroless)", "my-istio-reg", "my-istio-repo", "tag1", "digest1", "fips-distroless", "my-istio-reg/my-istio-repo:tag1@digest1"), + ) + + DescribeTable("Uses the correct image for the sds-ee container", func(variant string, expectedImage string) { prepareMakefile(namespace, glootestutils.HelmValues{ ValuesArgs: []string{ "global.glooMtls.enabled=true", 
@@ -3486,14 +3601,14 @@ spec: sdsContainer := gwpDepl.Spec.Template.Spec.Containers[1] Expect(sdsContainer.Name).To(Equal("sds")) - Expect(sdsContainer.Image).To(Equal(generateExpectedImage("my-sds-reg/sds-ee", "my-sds-tag", variant))) + Expect(sdsContainer.Image).To(Equal(expectedImage)) Expect(sdsContainer.ImagePullPolicy).To(Equal(corev1.PullIfNotPresent)) }, - Entry("No variant specified", ""), - Entry("Standard variant", "standard"), - Entry("Fips variant", "fips"), - Entry("Distroless variant", "distroless"), - Entry("Fips-Distroless variant", "fips-distroless")) + Entry("No variant specified", "", "my-sds-reg/sds-ee:my-sds-tag"), + Entry("Standard variant", "standard", "my-sds-reg/sds-ee:my-sds-tag"), + Entry("Fips variant", "fips", "my-sds-reg/sds-ee-fips:my-sds-tag"), + Entry("Distroless variant", "distroless", "my-sds-reg/sds-ee:my-sds-tag-distroless"), + Entry("Fips-Distroless variant", "fips-distroless", "my-sds-reg/sds-ee-fips:my-sds-tag-distroless")) It("adds readConfig annotations", func() { gatewayProxyDeployment.Spec.Template.Annotations["readconfig-stats"] = "/stats" 
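Review bot: None of the entries in this sds-ee table sets an image digest, so the table only pins the repository suffix and tag suffix for each variant. The per-variant digest selection that the changelog describes is not exercised here, and the same holds for the discovery-ee table in the following hunk (`@@ -5123,22 +5238,24 @@`). If that is not covered elsewhere in the suite, add one entry per variant that supplies a digest and expects the `@<digest>` form, as the istio table earlier in this file does with `my-istio-reg/my-istio-repo:tag1@digest1`. The DescribeTable body starts outside this hunk, so the values it passes are only partly visible.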
@@ -5123,22 +5238,24 @@ metadata: }) }) - DescribeTable("supports deploying the correct discovery-ee image variant", func(variant string) { - discoveryDeployment.Spec.Template.Spec.Containers[0].Image = generateExpectedImage("quay.io/solo-io/discovery-ee", version, variant) + DescribeTable("supports deploying the correct discovery-ee image variant", func(variant string, expectedImage string) { + discoveryDeployment.Spec.Template.Spec.Containers[0].Image = expectedImage prepareMakefile(namespace, glootestutils.HelmValues{ ValuesArgs: []string{ "global.image.variant=" + variant, + "discovery.deployment.image.tag=1.2.3", "discovery.deployment.image.repository=discovery-ee", }, }) testManifest.ExpectDeploymentAppsV1(discoveryDeployment) }, - Entry("No variant specified", ""), - Entry("Standard variant", "standard"), - Entry("Fips variant", "fips"), - Entry("Distroless variant", "distroless"), - Entry("Fips-Distroless variant", "fips-distroless")) + Entry("No variant specified", "", "quay.io/solo-io/discovery-ee:1.2.3"), + Entry("Standard variant", "standard", "quay.io/solo-io/discovery-ee:1.2.3"), + Entry("Fips variant", "fips", "quay.io/solo-io/discovery-ee-fips:1.2.3"), + Entry("Distroless variant", "distroless", "quay.io/solo-io/discovery-ee:1.2.3-distroless"), + Entry("Fips-Distroless variant", "fips-distroless", "quay.io/solo-io/discovery-ee-fips:1.2.3-distroless"), + ) It("can set log level env var", func() { discoveryDeployment.Spec.Template.Spec.Containers[0].Env = append( 
@@ -7306,20 +7423,3 @@ func getSslGatewayName(name string) string { func getFailoverGatewayName(name string) string { return name + "-failover" } - -func generateExpectedImage(name string, version string, variant string) string { - switch variant { - case "fips": - return fmt.Sprintf("%s-fips:%s", name, version) - case "distroless": - return fmt.Sprintf("%s:%s-distroless", name, version) - case "fips-distroless": - return fmt.Sprintf("%s-fips:%s-distroless", name, version) - case "": - fallthrough - case "standard": - fallthrough - default: - return fmt.Sprintf("%s:%s", name, version) - } -} diff --git a/test/make/make_suite_test.go b/test/makefile/make_suite_test.go similarity index 97% rename from test/make/make_suite_test.go rename to test/makefile/make_suite_test.go index d1b1d2c7f75..b6c9556f8da 100644 --- a/test/make/make_suite_test.go +++ b/test/makefile/make_suite_test.go @@ -1,4 +1,4 @@ -package make_test +package makefile_test import ( "fmt" diff --git a/test/make/make_test.go b/test/makefile/make_test.go similarity index 98% rename from test/make/make_test.go rename to test/makefile/make_test.go index aac723b0e48..7d1be29cc85 100644 --- a/test/make/make_test.go +++ b/test/makefile/make_test.go @@ -1,4 +1,4 @@ -package make_test +package makefile_test import ( . "github.com/onsi/ginkgo/v2" diff --git a/test/makefile/makefile.go b/test/makefile/makefile.go new file mode 100644 index 00000000000..fc6e199ba44 --- /dev/null +++ b/test/makefile/makefile.go 
@@ -0,0 +1,74 @@
+package makefile
+
+import (
+ "bytes"
+ "fmt"
+ "os/exec"
+ "strings"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+// MustMake runs a make command
+func MustMake(dir string, args ...string) {
+ makeCmd := exec.Command("make", args...)
+ makeCmd.Dir = dir
+
+ makeCmd.Stdout = GinkgoWriter
+ makeCmd.Stderr = GinkgoWriter
+ err := makeCmd.Run()
+
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+}
+
+// MustMakeReturnStdout runs a make command and returns the stdout output
+func MustMakeReturnStdout(dir string, args ...string) string {
+ makeCmd := exec.Command("make", args...)
+ makeCmd.Dir = dir
+
+ var stdout bytes.Buffer
+ makeCmd.Stdout = &stdout
+
+ makeCmd.Stderr = GinkgoWriter
+ err := makeCmd.Run()
+
+ ExpectWithOffset(1, err).NotTo(HaveOccurred())
+
+ return stdout.String()
+}
+
+// MustGetVersion returns the VERSION that will be used to build the chart
+func MustGetVersion(dir string, args ...string) string {
+ args = append(args, "print-VERSION") // use print-VERSION so version matches on forks
+ output := MustMakeReturnStdout(dir, args...)
+ lines := strings.Split(output, "\n")
+
+ // output from a fork:
+ // <[]string | len:4, cap:4>: [
+ // "make[1]: Entering directory '/workspace/gloo'",
+ // "",
+ // "make[1]: Leaving directory '/workspace/gloo'",
+ // "",
+ // ]
+
+ // output from the gloo repo:
+ // <[]string | len:2, cap:2>: [
+ // "",
+ // "",
+ // ]
+
+ if len(lines) == 4 {
+ // This is being executed from a fork
+ return lines[1]
+ }
+
+ if len(lines) == 2 {
+ // This is being executed from the Gloo repo
+ return lines[0]
+ }
+
+ // Error loudly to prevent subtle failures
+ Fail(fmt.Sprintf("print-VERSION output returned unknown format. %v", lines))
+ return "version-not-found"
+}
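Review bot: MustGetVersion selects the version purely by how many lines the output splits into, so an empty VERSION is returned as `""` without ever reaching the Fail call. An output of a single newline also splits into two elements and takes the `len(lines) == 2` branch. Any extra line that make prints either shifts the index or lands in the unknown-format branch, even when the version is present. Since the returned string feeds the image references the chart tests compare against, the helper should pick the version by content: drop blank lines and make's own `make[N]:` lines, then require exactly one non-empty line to remain. Printing the lines with `%q` in the failure message would also make stray whitespace visible.

```go
func MustGetVersion(dir string, args ...string) string {
	// … unchanged: append print-VERSION, run make, split output into lines …

	var candidates []string
	for _, line := range lines {
		line = strings.TrimSpace(line)
		// Skip blank lines and make's own directory chatter.
		if line == "" || strings.HasPrefix(line, "make[") || strings.HasPrefix(line, "make:") {
			continue
		}
		candidates = append(candidates, line)
	}

	if len(candidates) != 1 {
		// Error loudly to prevent subtle failures
		Fail(fmt.Sprintf("print-VERSION output returned unknown format. %q", lines))
		return "version-not-found"
	}
	return candidates[0]
}
```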