Commit 6a829fe

Pin kustomize image in cockroachdb example
- Pin to v5.4.1 with sha256 as example of how to ensure supply-chain security. Pulling the latest kustomize image or source is insecure without checksum validation.
- Bump example image tag to v0.1.1
1 parent e244b83 commit 6a829fe

2 files changed

+23
-9
lines changed

Lines changed: 20 additions & 4 deletions
@@ -1,11 +1,27 @@
11
# Copyright 2019 The Kubernetes Authors.
22
# SPDX-License-Identifier: Apache-2.0
33

4-
.PHONY: image
4+
# This example uses a pinned version of the kustomize image, as an example of
5+
# what users should do downstream, to ensure supply chain security.
6+
#
7+
# Whenever KUSTOMIZE_IMAGE_TAG & KUSTOMIZE_IMAGE_SHA are updated,
8+
# EXAMPLE_IMAGE_TAG should also be updated to a new patch version.
9+
# For reference, see
10+
# https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-kustomize/images.yaml
11+
EXAMPLE_IMAGE_TAG=v0.1.1
12+
KUSTOMIZE_IMAGE_TAG=v5.4.1
13+
KUSTOMIZE_IMAGE_SHA=sha256:7492c35d6fbe64e05100009915167a37b285ca7391067fa0c7bec9a7d1856882
514

615
all:
716
true
817

9-
image:
10-
docker build image -t gcr.io/kustomize-functions/example-cockroachdb:v0.1.0
11-
docker push gcr.io/kustomize-functions/example-cockroachdb:v0.1.0
18+
.PHONY: image-build
19+
image-build:
20+
docker build image \
21+
--build-arg "KUSTOMIZE_IMAGE_TAG=$(KUSTOMIZE_IMAGE_TAG)" \
22+
--build-arg "KUSTOMIZE_IMAGE_SHA=$(KUSTOMIZE_IMAGE_SHA)" \
23+
-t gcr.io/kustomize-functions/example-cockroachdb:$(EXAMPLE_IMAGE_TAG)
24+
25+
.PHONY: image
26+
image: image-build
27+
docker push gcr.io/kustomize-functions/example-cockroachdb:$(EXAMPLE_IMAGE_TAG)
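Review bot: the header comment states that KUSTOMIZE_IMAGE_SHA belongs to KUSTOMIZE_IMAGE_TAG=v5.4.1 and that EXAMPLE_IMAGE_TAG must be bumped whenever either changes, but nothing in the Makefile checks either relation, so a stale or mistyped digest keeps building whatever image the digest points at while the tag suggests v5.4.1 (when both are given to `FROM`, the digest is authoritative and the tag is informational). Consider a `verify-pin` target that resolves the tag to its digest (for example with `crane digest registry.k8s.io/kustomize/kustomize:$(KUSTOMIZE_IMAGE_TAG)`) and fails when the result differs from `$(KUSTOMIZE_IMAGE_SHA)`, and make `image-build` depend on it. Minor: in `docker build image \` the build-context path comes before the `--build-arg` and `-t` flags; the conventional order is flags first and the context path last.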
Lines changed: 3 additions & 5 deletions
@@ -1,12 +1,10 @@
11
# Copyright 2019 The Kubernetes Authors.
22
# SPDX-License-Identifier: Apache-2.0
33

4-
FROM golang:1.21-bullseye
5-
ENV CGO_ENABLED=0
6-
RUN go get -v sigs.k8s.io/kustomize/kustomize
4+
ARG KUSTOMIZE_IMAGE_TAG
5+
ARG KUSTOMIZE_IMAGE_SHA
76

8-
FROM alpine:latest
7+
FROM registry.k8s.io/kustomize/kustomize:${KUSTOMIZE_IMAGE_TAG}@${KUSTOMIZE_IMAGE_SHA}
98
RUN apk add --no-cache bash
10-
COPY --from=0 /go/bin/kustomize /usr/local/bin
119
COPY cockroachdb-template.sh /usr/local/bin/config-function
1210
CMD ["config-function"]
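Review bot: `RUN apk add --no-cache bash` is kept unchanged, which assumes the new base `registry.k8s.io/kustomize/kustomize` is Alpine-based like the old `alpine:latest`, and it installs whatever `bash` version the Alpine repositories serve at build time, so the image is still not fully reproducible even though the base is now digest-pinned; pin the package (`apk add --no-cache bash=<version>`) or mention the remaining gap in the header comment. Also, `ARG KUSTOMIZE_IMAGE_TAG` and `ARG KUSTOMIZE_IMAGE_SHA` have no defaults, so a plain `docker build image` run outside the Makefile fails on an invalid `FROM` reference; if that is intended as a guard against unpinned builds, a one-line comment saying so would help, otherwise set the pinned values as defaults.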