From 25397d83d6c59ecd8aece4f8bd31c32112e56ac8 Mon Sep 17 00:00:00 2001 From: Pudong Date: Tue, 11 Jun 2024 23:02:08 +0800 Subject: [PATCH] [installer] use image digest for redis image (#19483) * [installer] use image digest for redis image * Add how to test and preview env * sync with latest in dedecated prod --- .github/workflows/update-image-digest.yml | 25 ++++++++++++++++--- install/installer/cmd/mirror_list.go | 2 +- install/installer/go.mod | 4 +-- install/installer/pkg/common/render.go | 14 ++++++++++- .../pkg/components/redis/constants.go | 4 +-- .../pkg/components/redis/deployment.go | 4 +-- 6 files changed, 42 insertions(+), 11 deletions(-) diff --git a/.github/workflows/update-image-digest.yml b/.github/workflows/update-image-digest.yml index 435b2276c48662..7d0f4f28408f28 100644 --- a/.github/workflows/update-image-digest.yml +++ b/.github/workflows/update-image-digest.yml @@ -63,6 +63,14 @@ jobs: fi done < <(find "$(pwd)" -type f \( -name "*.yaml" -o -name "*.yml" -o -name "Dockerfile*" -o -name "leeway.Dockerfile" \) -print0) + # update for chainguard redis + redisImageDigest=$(crane digest cgr.dev/chainguard/redis:latest) + redisExporterDigest=$(crane digest cgr.dev/chainguard/prometheus-redis-exporter:latest) + + + sed -i -e "s/^\(\s*ImageDigest\s*=\s*\)\".*\"/\1\"$redisImageDigest\"/" install/installer/pkg/components/redis/constants.go + sed -i -e "s/^\(\s*ExporterImageDigest\s*=\s*\)\".*\"/\1\"$redisExporterDigest\"/" install/installer/pkg/components/redis/constants.go + go fmt install/installer/pkg/components/redis/constants.go - name: Check workspace id: create_pr shell: bash @@ -81,9 +89,20 @@ jobs: body: | Update images digests using the latest version available for image/s - ```release-note - NONE - ``` + ## How to test + - [ ] Start a workspace in the preview environment and verify that it functions properly. + +
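Review bot: The two `crane digest` results in the lines added after the `find` loop are written into constants.go without being checked. If either call fails or prints nothing, the `sed` substitution stores an empty string as the digest, and the `ImageDigest` helper added in render.go by this same commit would then fail to parse the reference and panic at render time. Validate each value before the `sed`, for example `[[ "$redisImageDigest" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "bad redis digest" >&2; exit 1; }`, and the same for `$redisExporterDigest`. Because the step resolves `:latest` at run time, the generated pull request is the only place the new digest gets reviewed. Whether the step runs under `set -e` is not visible in this hunk.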
+ Preview Environment / Integration Tests + + - [x] /werft with-preview + - [x] /werft with-gce-vm + If enabled this will create the environment on GCE infra + - [x] /werft preemptible + Saves cost. Untick this only if you're really sure you need a non-preemtible machine. + - [x] with-integration-tests=ssh + Valid options are `all`, `workspace`, `webapp`, `ide`, `jetbrains`, `vscode`, `ssh`. If enabled, `with-preview` and `with-large-vm` will be enabled. +
labels: automated pr, kind/cleanup, release-note-none branch: update-digests delete-branch: true diff --git a/install/installer/cmd/mirror_list.go b/install/installer/cmd/mirror_list.go index 26e04953e49933..10556df488b19f 100644 --- a/install/installer/cmd/mirror_list.go +++ b/install/installer/cmd/mirror_list.go @@ -11,7 +11,7 @@ import ( "sort" "strings" - "github.com/docker/distribution/reference" + "github.com/distribution/reference" "github.com/gitpod-io/gitpod/installer/pkg/common" configv1 "github.com/gitpod-io/gitpod/installer/pkg/config/v1" "github.com/spf13/cobra" diff --git a/install/installer/go.mod b/install/installer/go.mod index 7886110d93d53e..fcf6de7ca9461b 100644 --- a/install/installer/go.mod +++ b/install/installer/go.mod @@ -5,7 +5,7 @@ go 1.22.2 require ( github.com/Masterminds/semver v1.5.0 github.com/cert-manager/trust-manager v0.9.1 - github.com/docker/distribution v2.8.3+incompatible + github.com/distribution/reference v0.5.0 github.com/fatih/structtag v1.2.0 github.com/gitpod-io/gitpod/agent-smith v0.0.0-00010101000000-000000000000 github.com/gitpod-io/gitpod/blobserve v0.0.0-00010101000000-000000000000 @@ -108,8 +108,8 @@ require ( github.com/cyphar/filepath-securejoin v0.2.3 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect - github.com/distribution/reference v0.5.0 // indirect github.com/docker/cli v25.0.1+incompatible // indirect + github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v23.0.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.8.0 // indirect github.com/docker/go-connections v0.4.0 // indirect diff --git a/install/installer/pkg/common/render.go b/install/installer/pkg/common/render.go index dfaa85ae9eca31..8c5f2c0f1f5397 100644 --- a/install/installer/pkg/common/render.go +++ b/install/installer/pkg/common/render.go 
@@ -8,7 +8,7 @@ import ( "fmt" "strings" - "github.com/docker/distribution/reference" + "github.com/distribution/reference" "helm.sh/helm/v3/pkg/cli/values" "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/pointer" @@ -123,6 +123,18 @@ func (r *RenderContext) ImageName(repo, name, tag string) string { return ref } +func (r *RenderContext) ImageDigest(repo, name, digest string) string { + ref := fmt.Sprintf("%s@%s", r.RepoName(repo, name), digest) + pref, err := reference.ParseNamed(ref) + if err != nil { + panic(fmt.Sprintf("cannot parse image ref %s: %v", ref, err)) + } + if _, ok := pref.(reference.Digested); !ok { + panic(fmt.Sprintf("image ref %s has no digest: %v", ref, err)) + } + return ref +} + // generateValues generates the random values used throughout the context // todo(sje): find a way of persisting these values for updates func (r *RenderContext) generateValues() error { diff --git a/install/installer/pkg/components/redis/constants.go b/install/installer/pkg/components/redis/constants.go index ecdb9174d6f08f..209b847a47cae9 100644 --- a/install/installer/pkg/components/redis/constants.go +++ b/install/installer/pkg/components/redis/constants.go @@ -14,10 +14,10 @@ const ( RegistryImage = "chainguard/redis" ContainerName = "redis" - ImageTag = "latest" + ImageDigest = "sha256:faafcc4f149997127c3402565fcaf018980e2a1803ef0ef2256ee6b11c1972b9" ExporterRegistryImage = "chainguard/prometheus-redis-exporter" - ExporterImageTag = "latest" + ExporterImageDigest = "sha256:ca22acb4dd6046bec280361a7ad262fee8d69a5beb7dc1ea2f9009f53b0773b5" ExporterContainerName = "exporter" ExporterPortName = "exporter" diff --git a/install/installer/pkg/components/redis/deployment.go b/install/installer/pkg/components/redis/deployment.go index 80a24cc9b16ec5..a09305bdfa7e85 100644 --- a/install/installer/pkg/components/redis/deployment.go +++ b/install/installer/pkg/components/redis/deployment.go 
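Review bot: The second panic in `ImageDigest` formats `err`, which is always nil once the `err != nil` branch above it has been passed, so the message ends in a misleading `<nil>`. Drop the argument: `panic(fmt.Sprintf("image ref %s has no digest", ref))`. The new exported method also has no doc comment; `// ImageDigest returns repo/name@digest and panics if the result is not a valid digested reference.` would record the panic contract for callers.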
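Review bot: `ImageDigest` and `ExporterImageDigest` in constants.go carry no comment saying where the values come from or that automation rewrites them. The workflow change in this commit edits these lines with a `sed` pattern that expects `Name = "..."` on a single line, so a manual reformat could silently stop the updater from matching. A comment above each constant would help, e.g. `// Digest of cgr.dev/chainguard/redis:latest; rewritten by .github/workflows/update-image-digest.yml, keep on one line.` The `const (` block continues outside this hunk.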
@@ -58,7 +58,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 Containers: []corev1.Container{
 {
 Name: ContainerName,
- Image: ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), RegistryImage, ImageTag),
+ Image: ctx.ImageDigest(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), RegistryImage, ImageDigest),
 ImagePullPolicy: corev1.PullIfNotPresent,
 Command: []string{
 "redis-server",
@@ -104,7 +104,7 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 },
 {
 Name: ExporterContainerName,
- Image: ctx.ImageName(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), ExporterRegistryImage, ExporterImageTag),
+ Image: ctx.ImageDigest(common.ThirdPartyContainerRepo(ctx.Config.Repository, RegistryRepo), ExporterRegistryImage, ExporterImageDigest),
 ImagePullPolicy: corev1.PullIfNotPresent,
 Env: common.CustomizeEnvvar(ctx, Component, common.MergeEnv(
 []v1.EnvVar{
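Review bot: Both `Image:` fields (here and in the exporter container in the `@@ -104,7` hunk) now combine a digest taken from cgr.dev with whatever registry `ctx.Config.Repository` resolves to through `ThirdPartyContainerRepo`. A digest only resolves if that registry holds the byte-identical manifest, so an installation that mirrors third-party images has to copy them by digest rather than by the `latest` tag. Whether the mirror-list command already emits digested references is not visible in this diff. A short comment above the first `Image:` line, e.g. `// Pinned by digest: mirrors must copy this manifest unchanged.`, would make the requirement visible. The body of `deployment` starts and ends outside both hunks.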