diff --git a/internal/constellation/helm/charts/coredns/templates/deployment.yaml b/internal/constellation/helm/charts/coredns/templates/deployment.yaml
index b26c1ddea39..d908c27e3ba 100644
--- a/internal/constellation/helm/charts/coredns/templates/deployment.yaml
+++ b/internal/constellation/helm/charts/coredns/templates/deployment.yaml
@@ -37,7 +37,7 @@ spec:
 - args:
 - -conf
 - /etc/coredns/Corefile
- image: registry.k8s.io/coredns/coredns:v1.11.1
+ image: registry.k8s.io/coredns/coredns:v1.11.1@sha256:1eeb4c7316bacb1d4c8ead65571cd92dd21e27359f0d4917f1a5822a73b75db1
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 5
diff --git a/internal/constellation/helm/corednsgen/main.go b/internal/constellation/helm/corednsgen/main.go
index 6e8d002e88e..679e8f38490 100644
--- a/internal/constellation/helm/corednsgen/main.go
+++ b/internal/constellation/helm/corednsgen/main.go
@@ -1,13 +1,21 @@
 package main

 import (
+ "context"
 "flag"
+ "fmt"
 "log"
 "os"
 "path/filepath"
+ "strings"

+ "github.com/edgelesssys/constellation/v2/internal/versions"
+ "github.com/regclient/regclient"
+ "github.com/regclient/regclient/types/ref"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+ "k8s.io/kubernetes/cmd/kubeadm/app/images"
 kubedns "k8s.io/kubernetes/cmd/kubeadm/app/phases/addons/dns"
 kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 "sigs.k8s.io/yaml"
@@ -20,13 +28,14 @@ const (
 valuesYAML = "clusterIP: 10.96.0.10\ndnsDomain: cluster.local\n"
 )

+var image string
+
 func main() {
 if err := os.RemoveAll(relativePath()); err != nil {
 log.Fatalf("Could not remove chart dir: %v", err)
 }
- if err := os.MkdirAll(relativePath("templates"), 0o755); err != nil {
- log.Fatalf("Could not create chart dir: %v", err)
- }
+
+ image = pinnedImage()

 writeFile([]byte(chartYAML), "Chart.yaml")
 writeFile([]byte(valuesYAML), "values.yaml")
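Review bot: In the `main` hunk, `image = pinnedImage()` runs only after `os.RemoveAll(relativePath())` has succeeded, so a failing or unreachable registry (pinnedImage exits via log.Fatalf on a manifest error) leaves the generator dead with the chart directory already deleted; moving `image = pinnedImage()` above the RemoveAll keeps the previous chart intact when the network step fails, which matters because this is the only step that can fail for reasons outside the repository. The removed `os.MkdirAll(relativePath("templates"), 0o755)` is only safe if writeFile creates parent directories itself — its body is not in this diff, so please confirm, otherwise the first `writeFile(..., "templates", "deployment.yaml")` fails with ENOENT. The new package-level `var image string` carries an ordering dependency (set once in main, read later during template rendering) that nothing documents; a comment such as `// image is the digest-pinned CoreDNS reference resolved from the registry in main, before any template is rendered.` would make it explicit. main continues past the end of this hunk.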
@@ -40,19 +49,6 @@ func main() {
 writeFile(patchedDeployment(), "templates", "deployment.yaml")
 }

-/*
- - effect: NoSchedule
- key: node-role.kubernetes.io/control-plane
- - effect: NoSchedule
- key: node.cloudprovider.kubernetes.io/uninitialized
- value: "true"
- - effect: NoExecute
- key: node.kubernetes.io/unreachable
- operator: Exists
- tolerationSeconds: 10
-
-*/
-
 func patchedDeployment() []byte {
 var d appsv1.Deployment
 if err := yaml.Unmarshal(parseTemplate(kubedns.CoreDNSDeployment), &d); err != nil {
@@ -61,6 +57,7 @@ func patchedDeployment() []byte {
 tolerations := []corev1.Toleration{
 {Key: "node-role.kubernetes.io/control-plane", Effect: corev1.TaintEffectNoSchedule},
+ // TODO(burgerdev): test whether we need the tolerations below.
 {Key: "node.cloudprovider.kubernetes.io/uninitialized", Value: "true", Effect: corev1.TaintEffectNoSchedule},
 {Key: "node.kubernetes.io/unreachable", Operator: corev1.TolerationOpExists, Effect: corev1.TaintEffectNoExecute, TolerationSeconds: toPtr(int64(10))},
 {Key: "node.kubernetes.io/not-ready", Effect: corev1.TaintEffectNoSchedule},
@@ -73,6 +70,26 @@ func patchedDeployment() []byte {
 return out
 }

+func pinnedImage() string {
+ cfg := &kubeadm.ClusterConfiguration{
+ KubernetesVersion: string(versions.Default),
+ ImageRepository: "registry.k8s.io",
+ }
+ img := images.GetDNSImage(cfg)
+ regRep, tag, _ := strings.Cut(img, ":") // TODO(burgerdev): use my code from k8s?
+ reg, rep, _ := strings.Cut(regRep, "/")
+ ref := ref.Ref{Scheme: "reg", Registry: reg, Repository: rep, Tag: tag}
+ log.Printf("Getting hash for image %#v", ref)
+
+ rc := regclient.New()
+ m, err := rc.ManifestGet(context.Background(), ref)
+ if err != nil {
+ log.Fatalf("Could not obtain image manifest: %v", err)
+ }
+
+ return fmt.Sprintf("%s/%s:%s@%s", ref.Registry, ref.Repository, ref.Tag, m.GetDescriptor().Digest.String())
+}
+
 func relativePath(elems ...string) string {
 return filepath.Join(append([]string{*chartDir, "coredns"}, elems...)...)
 }
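Review bot: pinnedImage parses the image reference by hand — `regRep, tag, _ := strings.Cut(img, ":")` takes the first colon as the tag separator and discards the found flag — so a registry with a port, a reference that already carries `@sha256:…`, or a tag-less reference is split wrongly or yields an empty Tag without any error, and the generator would then pin whatever the registry resolves for that malformed ref; with ImageRepository fixed to "registry.k8s.io" this happens to work today, but regclient's own parser (`ref.New(img)`) handles these cases and fails loudly, which is presumably what the inline TODO is about. `rc.ManifestGet(context.Background(), ref)` is a network call with no deadline, so a stalled registry hangs the generator indefinitely; a `context.WithTimeout` bounds it (needs a `time` import). The local `ref := ref.Ref{…}` also shadows the imported `ref` package, which only compiles because the package is referenced on the right-hand side before the variable comes into scope — worth a different name. Note that the digest is trusted exactly as the registry returns it at generation time (trust on first use), so the pin written into the chart should be cross-checked against the digest upstream publishes for that tag before it is committed.
```go
func pinnedImage() string {
	// … unchanged: cfg := &kubeadm.ClusterConfiguration{…}; img := images.GetDNSImage(cfg) …
	r, err := ref.New(img)
	if err != nil {
		log.Fatalf("Could not parse image reference %q: %v", img, err)
	}
	log.Printf("Getting hash for image %#v", r)

	// Bound the registry round-trip so a stalled registry cannot hang the generator.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	m, err := regclient.New().ManifestGet(ctx, r)
	if err != nil {
		log.Fatalf("Could not obtain image manifest: %v", err)
	}

	return fmt.Sprintf("%s/%s:%s@%s", r.Registry, r.Repository, r.Tag, m.GetDescriptor().Digest.String())
}
```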
@@ -96,7 +113,7 @@ func parseTemplate(tmpl string) []byte {
 DeploymentName: "coredns",
 DNSDomain: `{{ .Values.dnsDomain }}`,
 DNSIP: `"{{ .Values.clusterIP }}"`,
- Image: "registry.k8s.io/coredns/coredns:v1.11.1", // images.GetDNSImage(cfg),
+ Image: image,
 ControlPlaneTaintKey: "node-role.kubernetes.io/control-plane",
 Replicas: toPtr(int32(2)),
 }