Switched images to sha256 references for better security and enabled …

…overridding of all images
drewbernetes · Mar 18, 2024 · ad96d2c · ad96d2c
1 parent 3dd91bb
commit ad96d2c
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 40 deletions.
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -72,7 +72,7 @@ jobs:
         with:
           version: latest
           skip-cache: true
-          args: --timeout=3m
+          args: --timeout=3m --skip-dirs=charts
   test-golang:
     name: Run tests
     runs-on: 'ubuntu-22.04'

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,13 +6,6 @@ repos:
       - id: trailing-whitespace
       - id: end-of-file-fixer
       - id: check-added-large-files
-  - repo: https://github.com/drewbernetes/pre-commits.git
-    rev: v0.1.0
-    hooks:
-      - id: trivy
-        args:
-          - fs
-          - .
   - repo: https://github.com/norwoodj/helm-docs.git
     rev: v1.13.1
     hooks:
@@ -24,30 +17,37 @@ repos:
       - id: chart-lint
         name: Run Chart Lint Test
         language: system
-        entry: 'ct lint --all --validate-maintainers=false --config .github/ct.yaml'
-  - repo: local
-    hooks:
-      - id: go-test
-        name: Run Go Test
-        language: system
-        entry: 'go test -v -cover ./...'
-  - repo: local
-    hooks:
-      - id: golangci-lint
-        name: Run Golangci-lint
-        language: system
-        entry: 'golangci-lint run --out-format=github-actions --timeout=3m'
+        entry: 'ct lint --all --validate-maintainers=false --config .github/ct.yaml charts/'
+#  - repo: local
+#    hooks:
+#      - id: go-test
+#        name: Run Go Test
+#        language: system
+#        entry: 'go test -v -cover ./...'
+#  - repo: local
+#    hooks:
+#      - id: golangci-lint
+#        name: Run Golangci-lint
+#        language: system
+#        entry: "golangci-lint run --out-format=github-actions --timeout=3m --skip-dirs=charts --skip-files '\\*.[yaml|md]'"
   - repo: https://github.com/drewbernetes/pre-commits.git
     rev: v0.1.0
     hooks:
       - id: docker
         args:
           - --image-name
-          - e2e-tools
+          - dogkat
           - --dockerfile-path
           - ./docker/Dockerfile
           - --context
           - .
+  - repo: https://github.com/drewbernetes/pre-commits.git
+    rev: v0.1.0
+    hooks:
+      - id: trivy
+        args:
+          - fs
+          - .
   - repo: https://github.com/drewbernetes/pre-commits.git
     rev: v0.1.0
     hooks:
@@ -58,4 +58,4 @@ repos:
           - HIGH,CRITICAL
           - --ignorefile
           - .trivyignore
-          - local/e2e-tools:0.0.0
+          - local/dogkat:0.0.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,13 @@
 
 ### Deprecated
 
+## [ 2024/03/18 - v0.1.7 ]
+
+### Changed
+
+* CHART: Enabled overriding of images to deploy
+* CHART: Set default images to SHA256 instead of tags to improve security
+
 ## [ 2024/03/15 - v0.1.6 ]
 
 ### Changed

diff --git a/charts/dogkat/README.md b/charts/dogkat/README.md
@@ -29,19 +29,21 @@ The following table lists the configurable parameters of the chart and the defau
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | core.enabled | bool | `false` |  |
-| core.nginx.image.repo | string | `"nginx"` | The repo to be used |
-| core.nginx.image.tag | string | `"1.25-alpine"` | The tag to be used |
+| core.nginx.exporterImage.repo | string | `"nginx/nginx-prometheus-exporter@sha256"` | The repo to be used |
+| core.nginx.exporterImage.tag | string | `"d710e0ff2505a7037dd21e47eae07025010c0de08a6247d1a704824823becfd0"` | The tag to be used |
+| core.nginx.image.repo | string | `"nginx@sha256"` | The repo to be used |
+| core.nginx.image.tag | string | `"02d8d94023878cedf3e3acc55372932a9ba1478b6e2f3357786d916c2af743ba"` | The tag to be used |
 | core.nginx.resources | object | `{}` |  |
 | core.nginx.serviceAccountName | string | `"nginx"` |  |
-| core.php.image.repo | string | `"drewviles/php-pdo"` | The repo to be used |
-| core.php.image.tag | string | `"v1.1.0"` | The tag to be used |
-| core.postgres.image.repo | string | `"postgres"` | The repo to be used |
-| core.postgres.image.tag | string | `"16-alpine"` | The tag to be used |
+| core.php.image.repo | string | `"drewviles/php-pdo@sha256"` | The repo to be used |
+| core.php.image.tag | string | `"253465d95c3fa68871c2ccc6c67d4ed5ee500563fbbfee3b54a9544f8025d1d6"` | The tag to be used |
+| core.postgres.image.repo | string | `"postgres@sha256"` | The repo to be used |
+| core.postgres.image.tag | string | `"sha256:49fd8c13fbd0eb92572df9884ca41882a036beac0f12e520274be85e7e7806e9"` | The tag to be used |
 | core.postgres.statefulSet.persistentData.enabled | bool | `true` |  |
 | core.postgres.statefulSet.persistentData.storageClassName | string | `"cinder"` |  |
 | gpu.enabled | bool | `false` |  |
-| gpu.image.repo | string | `"nvidia/samples"` | The repo to be used |
-| gpu.image.tag | string | `"vectoradd-cuda11.2.1"` | The tag to be used |
+| gpu.image.repo | string | `"nvcr.io/nvidia/k8s/cuda-sample@sha256"` | The repo to be used |
+| gpu.image.tag | string | `"04a20bfaf69363ec3f15fc1cdb0abc0efabeb6fb6b3a1b9cf4a575ae7b1d81d1"` | The tag to be used |
 | gpu.nodeLabelSelectors."nvidia.com/gpu.present" | string | `"true"` |  |
 | gpu.numberOfGPUs | int | `1` |  |
 | gpu.resources | object | `{}` |  |

diff --git a/charts/dogkat/templates/nginx-deploy.yaml b/charts/dogkat/templates/nginx-deploy.yaml
@@ -109,7 +109,7 @@ spec:
             - name: index-html
               mountPath: /usr/share/nginx/html
         - name: nginx-prometheus
-          image: nginx/nginx-prometheus-exporter
+          image: {{.Values.core.nginx.exporterImage.repo}}:{{.Values.core.nginx.exporterImage.tag}}
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 9113

diff --git a/charts/dogkat/values.yaml b/charts/dogkat/values.yaml
@@ -7,9 +7,14 @@ core:
   nginx:
     image:
       # -- The repo to be used
-      repo: nginx
+      repo: nginx@sha256
       # -- The tag to be used
-      tag: 1.25-alpine
+      tag: 02d8d94023878cedf3e3acc55372932a9ba1478b6e2f3357786d916c2af743ba  # 1.25.4-alpine
+    exporterImage:
+      # -- The repo to be used
+      repo: nginx/nginx-prometheus-exporter@sha256
+      # -- The tag to be used
+      tag: d710e0ff2505a7037dd21e47eae07025010c0de08a6247d1a704824823becfd0  # 1.1.0
     serviceAccountName: "nginx"
     resources: {}
     # requests:
@@ -21,16 +26,16 @@ core:
   php:
     image:
       # -- The repo to be used
-      repo: drewviles/php-pdo
+      repo: drewviles/php-pdo@sha256
       # -- The tag to be used
-      tag: v1.1.0
+      tag: 253465d95c3fa68871c2ccc6c67d4ed5ee500563fbbfee3b54a9544f8025d1d6  # v1.1.0
 
   postgres:
     image:
       # -- The repo to be used
-      repo: postgres
+      repo: postgres@sha256
       # -- The tag to be used
-      tag: 16-alpine
+      tag: sha256:49fd8c13fbd0eb92572df9884ca41882a036beac0f12e520274be85e7e7806e9  # 16.2-alpine
     statefulSet:
       persistentData:
         enabled: true
@@ -41,9 +46,9 @@ gpu:
   numberOfGPUs: 1
   image:
     # -- The repo to be used
-    repo: nvidia/samples
+    repo: nvcr.io/nvidia/k8s/cuda-sample@sha256
     # -- The tag to be used
-    tag: vectoradd-cuda11.2.1
+    tag: 04a20bfaf69363ec3f15fc1cdb0abc0efabeb6fb6b3a1b9cf4a575ae7b1d81d1  # 11.7.1
   resources: {}
   nodeLabelSelectors:
     nvidia.com/gpu.present: "true"