New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pin kustomize version in cockroachdb example #5534
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: karlkfi The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
d84fab4
to
aa322ed
Compare
a9bb2e0
to
a357ecf
Compare
0afc689
to
7bd3f4a
Compare
- Use tools/go.mod to pin the kustomize version to v5.3.0. For most modules, we would want to use the tools pinned in hack/go.mod, but for examples we want to show users how to pin kustomize within the scope of their function repository. As an example, this example's pinned version of kustomize doesn't really need to stay current, unless the install process changes. - Increment example version to v0.1.1
7bd3f4a
to
22ac1d4
Compare
Rebased and ready to go |
We release a container image to contain the kustomize binary when creating a new kustomize release. I think using those containers is enough to pin the kustomize version when running the container. for example
|
I'm dealing with a bit of security theater here. I've got a scanner and policy that wants not just a pinned version but also some kind of checksum to confirm that the version is exactly the content you expected. If we could use a package manager, like apt or apk we could let that handle the checksum and verification, but kustomize isn't published there. If we use go.mod we can let go install handle verifying the checksum in go.sum. But if we use a docker image, we also need the image checksum, not just the tag. Since this is just an example, the risk is minimal, but the scanner still picks it up unless I configure an exception, and I don't really want to carry forward patches on a fork indefinitely. So I'm just trying to find a way to validate a checksum that isn't a huge pain to maintain. |
I think we also released SHA256. Does this not work for your use case? |
My first draft of this PR used the image sha and you told me not to. Thats why I switched to using go.mod. Would you prefer the image sha instead? |
I didn't read your comment below, and I didn't know why you are using digest for the pull container. I thought this was just an application example.
I think so because I checked the below page, but maybe you are right.
I think you have a special reason. That is a good way! |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Replaced by #5691 |
For most modules, we would want to use the tools pinned in
hack/go.mod, but for examples we want to show users how to pin
kustomize within the scope of their function repository.
As an example, this example's pinned version of kustomize doesn't
really need to stay current, unless the install process changes.