diff --git a/config/config.schema.json b/config/config.schema.json index 29f6b27079..5c2e650775 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -752,19 +752,7 @@ "additionalProperties": false, "properties": { "image": { - "type": "object", - "additionalProperties": false, - "properties": { - "registry": { - "type": "string" - }, - "repository": { - "type": "string" - }, - "tag": { - "type": "string" - } - } + "$ref": "#/definitions/containerImageSha" } } } diff --git a/config/config.yaml b/config/config.yaml index ec92871e39..d8491b8472 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -420,7 +420,7 @@ defaults: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c # v1.6.7 (2026-01-29 12:24) # MGMT cluster specifics mgmt: hcpBackups: @@ -537,7 +537,7 @@ defaults: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c # v1.6.7 (2026-01-29 12:24) # Backend backend: image: diff --git a/config/rendered/dev/cspr/westus3.yaml b/config/rendered/dev/cspr/westus3.yaml index 0047677d57..8895deb0be 100755 --- a/config/rendered/dev/cspr/westus3.yaml +++ b/config/rendered/dev/cspr/westus3.yaml @@ -503,7 +503,7 @@ mgmt: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 @@ -788,7 +788,7 @@ svc: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 diff --git a/config/rendered/dev/dev/westus3.yaml b/config/rendered/dev/dev/westus3.yaml index 7507979ecb..522fd679e2 100755 --- a/config/rendered/dev/dev/westus3.yaml +++ b/config/rendered/dev/dev/westus3.yaml @@ -503,7 +503,7 @@ mgmt: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 @@ -788,7 +788,7 @@ svc: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 diff --git a/config/rendered/dev/perf/westus3.yaml b/config/rendered/dev/perf/westus3.yaml index 96576febe8..abd6a9bdbc 100755 --- a/config/rendered/dev/perf/westus3.yaml +++ b/config/rendered/dev/perf/westus3.yaml @@ -503,7 +503,7 @@ mgmt: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 @@ -788,7 +788,7 @@ svc: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 diff --git a/config/rendered/dev/pers/westus3.yaml b/config/rendered/dev/pers/westus3.yaml index 015f5fa032..08f9682327 100755 --- a/config/rendered/dev/pers/westus3.yaml +++ b/config/rendered/dev/pers/westus3.yaml @@ -505,7 +505,7 @@ mgmt: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 @@ -792,7 +792,7 @@ svc: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 diff --git a/config/rendered/dev/prow/westus3.yaml b/config/rendered/dev/prow/westus3.yaml index 1c97e9f1f6..2cd16e12fa 100755 --- a/config/rendered/dev/prow/westus3.yaml +++ b/config/rendered/dev/prow/westus3.yaml @@ -505,7 +505,7 @@ mgmt: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 @@ -792,7 +792,7 @@ svc: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 diff --git a/config/rendered/dev/swft/uksouth.yaml b/config/rendered/dev/swft/uksouth.yaml index 59ca8c83aa..ec29e74bce 100755 --- a/config/rendered/dev/swft/uksouth.yaml +++ b/config/rendered/dev/swft/uksouth.yaml @@ -505,7 +505,7 @@ mgmt: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 @@ -790,7 +790,7 @@ svc: image: registry: arohcpsvcdev.azurecr.io repository: k8s-cache/ingress-nginx/kube-webhook-certgen - tag: v1.5.2 + sha: 7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c kubeStateMetrics: image: digest: sha256:c3621782e405e59b40e1b64e8b8722855f5c348a9b6fe3ac58c54ad1a34afbb9 diff --git a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_mgmt_1_arohcp_monitor.yaml b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_mgmt_1_arohcp_monitor.yaml index 1d75ff6ab8..5f7525893a 100644 --- a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_mgmt_1_arohcp_monitor.yaml +++ b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_mgmt_1_arohcp_monitor.yaml @@ -71153,7 +71153,7 @@ spec: spec: containers: - name: create - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - create @@ -71219,7 +71219,7 @@ spec: spec: containers: - name: patch - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - patch diff --git a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_arohcp_monitor.yaml b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_arohcp_monitor.yaml index fbce5ef04e..551c3a692a 100644 --- a/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_arohcp_monitor.yaml +++ b/dev-infrastructure/zz_fixture_TestHelmTemplate_dev_westus3_svc_1_arohcp_monitor.yaml @@ -71153,7 +71153,7 @@ spec: spec: containers: - name: create - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - create @@ -71219,7 +71219,7 @@ spec: spec: containers: - name: patch - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - patch diff --git a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources.yaml b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources.yaml index 71d6145605..12678220ee 100644 --- a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources.yaml +++ b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources.yaml @@ -71160,7 +71160,7 @@ spec: spec: containers: - name: create - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - create @@ -71226,7 +71226,7 @@ spec: spec: containers: - name: patch - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - patch diff --git a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources_unset.yaml b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources_unset.yaml index 7eaf0d5a2f..4074cde020 100644 --- a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources_unset.yaml +++ b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_mgmt_resources_unset.yaml @@ -71153,7 +71153,7 @@ spec: spec: containers: - name: create - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - create @@ -71219,7 +71219,7 @@ spec: spec: containers: - name: patch - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - patch diff --git a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources.yaml b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources.yaml index 2a75288176..573628fa4e 100644 --- a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources.yaml +++ b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources.yaml @@ -71160,7 +71160,7 @@ spec: spec: containers: - name: create - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - create @@ -71226,7 +71226,7 @@ spec: spec: containers: - name: patch - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - patch diff --git a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources_unset.yaml b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources_unset.yaml index 49aa73c2c8..e3c0e0fa16 100644 --- a/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources_unset.yaml +++ b/observability/prometheus/testdata/zz_fixture_TestHelmTemplate_helmtest_svc_resources_unset.yaml @@ -71153,7 +71153,7 @@ spec: spec: containers: - name: create - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - create @@ -71219,7 +71219,7 @@ spec: spec: containers: - name: patch - image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2 + image: arohcpsvcdev.azurecr.io/k8s-cache/ingress-nginx/kube-webhook-certgen:v1.5.2@sha256:7c74a715af2c94cb734785b4d3ea1357b4f02b88e1e123c622a9cb68b62f669c imagePullPolicy: IfNotPresent args: - patch diff --git a/observability/prometheus/values-mgmt.yaml b/observability/prometheus/values-mgmt.yaml index 89117f95c1..61fec74d99 100644 --- a/observability/prometheus/values-mgmt.yaml +++ b/observability/prometheus/values-mgmt.yaml @@ -64,7 +64,7 @@ kube-prometheus-stack: image: registry: "{{ .acr.svc.name }}.{{ .acrDNSSuffix }}" repository: "{{ .mgmt.prometheus.admissionWebhook.patch.image.repository }}" - tag: "{{ .mgmt.prometheus.admissionWebhook.patch.image.tag }}" + sha: "{{ .mgmt.prometheus.admissionWebhook.patch.image.sha }}" ## Setting to true produces cleaner resource names, but requires a data migration because the name of the persistent volume changes. Therefore this should only be set once on initial installation. cleanPrometheusOperatorObjectNames: true # config for kube-state-metrics subchart that is imported by the kube-prometheus-stack chart conditionally diff --git a/observability/prometheus/values-svc.yaml b/observability/prometheus/values-svc.yaml index a2fee2e0a2..f4b3990f48 100644 --- a/observability/prometheus/values-svc.yaml +++ b/observability/prometheus/values-svc.yaml @@ -64,7 +64,7 @@ kube-prometheus-stack: image: registry: "{{ .acr.svc.name }}.{{ .acrDNSSuffix }}" repository: "{{ .svc.prometheus.admissionWebhook.patch.image.repository }}" - tag: "{{ .svc.prometheus.admissionWebhook.patch.image.tag }}" + sha: "{{ .svc.prometheus.admissionWebhook.patch.image.sha }}" ## Setting to true produces cleaner resource names, but requires a data migration because the name of the persistent volume changes. Therefore this should only be set once on initial installation. cleanPrometheusOperatorObjectNames: true # config for kube-state-metrics subchart that is imported by the kube-prometheus-stack chart conditionally diff --git a/tooling/image-updater/config.yaml b/tooling/image-updater/config.yaml index f7980e8f21..600d4fc0af 100644 --- a/tooling/image-updater/config.yaml +++ b/tooling/image-updater/config.yaml @@ -231,8 +231,9 @@ images: source: image: registry.k8s.io/ingress-nginx/kube-webhook-certgen tagPattern: "^v\\d+\\.\\d+\\.\\d+$" + multiArch: true # This image only publishes multi-arch manifests targets: - - jsonPath: defaults.svc.ingress.controller.admissionWebhook.patch.image.sha + - jsonPath: defaults.svc.prometheus.admissionWebhook.patch.image.sha filePath: ../../config/config.yaml - - jsonPath: defaults.mgmt.ingress.controller.admissionWebhook.patch.image.sha + - jsonPath: defaults.mgmt.prometheus.admissionWebhook.patch.image.sha filePath: ../../config/config.yaml