Support specifying image digests

Refs https://gitlab.com/components/opentofu/-/issues/34 Changelog: feature

Support specifying image digests
e6460418 · Timo Furrer · 4011db89 · e6460418 · e6460418 · e6460418
Unverified Commit e6460418 authored 9 months ago by Timo Furrer
--- a/.gitlab/release-notes.md.template
+++ b/.gitlab/release-notes.md.template
@@ -52,6 +52,10 @@ cosign verify \
  --certificate-oidc-issuer "https://gitlab.com"
 ```

+The `image_digest` input can be used to strictly pull by the image digest.
+The `image_digest` input value needs to have the format of `@<type>:<hash>`
+where `<type>:<hash>` is the `digest` value from the images list above.
+
 > **Note:**
 >
 > When using the component with the inputs `version` and `opentofu_version`,<br>

--- a/templates/apply.yml
+++ b/templates/apply.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -101,6 +106,6 @@ spec:
    TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]]
    TF_PLAN_NAME: $[[ inputs.plan_name ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu apply
--- a/templates/custom-command.yml
+++ b/templates/custom-command.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -80,7 +85,7 @@ spec:
    __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
    TF_ROOT: $[[ inputs.root_dir ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu $[[ inputs.command ]]

--- a/templates/destroy.yml
+++ b/templates/destroy.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -100,6 +105,6 @@ spec:
    TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]]
    TF_PLAN_NAME: $[[ inputs.plan_name ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu apply -destroy
--- a/templates/fmt.yml
+++ b/templates/fmt.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -88,6 +93,6 @@ spec:
    __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]"
    TF_ROOT: $[[ inputs.root_dir ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu fmt
--- a/templates/full-pipeline.yml
+++ b/templates/full-pipeline.yml
@@ -67,6 +67,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -98,6 +103,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
  - local: '/templates/validate.yml'
    inputs:
@@ -108,6 +114,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/test.yml'
@@ -119,6 +126,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
    rules:
@@ -133,6 +141,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      artifacts_access: $[[ inputs.plan_artifacts_access ]]
@@ -145,6 +154,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      auto_apply: $[[ inputs.auto_apply ]]
@@ -157,6 +167,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      auto_destroy: $[[ inputs.auto_destroy ]]

--- a/templates/graph.yml
+++ b/templates/graph.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -86,7 +91,7 @@ spec:
    TF_ROOT: $[[ inputs.root_dir ]]
    TF_STATE_NAME: $[[ inputs.state_name ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu graph > "$[[ inputs.graph_file ]]"
  artifacts:

--- a/templates/job-templates.yml
+++ b/templates/job-templates.yml
@@ -67,6 +67,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    job_name_prefix:
      default: '.opentofu:'
@@ -98,6 +103,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
  - local: '/templates/validate.yml'
    inputs:
@@ -108,6 +114,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/graph.yml'
@@ -129,6 +136,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/plan.yml'
@@ -140,6 +148,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/apply.yml'
@@ -151,6 +160,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      auto_apply: $[[ inputs.auto_apply ]]
@@ -163,6 +173,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      auto_destroy: $[[ inputs.auto_destroy ]]

--- a/templates/plan.yml
+++ b/templates/plan.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -110,7 +115,7 @@ spec:
    TF_STATE_NAME: $[[ inputs.state_name ]]
    TF_PLAN_NAME: $[[ inputs.plan_name ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - "args=\"\"\nif [ \"$[[ inputs.destroy ]]\" == \"true\" ]; then \n  echo \"Planning for a destroy\"\n  args=\"-destroy\"\nfi\n"
    - gitlab-tofu plan $args

--- a/templates/test.yml
+++ b/templates/test.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -86,6 +91,6 @@ spec:
    TF_ROOT: $[[ inputs.root_dir ]]
    TF_STATE_NAME: $[[ inputs.state_name ]]
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu test
--- a/templates/validate-plan-apply.yml
+++ b/templates/validate-plan-apply.yml
@@ -61,6 +61,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -88,6 +93,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
  - local: '/templates/validate.yml'
    inputs:
@@ -98,6 +104,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/plan.yml'
@@ -109,6 +116,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      artifacts_access: $[[ inputs.plan_artifacts_access ]]
@@ -121,6 +129,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      auto_apply: $[[ inputs.auto_apply ]]
--- a/templates/validate-plan-destroy.yml
+++ b/templates/validate-plan-destroy.yml
@@ -61,6 +61,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -91,6 +96,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
  - local: '/templates/validate.yml'
    inputs:
@@ -101,6 +107,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/plan.yml'
@@ -112,6 +119,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      plan_name: $[[ inputs.plan_name ]]
@@ -126,6 +134,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      no_plan: false

--- a/templates/validate-plan.yml
+++ b/templates/validate-plan.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -81,6 +86,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
  - local: '/templates/validate.yml'
    inputs:
@@ -91,6 +97,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
  - local: '/templates/plan.yml'
@@ -102,6 +109,7 @@ include:
      opentofu_version: $[[ inputs.opentofu_version ]]
      image_registry_base: $[[ inputs.image_registry_base ]]
      image_name: $[[ inputs.image_name ]]
+      image_digest: $[[ inputs.image_digest ]]
      root_dir: $[[ inputs.root_dir ]]
      state_name: $[[ inputs.state_name ]]
      artifacts_access: $[[ inputs.artifacts_access ]]
--- a/templates/validate.yml
+++ b/templates/validate.yml
@@ -58,6 +58,11 @@ spec:
      default: 'gitlab-opentofu'
      description: 'Image name for the job images. Hosted under `image_registry_base`.'

+    image_digest:
+      default: ''
+      regex: '^(@sha256:[a-z0-9]{64})?$'
+      description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.'
+
    # Configuration
    root_dir:
      default: ${CI_PROJECT_DIR}
@@ -86,6 +91,6 @@ spec:
    TF_STATE_NAME: $[[ inputs.state_name ]]
    TF_IGNORE_INIT_ERRORS: 'true' # Tofu can report errors which might be the reason init failed.
  image:
-    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]'
+    name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'
  script:
    - gitlab-tofu validate