diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 126b046ad5..53c0c402cc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,7 @@ updates: directories: - /tools/docker/envoy-gateway/ - /site + - "/examples/*" schedule: interval: weekly - package-ecosystem: github-actions diff --git a/examples/backend-utilization/Dockerfile b/examples/backend-utilization/Dockerfile index 1a18f07e7d..c0363348ed 100644 --- a/examples/backend-utilization/Dockerfile +++ b/examples/backend-utilization/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder ARG GO_LDFLAGS="" @@ -14,7 +14,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g GOARCH=${TARGETARCH} \ go build -o /bin/backend-utilization -ldflags "${GO_LDFLAGS}" . -FROM gcr.io/distroless/static-debian11 +FROM gcr.io/distroless/static-debian11@sha256:1dbe426d60caed5d19597532a2d74c8056cd7b1674042b88f7328690b5ead8ed COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /bin/backend-utilization / diff --git a/examples/dynamic-module-test/Dockerfile b/examples/dynamic-module-test/Dockerfile index 1f3a978fde..95d3400331 100644 --- a/examples/dynamic-module-test/Dockerfile +++ b/examples/dynamic-module-test/Dockerfile @@ -1,8 +1,4 @@ -# ENVOY_VERSION must match the SDK version in go.mod to ensure ABI compatibility. -# Update both together when changing the target Envoy version. -ARG ENVOY_VERSION=dev - -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder WORKDIR /build COPY go.mod go.sum ./ @@ -13,6 +9,6 @@ COPY . ./ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod \ CGO_ENABLED=1 go build -buildmode=c-shared -o /build/libheader_mutation.so . -ARG ENVOY_VERSION -FROM docker.io/envoyproxy/envoy:distroless-${ENVOY_VERSION} +# Envoy image tag and digest are updated by tools/hack/bump-envoy-dynamic-modules.sh during releases. +FROM docker.io/envoyproxy/envoy:distroless-dev@sha256:1679d1bb44c7f90aca4a0f5e33f7c7c5723e96a90b38f9ad5a5b158ed4c95a40 COPY --from=builder /build/libheader_mutation.so /usr/local/lib/libheader_mutation.so diff --git a/examples/dynamic-module-test/Makefile b/examples/dynamic-module-test/Makefile index f8a4fe925d..01c859ee20 100644 --- a/examples/dynamic-module-test/Makefile +++ b/examples/dynamic-module-test/Makefile @@ -2,8 +2,7 @@ IMAGE_PREFIX ?= envoyproxy/gateway- APP_NAME ?= dynamic-module-test TAG ?= latest -ENVOY_VERSION ?= dev .PHONY: docker-buildx docker-buildx: - docker buildx build . --build-arg ENVOY_VERSION=$(ENVOY_VERSION) -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --load + docker buildx build . -t $(IMAGE_PREFIX)$(APP_NAME):$(TAG) --load diff --git a/examples/envoy-ext-auth/Dockerfile b/examples/envoy-ext-auth/Dockerfile index 91fa49fe13..9eaf46527d 100644 --- a/examples/envoy-ext-auth/Dockerfile +++ b/examples/envoy-ext-auth/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder ARG GO_LDFLAGS="" @@ -15,7 +15,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g go build -o /bin/envoy-ext-auth -ldflags "${GO_LDFLAGS}" . # Make our production image -FROM gcr.io/distroless/static-debian11:nonroot +FROM gcr.io/distroless/static-debian11:nonroot@sha256:63ebe035fbdd056ed682e6a87b286d07d3f05f12cb46f26b2b44fc10fc4a59ed COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /bin/envoy-ext-auth / diff --git a/examples/grpc-ext-proc/Dockerfile b/examples/grpc-ext-proc/Dockerfile index 42ea24253a..d94cac429d 100644 --- a/examples/grpc-ext-proc/Dockerfile +++ b/examples/grpc-ext-proc/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder ARG GO_LDFLAGS="" @@ -15,7 +15,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g go build -o /bin/grpc-ext-proc -ldflags "${GO_LDFLAGS}" . # Need root user for UDS -FROM gcr.io/distroless/static-debian11 +FROM gcr.io/distroless/static-debian11@sha256:1dbe426d60caed5d19597532a2d74c8056cd7b1674042b88f7328690b5ead8ed COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /bin/grpc-ext-proc / diff --git a/examples/preserve-case-backend/Dockerfile b/examples/preserve-case-backend/Dockerfile index ab9dbcab0f..d813f8f35f 100644 --- a/examples/preserve-case-backend/Dockerfile +++ b/examples/preserve-case-backend/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder ARG GO_LDFLAGS="" @@ -15,7 +15,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g go build -o /bin/preserve-case-backend -ldflags "${GO_LDFLAGS}" . # Need root user for UDS -FROM gcr.io/distroless/static-debian11 +FROM gcr.io/distroless/static-debian11@sha256:1dbe426d60caed5d19597532a2d74c8056cd7b1674042b88f7328690b5ead8ed COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /bin/preserve-case-backend / diff --git a/examples/simple-extension-server/Dockerfile b/examples/simple-extension-server/Dockerfile index bf639ea828..33cdbe9e7d 100644 --- a/examples/simple-extension-server/Dockerfile +++ b/examples/simple-extension-server/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder ARG GO_LDFLAGS="" @@ -15,7 +15,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g go build -o /bin/simple-extension-server -ldflags "${GO_LDFLAGS}" . # Need root user for UDS -FROM gcr.io/distroless/static-debian11 +FROM gcr.io/distroless/static-debian11@sha256:1dbe426d60caed5d19597532a2d74c8056cd7b1674042b88f7328690b5ead8ed COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /bin/simple-extension-server / diff --git a/examples/static-file-server/Dockerfile b/examples/static-file-server/Dockerfile index 0483a869d5..e8fb010437 100644 --- a/examples/static-file-server/Dockerfile +++ b/examples/static-file-server/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.26.1 AS builder +FROM golang:1.26.1@sha256:595c7847cff97c9a9e76f015083c481d26078f961c9c8dca3923132f51fe12f1 AS builder ARG GO_LDFLAGS="" @@ -15,7 +15,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/g go build -o /bin/static-file-server -ldflags "${GO_LDFLAGS}" . # Need root user for UDS -FROM gcr.io/distroless/static-debian11 +FROM gcr.io/distroless/static-debian11@sha256:1dbe426d60caed5d19597532a2d74c8056cd7b1674042b88f7328690b5ead8ed COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /bin/static-file-server / COPY files/ files/ diff --git a/site/content/en/contributions/RELEASING.md b/site/content/en/contributions/RELEASING.md index 968062d5c4..990b6c83ef 100644 --- a/site/content/en/contributions/RELEASING.md +++ b/site/content/en/contributions/RELEASING.md @@ -69,7 +69,7 @@ export GITHUB_REMOTE=origin (+v1.8.x only) After updating the Envoy proxy image tag, update the dynamic module SDK and example dependencies: ```shell - make update-dynamic-module-deps ENVOY_VERSION=v${ENVOY_PROXY_VERSION} + make update-dynamic-module-deps ``` 10. Sign, commit, and push your changes to your fork. diff --git a/tools/hack/bump-envoy-dynamic-modules.sh b/tools/hack/bump-envoy-dynamic-modules.sh index 1dd6fd8036..1483fc5522 100755 --- a/tools/hack/bump-envoy-dynamic-modules.sh +++ b/tools/hack/bump-envoy-dynamic-modules.sh @@ -4,7 +4,16 @@ set -euo pipefail -ENVOY_VERSION="${1:?Usage: $0 }" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +ROOT_DIR="$(cd "${SCRIPT_DIR}/../.." && pwd)" + +# Read envoy version from DefaultEnvoyProxyImage in source code. +# On main this is "distroless-dev" (no version), on release branches it's "distroless-vX.Y.Z". +ENVOY_VERSION=$(grep 'DefaultEnvoyProxyImage' "${ROOT_DIR}/api/v1alpha1/shared_types.go" | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+' || true) +if [ -z "${ENVOY_VERSION}" ]; then + echo "No envoy release version found in DefaultEnvoyProxyImage (dev image?) — skipping." >&2 + exit 0 +fi # Extract major.minor from version (e.g., v1.37.0 -> 1.37) MAJOR_MINOR=$(echo "${ENVOY_VERSION}" | sed 's/^v//' | cut -d. -f1,2) @@ -26,28 +35,28 @@ echo "Resolved ${ENVOY_VERSION} (release/v${MAJOR_MINOR}) to commit ${COMMIT_SHA GNU_SED=$(sed --version >/dev/null 2>&1 && echo "yes" || echo "no") # Find all dynamic module example directories -DYNAMIC_MODULE_DIRS=$(find examples -name "go.mod" \ +DYNAMIC_MODULE_DIRS=$(find "${ROOT_DIR}/examples" -name "go.mod" \ -exec grep -l "envoy/source/extensions/dynamic_modules" {} \; \ | xargs -I{} dirname {}) for dir in $DYNAMIC_MODULE_DIRS; do echo "Updating ${dir}..." - # Update Dockerfile ARG ENVOY_VERSION + # Update Dockerfile envoy image FROM line if [ -f "${dir}/Dockerfile" ]; then - if [ "$GNU_SED" = "yes" ]; then - sed -i'' "s/^ARG ENVOY_VERSION=.*/ARG ENVOY_VERSION=${ENVOY_VERSION}/" "${dir}/Dockerfile" - else - sed -i '' "s/^ARG ENVOY_VERSION=.*/ARG ENVOY_VERSION=${ENVOY_VERSION}/" "${dir}/Dockerfile" + ENVOY_IMAGE="docker.io/envoyproxy/envoy:distroless-${ENVOY_VERSION}" + ENVOY_DIGEST=$(docker buildx imagetools inspect "${ENVOY_IMAGE}" 2>/dev/null | grep -m1 'Digest:' | awk '{print $2}') + if [ -z "${ENVOY_DIGEST}" ]; then + echo "Error: Could not resolve digest for ${ENVOY_IMAGE}" >&2 + exit 1 fi - fi - # Update Makefile ENVOY_VERSION - if [ -f "${dir}/Makefile" ]; then + NEW_FROM="FROM ${ENVOY_IMAGE}@${ENVOY_DIGEST}" + if [ "$GNU_SED" = "yes" ]; then - sed -i'' "s/^ENVOY_VERSION ?=.*/ENVOY_VERSION ?= ${ENVOY_VERSION}/" "${dir}/Makefile" + sed -i'' "s|^FROM docker.io/envoyproxy/envoy:distroless.*|${NEW_FROM}|" "${dir}/Dockerfile" else - sed -i '' "s/^ENVOY_VERSION ?=.*/ENVOY_VERSION ?= ${ENVOY_VERSION}/" "${dir}/Makefile" + sed -i '' "s|^FROM docker.io/envoyproxy/envoy:distroless.*|${NEW_FROM}|" "${dir}/Dockerfile" fi fi diff --git a/tools/make/examples.mk b/tools/make/examples.mk index ca1f592b7a..d871ebdb85 100644 --- a/tools/make/examples.mk +++ b/tools/make/examples.mk @@ -2,10 +2,6 @@ EXAMPLE_APPS := simple-extension-server extension-server envoy-ext-auth grpc-ext EXAMPLE_IMAGE_PREFIX ?= envoyproxy/gateway- EXAMPLE_TAG ?= latest -# Extract envoy proxy version from DefaultEnvoyProxyImage (e.g., "distroless-v1.37.0" -> "v1.37.0"). -# Empty on main branch where the image is "distroless-dev". -ENVOY_PROXY_VERSION := $(shell grep 'DefaultEnvoyProxyImage' api/v1alpha1/shared_types.go | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+') - kube-generate-examples: @$(LOG_TARGET) @pushd $(ROOT_DIR)/examples/extension-server; \ @@ -17,11 +13,7 @@ kube-build-examples-image: @$(LOG_TARGET) @for app in $(EXAMPLE_APPS); do \ pushd $(ROOT_DIR)/examples/$$app; \ - if [ -n "$(ENVOY_PROXY_VERSION)" ]; then \ - make docker-buildx ENVOY_VERSION=$(ENVOY_PROXY_VERSION); \ - else \ - make docker-buildx; \ - fi; \ + make docker-buildx; \ popd; \ done @@ -44,4 +36,4 @@ go.mod.tidy.examples: .PHONY: update-dynamic-module-deps update-dynamic-module-deps: ## Update dynamic module SDK and envoy version in examples @$(LOG_TARGET) - @tools/hack/bump-envoy-dynamic-modules.sh $(ENVOY_VERSION) + @tools/hack/bump-envoy-dynamic-modules.sh