Merge pull request #252 from cert-manager/self-upgrade-main

[CI] Merge self-upgrade-main into main

Author: cert-manager-prow[bot]

OWNERS_ALIASES

@@ -11,3 +11,4 @@ aliases:
     - irbekrm
     - sgtcodfish
     - inteon
+    - thatsmrtalbot

klone.yaml

@@ -10,65 +10,65 @@ targets:
     - folder_name: boilerplate
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/boilerplate
     - folder_name: cert-manager
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/cert-manager
     - folder_name: controller-gen
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/controller-gen
     - folder_name: generate-verify
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/generate-verify
     - folder_name: go
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/go
     - folder_name: helm
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/helm
     - folder_name: help
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/help
     - folder_name: kind
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/kind
     - folder_name: klone
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/klone
     - folder_name: oci-build
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/oci-build
     - folder_name: oci-publish
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/oci-publish
     - folder_name: repository-base
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/repository-base
     - folder_name: tools
       repo_url: https://github.com/cert-manager/makefile-modules.git
       repo_ref: main
-      repo_hash: ed50ac284f8e2a389ee33d4dcb90eb4de108bb98
+      repo_hash: c112512ba05d8a5b09ba5e997fd9db8cbb79f154
       repo_path: modules/tools

make/_shared/cert-manager/00_mod.mk

@@ -15,14 +15,14 @@
 images_amd64 ?=
 images_arm64 ?=
 
-cert_manager_version := v1.14.4
+cert_manager_version := v1.14.5
 
-images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:f84edf06327f84ed2ca056776659aa144cf3cc982c5403650c24553c5a44b03d
-images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:8267563833c31cc428b9ae460b890d079a1da09a4d8d00ec299a47dd613fbd24
-images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:ba5469d1a77b1cb04a703199b0e69bc25644a00498adc3694a0369c87375b4ca
-images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:2a1545099cf6386ab08e979a58a6280fe123d091c69f8222bfb22c597003a3f0
+images_amd64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:f37f460aaa7598ba251ff1cbe7438012fd56c4acc94be64245e8a836203c5542
+images_amd64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:6d9ebced61371cc903f7934690923034382456f3ce6e0fe2b692c40dbd67d523
+images_amd64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:ac34b1905a2ff20789fde27115d3e1aa7b3d09f57efba4e91ae2ba1744de4ad2
+images_amd64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:5c74e4e37586dc5c35442515f43ecf222e961b65e954798428ac9239408bc0f3
 
-images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:39a6e9e699b3dacb8b92538efbaff85c16d4b30343ebeaaf2f35772ff3cebf53
-images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:956aac21371499fdcc8811b4b5fc8e2e0d6e552b15723c783fe56270347fc9e0
-images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:8ea8462c1daa7604f4f2e71e0cdeef3dd5d7e0f04341982a05dc296299766126
-images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:f4cd54540f8813e63a2f53b5b210454ae2a5fe0949b9f55d8f1270162ebad9a8
+images_arm64 += quay.io/jetstack/cert-manager-controller:$(cert_manager_version)@sha256:96668890d162a743407c0ef14d7769e970aa16655959b5f5cab0c595167148fa
+images_arm64 += quay.io/jetstack/cert-manager-cainjector:$(cert_manager_version)@sha256:719aec5d99e86377829261451985592bc4129c5ca8dcb7f20b32170742f2b29b
+images_arm64 += quay.io/jetstack/cert-manager-webhook:$(cert_manager_version)@sha256:874da5701a98e352fa28d88470671eb792a472737a3cf2b7ce9966817e962de8
+images_arm64 += quay.io/jetstack/cert-manager-startupapicheck:$(cert_manager_version)@sha256:35d35b325b980cc702324e52b443cc7eb1df7211ce4e8e91d96da4eff4b6c894

make/_shared/oci-build/image_tool/append_layers.go

@@ -30,6 +30,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/match"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/tarball"
+	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/spf13/cobra"
 )
 
@@ -45,16 +46,33 @@ var CommandAppendLayers = cobra.Command{
 			return
 		}
 
+		path, err := layout.FromPath(oci)
+		must("could not load oci directory", err)
+
+		index, err := path.ImageIndex()
+		must("could not load oci image index", err)
+
+		indexMediaType, err := index.MediaType()
+		must("could not get image index media type", err)
+
+		layerType := types.DockerLayer
+		if indexMediaType == types.OCIImageIndex {
+			layerType = types.OCILayer
+		}
+
 		layers := []v1.Layer{}
 		for _, path := range extra {
-			layers = append(layers, loadLayerFromDirOrTarball(path))
+			layers = append(layers, loadLayerFromDirOrTarball(path, layerType))
 		}
 
-		appendLayersToAllImages(oci, layers...)
+		index = appendLayersToImageIndex(index, layers)
+
+		_, err = layout.Write(oci, index)
+		must("could not write image", err)
 	},
 }
 
-func loadLayerFromDirOrTarball(path string) v1.Layer {
+func loadLayerFromDirOrTarball(path string, mediaType types.MediaType) v1.Layer {
 	stat, err := os.Stat(path)
 	must("could not open directory or tarball", err)
 
@@ -102,31 +120,24 @@ func loadLayerFromDirOrTarball(path string) v1.Layer {
 
 		byts := buf.Bytes()
 
-		layer, err = tarball.LayerFromOpener(func() (io.ReadCloser, error) {
-			return io.NopCloser(bytes.NewReader(byts)), nil
-		})
+		layer, err = tarball.LayerFromOpener(
+			func() (io.ReadCloser, error) {
+				return io.NopCloser(bytes.NewReader(byts)), nil
+			},
+			tarball.WithMediaType(mediaType),
+		)
 
 	} else {
-		layer, err = tarball.LayerFromFile(path)
+		layer, err = tarball.LayerFromFile(
+			path,
+			tarball.WithMediaType(mediaType),
+		)
 	}
 
 	must("could not open directory or tarball", err)
 	return layer
 }
 
-func appendLayersToAllImages(oci string, layers ...v1.Layer) {
-	path, err := layout.FromPath(oci)
-	must("could not load oci directory", err)
-
-	index, err := path.ImageIndex()
-	must("could not load oci image index", err)
-
-	index = appendLayersToImageIndex(index, layers)
-
-	_, err = layout.Write(oci, index)
-	must("could not write image", err)
-}
-
 func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIndex {
 	manifest, err := index.IndexManifest()
 	must("could not load oci image manifest", err)
@@ -145,11 +156,15 @@ func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIn
 			digest, err := img.Digest()
 			must("could not get image digest", err)
 
+			size, err := img.Size()
+			must("could not get image size", err)
+
 			slog.Info("appended layers to image", "old_digest", descriptor.Digest, "digest", digest, "platform", descriptor.Platform)
 
 			index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest))
 
 			descriptor.Digest = digest
+			descriptor.Size = size
 			index = mutate.AppendManifests(index, mutate.IndexAddendum{
 				Add:        img,
 				Descriptor: descriptor,
@@ -159,16 +174,20 @@ func appendLayersToImageIndex(index v1.ImageIndex, layers []v1.Layer) v1.ImageIn
 			slog.Info("found image index", "digest", descriptor.Digest)
 
 			child, err := index.ImageIndex(descriptor.Digest)
-			must("could not load oci image manifest", err)
+			must("could not load oci index manifest", err)
 
 			child = appendLayersToImageIndex(child, layers)
 
 			digest, err := child.Digest()
-			must("could not get image digest", err)
+			must("could not get index digest", err)
+
+			size, err := child.Size()
+			must("could not get index size", err)
 
 			index = mutate.RemoveManifests(index, match.Digests(descriptor.Digest))
 
 			descriptor.Digest = digest
+			descriptor.Size = size
 			index = mutate.AppendManifests(index, mutate.IndexAddendum{
 				Add:        child,
 				Descriptor: descriptor,

make/_shared/oci-publish/01_mod.mk

@@ -19,8 +19,8 @@ sanitize_target = $(subst :,-,$1)
 registry_for = $(firstword $(subst /, ,$1))
 
 # Utility variables
-current_makefile = $(lastword $(MAKEFILE_LIST))
-current_makefile_directory = $(dir $(current_makefile))
+current_makefile_directory := $(dir $(lastword $(MAKEFILE_LIST)))
+image_exists_script := $(current_makefile_directory)/image-exists.sh
 
 # Validate globals that are required
 $(call fatal_if_undefined,bin_dir)
@@ -78,10 +78,10 @@ $(call sanitize_target,oci-push-$2): oci-build-$1 | $(NEEDS_CRANE)
 
 .PHONY: $(call sanitize_target,oci-maybe-push-$2)
 $(call sanitize_target,oci-maybe-push-$2): oci-build-$1 | $(NEEDS_CRANE)
-	$$(CRANE) $(crane_flags_$1) manifest $2:$(call oci_image_tag_for,$1) > /dev/null 2>&1 || (\
-		$$(CRANE) $(crane_flags_$1) push "$(oci_layout_path_$1)" "$2:$(call oci_image_tag_for,$1)" && \
-		$(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2)) \
-	)
+	CRANE="$$(CRANE) $(crane_flags_$1)" \
+	source $(image_exists_script) $2:$(call oci_image_tag_for,$1); \
+		$$(CRANE) $(crane_flags_$1) push "$(oci_layout_path_$1)" "$2:$(call oci_image_tag_for,$1)"; \
+		$(if $(filter true,$(oci_sign_on_push_$1)),$(MAKE) $(call sanitize_target,oci-sign-$2))
 
 oci-push-$1: $(call sanitize_target,oci-push-$2)
 oci-maybe-push-$1: $(call sanitize_target,oci-maybe-push-$2)

make/_shared/oci-publish/image-exists.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The cert-manager Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# This script checks if a given image exists in the upstream registry, and if it
+# does, whether it contains all the expected architectures.
+
+crane=${CRANE:-}
+
+FULL_IMAGE=${1:-}
+
+function print_usage() {
+	echo "usage: $0 <full-image> [commands...]"
+}
+
+if [[ -z $FULL_IMAGE ]]; then
+	print_usage
+	echo "Missing full-image"
+	exit 1
+fi
+
+if [[ -z $crane ]]; then
+    echo "CRANE environment variable must be set to the path of the crane binary"
+    exit 1
+fi
+
+shift 1
+
+manifest=$(mktemp)
+trap 'rm -f "$manifest"' EXIT SIGINT
+
+manifest_error=$(mktemp)
+trap 'rm -f "$manifest_error"' EXIT SIGINT
+
+echo "+++ searching for $FULL_IMAGE in upstream registry"
+
+set +o errexit
+$crane manifest "$FULL_IMAGE" > "$manifest" 2> "$manifest_error"
+exit_code=$?
+set -o errexit
+
+manifest_error_data=$(cat "$manifest_error")
+if [[ $exit_code -eq 0 ]]; then
+    echo "+++ upstream registry appears to contain $FULL_IMAGE, exiting"
+	exit 0
+
+elif [[ "$manifest_error_data" == *"MANIFEST_UNKNOWN"* ]]; then
+    echo "+++ upstream registry does not contain $FULL_IMAGE, will build and push"
+    # fall through to run the commands passed to this script
+
+else
+	echo "FATAL: upstream registry returned an unexpected error: $manifest_error_data, exiting"
+	exit 1
+fi

make/_shared/repository-base/base/OWNERS_ALIASES

@@ -11,3 +11,4 @@ aliases:
     - irbekrm
     - sgtcodfish
     - inteon
+    - thatsmrtalbot

make/_shared/tools/00_mod.mk

@@ -150,7 +150,7 @@ ADDITIONAL_TOOLS ?=
 tools += $(ADDITIONAL_TOOLS)
 
 # https://go.dev/dl/
-VENDORED_GO_VERSION := 1.22.2
+VENDORED_GO_VERSION := 1.22.3
 
 # Print the go version which can be used in GH actions
 .PHONY: print-go-version
@@ -359,10 +359,10 @@ $(call for_each_kv,go_dependency,$(go_dependencies))
 # File downloads #
 ##################
 
-go_linux_amd64_SHA256SUM=5901c52b7a78002aeff14a21f93e0f064f74ce1360fce51c6ee68cd471216a17
-go_linux_arm64_SHA256SUM=36e720b2d564980c162a48c7e97da2e407dfcc4239e1e58d98082dfa2486a0c1
-go_darwin_amd64_SHA256SUM=33e7f63077b1c5bce4f1ecadd4d990cf229667c40bfb00686990c950911b7ab7
-go_darwin_arm64_SHA256SUM=660298be38648723e783ba0398e90431de1cb288c637880cdb124f39bd977f0d
+go_linux_amd64_SHA256SUM=8920ea521bad8f6b7bc377b4824982e011c19af27df88a815e3586ea895f1b36
+go_linux_arm64_SHA256SUM=6c33e52a5b26e7aa021b94475587fce80043a727a54ceb0eee2f9fc160646434
+go_darwin_amd64_SHA256SUM=dd5b9303f612379caebfd12eb19e6cadee653b300443eac3a5aca341b05ad7e9
+go_darwin_arm64_SHA256SUM=58d2838f28631038ed5583c5aefb73ea4e5b13040983df21c647880f4f7dd381
 
 .PRECIOUS: $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz
 $(DOWNLOAD_DIR)/tools/go@$(VENDORED_GO_VERSION)_$(HOST_OS)_$(HOST_ARCH).tar.gz: | $(DOWNLOAD_DIR)/tools