`flux install` / `bootstrap` should support digest-pinned controller images in generated manifests

[ytausch]

Issue Description

flux install --export generates controller manifests that reference Flux controller images by tag, for example:

    spec:
      containers:
        image: ghcr.io/fluxcd/source-controller:v1.8.2

These tags are mutable from a supply-chain perspective. Registries such as GHCR do not provide an immutable guarantee for tags alone.

This means the generated manifests are not pinned to a specific image digest, so a first pull or a pull on a new node may retrieve different content than what the operator originally reviewed. Importantly, this poses an unnecessary supply chain risk: A malicious actor could, if gained write access to fluxcd's GHCR artifacts, overwrite released artifacts to contain malware. Flux clusters would download these artifacts and execute them without any further intervention.

Suggested Solution

flux install --export should emit image tags that look like this:

    spec:
      containers:
        image: ghcr.io/fluxcd/source-controller:v1.8.2@sha256:f2f6fd483b9a8b8c69f8ebe9f2277be23093a2b552b3578a6db15710d736bb0e

This way, immutability is guaranteed from a cluster operator's perspective. Since flux should be secure by default, I suggest this behaviour to become the new default. If, for whatever reason, the old behaviour is still needed in some scenarios, one could think about introducing a flag --no-pin-digest, but I don't see a reason why it should make sense.

[stefanprodan]

We do support this feature in Flux Operator when you deploy the Flux controllers in a declarative manner using the FluxInstance CRD. See here the migration guide from CLI bootstrap to the operator: https://fluxoperator.dev/docs/guides/migration/

[ytausch]

Thanks for pointing that out; however, I'm currently looking for a setup that is as simple as possible. So I think it would still make sense to adopt in flux install/bootstrap directly.

[stefanprodan]

There is no simple solution to this, the manifests the CLI uses are automatically vendored from each controller repo, the digests are known after a controller release, it's not possible to alter the release assets as they are immutable (git tag refs + release assets). We would need to rethink our release procedure across all repos. For the record I'm not against this, I just don't have time to spend on this compared to other priorities in the roadmap. To change the release process, all the Flux maintainers have to agree it's worth it and dedicated time to it.

[ytausch]

Could we not look up the hashes at runtime of the CLI? Of course, baking them into the release binary would be nice, but I think this would already solve 99% of the problem.

[rycli]

FWIW, an 'easy' way to implement this is to use (generated) images entries in the flux-system/kustomization.yaml, or equivalent in your repo. A similar requirement/hardening practice is substituting the registry to use a pull-through cache/private mirror; you can achieve that too with the kustomization transformers.

[stefanprodan]

FWIW, an 'easy' way to implement this is to use (generated) images entries in the flux-system/kustomization.yaml

The image patches with digests (what Flux Operator uses) are made public here, you can use them as-is: https://github.com/controlplaneio-fluxcd/distribution/blob/main/images/v2.8.5/upstream-alpine.yaml

To automate the patches, see this example https://github.com/controlplaneio-fluxcd/distribution/blob/main/actions/update/action.yaml