Upgrade Varnish to 9.0.3 and document custom container images

Dockerfile.controller

@@ -1,4 +1,5 @@
 ARG BUILDPLATFORM=linux/amd64
+ARG VARNISH_VERSION_NUMBER=9.0.3-1
 FROM --platform=$BUILDPLATFORM golang:1.26-bookworm AS builder
 
 ENV DEBIAN_FRONTEND=noninteractive INSTALL_DIRECTORY=/usr/local/bin
@@ -28,24 +29,14 @@ RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
     ./cmd/varnish-controller/
 
 
-FROM --platform=$BUILDPLATFORM debian:trixie-slim AS binary
-
-RUN apt-get update && apt-get install -y --no-install-recommends varnish \
-    && rm -rf /var/lib/apt/lists/*
-
-
-# Build Final Varnish image
 FROM --platform=$BUILDPLATFORM debian:trixie-slim
 LABEL maintainer="Alex Lytvynenko <oleksandr.lytvynenko@ibm.com>, Tomash Sidei <tomash.sidei@ibm.com>"
 
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
-    libc6 libedit2 libncursesw6 libtinfo6 libvarnishapi3 varnish \
-    && rm -rf /var/lib/apt/lists/* \
-                    /etc/varnish/* \
-    && mkdir -p /etc/varnish /var/lib/varnish \
-    && chown -R varnish:varnish /etc/varnish /var/lib/varnish
+COPY docker/install-varnish-9.sh /tmp/install-varnish-9.sh
+RUN chmod +x /tmp/install-varnish-9.sh \
+    && VARNISH_VERSION_NUMBER="${VARNISH_VERSION_NUMBER}" /tmp/install-varnish-9.sh tools \
+    && rm /tmp/install-varnish-9.sh
 
-COPY --from=binary /usr/bin/varnishadm /usr/bin/varnishstat /usr/bin/
 COPY --from=builder /go/src/github.com/cin/varnish-operator/varnish-controller /varnish-controller
 RUN chown varnish:varnish /varnish-controller /usr/bin/varnishadm /usr/bin/varnishstat
 

Dockerfile.exporter

@@ -1,4 +1,5 @@
 ARG BUILDPLATFORM=linux/amd64
+ARG VARNISH_VERSION_NUMBER=9.0.3-1
 FROM --platform=$BUILDPLATFORM golang:1.26-bookworm AS builder
 ARG TARGETOS=linux
 ARG TARGETARCH=amd64
@@ -14,15 +15,14 @@ WORKDIR /src/prometheus_varnish_exporter
 
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /prometheus-varnish-exporter .
 
+
 FROM --platform=$BUILDPLATFORM debian:trixie-slim
 LABEL maintainer="Alex Lytvynenko <oleksandr.lytvynenko@ibm.com>, Tomash Sidei <tomash.sidei@ibm.com>"
 
-# Install varnish so varnishstat and the varnish/vcache users match the varnishd image (VSM access).
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
-    libc6 libedit2 libncursesw6 libtinfo6 libvarnishapi3 varnish \
-    && rm -rf /var/lib/apt/lists/* /etc/varnish/* \
-    && mkdir -p /etc/varnish /var/lib/varnish \
-    && chown -R varnish:varnish /etc/varnish /var/lib/varnish
+COPY docker/install-varnish-9.sh /tmp/install-varnish-9.sh
+RUN chmod +x /tmp/install-varnish-9.sh \
+    && VARNISH_VERSION_NUMBER="${VARNISH_VERSION_NUMBER}" /tmp/install-varnish-9.sh tools \
+    && rm /tmp/install-varnish-9.sh
 
 COPY --from=builder /prometheus-varnish-exporter /usr/bin/
 RUN chown varnish:varnish /usr/bin/prometheus-varnish-exporter

Dockerfile.varnishd

@@ -1,13 +1,13 @@
 ARG BUILDPLATFORM=linux/amd64
+ARG VARNISH_VERSION_NUMBER=9.0.3-1
 FROM --platform=$BUILDPLATFORM debian:trixie-slim
 LABEL maintainer="Alex Lytvynenko <oleksandr.lytvynenko@ibm.com>, Tomash Sidei <tomash.sidei@ibm.com>"
 
-RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
-    varnish \
-    varnish-modules \
-    && rm -rf /var/lib/apt/lists/* /etc/varnish/* \
-    && chown -R varnish:varnish /etc/varnish /var/lib/varnish
+COPY docker/install-varnish-9.sh /tmp/install-varnish-9.sh
+RUN chmod +x /tmp/install-varnish-9.sh \
+    && VARNISH_VERSION_NUMBER="${VARNISH_VERSION_NUMBER}" /tmp/install-varnish-9.sh minimal \
+    && rm /tmp/install-varnish-9.sh
 
 USER varnish
 
-ENTRYPOINT ["varnishd"]
+ENTRYPOINT ["/usr/sbin/varnishd"]

Makefile

@@ -93,9 +93,12 @@ endif
 varnish-controller: fmt vet
 	go build -o ${ROOT_DIR}bin/varnish-controller ${ROOT_DIR}cmd/varnish-controller/
 
+VARNISH_VERSION_NUMBER ?= 9.0.3-1
+
 # Build the docker image with varnishd itself and varnish modules
 docker-build-varnish:
-	docker build --platform ${PLATFORM} ${ROOT_DIR} -t ${VARNISH_IMG} -f Dockerfile.varnishd
+	docker build --platform ${PLATFORM} ${ROOT_DIR} -t ${VARNISH_IMG} -f Dockerfile.varnishd \
+		--build-arg VARNISH_VERSION_NUMBER=${VARNISH_VERSION_NUMBER}
 
 docker-tag-push-varnish:
 ifndef PUBLISH
@@ -108,7 +111,8 @@ endif
 
 # Build the docker image with varnish controller
 docker-build-varnish-controller: fmt vet
-	docker build --platform ${PLATFORM} ${ROOT_DIR} -t ${VARNISH_CONTROLLER_IMG} -f Dockerfile.controller
+	docker build --platform ${PLATFORM} ${ROOT_DIR} -t ${VARNISH_CONTROLLER_IMG} -f Dockerfile.controller \
+		--build-arg VARNISH_VERSION_NUMBER=${VARNISH_VERSION_NUMBER}
 
 docker-tag-push-varnish-controller:
 ifndef PUBLISH
@@ -123,6 +127,7 @@ endif
 PROMETHEUS_VARNISH_EXPORTER_VERSION ?= v1.8.3
 docker-build-varnish-exporter:
 	docker build --platform ${PLATFORM} ${ROOT_DIR} -t ${VARNISH_METRICS_IMG} -f Dockerfile.exporter \
+		--build-arg VARNISH_VERSION_NUMBER=${VARNISH_VERSION_NUMBER} \
 		--build-arg PROMETHEUS_VARNISH_EXPORTER_VERSION=${PROMETHEUS_VARNISH_EXPORTER_VERSION}
 
 docker-tag-push-varnish-exporter:

README.md

@@ -9,7 +9,7 @@ The purpose of the project is to provide a convenient way to deploy and manage V
 
 Kubernetes version `>=1.29.0` is supported (see the operator bundle `minKubeVersion`). CI runs e2e against Kubernetes 1.34.3 and 1.35.1, and unit tests use envtest 1.36.0—see [docs/development.md](docs/development.md#kubernetes-versions-in-tests) for why those version numbers differ.
 
-Varnish version 7.x is supported (container images ship Debian trixie packages, currently Varnish 7.7).
+Varnish version 9.x is supported (container images ship Varnish 9.0.3 from [packages.varnish-software.com](https://packages.varnish-software.com/) on Debian trixie).
 
 Full documentation can be found [here](https://cin.github.io/varnish-operator/)
 
@@ -34,4 +34,5 @@ The operator manages the whole lifecycle of the cluster: creating, deleting and
 ### Further reading
 
 * [QuickStart](https://cin.github.io/varnish-operator/quick-start.html)
+* [Custom container images](https://cin.github.io/varnish-operator/custom-images.html)
 * [Contributing](https://cin.github.io/varnish-operator/development.html)

api/v1alpha1/varnishcluster_types.go

@@ -53,9 +53,9 @@ const (
 	VarnishSecretVolume              = "secret"
 	// VarnishWorkDir is the shared emptyDir mount for varnishd and varnishstat (must match -n).
 	VarnishWorkDir = "/var/lib/varnish"
-	// VarnishRunAsUID and VarnishRunAsGID match the varnish system user from the Debian varnish package in our images.
-	VarnishRunAsUID = 997
-	VarnishRunAsGID = 997
+	// VarnishRunAsUID and VarnishRunAsGID match the varnish user from packages.varnish-software.com (Varnish 9 images).
+	VarnishRunAsUID = 1000
+	VarnishRunAsGID = 1000
 
 	VarnishUpdateStrategyDelayedRollingUpdate = "DelayedRollingUpdate"
 

config/samples/varnishcluster.yaml

@@ -9,9 +9,11 @@ spec:
 #  updateStrategy:
 #    type: "OnDelete" #can be "OnDelete", "RollingUpdate" and "DelayedRollingUpdate"
   varnish:
-    # path to image + tag
-#    image: cinple/varnish:0.27.2
+    # Optional: override images (tag = operator release, e.g. 0.38.0 or local—not Varnish 9.0.3).
+    # Sidecars default to varnish-controller:<tag> and varnish-metrics-exporter:<tag>. See docs/custom-images.md.
+#    image: cinple/varnish:0.38.0
 #    imagePullPolicy: Always
+#    imagePullSecret: regcred
     # Resources allocated to the Varnish pod through Kubernetes. It is strongly recommended that you specify resources,
     # since Varnish is an in-memory cache, and you do not want it restarting frequently.
     #resources:
@@ -28,7 +30,7 @@ spec:
     # and defines the container's resources allocation.
 #    controller:
       #  # path to image + tag to override, by default it refers to varnish.image with "-controller" suffix image.
-#      image: cinple/varnish-controller:0.27.2
+#      image: cinple/varnish-controller:0.38.0
       #  # imagePullPolicy controls how the varnish-controller image will be pulled for new containers
       #  imagePullPolicy: Always
       #  # Resources allocated to the Varnish controller container through Kubernetes.
@@ -44,7 +46,7 @@ spec:
 
 #    metricsExporter:
       #  # path to image + tag to override, by default it refers to varnish.image with "-metrics-exporter" suffix image.
-#      image: cinple/varnish-metrics-exporter:0.27.2
+#      image: cinple/varnish-metrics-exporter:0.38.0
       #  # imagePullPolicy controls how the varnish-metrics-exporter image will be pulled for new containers
       #  imagePullPolicy: Always
       #  # Resources allocated to the Varnish metrics exporter container through Kubernetes.

docker/install-varnish-9.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+# Install pinned Varnish 9.x from packages.varnish-software.com on Debian trixie.
+# Usage: install-varnish-9.sh [minimal|tools]
+#   minimal — varnishd image: varnish + varnish-modules
+#   tools   — controller/exporter: varnish CLI/libs only (no vmods)
+set -ex
+
+MODE="${1:-minimal}"
+VARNISH_VERSION_NUMBER="${VARNISH_VERSION_NUMBER:-9.0.3-1}"
+REPO_FINGERPRINT="${REPO_FINGERPRINT:-694566269779DFAC975ED9BDD0525EAE838B3344}"
+
+. /etc/os-release
+VARNISH_VERSION="${VARNISH_VERSION_NUMBER}~${VERSION_CODENAME}"
+
+export DEBIAN_FRONTEND=noninteractive
+export DEBCONF_NONINTERACTIVE_SEEN=true
+
+apt-get update
+apt-get install -y --no-install-recommends curl ca-certificates gnupg
+
+mkdir -p /etc/apt/keyrings
+gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${REPO_FINGERPRINT}"
+gpg --batch --armor --export "${REPO_FINGERPRINT}" > /etc/apt/keyrings/varnish.gpg
+echo "deb [signed-by=/etc/apt/keyrings/varnish.gpg] https://packages.varnish-software.com/varnish/${ID} ${VERSION_CODENAME} main" \
+  > /etc/apt/sources.list.d/varnish.list
+
+apt-get update
+
+# Match official varnish/docker-varnish UID layout (not Debian stock 997).
+adduser --uid 1000 --quiet --system --no-create-home --home /nonexistent --group varnish
+adduser --uid 1001 --quiet --system --no-create-home --home /nonexistent --ingroup varnish vcache
+adduser --uid 1002 --quiet --system --no-create-home --home /nonexistent --ingroup varnish varnishlog
+
+if [ "${MODE}" = "minimal" ]; then
+  PACKAGES="varnish=${VARNISH_VERSION} varnish-modules=${VARNISH_VERSION}"
+else
+  PACKAGES="varnish=${VARNISH_VERSION}"
+fi
+
+apt-get install -y --no-install-recommends ${PACKAGES}
+
+apt-mark hold varnish
+rm -rf /var/lib/apt/lists/* /etc/varnish/* ~/.gnupg
+mkdir -p /etc/varnish /var/lib/varnish
+chown -R varnish:varnish /etc/varnish /var/lib/varnish
+mkdir -p -m 1777 /var/lib/varnish/varnishd
+chown varnish /var/lib/varnish/varnishd

docs/README.md

@@ -40,7 +40,7 @@ spec:
     port: 80
 ```
 
-See the [VarnishCluster configuration section](varnish-cluster-configuration.md) for more details about the `VarnishCluster` spec.
+See the [VarnishCluster configuration section](varnish-cluster-configuration.md) for more details about the `VarnishCluster` spec. To use your own `varnish` / sidecar images, see [Custom container images](custom-images.md).
 
 ### VCL configuration
 
@@ -59,6 +59,7 @@ See the [VCL files configuration](vcl-configuration.md) section for more details
 
 * [Quickstart](quick-start.md)
 * [VarnishCluster configuration](varnish-cluster-configuration.md)
+* [Custom container images](custom-images.md)
 * [Varnish operator configuration](operator-configuration.md)
 * [VCL files configuration](vcl-configuration.md)
 * [Contribution](development.md)

docs/SUMMARY.md

@@ -6,6 +6,7 @@
 * [Operator Configuration](operator-configuration.md)
 * [VarnishCluster](varnish-cluster.md)
 * [VarnishCluster Configuration](varnish-cluster-configuration.md)
+* [Custom container images](custom-images.md)
 * [VCL Configuration](vcl-configuration.md)
 * [Monitoring](monitoring.md)
 * [Debugging Issues](debugging-issues.md)

docs/architecture.md

@@ -22,7 +22,7 @@ The containers share specific volumes for the varnish configuration and work dir
 
 ##### Varnish
 
-The Varnish process itself. Varnish **7.x** is supported (images use Debian trixie packages, currently **7.7**). The operator doesn't support arbitrary Varnish images due to additional components needed for the operator to function. The container image is custom built with `varnish` and `varnish-modules` preinstalled.
+The Varnish process itself. Varnish **9.x** is supported (default images install **9.0.3** from [packages.varnish-software.com](https://packages.varnish-software.com/) on Debian trixie, plus `varnish-modules`). You may set `spec.varnish.image` (and sidecar images) to your own registry, but all three pod images must stay compatible with the operator’s layout—see [Custom container images](custom-images.md).
 
 ##### Varnish-Controller