Images should be rebuilt with the release tag #941

Open
skitt opened this issue Mar 7, 2024 · 3 comments
Member

skitt commented Mar 7, 2024

The release process currently retags images:

  • for the first GA, the last RC images are retagged (to avoid unintended changes being released)
  • for any other release, the last images built on the appropriate release branch are retagged

Now that binaries embed version information, this results in misleading information being shown to users, e.g. using subctl show versions. For example in submariner-io/subctl#971, the RC1 images were tagged using the last built image on the 0.16 branch, embedding the commit information from those images instead of 0.16.0-rc1 (e.g. release-0.16-d1b6c9e194f8 for the gateway and route-agent images), and reproducing that for the GA images instead of 0.16.0. As a result, even though the setup is correctly running 0.16.0 images, that is not apparent.

Limiting the risk of releasing images with unintended changes is still desirable, so fixing this isn’t as simple as building the relevant branch.


This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further
activity occurs. Thank you for your contributions.


@github-actions github-actions bot added the stale label Dec 19, 2024
@skitt skitt removed the stale label Dec 19, 2024
Member Author

skitt commented Dec 19, 2024

One possible solution here would be to change the various programs that report their versions to look for an /app/version file, and if present, use that instead of their compiled-in version. Then, during release, the images can get an additional layer with only the correct /app/version file (and only an additional layer — in particular, the base image must not change). Ideally programs reporting their version should also provide a way to obtain their commit hash, to verify that they haven’t been changed since the RCs. The image layers can also be checked (the hashes of all the layers apart from the last one should match the RCs).
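
The layer check proposed in the comment above, as an added example that is not part of the issue thread or of Submariner's own code: it compares the layer digests in two image manifests and accepts the release image only when it is the RC image plus exactly one extra top layer. The helper name `CheckReleaseLayers` and the sample manifests (with placeholder digests) are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// manifest holds the only part of an OCI image manifest this check needs.
type manifest struct {
	Layers []struct {
		Digest string `json:"digest"`
	} `json:"layers"`
}

// CheckReleaseLayers (hypothetical helper) returns nil only when the release
// image consists of every RC layer, in order, plus exactly one extra top layer.
func CheckReleaseLayers(rcJSON, relJSON []byte) error {
	var rc, rel manifest
	if err := json.Unmarshal(rcJSON, &rc); err != nil {
		return fmt.Errorf("parsing RC manifest: %w", err)
	}
	if err := json.Unmarshal(relJSON, &rel); err != nil {
		return fmt.Errorf("parsing release manifest: %w", err)
	}
	if len(rc.Layers) == 0 {
		return fmt.Errorf("RC manifest has no layers")
	}
	if len(rel.Layers) != len(rc.Layers)+1 {
		return fmt.Errorf("release has %d layers, want %d", len(rel.Layers), len(rc.Layers)+1)
	}
	// Every layer below the added one must be byte-identical to the RC's.
	for i, l := range rc.Layers {
		if rel.Layers[i].Digest != l.Digest {
			return fmt.Errorf("layer %d differs: RC %s, release %s", i, l.Digest, rel.Layers[i].Digest)
		}
	}
	return nil
}

// Constructed sample manifests; the digests are placeholders, not real images.
const (
	sampleRC      = `{"layers":[{"digest":"sha256:base"},{"digest":"sha256:app"}]}`
	sampleRelease = `{"layers":[{"digest":"sha256:base"},{"digest":"sha256:app"},{"digest":"sha256:version"}]}`
	sampleRebuilt = `{"layers":[{"digest":"sha256:newbase"},{"digest":"sha256:app"},{"digest":"sha256:version"}]}`
)

func main() {
	fmt.Println("RC + version layer:", CheckReleaseLayers([]byte(sampleRC), []byte(sampleRelease)))
	fmt.Println("base image changed:", CheckReleaseLayers([]byte(sampleRC), []byte(sampleRebuilt)))
}
```

This check covers only the layer list; the contents of the added layer (that it holds nothing but the version file) would need a separate inspection.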
