Open daneov opened 3 months ago
@daneov Hi, does this meet your requirements?
redis_image: docker.private.registry.com/redis@sha256
redis_image_version: 7635b0bfdd7dd8552b4b31d6541fef07b734614045b45a52fd5cc27c9dada9e2
Thanks for getting back to me! I've considered that but decided against it as I thought it brittle: it builds on internal knowledge of how the AWX-operator playbook works and is not intuitive.
Would this be the advised way, or do you think of it as something to get me going?
For me this would not work as we have tooling that looks for image records:
image: <image>:<tag>
in the yaml with
image: <image>@<sha_hash>
to ensure immutability on our k8s deploy.

Hi, my idea is just a workaround 😃
As an alternative workaround, you can also specify a custom image by adding the environment variable RELATED_IMAGE_AWX_REDIS = "docker.private.registry.com/redis@sha256:7635b0bfdd7dd8552b4b31d6541fef07b734614045b45a52fd5cc27c9dada9e2" for the Operator's deployment.
Of course the above approaches are not ideal, and I think it is a good RFE to suggest that native @DIGEST support should be provided.
Bug Summary
Currently to override an image we need to provide both the image name and the tag, which are joined together by doing {{ image }} + ':' + {{ tag }}.
Because of this it is not possible to pin an image to the sha256 hash at the time of deployment, opening it up to images being replaced at a later time and thus opening up security issues.
AWX Operator version
2.14.0
AWX version
24.1.0
Kubernetes platform
kubernetes
Kubernetes/Platform version
1.27
Modifications
no
Steps to reproduce
Define an override for an image with the sha256:
Expected results
To be able to specify any image by the sha256 reference.
Actual results
This does not get propagated (can't remember if it halts deployment as well, I think it did but I'm not at work at this time)
Additional information
Currently, you'd override the following fields on the kind: AWX deployment (See #1441):
But using the sha it breaks the concatenation at https://github.com/ansible/awx-operator/blob/413b7003a2c5f949b175e430456d4eb49c13a999/roles/installer/tasks/resources_configuration.yml#L233-L235, but I'd expect this to function for all image overrides.
Operator Logs
No response
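
An added example, not code from the AWX operator or from anyone in this thread: it models the `image + ':' + tag` join described in the bug summary, shows why the `redis@sha256` workaround still yields a valid digest reference, and checks manifest `image:` lines for digest pinning. The function names, the digest-aware join and the sample manifest are assumptions constructed for illustration; the registry name and digest are the ones quoted above.

```python
import re

# "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Digest quoted in the thread above.
DIGEST_HEX = "7635b0bfdd7dd8552b4b31d6541fef07b734614045b45a52fd5cc27c9dada9e2"

# Constructed sample manifest (not from the issue).
SAMPLE_MANIFEST = f"""
containers:
  - name: redis-by-tag
    image: docker.private.registry.com/redis:7
  - name: redis-by-digest
    image: docker.private.registry.com/redis@sha256:{DIGEST_HEX}
"""


def naive_join(image: str, version: str) -> str:
    """Model of the join described in the issue: image + ':' + tag."""
    return f"{image}:{version}"


def digest_aware_join(image: str, version: str) -> str:
    """Hypothetical join: use '@' when the version is a sha256 digest."""
    sep = "@" if DIGEST_RE.match(version) else ":"
    return f"{image}{sep}{version}"


def is_digest_pinned(ref: str) -> bool:
    """True only if the reference ends in a well-formed @sha256:<64 hex>."""
    name, sep, digest = ref.rpartition("@")
    return bool(name and sep and DIGEST_RE.match(digest))


def unpinned_images(manifest_text: str) -> list[str]:
    """Return every 'image:' value in a manifest that is not digest-pinned."""
    refs = re.findall(
        r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"'#]+)", manifest_text, re.MULTILINE
    )
    return [ref for ref in refs if not is_digest_pinned(ref)]
```
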