eclipse-che / che

Kubernetes based Cloud Development Environments for Enterprise Teams
http://eclipse.org/che
Eclipse Public License 2.0

Make default setting CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS use same UDI image as everything else #22427

Open amisevsk opened 1 year ago

amisevsk commented 1 year ago

Is your enhancement related to a problem? Please describe

The default value for checluster.spec.devEnvironments.defaultComponents is stored in the environment variable CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS.

This variable references the UDI image associated with the current release:

  - name: CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS
    value: '[{"name": "universal-developer-image", "container":
      {"image": "quay.io/devfile/universal-developer-image@sha256:c351dba8c203494512aae20d91144a0843f68e897fbc4ce0296939b48f49853e"}}]'

This can cause an issue with automation for updating the UDI image in response to CVEs, etc., as this automation will replace e.g. the UDI used in the devfile and plugin registries:

  - name: RELATED_IMAGE_universal_developer_image_plugin_registry_image_<base64>
    value: quay.io/devfile/universal-developer-image@sha256:c351dba8c203494512aae20d91144a0843f68e897fbc4ce0296939b48f49853e

since they are RELATED_IMAGEs, but not the UDI image used for default components.

This means that empty workspace samples do not necessarily get the same CVE fixes as other workspaces (that have devfiles associated with them).

Describe the solution you'd like

Ideally, we should resolve additional environment variables inside the default setting field. Something like

  - name: RELATED_IMAGE_universal-developer-image
    value: quay.io/devfile/universal-developer-image@sha256:c351dba8c203494512aae20d91144a0843f68e897fbc4ce0296939b48f49853e
  - name: CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS
    value: '[{"name": "universal-developer-image", "container":
      {"image": "${RELATED_IMAGE_universal-developer-image}"}}]'

which the Che Operator resolves to the same default setting as above.

Describe alternatives you've considered

No response

Additional context

No response

tolusha commented 1 year ago

Why isn't it possible to update CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS when a new DS version with CVE fixes is released?

amisevsk commented 1 year ago

Internally, we have automation (Freshmaker) that can be used for any operator to

  1. Respin containers with CVE warnings (e.g. in RPMs, that are fixed by a dnf/yum/apt update)
  2. Update the .spec.relatedImages and RELATED_IMAGES_* environment variables in an Operator's definition to use those new images

This automation is designed only to operate on the images present in .spec.relatedImages; the existence of an image reference in the CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS environment variable is similar to hard-coding an image reference internally and not listing it in relatedImages -- updating this field automatically to keep it in sync would require specific logic to ensure the image is updated alongside others.
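The two mechanisms discussed above, placeholder resolution inside the default-components setting (the issue body's proposal) and a check that every default-component image is one the CVE respin automation actually tracks (the RELATED_IMAGE_* exchange), as an added illustration written for this page. It is not code from the Che Operator, Freshmaker or the issue's author. Assumptions: the functions ExpandDefaultComponents and AuditDefaultComponents are hypothetical names; the placeholder uses an underscore-only variable name (RELATED_IMAGE_universal_developer_image) because the hyphenated name sketched in the issue is not a legal environment variable name in most shells or in Kubernetes; the environment maps in main are constructed sample data, reusing the digest quoted in the issue plus an obviously fake "bumped" digest.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Component mirrors the JSON carried in CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS:
// a component name plus a container image reference.
type Component struct {
	Name      string `json:"name"`
	Container struct {
		Image string `json:"image"`
	} `json:"container"`
}

// placeholder matches ${NAME}. NAME is limited to characters that are legal in
// environment variable names (assumption: underscores, not the hyphen used in
// the issue's sketch).
var placeholder = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// ExpandDefaultComponents substitutes every ${VAR} in raw with env[VAR] and parses
// the result. An unresolved reference is an error rather than being left in place:
// a literal "${...}" image reference would otherwise only fail later, at pod
// creation time, with a far less obvious message.
func ExpandDefaultComponents(raw string, env map[string]string) ([]Component, error) {
	var missing []string
	expanded := placeholder.ReplaceAllStringFunc(raw, func(m string) string {
		name := placeholder.FindStringSubmatch(m)[1]
		v, ok := env[name]
		if !ok || v == "" {
			missing = append(missing, name)
			return m
		}
		return v
	})
	if len(missing) > 0 {
		return nil, fmt.Errorf("unresolved placeholders: %s", strings.Join(missing, ", "))
	}
	var comps []Component
	if err := json.Unmarshal([]byte(expanded), &comps); err != nil {
		return nil, fmt.Errorf("default components are not valid JSON: %w", err)
	}
	return comps, nil
}

// AuditDefaultComponents returns one finding per component whose image is not
// pinned by digest or does not match any RELATED_IMAGE_* value in env. An image
// outside that set is exactly the drift the issue describes: respin automation
// that only rewrites relatedImages would never update it.
func AuditDefaultComponents(comps []Component, env map[string]string) []string {
	related := map[string]bool{}
	for k, v := range env {
		if strings.HasPrefix(k, "RELATED_IMAGE_") {
			related[v] = true
		}
	}
	var findings []string
	for _, c := range comps {
		img := c.Container.Image
		if !strings.Contains(img, "@sha256:") {
			findings = append(findings, fmt.Sprintf("%s: image %q is not pinned by digest", c.Name, img))
		}
		if !related[img] {
			findings = append(findings, fmt.Sprintf("%s: image %q is not a RELATED_IMAGE_* value", c.Name, img))
		}
	}
	return findings
}

func main() {
	// Constructed sample environment: the digest is the one quoted in the issue;
	// the "bumped" digest is a fake value standing in for a CVE respin.
	const udi = "quay.io/devfile/universal-developer-image@sha256:c351dba8c203494512aae20d91144a0843f68e897fbc4ce0296939b48f49853e"
	bumped := "quay.io/devfile/universal-developer-image@sha256:" + strings.Repeat("0", 64)

	// Proposed layout: the default setting references the related image by name,
	// so bumping RELATED_IMAGE_* is enough to move the default components too.
	env := map[string]string{
		"RELATED_IMAGE_universal_developer_image":          bumped,
		"CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS": `[{"name": "universal-developer-image", "container": {"image": "${RELATED_IMAGE_universal_developer_image}"}}]`,
	}
	comps, err := ExpandDefaultComponents(env["CHE_DEFAULT_SPEC_DEVENVIRONMENTS_DEFAULTCOMPONENTS"], env)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("resolved default image:", comps[0].Container.Image)
	fmt.Println("findings after resolution:", AuditDefaultComponents(comps, env))

	// Current layout: the digest is hard-coded in the default setting, so after the
	// respin bumps RELATED_IMAGE_* the default components still point at the old image.
	stale := []Component{{Name: "universal-developer-image"}}
	stale[0].Container.Image = udi
	for _, f := range AuditDefaultComponents(stale, env) {
		fmt.Println("finding:", f)
	}
}
```

Running the block prints no findings for the placeholder layout and one "not a RELATED_IMAGE_* value" finding for the hard-coded digest once the related image has moved on, which is the condition an operator build pipeline could fail on.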

che-bot commented 9 months ago

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.