You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
Bug Summary
Currently to override an image we need to provide both the image name and the tag, which is joined together by doing {{ image }} + ':' + {{ tag }}.
Because of this it is not possible to pin an image to the sha256 hash at the time of deployment, opening it up to images being replaced at a later time and thus opening up security issues.
Thanks for getting back to me!
I've considered that but decided against it as I thought it brittle: it builds on internal knowledge of how the AWX-operator playbook works and is not intuitive.
Would this be the advised way, or do you think of it as something to get me going?
For me this would not work as we have tooling that looks for image records :
e.g. RenovateBot
Internal tooling that replaces image: <image>:<tag> in the yaml with image: <image>@<sha_hash to ensure immutability on our k8s deploy.
Hi, my idea is just a workaround 😃
As an alternative workaround, you can also specify custom image by adding environment variable RELATED_IMAGE_AWX_REDIS = "docker.private.registry.com/redis@sha256:7635b0bfdd7dd8552b4b31d6541fef07b734614045b45a52fd5cc27c9dada9e2" for Operator's deployment.
Of course the above approaches are not ideal, and I think it is a good RFE to suggest that native @DIGEST support should be provided.
Please confirm the following
Bug Summary
Currently to override an image we need to provide both the
image
name and thetag
, which is joined together by doing{{ image }} + ':' + {{ tag }}
.Because of this it is not possible to pin an image to the sha256 hash at the time of deployment, opening it up to images being replaced at a later time and thus opening up security issues.
AWX Operator version
2.14.0
AWX version
24.1.0
Kubernetes platform
kubernetes
Kubernetes/Platform version
1.27
Modifications
no
Steps to reproduce
Define an override for an image with the
sha256
:Expected results
To be able to specify any image by the
sha256
reference.Actual results
This does not get propagated (can't remember if it halts deployment as well, I think it did but I'm not at work at this time)
Additional information
Currently, you'd override the following fields on the
kind: AWX
deployment (See #1441):But using the sha it breaks the concatenation at
awx-operator/roles/installer/tasks/resources_configuration.yml
Lines 233 to 235 in 413b700
Operator Logs
No response
The text was updated successfully, but these errors were encountered: