This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

14898 Update RHSSO Image Pull Policy to Always #237

Merged
merged 1 commit into from
Jul 29, 2020

Conversation

briangallagher
Contributor

JIRA ID

https://issues.redhat.com/browse/KEYCLOAK-14898

Additional Information

RHSSO image updates due to a CVE will not be automatically deployed if the image already exists on the OpenShift Node. This is due to the ImagePullPolicy on the RHSSO image defaulting to "IfNotPresent". Explicitly set the pull policy to "Always" to force the update of the image and thereby potentially deploying a CVE fix. The RHSSO image is referenced using a floating tag which will work in conjunction with the "Always" pull policy.

Checklist:

  • Automated Tests - not applicable
  • Documentation changes if necessary - not required

Contributor

@ASzc ASzc left a comment

Seems to align with recommended best practice. Always is the default when using :latest tag, but not otherwise it seems. Would be good to have that behaviour regardless of tag.

@ASzc
Contributor

ASzc commented Jul 29, 2020

@abstractj LGTM

@abstractj abstractj merged commit c12a371 into keycloak:master Jul 29, 2020
@briangallagher
Contributor Author

@ASzc @abstractj Thanks for approving the PR. Can you suggest a temp workaround while we wait for the new Operator Image? How do I force pulling the new image? I've tried programmatically setting the pull policy but the operator reverts it.

@slaskawi
Contributor

@briangallagher Unfortunately there's no good workaround for it. The only way I know is to create a MutatingAdmissionWebhook and modify objects created by the operator on the fly.
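
One shape the mutation suggested above could take, as an added example that is not from this PR or the operator's code base: the review-handling logic of a mutating admission webhook that takes an `admission.k8s.io/v1` AdmissionReview for a Pod and answers with a JSON Patch setting `imagePullPolicy` to `Always` on every container and init container. It assumes the function is called from an HTTPS handler registered for Pod CREATE; the sample request, its UID and its image name are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed AdmissionReview request for a Pod; the UID and image are placeholders.
const sample = `{"request":{"uid":"constructed-uid","object":{"spec":{"containers":[{"image":"registry.example/sso:floating","imagePullPolicy":"IfNotPresent"}]}}}}`

type container struct{ ImagePullPolicy string }

// Mutate answers a Pod AdmissionReview with a JSON Patch forcing imagePullPolicy "Always".
func Mutate(body []byte) ([]byte, []map[string]string, error) {
	var in struct { // only the fields read here; JSON keys match case-insensitively
		Request struct {
			UID    string
			Object struct {
				Spec struct{ InitContainers, Containers []container }
			}
		}
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	ops := []map[string]string{}
	fix := func(field string, cs []container) {
		for i, c := range cs {
			if c.ImagePullPolicy != "Always" { // "add" also replaces an existing member
				path := fmt.Sprintf("/spec/%s/%d/imagePullPolicy", field, i)
				ops = append(ops, map[string]string{"op": "add", "path": path, "value": "Always"})
			}
		}
	}
	fix("initContainers", in.Request.Object.Spec.InitContainers)
	fix("containers", in.Request.Object.Spec.Containers)
	resp := map[string]interface{}{"uid": in.Request.UID, "allowed": true}
	if len(ops) > 0 {
		patch, _ := json.Marshal(ops)
		resp["patchType"], resp["patch"] = "JSONPatch", patch // []byte is emitted as base64
	}
	out, err := json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp})
	return out, ops, err
}

func main() {
	out, _, err := Mutate([]byte(sample))
	fmt.Println(string(out), err)
}
```
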

Contributor

@slaskawi slaskawi left a comment

LGTM


4 participants