Parent: #85
Status: deferred
Don't start until we see whether the YAML + customScript path covers real customer usage. If it does, this ticket may never need to ship.
What (when triggered)
For customers who genuinely need a custom ingestor image (proprietary binary formats, on-the-fly decryption, etc.), constrain what a custom image can be:
- A Kyverno (or equivalent) cluster policy that admits an ingestor Job only if its image:
  - is cosign verify-signed by a trusted issuer (tracebloc CI for the official image; customer signing key for their own custom images), AND
  - has a base layer matching ghcr.io/tracebloc/ingestor-base@sha256:... (a published official base, separate from the all-in-one official image).
- Custom-image use is opt-in via spec.customImage.enabled: true in the ingestor subchart values.
- Document the friction explicitly: "if you find yourself reaching for this, file an issue first — your case may be one we want to absorb into the standard image."
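The two admission conditions above, written out as plain Python so the decision logic can be tested before it is encoded in a Kyverno rule. This is an added illustration, not tracebloc's code and not the policy itself; the signer identities, layer digests and the shape of the signature-verification record are constructed assumptions. The base-image check compares the whole layer prefix rather than one digest, which is what "built FROM the base" means in OCI terms for an unsquashed build.

```python
# Added example (not tracebloc's code): the two admission conditions from the
# ticket as plain functions. All digests, identities and the shape of the
# signature-verification record are constructed sample data / assumptions.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class TrustedSigner:
    """Identity allowed to sign ingestor images (issuer + signing identity)."""
    issuer: str
    subject: str


@dataclass(frozen=True)
class Verification:
    """Outcome of a cosign verification as the policy engine would see it.
    Assumed shape: 'valid' says whether the signature checked out at all;
    issuer/subject are the identity the verifier reported for it."""
    valid: bool
    issuer: str
    subject: str


# Assumed trust roots: the official CI identity and one customer key identity.
TRUSTED_SIGNERS = (
    TrustedSigner(issuer="https://token.actions.githubusercontent.com",
                  subject="https://github.com/tracebloc/ingestor/.github/workflows/release.yml@refs/tags/v1"),
    TrustedSigner(issuer="customer-key", subject="acme-corp-ingestor-signing-key"),
)


def signer_is_trusted(v: Verification, trusted: Sequence[TrustedSigner]) -> bool:
    """A signature counts only if it verified AND the identity is allow-listed:
    a valid signature from an unknown identity is not trust."""
    return v.valid and any(t.issuer == v.issuer and t.subject == v.subject for t in trusted)


def built_from_base(image_layers: Sequence[str], base_layers: Sequence[str]) -> bool:
    """An image built FROM the base (without squashing) carries the base's layer
    digests, in order, as the prefix of its own layer list. Comparing the whole
    prefix rejects squashed builds and images that copied only part of the base."""
    n = len(base_layers)
    return n > 0 and len(image_layers) >= n and list(image_layers[:n]) == list(base_layers)


def admit(image_layers, base_layers, verification, custom_image_enabled, trusted=TRUSTED_SIGNERS):
    """Return (admitted, reason). Each rejection names the failed condition so
    the Job's admission error tells the customer what to fix."""
    if not custom_image_enabled:
        return False, "custom images are disabled (spec.customImage.enabled is not true)"
    if not signer_is_trusted(verification, trusted):
        return False, "image signature missing, invalid, or from an untrusted signer"
    if not built_from_base(image_layers, base_layers):
        return False, "image layers do not start with the ingestor-base layers (different base or squashed build)"
    return True, "signed by a trusted signer and built on the official base"


# Constructed sample data: base with two layers; custom image adds one layer on top.
BASE_LAYERS = ["sha256:" + "a1" * 32, "sha256:" + "b2" * 32]
CUSTOM_LAYERS = BASE_LAYERS + ["sha256:" + "c3" * 32]
SQUASHED_LAYERS = ["sha256:" + "d4" * 32]  # base flattened away: no matching prefix

CUSTOMER_OK = Verification(valid=True, issuer="customer-key", subject="acme-corp-ingestor-signing-key")
UNKNOWN_SIGNER = Verification(valid=True, issuer="customer-key", subject="someone-else")
NOT_VERIFIED = Verification(valid=False, issuer="", subject="")


if __name__ == "__main__":
    for label, layers, ver, enabled in [
        ("good custom image", CUSTOM_LAYERS, CUSTOMER_OK, True),
        ("opt-in not set", CUSTOM_LAYERS, CUSTOMER_OK, False),
        ("unknown signer", CUSTOM_LAYERS, UNKNOWN_SIGNER, True),
        ("unsigned", CUSTOM_LAYERS, NOT_VERIFIED, True),
        ("squashed / other base", SQUASHED_LAYERS, CUSTOMER_OK, True),
    ]:
        ok, why = admit(layers, BASE_LAYERS, ver, enabled)
        print(f"{label:24s} admitted={ok} ({why})")
```

In a real cluster the layer lists come from the image and base manifests in the registry and the verification record from cosign; the point of keeping the decision as a pure function is that the opt-in flag, the signer allow-list and the base-prefix rule can each be unit-tested and the rejection reasons surfaced verbatim in the admission response.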
When to revisit
- After the new flow has been live for ~one quarter.
- If telemetry / customer feedback shows real demand for custom images, pick this up.
- If demand is near zero, close as won't-do.
Depends on
- ghcr.io/tracebloc/ingestor-base image (out of scope here; spin up if we get to this ticket)