fix: update ose-cli image version (#4)

* fix: update ose-cli image version

Signed-off-by: Min Zhang <minzhang@redhat.com>

* refactor: use OpenShift built-in cli ImageStream instead of ose-cli

Replace hardcoded registry.redhat.io/openshift4/ose-cli-rhel9:v4.20 with
the cluster-internal cli ImageStream at
image-registry.openshift-image-registry.svc:5000/openshift/cli.

This image auto-updates with the cluster, eliminating the need to manually
track ose-cli version bumps on a monthly/quarterly/yearly basis.

Signed-off-by: Min Zhang <minzhang@redhat.com>

---------

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

.github/linters/.checkov.yaml

@@ -19,6 +19,8 @@ skip-check:
   - CKV_K8S_38
   # CKV_K8S_40: Job uses OpenShift namespace default UID (high UID assigned at runtime, no anyuid needed)
   - CKV_K8S_40
+  # CKV_K8S_14: ImageStream tag tracks the cluster version; no fixed tag by design
+  - CKV_K8S_14
   # CKV_K8S_43: Image digest; chart uses tag, digest is deployment-specific
   - CKV_K8S_43
   # CKV_SECRET_6: False positives - templates use placeholders, script refs to cluster secrets only

.trivyignore

@@ -1,4 +1,4 @@
-# AVD-KSV-0125: registry.redhat.io trusted; S3 job uses ose-cli from Red Hat
+# AVD-KSV-0125: S3 job uses OpenShift built-in cli ImageStream (cluster-internal registry)
 AVD-KSV-0125
 # AVD-KSV-0113: S3 setup Role intentionally needs secret get/create/patch for quay config bundle
 AVD-KSV-0113

Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: quay
 description: Red Hat Quay Registry Resources
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "3.9"
 home: https://github.com/validatedpatterns/quay-chart
 maintainers:

README.md

@@ -2,7 +2,7 @@
 
 <!-- markdownlint-disable MD013 -->
 
-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.9](https://img.shields.io/badge/AppVersion-3.9-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.9](https://img.shields.io/badge/AppVersion-3.9-informational?style=flat-square)
 
 <!-- markdownlint-enable MD013 -->
 
@@ -28,28 +28,28 @@ This chart is used to serve as the template for Validated Patterns Charts
 
 ## Values
 
-| Key                                          | Type   | Default                                        | Description |
-| -------------------------------------------- | ------ | ---------------------------------------------- | ----------- |
-| job.image                                    | string | `"registry.redhat.io/openshift4/ose-cli:4.15"` |             |
-| job.resources.limits.cpu                     | string | `"500m"`                                       |             |
-| job.resources.limits.memory                  | string | `"256Mi"`                                      |             |
-| job.resources.requests.cpu                   | string | `"50m"`                                        |             |
-| job.resources.requests.memory                | string | `"128Mi"`                                      |             |
-| objectStorage.objectBucketClaim.bucketName   | string | `"quay-datastore"`                             |             |
-| objectStorage.objectBucketClaim.name         | string | `"quay-bucket"`                                |             |
-| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"`                |             |
-| quay.configBundleSecret.deploy               | bool   | `true`                                         |             |
-| quay.configBundleSecret.name                 | string | `"quay-init-config-bundle-secret"`             |             |
-| quay.namespace                               | string | `"quay-enterprise"`                            |             |
-| quay.setup.admin.email                       | string | `"quayadmin@example.com"`                      |             |
-| quay.setup.admin.name                        | string | `"quayadmin"`                                  |             |
-| quay.setup.user.email                        | string | `"developer1@myorg.com"`                       |             |
-| quay.setup.user.name                         | string | `"developer1"`                                 |             |
-| quay.storage.clairpostgres.size              | string | `"50Gi"`                                       |             |
-| quay.storage.postgres.size                   | string | `"50Gi"`                                       |             |
-| quay_config.org.email                        | string | `"devel@myorg.com"`                            |             |
-| quay_config.org.name                         | string | `"devel"`                                      |             |
-| quay_config.repo                             | string | `"example"`                                    |             |
+| Key                                          | Type   | Default                                                            | Description |
+| -------------------------------------------- | ------ | ------------------------------------------------------------------ | ----------- |
+| job.image                                    | string | `"image-registry.openshift-image-registry.svc:5000/openshift/cli"` |             |
+| job.resources.limits.cpu                     | string | `"500m"`                                                           |             |
+| job.resources.limits.memory                  | string | `"256Mi"`                                                          |             |
+| job.resources.requests.cpu                   | string | `"50m"`                                                            |             |
+| job.resources.requests.memory                | string | `"128Mi"`                                                          |             |
+| objectStorage.objectBucketClaim.bucketName   | string | `"quay-datastore"`                                                 |             |
+| objectStorage.objectBucketClaim.name         | string | `"quay-bucket"`                                                    |             |
+| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"`                                    |             |
+| quay.configBundleSecret.deploy               | bool   | `true`                                                             |             |
+| quay.configBundleSecret.name                 | string | `"quay-init-config-bundle-secret"`                                 |             |
+| quay.namespace                               | string | `"quay-enterprise"`                                                |             |
+| quay.setup.admin.email                       | string | `"quayadmin@example.com"`                                          |             |
+| quay.setup.admin.name                        | string | `"quayadmin"`                                                      |             |
+| quay.setup.user.email                        | string | `"developer1@myorg.com"`                                           |             |
+| quay.setup.user.name                         | string | `"developer1"`                                                     |             |
+| quay.storage.clairpostgres.size              | string | `"50Gi"`                                                           |             |
+| quay.storage.postgres.size                   | string | `"50Gi"`                                                           |             |
+| quay_config.org.email                        | string | `"devel@myorg.com"`                                                |             |
+| quay_config.org.name                         | string | `"devel"`                                                          |             |
+| quay_config.repo                             | string | `"example"`                                                        |             |
 
 <!-- markdownlint-enable MD013 MD034 MD060 -->
 

templates/quay-s3-credentials-job.yaml

@@ -18,7 +18,7 @@ spec:
       automountServiceAccountToken: true
       containers:
       - name: setup-s3-credentials
-        image: {{ .Values.job.image | default "registry.redhat.io/openshift4/ose-cli:4.15" }}
+        image: {{ .Values.job.image | default "image-registry.openshift-image-registry.svc:5000/openshift/cli" }}
         imagePullPolicy: Always
         securityContext:
           allowPrivilegeEscalation: false

values.yaml

@@ -17,8 +17,10 @@ quay:
       size: 50Gi # Default and minimum size is 50 Gi
 
 job:
-  # Use a version tag; avoid :latest for production (CKV_K8S_14)
-  image: registry.redhat.io/openshift4/ose-cli:4.15
+  # Uses OpenShift built-in cli ImageStream; auto-updates with the cluster
+  # Override with e.g. registry.redhat.io/openshift4/ose-cli-rhel9:v4.20
+  # if the internal image registry is not available
+  image: image-registry.openshift-image-registry.svc:5000/openshift/cli
   resources:
     requests:
       cpu: 50m