diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
index d9415e5..f3b1cfc 100644
--- a/.github/linters/.checkov.yaml
+++ b/.github/linters/.checkov.yaml
@@ -19,6 +19,8 @@ skip-check:
 - CKV_K8S_38
 # CKV_K8S_40: Job uses OpenShift namespace default UID (high UID assigned at runtime, no anyuid needed)
 - CKV_K8S_40
+ # CKV_K8S_14: ImageStream tag tracks the cluster version; no fixed tag by design
+ - CKV_K8S_14
 # CKV_K8S_43: Image digest; chart uses tag, digest is deployment-specific
 - CKV_K8S_43
 # CKV_SECRET_6: False positives - templates use placeholders, script refs to cluster secrets only
diff --git a/.trivyignore b/.trivyignore
index f012e06..a33ed9b 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,4 +1,4 @@
-# AVD-KSV-0125: registry.redhat.io trusted; S3 job uses ose-cli from Red Hat
+# AVD-KSV-0125: S3 job uses OpenShift built-in cli ImageStream (cluster-internal registry)
 AVD-KSV-0125
 # AVD-KSV-0113: S3 setup Role intentionally needs secret get/create/patch for quay config bundle
 AVD-KSV-0113
diff --git a/Chart.yaml b/Chart.yaml
index 62aef23..f5c6ecc 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: quay
 description: Red Hat Quay Registry Resources
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "3.9"
 home: https://github.com/validatedpatterns/quay-chart
 maintainers:
diff --git a/README.md b/README.md
index 37c52d4..850bf2d 100644
--- a/README.md
+++ b/README.md
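Review bot: The new `CKV_K8S_14` entry under `skip-check` switches the image-tag check off for every resource the chart renders, not only for the S3 credentials Job that the justification comment describes, so a container added later with an untagged or `:latest` image would no longer be reported. Checkov accepts resource-level suppression, so the narrower form is a comment inside the Job manifest in `templates/quay-s3-credentials-job.yaml`, e.g. `# checkov:skip=CKV_K8S_14: cli ImageStream tracks the cluster version by design`, which keeps the check active for the rest of the chart; this presumes the comment survives Helm rendering, which plain `#` YAML comments do. If the global skip is kept, the comment on this line should name the Job it covers so the exception can be revisited when that Job changes.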
@@ -2,7 +2,7 @@
-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.9](https://img.shields.io/badge/AppVersion-3.9-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.9](https://img.shields.io/badge/AppVersion-3.9-informational?style=flat-square)
@@ -28,28 +28,28 @@ This chart is used to serve as the template for Validated Patterns Charts
 ## Values
-| Key | Type | Default | Description |
-| -------------------------------------------- | ------ | ---------------------------------------------- | ----------- |
-| job.image | string | `"registry.redhat.io/openshift4/ose-cli:4.15"` | |
-| job.resources.limits.cpu | string | `"500m"` | |
-| job.resources.limits.memory | string | `"256Mi"` | |
-| job.resources.requests.cpu | string | `"50m"` | |
-| job.resources.requests.memory | string | `"128Mi"` | |
-| objectStorage.objectBucketClaim.bucketName | string | `"quay-datastore"` | |
-| objectStorage.objectBucketClaim.name | string | `"quay-bucket"` | |
-| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"` | |
-| quay.configBundleSecret.deploy | bool | `true` | |
-| quay.configBundleSecret.name | string | `"quay-init-config-bundle-secret"` | |
-| quay.namespace | string | `"quay-enterprise"` | |
-| quay.setup.admin.email | string | `"quayadmin@example.com"` | |
-| quay.setup.admin.name | string | `"quayadmin"` | |
-| quay.setup.user.email | string | `"developer1@myorg.com"` | |
-| quay.setup.user.name | string | `"developer1"` | |
-| quay.storage.clairpostgres.size | string | `"50Gi"` | |
-| quay.storage.postgres.size | string | `"50Gi"` | |
-| quay_config.org.email | string | `"devel@myorg.com"` | |
-| quay_config.org.name | string | `"devel"` | |
-| quay_config.repo | string | `"example"` | |
+| Key | Type | Default | Description |
+| -------------------------------------------- | ------ | ------------------------------------------------------------------ | ----------- |
+| job.image | string | `"image-registry.openshift-image-registry.svc:5000/openshift/cli"` | |
+| job.resources.limits.cpu | string | `"500m"` | |
+| job.resources.limits.memory | string | `"256Mi"` | |
+| job.resources.requests.cpu | string | `"50m"` | |
+| job.resources.requests.memory | string | `"128Mi"` | |
+| objectStorage.objectBucketClaim.bucketName | string | `"quay-datastore"` | |
+| objectStorage.objectBucketClaim.name | string | `"quay-bucket"` | |
+| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"` | |
+| quay.configBundleSecret.deploy | bool | `true` | |
+| quay.configBundleSecret.name | string | `"quay-init-config-bundle-secret"` | |
+| quay.namespace | string | `"quay-enterprise"` | |
+| quay.setup.admin.email | string | `"quayadmin@example.com"` | |
+| quay.setup.admin.name | string | `"quayadmin"` | |
+| quay.setup.user.email | string | `"developer1@myorg.com"` | |
+| quay.setup.user.name | string | `"developer1"` | |
+| quay.storage.clairpostgres.size | string | `"50Gi"` | |
+| quay.storage.postgres.size | string | `"50Gi"` | |
+| quay_config.org.email | string | `"devel@myorg.com"` | |
+| quay_config.org.name | string | `"devel"` | |
+| quay_config.repo | string | `"example"` | |
diff --git a/templates/quay-s3-credentials-job.yaml b/templates/quay-s3-credentials-job.yaml
index 51a515e..f1f8c75 100644
--- a/templates/quay-s3-credentials-job.yaml
+++ b/templates/quay-s3-credentials-job.yaml
@@ -18,7 +18,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: setup-s3-credentials
- image: {{ .Values.job.image | default "registry.redhat.io/openshift4/ose-cli:4.15" }}
+ image: {{ .Values.job.image | default "image-registry.openshift-image-registry.svc:5000/openshift/cli" }}
 imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/values.yaml b/values.yaml
index 0363056..c4419c6 100644
--- a/values.yaml
+++ b/values.yaml
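Review bot: The new default on the `image:` line carries no tag, so it resolves to the `latest` tag of the `openshift/cli` ImageStream, and with `imagePullPolicy: Always` on the following line the Job fetches whatever that tag points to on every run; the pinning rationale the old `values.yaml` comment gave is gone from the template, while the override path the commit documents (a tagged `registry.redhat.io` image) keeps it, so the two configurations carry different update models. That trade-off is explained only in `values.yaml`, so a reader of the template or of a rendered manifest does not see it; a comment above the container's `image:` line such as `# Default is the cluster's openshift/cli ImageStream (untagged, i.e. :latest): tracks the cluster version and is re-pulled on every run` would keep the intent with the manifest. Pulling from the internal registry also presumes the Job's service account is allowed to pull from the `openshift` namespace, which OpenShift grants to authenticated users by default but a hardened cluster may have withdrawn; that belongs in the same comment. The same default string now appears in the template, `values.yaml` and the README, so the three have to move together; the `values.yaml` hunk below carries the matching change.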
@@ -17,8 +17,10 @@ quay:
 size: 50Gi # Default and minimum size is 50 Gi
 job:
- # Use a version tag; avoid :latest for production (CKV_K8S_14)
- image: registry.redhat.io/openshift4/ose-cli:4.15
+ # Uses OpenShift built-in cli ImageStream; auto-updates with the cluster
+ # Override with e.g. registry.redhat.io/openshift4/ose-cli-rhel9:v4.20
+ # if the internal image registry is not available
+ image: image-registry.openshift-image-registry.svc:5000/openshift/cli
 resources:
 requests:
 cpu: 50m