From 0543671a90de8dc179f63e20518b11082b8b7ea4 Mon Sep 17 00:00:00 2001
From: Min Zhang
Date: Mon, 23 Mar 2026 14:18:34 -0400
Subject: [PATCH 1/2] fix: update ose-cli image version
Signed-off-by: Min Zhang
---
 Chart.yaml | 2 +-
 README.md | 46 +++++++++++++-------------
 templates/quay-s3-credentials-job.yaml | 2 +-
 values.yaml | 2 +-
 4 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 62aef23..f5c6ecc 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: quay
 description: Red Hat Quay Registry Resources
 type: application
-version: 0.1.1
+version: 0.1.2
 appVersion: "3.9"
 home: https://github.com/validatedpatterns/quay-chart
 maintainers:
diff --git a/README.md b/README.md
index 37c52d4..7dc27d4 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.9](https://img.shields.io/badge/AppVersion-3.9-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.9](https://img.shields.io/badge/AppVersion-3.9-informational?style=flat-square)
@@ -28,28 +28,28 @@ This chart is used to serve as the template for Validated Patterns Charts
 ## Values
-| Key | Type | Default | Description |
-| -------------------------------------------- | ------ | ---------------------------------------------- | ----------- |
-| job.image | string | `"registry.redhat.io/openshift4/ose-cli:4.15"` | |
-| job.resources.limits.cpu | string | `"500m"` | |
-| job.resources.limits.memory | string | `"256Mi"` | |
-| job.resources.requests.cpu | string | `"50m"` | |
-| job.resources.requests.memory | string | `"128Mi"` | |
-| objectStorage.objectBucketClaim.bucketName | string | `"quay-datastore"` | |
-| objectStorage.objectBucketClaim.name | string | `"quay-bucket"` | |
-| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"` | |
-| quay.configBundleSecret.deploy | bool | `true` | |
-| quay.configBundleSecret.name | string | `"quay-init-config-bundle-secret"` | |
-| quay.namespace | string | `"quay-enterprise"` | |
-| quay.setup.admin.email | string | `"quayadmin@example.com"` | |
-| quay.setup.admin.name | string | `"quayadmin"` | |
-| quay.setup.user.email | string | `"developer1@myorg.com"` | |
-| quay.setup.user.name | string | `"developer1"` | |
-| quay.storage.clairpostgres.size | string | `"50Gi"` | |
-| quay.storage.postgres.size | string | `"50Gi"` | |
-| quay_config.org.email | string | `"devel@myorg.com"` | |
-| quay_config.org.name | string | `"devel"` | |
-| quay_config.repo | string | `"example"` | |
+| Key | Type | Default | Description |
+| -------------------------------------------- | ------ | ----------------------------------------------------- | ----------- |
+| job.image | string | `"registry.redhat.io/openshift4/ose-cli-rhel9:v4.20"` | |
+| job.resources.limits.cpu | string | `"500m"` | |
+| job.resources.limits.memory | string | `"256Mi"` | |
+| job.resources.requests.cpu | string | `"50m"` | |
+| job.resources.requests.memory | string | `"128Mi"` | |
+| objectStorage.objectBucketClaim.bucketName | string | `"quay-datastore"` | |
+| objectStorage.objectBucketClaim.name | string | `"quay-bucket"` | |
+| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"` | |
+| quay.configBundleSecret.deploy | bool | `true` | |
+| quay.configBundleSecret.name | string | `"quay-init-config-bundle-secret"` | |
+| quay.namespace | string | `"quay-enterprise"` | |
+| quay.setup.admin.email | string | `"quayadmin@example.com"` | |
+| quay.setup.admin.name | string | `"quayadmin"` | |
+| quay.setup.user.email | string | `"developer1@myorg.com"` | |
+| quay.setup.user.name | string | `"developer1"` | |
+| quay.storage.clairpostgres.size | string | `"50Gi"` | |
+| quay.storage.postgres.size | string | `"50Gi"` | |
+| quay_config.org.email | string | `"devel@myorg.com"` | |
+| quay_config.org.name | string | `"devel"` | |
+| quay_config.repo | string | `"example"` | |
diff --git a/templates/quay-s3-credentials-job.yaml b/templates/quay-s3-credentials-job.yaml
index 51a515e..ed9e8c3 100644
--- a/templates/quay-s3-credentials-job.yaml
+++ b/templates/quay-s3-credentials-job.yaml
@@ -18,7 +18,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: setup-s3-credentials
- image: {{ .Values.job.image | default "registry.redhat.io/openshift4/ose-cli:4.15" }}
+ image: {{ .Values.job.image | default "registry.redhat.io/openshift4/ose-cli-rhel9:v4.20" }}
 imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/values.yaml b/values.yaml
index 0363056..55dba17 100644
--- a/values.yaml
+++ b/values.yaml
@@ -18,7 +18,7 @@ quay:
 job:
 # Use a version tag; avoid :latest for production (CKV_K8S_14)
- image: registry.redhat.io/openshift4/ose-cli:4.15
+ image: registry.redhat.io/openshift4/ose-cli-rhel9:v4.20
 resources:
 requests:
 cpu: 50m
From ba621c1e831cabcbe0d4a8bf1a85272dd9011ee3 Mon Sep 17 00:00:00 2001
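Review bot: The literal inside `| default "registry.redhat.io/openshift4/ose-cli-rhel9:v4.20"` duplicates the value that values.yaml sets in this same commit, so the image must now be kept in sync in three places (values.yaml, this template and the generated README table), and the fallback only ever fires when a user overrides `job.image` with an empty value; the second patch's hunk on the same template line repeats the exercise. Making values.yaml the single source and failing loudly on an empty override removes the drift: `image: {{ required "job.image must be set" .Values.job.image }}`. If the in-template fallback is deliberate, a short template comment saying why would stop the next reviewer from asking. The container list and the enclosing Job begin and end outside the hunk.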
From: Min Zhang
Date: Tue, 24 Mar 2026 11:30:12 -0400
Subject: [PATCH 2/2] refactor: use OpenShift built-in cli ImageStream instead of ose-cli
Replace hardcoded registry.redhat.io/openshift4/ose-cli-rhel9:v4.20 with the cluster-internal cli ImageStream at image-registry.openshift-image-registry.svc:5000/openshift/cli. This image auto-updates with the cluster, eliminating the need to manually track ose-cli version bumps on a monthly/quarterly/yearly basis.
Signed-off-by: Min Zhang
---
 .github/linters/.checkov.yaml | 2 ++
 .trivyignore | 2 +-
 README.md | 44 +++++++++++++-------------
 templates/quay-s3-credentials-job.yaml | 2 +-
 values.yaml | 6 ++--
 5 files changed, 30 insertions(+), 26 deletions(-)
diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
index d9415e5..f3b1cfc 100644
--- a/.github/linters/.checkov.yaml
+++ b/.github/linters/.checkov.yaml
@@ -19,6 +19,8 @@ skip-check:
 - CKV_K8S_38
 # CKV_K8S_40: Job uses OpenShift namespace default UID (high UID assigned at runtime, no anyuid needed)
 - CKV_K8S_40
+ # CKV_K8S_14: ImageStream tag tracks the cluster version; no fixed tag by design
+ - CKV_K8S_14
 # CKV_K8S_43: Image digest; chart uses tag, digest is deployment-specific
 - CKV_K8S_43
 # CKV_SECRET_6: False positives - templates use placeholders, script refs to cluster secrets only
diff --git a/.trivyignore b/.trivyignore
index f012e06..a33ed9b 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,4 +1,4 @@
-# AVD-KSV-0125: registry.redhat.io trusted; S3 job uses ose-cli from Red Hat
+# AVD-KSV-0125: S3 job uses OpenShift built-in cli ImageStream (cluster-internal registry)
 AVD-KSV-0125
 # AVD-KSV-0113: S3 setup Role intentionally needs secret get/create/patch for quay config bundle
 AVD-KSV-0113
diff --git a/README.md b/README.md
index 7dc27d4..850bf2d 100644
--- a/README.md
+++ b/README.md
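Review bot: The added `- CKV_K8S_14` entry in .github/linters/.checkov.yaml disables the image-tag check for every resource this chart renders, not only the S3 credentials job, so a later template that ships an untagged image will pass the linter unnoticed. If the project's checkov run honours per-resource suppressions (the `checkov.io/skip<N>` annotation on the Job's metadata), that keeps the check live for the rest of the chart; otherwise extend the new comment so the intended scope is auditable, e.g. `# CKV_K8S_14: chart-wide skip; only templates/quay-s3-credentials-job.yaml is meant to use an untagged ImageStream reference`. The `skip-check` list continues outside the hunk.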
@@ -28,28 +28,28 @@ This chart is used to serve as the template for Validated Patterns Charts
 ## Values
-| Key | Type | Default | Description |
-| -------------------------------------------- | ------ | ----------------------------------------------------- | ----------- |
-| job.image | string | `"registry.redhat.io/openshift4/ose-cli-rhel9:v4.20"` | |
-| job.resources.limits.cpu | string | `"500m"` | |
-| job.resources.limits.memory | string | `"256Mi"` | |
-| job.resources.requests.cpu | string | `"50m"` | |
-| job.resources.requests.memory | string | `"128Mi"` | |
-| objectStorage.objectBucketClaim.bucketName | string | `"quay-datastore"` | |
-| objectStorage.objectBucketClaim.name | string | `"quay-bucket"` | |
-| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"` | |
-| quay.configBundleSecret.deploy | bool | `true` | |
-| quay.configBundleSecret.name | string | `"quay-init-config-bundle-secret"` | |
-| quay.namespace | string | `"quay-enterprise"` | |
-| quay.setup.admin.email | string | `"quayadmin@example.com"` | |
-| quay.setup.admin.name | string | `"quayadmin"` | |
-| quay.setup.user.email | string | `"developer1@myorg.com"` | |
-| quay.setup.user.name | string | `"developer1"` | |
-| quay.storage.clairpostgres.size | string | `"50Gi"` | |
-| quay.storage.postgres.size | string | `"50Gi"` | |
-| quay_config.org.email | string | `"devel@myorg.com"` | |
-| quay_config.org.name | string | `"devel"` | |
-| quay_config.repo | string | `"example"` | |
+| Key | Type | Default | Description |
+| -------------------------------------------- | ------ | ------------------------------------------------------------------ | ----------- |
+| job.image | string | `"image-registry.openshift-image-registry.svc:5000/openshift/cli"` | |
+| job.resources.limits.cpu | string | `"500m"` | |
+| job.resources.limits.memory | string | `"256Mi"` | |
+| job.resources.requests.cpu | string | `"50m"` | |
+| job.resources.requests.memory | string | `"128Mi"` | |
+| objectStorage.objectBucketClaim.bucketName | string | `"quay-datastore"` | |
+| objectStorage.objectBucketClaim.name | string | `"quay-bucket"` | |
+| objectStorage.objectBucketClaim.storageClass | string | `"openshift-storage.noobaa.io"` | |
+| quay.configBundleSecret.deploy | bool | `true` | |
+| quay.configBundleSecret.name | string | `"quay-init-config-bundle-secret"` | |
+| quay.namespace | string | `"quay-enterprise"` | |
+| quay.setup.admin.email | string | `"quayadmin@example.com"` | |
+| quay.setup.admin.name | string | `"quayadmin"` | |
+| quay.setup.user.email | string | `"developer1@myorg.com"` | |
+| quay.setup.user.name | string | `"developer1"` | |
+| quay.storage.clairpostgres.size | string | `"50Gi"` | |
+| quay.storage.postgres.size | string | `"50Gi"` | |
+| quay_config.org.email | string | `"devel@myorg.com"` | |
+| quay_config.org.name | string | `"devel"` | |
+| quay_config.repo | string | `"example"` | |
diff --git a/templates/quay-s3-credentials-job.yaml b/templates/quay-s3-credentials-job.yaml
index ed9e8c3..f1f8c75 100644
--- a/templates/quay-s3-credentials-job.yaml
+++ b/templates/quay-s3-credentials-job.yaml
@@ -18,7 +18,7 @@ spec:
 automountServiceAccountToken: true
 containers:
 - name: setup-s3-credentials
- image: {{ .Values.job.image | default "registry.redhat.io/openshift4/ose-cli-rhel9:v4.20" }}
+ image: {{ .Values.job.image | default "image-registry.openshift-image-registry.svc:5000/openshift/cli" }}
 imagePullPolicy: Always
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/values.yaml b/values.yaml
index 55dba17..c4419c6 100644
--- a/values.yaml
+++ b/values.yaml
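Review bot: The new default in templates/quay-s3-credentials-job.yaml carries neither a tag nor a digest, so the registry resolves it to the ImageStream's default tag and, together with the `imagePullPolicy: Always` two lines below, every run of this job executes whatever that tag points to at pull time, while the rendered manifest records nothing about which `cli` build handled the cluster's credentials. Tracking the cluster is the stated intent, but the untagged form reads like an omission next to the old pinned value; spelling the tag out, `image: {{ .Values.job.image | default "image-registry.openshift-image-registry.svc:5000/openshift/cli:latest" }}` (assuming `latest` is the tag the `openshift/cli` ImageStream publishes), makes the choice visible, and a README sentence on how to read the resolved digest from the ImageStream would give operators an audit trail. The pull also presumes the internal registry is enabled and the job's service account may pull from the `openshift` namespace; where either is missing the job fails at image pull before any chart logic runs, which the values.yaml comment mentions only for the registry case. The container list and the enclosing Job begin and end outside the hunk.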
@@ -17,8 +17,10 @@ quay:
 size: 50Gi # Default and minimum size is 50 Gi
 job:
- # Use a version tag; avoid :latest for production (CKV_K8S_14)
- image: registry.redhat.io/openshift4/ose-cli-rhel9:v4.20
+ # Uses OpenShift built-in cli ImageStream; auto-updates with the cluster
+ # Override with e.g. registry.redhat.io/openshift4/ose-cli-rhel9:v4.20
+ # if the internal image registry is not available
+ image: image-registry.openshift-image-registry.svc:5000/openshift/cli
 resources:
 requests:
 cpu: 50m
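Review bot: The replacement comment above `image:` drops the CKV_K8S_14 reference the old comment carried, so the chart-wide skip added to .github/linters/.checkov.yaml in this same commit no longer has a pointer back from the value it exists for; keep the cross-reference, e.g. `# Untagged by design (CKV_K8S_14 skipped in .github/linters/.checkov.yaml): follows the cluster's cli ImageStream`. The README's Description column for `job.image` is still empty; if that table is produced by helm-docs, a `# --` line directly above `image:` such as `# -- Image for the S3 credentials job; defaults to the cluster-internal cli ImageStream and should be set to a tagged ose-cli image when the internal registry is unavailable` would populate it. The `job` mapping continues outside the hunk.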