On 2022-06-17 22:56, Kevin Fenzi wrote:
We have a few apps that rebuild/deploy on git changes, which is fine,
but doesn't do anything to keep their container env up to date/secure.
We have a number of apps that tigger on imagestream changes, but as far
as I can tell thats only changes in their image ('bodhi-base') not the
base image that it was built from ('fedora:36'). I'd like to see us
track base images and build/deploy when one changes. If we do that then
:latest might be ok to use, since we know automation took care of
updating it for us.
There's a number of applications using ubi (rhel's base image), which I
think might be worth recommending, especially if we start build/deploy
on base image changes. Likely Fedora base images will change more
quickly.
We should use imagestream for base image too.
One good way to achieve that is to have all these commonly used
imagestreams
available in a shared namespace (just like the openshift namespace for
images catalog).
We can configure them to automatically track remote images (ubi, fedora,
...),
then it's really easy for developers to just add the required trigger to
their buildconfig to keep their own images up-to-date.
IMHO using :latest is fine but require proper monitoring. Currently,
if a build fail, the application owner is not notified, and will most
likely never fix it.
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
