chore(deps): digest-pin pause and keep vendored KubeVirt/CDI bumps human-reviewed#2018
Merged
…man-reviewed

The overprovisioning pause container was the only raw, non-vendored pod image in the repo without a digest pin; Renovate's kubernetes manager already maintains tag+digest pairs for the others (e.g. traefik in #1987). KubeVirt/CDI ship as vendored upstream operator manifests, but Renovate only sees the image: lines inside them — an automerged image-only bump would silently skew the operator against the CRDs/RBAC vendored next to it, and the system test would still pass bring-up. Keep the PR as the new-release signal but require a maintainer to re-vendor the full manifest before merging.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
semantic-release bot (Contributor):
🎉 This PR is included in version 1.50.3 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
What
Two update-automation hygiene fixes from a best-practice audit:
1. Digest-pin the overprovisioning pause image

registry.k8s.io/pause:3.10 in k8s/providers/hetzner/infrastructure-overprovisioning/replicaset.yaml was the only raw, non-vendored pod image in the repo without a digest pin — every sibling raw manifest (openbao snapshot jobs, coroot pricing/heartbeat curl, velero heartbeat, docker-provider traefik/minio/registry) pins tag@sha256, and Renovate's kubernetes manager maintains those pairs (e.g. the traefik digest bump in #1987). Pinned to the upstream manifest-list digest sha256:ee6521f2… (verified against registry.k8s.io).

2. Renovate: no automerge for quay.io/kubevirt/**

KubeVirt and CDI ship as vendored upstream operator manifests (kubevirt-operator.yaml, cdi-operator.yaml — thousands of lines of CRDs + RBAC + operator Deployment vendored as one unit). Renovate's kubernetes manager only sees the image: lines inside them, so a bump rewrites the operator image alone and silently skews it against the CRDs/RBAC vendored next to it. With the repo's major/minor/patch automerge defaults, that skew would land unseen — the system test still passes bring-up because operators tolerate startup skew. The new packageRule (placed last, so it overrides the automerge defaults) keeps the update PR as the new-release signal but requires a maintainer to re-vendor the full release manifest before merging — same pattern as the existing velero-plugin-for-aws and Talos rules.

Validation

- ksail workload validate — ✅ 318 files green
- ksail --config ksail.prod.yaml workload validate — ✅ providers/hetzner/infrastructure-overprovisioning validated; only failure is the pre-existing datreeio coroot schema gap (Update coroot.com/coroot_v1 schema from coroot-operator 0.9.7 datreeio/CRDs-catalog#896, unrelated)
- kubectl kustomize k8s/clusters/local/ and k8s/clusters/prod/ — ✅ both build
- jq . .github/renovate.json — ✅ valid JSON
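The digest-pin invariant the description relies on, as an added example that is not part of this PR or the repo's own tooling: a small Python lint that flags image references in raw manifests lacking an @sha256 digest while skipping vendored operator bundles. The "/vendored/" path marker, the sample manifests and their digests are constructed assumptions, not values from the repo.

```python
import re
from typing import Dict, List

# Bare `image:` lines in a Kubernetes manifest (quoted or unquoted value).
# Deliberately a line-oriented regex rather than a YAML parser: this mirrors
# what Renovate's kubernetes manager keys on inside a vendored bundle.
IMAGE_RE = re.compile(r'^\s*-?\s*image:\s*["\']?([^\s"\']+)["\']?\s*$', re.MULTILINE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Assumption: vendored upstream operator bundles live under a "vendored" path
# segment; they are re-vendored whole, not pinned line by line, so skip them.
VENDORED_MARKER = "/vendored/"


def unpinned_images(manifests: Dict[str, str]) -> List[str]:
    """Return '<path>: <image ref>' for each non-vendored image reference
    that carries no sha256 digest, sorted by path for stable output."""
    findings: List[str] = []
    for path, text in sorted(manifests.items()):
        if VENDORED_MARKER in path:
            continue
        for match in IMAGE_RE.finditer(text):
            ref = match.group(1)
            if not DIGEST_RE.search(ref):
                findings.append(f"{path}: {ref}")
    return findings


# Constructed sample manifests (digests are placeholders, not real values).
SAMPLE_MANIFESTS: Dict[str, str] = {
    "k8s/providers/hetzner/infrastructure-overprovisioning/replicaset.yaml": (
        "spec:\n  template:\n    spec:\n      containers:\n"
        "        - name: pause\n          image: registry.k8s.io/pause:3.10\n"
    ),
    "k8s/providers/docker/traefik/deployment.yaml": (
        "containers:\n  - name: traefik\n"
        "    image: docker.io/traefik:v3.0@sha256:" + "ab" * 32 + "\n"
    ),
    "k8s/vendored/kubevirt-operator.yaml": (
        "containers:\n  - name: virt-operator\n"
        "    image: quay.io/kubevirt/virt-operator:v1.0.0\n"
    ),
}

if __name__ == "__main__":
    for line in unpinned_images(SAMPLE_MANIFESTS):
        print("unpinned:", line)
```

Run against the sample set it reports only the pause image; the vendored KubeVirt operator is skipped by path, which is the same boundary the Renovate packageRule draws.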