Details
Description
Your DM app is setup to point at an imagestream with a specific image / imageTag (7.11.1 for example) from an internal registry.
When the app is created / deployed, the DM operator automatically creates the imagestream / imagestreamtag objects referencing the rhdm-kieserver-rhel8 image from the registry.
At this point, the app comes up and there are no issues.
A new release of the rhdm-kieserver-rhel8 image came out to address various CVEs and the image for the 7.11.1 tag is updated.
For now, the app is still running fine. When the app next restarts, both the app and the imagestream(tag) still point to old 7.11.1 image, but the imagestreamtag still points to the SHA of the old 7.11.1 and that image was overwritten by the newly updated 7.11.1 image with the CVE fixes.
At this point, the app pod fails to start with 'Failed to pull image "registry.com/rhdm-7/rhdm-kieserver-rhel8@sha256:8c420dec1205084ca101f2a52a54781d39cf0d6a23ae52a2b465b9aaa7bfa25e": rpc error: code = Unknown desc = Error reading manifest sha256:8c420dec1205084ca101f2a52a54781d39cf0d6a23ae52a2b465b9aaa7bfa25e in registry.com/rhdm-7/rhdm-kieserver-rhel8: manifest unknown: manifest unknown.' because that image sha no longer exists.
This is typically handled by enabling the scheduled true importPolicy on the imagestream which will keep the imagestream up to date with the upstream registry.
importPolicy:
scheduled: true
Once the IS is created by the operator, customer could, if they knew how to do so, add this manually, but it should be a default or at least a configurable option with the operator.
Attachments
Issue Links
- is documented by
-
BXMSDOC-8463 Document ImageStreams and importPolicy
-
- Resolved
-
