Allow pinning for quay.io/operatorhubio/catalog
Opened this issue · 0 comments
Feature Request
Is your feature request related to a problem? Please describe.
I'm a maintainer of minikube, which currently has an OLM addon that leverages the yaml files in the deploy directory. Currently one of the images in olm.yaml is unpinned, just being referred to as quay.io/operatorhubio/catalog:latest. We've attempted to pin to specific versions (see https://github.com/kubernetes/minikube/blob/master/deploy/addons/olm/olm.yaml.tmpl#L357 and https://github.com/kubernetes/minikube/blob/master/pkg/minikube/assets/addons.go#L315), but have had hashes pulled out from underneath us a couple of times now.
We can't continue to use latest as a tag as that poses a security risk, but can't trust that specific images will continue to exist long term as well. Currently, our only option will be to disable or deprecate the OLM addon in the next minikube version.
Describe the solution you'd like
A way to safely pin to a version of the quay.io/operatorhubio/catalog image.
Additionally, if anyone on OLM's side wants to take ownership of the addon, we can attribute ownership properly in minikube addons list, otherwise it'll be listed as a generic third party addon.