Lock default OCI images
Thanks for maintaining this Helm release!
As an oauth2-proxy user, in order to avoid a bump to sso-proxy automatically deploying to my production system, and in order to ensure that OCI image bumps are compatible with Helm chart versions, I need the default OCI images to be specified in the values.yaml.
Currently no tag is specified, resulting in latest being used, AFAIK: https://github.com/oauth2-proxy/manifests/blob/a457c15910e88559b991618ff6ed0008a844c5d5/helm/oauth2-proxy/values.yaml#L77-L82
https://github.com/oauth2-proxy/manifests/pull/353#issuecomment-3304122835
> This will introduce an additional place to maintain the version which is already specified and updated in the Chart.yaml
Thanks for reviewing this suggestion and PR
Any suggestion on how to achieve the goal of locking the default image version while preserving Helm chart best practices? Bitnami seems to be handling it through annotations in the Chart.yaml, see https://github.com/bitnami/charts/blob/f25c8f4fbabdf66fa9094311cb94304a16fb698d/bitnami/oauth2-proxy/Chart.yaml#L4-L11
> This will introduce an additional place to maintain the version which is already specified and updated in the Chart.yaml
Renovate can be configured to update the Chart.yaml in the same PR using the regexp manager, see https://docs.renovatebot.com/modules/manager/regex/
See sample usage at https://github.com/idoshalev058/k3sinfra/blame/7210a727186957f80f22c1f90d83c217968506bf/woodpecker/helm-main/renovate.json#L13-L22 and https://github.com/idoshalev058/k3sinfra/blob/7210a727186957f80f22c1f90d83c217968506bf/woodpecker/helm-main/charts/woodpecker/charts/agent/Chart.yaml#L6-L7
Why aren't you just setting the tag / version you want in your deployment values.yaml?
Am I misunderstanding the problem?
@gberche-orange, could you please provide feedback?
@tuunit and @pierluigilenoci sorry for my late response.
The rationale for suggesting that out of the box the helm chart has a locked down version of the OCI image is to
- protect users from supply chain attacks that oauth-proxy might be subject to (see the recent Shai-Hulud 2 at https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ ), by avoiding the latest version by default (aka sensible production defaults)
- encourage users to regularly bump both the chart and the image as a consistent whole (aka preserve the chart encapsulation), following semver semantics, and documenting new features/breaking changes in the release notes/changelog
- protect users against bumping the tag/version of the OCI image to a version tested in https://github.com/oauth2-proxy/manifests/blob/main/.github/workflows/lint-test.yaml#L22-L47 but incompatible with their current chart version
> protect users from supply chain attacks that oauth-proxy might be subject to (see the recent Shai-Hulud 2 at https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/ ), by avoiding the latest version by default (aka sensible production defaults)
We do use a fixed version and never latest. If the tag is empty, as it is by default, the appVersion from the Chart.yaml is used. Yes, it isn't a digest but a fixed tag.
> encourage users to regularly bump both the chart and the image as a consistent whole (aka preserve the chart encapsulation), following semver semantics, and documenting new features/breaking changes in the release notes/changelog
If you bump the chart, you automatically bump the appVersion unless you use a fixed tag in your own values.
I don't see the problem, we don't use the latest tag. We always bundle the helm chart and the appVersion as one unit and enforce Chart and appVersion updates in the CI. From what I can gather we already do as you suggest.
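To make the fallback described in the comment above concrete, here is an illustrative Helm fragment. It is added here as an example and is not the oauth2-proxy chart's own template, helper or values file; the `image.repository`, `image.tag` and `image.digest` keys, the `quay.io/oauth2-proxy/oauth2-proxy` repository and the `sha256:...` placeholder are assumptions for the illustration. It resolves an empty `tag` to `.Chart.AppVersion` (so a chart bump moves the image with it) and, going one step beyond the thread, lets a user pin by digest in their own overlay, which is what actually protects against a retagged image:

```yaml
# values.yaml (chart defaults, illustrative; not the project's file)
image:
  repository: quay.io/oauth2-proxy/oauth2-proxy   # assumed repository
  tag: ""      # empty -> resolved to .Chart.AppVersion at render time
  digest: ""   # non-empty -> image is pinned by content, tag is ignored

# templates/deployment.yaml (illustrative fragment, not the project's template)
#
# Sprig's `default` treats "" as unset, so an empty tag falls through to
# appVersion; a tag set in the user's values wins over appVersion.
containers:
  - name: oauth2-proxy
    {{- if .Values.image.digest }}
    image: "{{ .Values.image.repository }}@{{ .Values.image.digest }}"
    {{- else }}
    image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
    {{- end }}

# values.prod.yaml (user overlay, illustrative)
#
# Pin by digest: even if the tag in the registry is moved, the pod can only
# start the exact manifest this digest names. The value below is a placeholder
# (assumption); take the real digest from your registry for the tag you tested.
image:
  digest: "sha256:0000000000000000000000000000000000000000000000000000000000000000"
```

Render with `helm template <release> <chart-dir> -f values.prod.yaml | grep 'image:'` and check that the output is the `repository@sha256:...` form; with no overlay it should be `repository:<appVersion>` and never `:latest`.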
Thanks for the clarification and your patience. My apologies for my misunderstanding and the associated noise and wasted effort. I should have double-checked the comment and implementation instead of jumping to the conclusion that latest would be used and opening this issue and https://github.com/oauth2-proxy/manifests/pull/353 .
https://github.com/oauth2-proxy/manifests/blob/ef5126e1052264106d58fce4c35e6ee0ff6fd67e/helm/oauth2-proxy/values.yaml#L77-L81
https://github.com/oauth2-proxy/manifests/blob/ef5126e1052264106d58fce4c35e6ee0ff6fd67e/helm/oauth2-proxy/templates/deployment.yaml#L109-L112
https://github.com/oauth2-proxy/manifests/blob/ef5126e1052264106d58fce4c35e6ee0ff6fd67e/helm/oauth2-proxy/templates/_helpers.tpl#L116-L121