Merge branch 'develop' into main
clemlesne committed Apr 3, 2023
2 parents 422c8bf + 1b870d8 commit c04065e
Showing 3 changed files with 5 additions and 8 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -79,7 +79,7 @@ helm upgrade --install agent clemlesne-azure-pipelines-agent/azure-pipelines-age
| `extraVolumes` | Additional volumes for the agent pod. | `[]` |
| `fullnameOverride` | Overrides release fullname | `""` |
| `image.flavor` | Container image tag | `bullseye` |
| `image.pullPolicy` | Container image pull policy | `Always` if `image.tag` is `latest`, else `IfNotPresent` |
| `image.pullPolicy` | Container image pull policy | `IfNotPresent` |
| `image.repository` | Container image repository | `ghcr.io/clemlesne/azure-pipelines-agent:bullseye` |
| `image.version` | Container image tag | *Version* |
| `initContainers` | InitContainers for the agent pod. | `[]` |
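Review bot: the default column for `image.pullPolicy` is now consistent with values.yaml, but the neighbouring `image.repository` row in this same table still documents the default as `ghcr.io/clemlesne/azure-pipelines-agent:bullseye`, while values.yaml sets `repository: ghcr.io/clemlesne/azure-pipelines-agent` with the flavor carried separately in `image.flavor`; please align that row too. The removed line also referred to `image.tag`, which is not a key in this chart (`image.flavor` and `image.version` are), so the old conditional was documenting a key that did not exist; worth stating in the new row's description that, because the chart now sets the policy explicitly, Kubernetes' own "Always when the tag is `latest`" behaviour no longer applies and a user who wants a floating tag re-pulled must set `image.pullPolicy` to `Always` themselves.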
9 changes: 3 additions & 6 deletions SECURITY.md
Expand Up @@ -6,14 +6,11 @@ The Helm chart is signed with a GPG key. [The public key is available on Keybase

## Reliability notes

Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. To do this, by default, Kubernetes downloads the image at each pod deployment.
Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours.

Nevertheless:
Nevertheless it can happen that a package provider (e.g. Debian, Canonical, Red Hat) deploys a system update that introduces a bug. This is difficult to predict.

- These downloads may incur network costs.
- It can happen that a package provider (e.g. Debian, Canonical, Red Hat) deploys a system update that introduces a bug. This is difficult to predict.

So it is possible to change the `image.pullPolicy` property to `IfNotPresent`, but these updates will not be downloaded automatically. Each image is pushed with a unique tag, which corresponds to the date of the last update (example: `bullseye-20230313` for a build on March 13, 2023). It is therefore possible to fix the download of a version by modifying the `image.version` property to `20230313`.
Each image is pushed with a unique tag, which corresponds to the date of the last update (example: `bullseye-20230313` for a build on March 13, 2023). It is therefore possible to fix the download of a version by modifying the `image.version` property to `20230313`.

## Reporting a Vulnerability

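Review bot: the deleted sentence "So it is possible to change the `image.pullPolicy` property to `IfNotPresent`, but these updates will not be downloaded automatically" was the only place that told readers about the trade-off, and with `IfNotPresent` now the default the section silently contradicts itself: it still promises that flaws are "corrected on the build environments in 24 hours", yet a node that already holds the image will not fetch the rebuilt one. Suggest keeping a short sentence after the daily-build paragraph, along the lines of "With the default `IfNotPresent` pull policy, a rebuilt image is only used once `image.version` is changed (or the policy is set to `Always`)", so the reliability claim and the default configuration agree. Two small wording fixes in the added line while it is being touched: "built every days" should be "built every day", and "allows to verify" should be "allows verifying".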
2 changes: 1 addition & 1 deletion src/helm/azure-pipelines-agent/values.yaml
@@ -1,6 +1,6 @@
image:
repository: ghcr.io/clemlesne/azure-pipelines-agent
pullPolicy: Always
pullPolicy: IfNotPresent
flavor: bullseye
# Overrides the image tag whose default is the chart appVersion.
version: ""

0 comments on commit c04065e
