@trispera trispera commented Jan 5, 2026

...to pull the latest mongo:noble version (v8.2.3) and fix cve-2025-14847

IMPORTANT: Please create an issue before filing a pull request! Changes need to be discussed before proceeding. Please read the contribution guidelines.

Details

Please provide enough information so that others can review your pull request. Give a brief summary of the motivation. Refer to the corresponding issue/s with #XXXX for more information.

Testing

Write the appropriate unit and integration tests, if applicable. Make sure these and all other tests pass.

Documentation

Please document your changes and test cases in the appropriate places, if applicable.

Style

Make sure your changes adhere to the coding/documentation style used throughout the project.

Closing issues

If your changes fix any issue/s, put closes #XXXX in your comment to auto-close it/them.

Credit

Add your credentials to the list of contributors once your pull request was merged.

Summary by Sourcery

Bump the Helm chart and application version and adjust MongoDB deployment configuration to always pull the specified image.

Enhancements:

  • Increase the Helm chart and application version from 2.0.0 to 2.0.1.
  • Update the MongoDB deployment to use an Always imagePullPolicy for its container image.


sourcery-ai bot commented Jan 5, 2026


Reviewer's Guide

This PR bumps the Helm chart/app version and changes the MongoDB Deployment to always pull the configured image so that Kubernetes fetches the latest mongo:noble version with CVE fixes on every pod start.

Sequence diagram for MongoDB pod start with imagePullPolicy Always

```mermaid
sequenceDiagram
  actor Dev
  participant Helm as Helm_chart_protes_2_0_1
  participant KAPI as Kubernetes_APIServer
  participant Kubelet as Node_Kubelet
  participant CR as Container_Registry
  participant Pod as MongoDB_Pod

  Dev->>Helm: helm upgrade --install protes
  Helm->>KAPI: Apply MongoDB Deployment (imagePullPolicy Always)
  KAPI->>Kubelet: Schedule MongoDB Pod
  Kubelet->>CR: Pull mongo_noble_latest image (Always)
  CR-->>Kubelet: Image layers
  Kubelet->>Pod: Create container from latest image
  Pod-->>Dev: MongoDB ready with latest patched image
```

File-Level Changes

| Change | Details | Files |
| --- | --- | --- |
| Update Helm chart metadata to reflect a new patch release for the application. | • Increment chart version from 2.0.0 to 2.0.1.<br>• Increment appVersion from 2.0.0 to 2.0.1 to align with the new release. | deployment/Chart.yaml |
| Ensure MongoDB pods always pull the latest configured MongoDB container image on deployment or restart. | • Change the MongoDB container imagePullPolicy from IfNotPresent to Always so that updated mongo:noble images (e.g., with CVE fixes) are pulled even if an image with the same tag exists on the node. | deployment/templates/mongodb/mongodb-deployment.yaml |


@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • Hardcoding imagePullPolicy: Always in the deployment could introduce unnecessary image pulls in production; consider making the pull policy configurable via values.yaml and defaulting it appropriately.
  • To reliably address CVE-2025-14847, it may be safer to pin the MongoDB image to an explicit version or digest rather than relying on latest-like behavior, so that upgrades are controlled and reproducible.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Hardcoding `imagePullPolicy: Always` in the deployment could introduce unnecessary image pulls in production; consider making the pull policy configurable via `values.yaml` and defaulting it appropriately.
- To reliably address CVE-2025-14847, it may be safer to pin the MongoDB image to an explicit version or digest rather than relying on `latest`-like behavior, so that upgrades are controlled and reproducible.

## Individual Comments

### Comment 1
<location> `deployment/templates/mongodb/mongodb-deployment.yaml:45` </location>
<code_context>
                 name: {{ .Values.mongodb.appName }}
           image: {{ .Values.mongodb.image }}
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: Always
           livenessProbe:
             failureThreshold: 3
</code_context>

<issue_to_address>
**suggestion:** Consider making the MongoDB imagePullPolicy configurable via values.yaml rather than hard-coding `Always`.

Hard-coding `imagePullPolicy: Always` can cause issues in production (e.g., private registries, rate limits, or clusters without external registry access). Exposing this as something like `.Values.mongodb.imagePullPolicy` with a sane default would keep flexibility while still allowing `Always` where required.

Suggested implementation:

```
          image: {{ .Values.mongodb.image }}
          imagePullPolicy: {{ .Values.mongodb.imagePullPolicy | default "IfNotPresent" }}

```

1. In `values.yaml`, add a configurable value with a sane default, for example:
   ```yaml
   mongodb:
     imagePullPolicy: IfNotPresent
   ```
2. If there is documentation for chart values (e.g., README or values reference), document `mongodb.imagePullPolicy` as an optional override, mentioning that it defaults to `IfNotPresent` but can be set to `Always` when needed.
</issue_to_address>


name: {{ .Values.mongodb.appName }}
image: {{ .Values.mongodb.image }}
imagePullPolicy: IfNotPresent
imagePullPolicy: Always
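
Review bot: On the `imagePullPolicy: Always` line, nothing records the version that carries the fix: the image still comes from `{{ .Values.mongodb.image }}`, so each pod start pulls whatever that tag points to at that moment, and replicas started at different times can run different builds. If the goal is the v8.2.3 fix named in the PR description, set the image value to an explicit version tag or a digest so the patched version is visible in the chart and the rollout is reproducible, and expose the pull policy as a value instead of changing the hard-coded one.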
suggestion: Consider making the MongoDB imagePullPolicy configurable via values.yaml rather than hard-coding Always.

Hard-coding imagePullPolicy: Always can cause issues in production (e.g., private registries, rate limits, or clusters without external registry access). Exposing this as something like .Values.mongodb.imagePullPolicy with a sane default would keep flexibility while still allowing Always where required.

Suggested implementation:

```
          image: {{ .Values.mongodb.image }}
          imagePullPolicy: {{ .Values.mongodb.imagePullPolicy | default "IfNotPresent" }}
```

  1. In values.yaml, add a configurable value with a sane default, for example:
     ```yaml
     mongodb:
       imagePullPolicy: IfNotPresent
     ```
  2. If there is documentation for chart values (e.g., README or values reference), document mongodb.imagePullPolicy as an optional override, mentioning that it defaults to IfNotPresent but can be set to Always when needed.
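
The trade-off raised in this review (a moving tag such as `mongo:noble` combined with a pull policy, versus a pinned version or digest), as an added example that is not part of the PR or of Sourcery's output. The function names, verdict labels and sample image references are assumptions made for illustration, and the version-tag test is a heuristic.

```python
import re

# Constructed placeholder digest for the samples; not a real image digest.
SAMPLE_DIGEST = "sha256:" + "0" * 64


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A colon separates a tag only when it follows the last slash;
    # otherwise it belongs to a registry port such as localhost:5000.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        name, tag = name[:colon], name[colon + 1:]
    else:
        tag = None
    return name, tag, digest or None


def assess(ref, pull_policy):
    """Return (verdict, reason) for one container's image and imagePullPolicy."""
    _, tag, digest = parse_image_ref(ref)
    if digest:
        if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
            return "invalid", "malformed digest"
        return "pinned", "digest fixes the exact image content"
    if tag is None or tag == "latest":
        return "floating", "no tag or 'latest': content changes without a chart change"
    if re.search(r"\d+\.\d+\.\d+", tag):
        # Heuristic: a patch-level tag can still be re-pushed upstream,
        # but the chart at least records which version was intended.
        return "versioned", "patch-level tag recorded in the chart"
    if pull_policy == "Always":
        return "floating", "moving tag re-resolved on every pod start"
    return "stale-risk", "moving tag cached per node; nodes may keep an old build"


if __name__ == "__main__":
    # Constructed samples covering the cases discussed in the review.
    samples = [("mongo:noble", "IfNotPresent"), ("mongo:noble", "Always"),
               ("mongo:8.2.3-noble", "IfNotPresent"),
               ("mongo@" + SAMPLE_DIGEST, "IfNotPresent")]
    for ref, policy in samples:
        print(ref, policy, assess(ref, policy))
```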
