Skip to content

Podman and Kubernetes drivers default supervisor image to :latest instead of pinning to gateway version #2068

Description

@benoitf

Agent Diagnostic

  • Explored codebase to investigate DEFAULT_SUPERVISOR_IMAGE usage
  • Found DEFAULT_SUPERVISOR_IMAGE at crates/openshell-core/src/config.rs:41 hardcodes :latest
  • Found Docker driver (crates/openshell-driver-docker/src/lib.rs:85-128) already implements proper version pinning via CARGO_PKG_VERSION and OPENSHELL_IMAGE_TAG env var
  • Confirmed Podman driver (crates/openshell-driver-podman/src/config.rs:258) and Kubernetes driver (crates/openshell-driver-kubernetes/src/config.rs:236, main.rs:117) fall back to the :latest default
  • Helm chart (deploy/helm/openshell/templates/_helpers.tpl:86) correctly uses appVersion — not affected
  • Verified openshell_core::VERSION (from CARGO_PKG_VERSION / OPENSHELL_GIT_VERSION) is available for pinning
  • Investigated reported crash symptoms from Gateway should pin supervisor image to its own version instead of :latest #2067 — they appear environmental (SSRF hardening, namespace cleanup), not caused by version mismatch

Description

DEFAULT_SUPERVISOR_IMAGE in crates/openshell-core/src/config.rs uses :latest. The Docker driver already solved this by resolving the tag from CARGO_PKG_VERSION at compile time, but the Podman and Kubernetes drivers still fall back to the core :latest default. This means the supervisor image tag is mutable and can silently drift from the gateway version when the registry is updated, creating an untested version combination.

Replaces #2067 (filed without template).

Reproduction Steps

  1. Deploy a gateway at a specific version (e.g., v0.0.72) using the Podman or Kubernetes driver without explicitly setting supervisor_image
  2. Wait for a new version to be published to the registry (updating the :latest tag)
  3. Create a new sandbox — it will pull the newer supervisor image while the gateway remains at the older version

Environment

  • Affects all platforms using Podman or Kubernetes drivers without explicit supervisor_image config
  • Docker driver and Helm-deployed gateways are not affected (already pin versions)

Agent-First Checklist

  • I pointed my agent at the repo and had it investigate this issue
  • I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
  • My agent could not resolve this — the diagnostic above explains why

Metadata

Metadata

Assignees

No one assigned

    Labels

    state:triage-neededOpened without agent diagnostics and needs triage

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions