I’ve been noticing that the default behavior for an Istio deployment (via Helm at least) is to use the release-1.1-latest-daily tag for its container images across the k8s Deployment resources. These tags aren’t static / immutable, so one can end up in a situation where new code is deployed unintentionally, which makes debugging a little frustrating. This also goes against the principle of least surprise, in that releases aren’t immutable.
As a motivating example, when tracking down a panic in Pilot, I noticed that a different underlying container image had been pulled from the day before. Looking on GCR I see that a new image is built from master each day, and the release-1.1-latest-daily points to the latest, as the name would suggest.
I assume this is by design (the Helm charts are configurable via the values files), but I’m wondering if anyone has opinions or context on why this is the current state, or if this decision is documented somewhere (I couldn’t find anything from a quick search).
Best practice in the container world seems to be to not use tags like “latest” due to the issue I mentioned, as well as cases where images aren’t pulled in the case that imagePullPolicy is not Always.
I’m basing this off of my experience with Istio 1.1.2, but I see that this is still the case in 1.1.3 (the latest release).
If this is better suited to an issue on the GH project, happy to move it there!
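An added example, not part of the original post and not Istio project code: a small auditor for rendered manifests (for instance the output of `helm template`) that flags image references using moving tags and marks those whose effective imagePullPolicy is not Always. The registry name, digest, sample manifest, and the word list used to spot moving tags are assumptions made for illustration.

```python
import re

# Heuristic (assumption of this example): these words mark a moving tag.
MOVING = re.compile(r"(^|[-_.])(latest|daily|nightly)($|[-_.])")
IMAGE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s]+)")
POLICY = re.compile(r"^\s*(?:-\s*)?imagePullPolicy:\s*['\"]?(\w+)")

def split_ref(image):
    """Return (tag, digest); either may be None."""
    name, _, digest = image.partition("@")
    last = name.rsplit("/", 1)[-1]  # skip ':' in a registry host:port
    tag = last.split(":", 1)[1] if ":" in last else None
    return tag, digest or None

def audit(manifest):
    """Scan rendered YAML; assumes imagePullPolicy follows its image line."""
    results = []
    for line in manifest.splitlines():
        m = IMAGE.match(line)
        if m:
            tag, digest = split_ref(m.group(1))
            moving = not digest and (tag is None or bool(MOVING.search(tag)))
            kind = "digest" if digest else "moving" if moving else "fixed-tag"
            # Kubernetes default when imagePullPolicy is omitted
            policy = "Always" if not digest and tag in (None, "latest") else "IfNotPresent"
            results.append({"image": m.group(1), "kind": kind, "policy": policy})
        elif results and (m := POLICY.match(line)):
            results[-1]["policy"] = m.group(1)
    for r in results:
        # moving tag without Always: nodes may run different builds of one tag
        r["stale_risk"] = r["kind"] == "moving" and r["policy"] != "Always"
    return results

# Constructed sample manifest (registry name and digest are placeholders).
SAMPLE = """\
containers:
- name: discovery
  image: registry.example/istio/pilot:release-1.1-latest-daily
  imagePullPolicy: IfNotPresent
- name: proxy
  image: registry.example/istio/proxyv2:1.1.3
- name: pinned
  image: registry.example/istio/pilot@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
- name: tool
  image: localhost:5000/tools/debug
"""

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r["kind"], r["policy"], r["stale_risk"], r["image"])
```

A "moving" result with policy Always is the case where a pod restart can silently pick up a new build; "moving" with any other policy is the case where nodes can hold different cached builds under the same tag.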