cockroachdb / cockroach-operator

k8s operator for CRDB

Handling FIPS image upgrades

buddwm opened this issue

When upgrading from the cockroachdb/cockroach:v22.2.17-fips image to the cockroachdb/cockroach:v22.2.19-fips image using the k8s operator, we noticed that the operator will first upgrade each statefulset pod to the base image (in this case cockroachdb/cockroach:v22.2.19), and then once that upgrade completes, the operator will then do a 2nd upgrade to each statefulset pod to the -fips image. Is this intended behavior? If not intended, is there a different procedure we should follow when upgrading the fips image?

The concern around the 2-stage process is that for a small period of time, between moving to the base image and moving back to the fips image, we're not enforcing FIPS mode. Thanks for any info.
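One way to measure the gap described in this issue, as an added example that is not part of the original post or the operator's code: given polled (timestamp, pod, image) observations, it reports how long each pod ran an image whose tag lacks `-fips`. The pod names, timestamps and the polling source are constructed assumptions, and the check looks only at the image tag.

```python
from datetime import datetime

# Constructed sample: (timestamp, pod, image) rows, as could be collected by
# polling each pod's container image field during the two-stage rollout.
REPO = "cockroachdb/cockroach"
SAMPLE = [
    ("2024-01-10T12:00:00", "crdb-0", REPO + ":v22.2.17-fips"),
    ("2024-01-10T12:00:00", "crdb-1", REPO + ":v22.2.17-fips"),
    ("2024-01-10T12:05:00", "crdb-0", REPO + ":v22.2.17-fips"),
    ("2024-01-10T12:05:00", "crdb-1", REPO + ":v22.2.19"),
    ("2024-01-10T12:10:00", "crdb-0", REPO + ":v22.2.19"),
    ("2024-01-10T12:10:00", "crdb-1", REPO + ":v22.2.19"),
    ("2024-01-10T12:20:00", "crdb-0", REPO + ":v22.2.19"),
    ("2024-01-10T12:20:00", "crdb-1", REPO + ":v22.2.19-fips"),
    ("2024-01-10T12:25:00", "crdb-0", REPO + ":v22.2.19-fips"),
]

def image_tag(image):
    """Return the tag of an image reference, or None if it has no tag."""
    ref = image.split("@", 1)[0]      # drop any @sha256:... digest
    last = ref.rsplit("/", 1)[-1]     # a ':' before the last '/' is a registry port
    return last.split(":", 1)[1] if ":" in last else None

def is_fips(image):
    """Tag-based check only: an untagged image is treated as non-FIPS."""
    tag = image_tag(image)
    return tag is not None and tag.endswith("-fips")

def non_fips_windows(observations):
    """Return {pod: [(start, end, image), ...]} for spans on a non-FIPS tag.
    end is None when the pod was still non-FIPS at the last observation."""
    windows, open_since = {}, {}
    for ts, pod, image in sorted(observations):
        t = datetime.fromisoformat(ts)
        if not is_fips(image):
            open_since.setdefault(pod, (t, image))   # keep the first sighting
        elif pod in open_since:
            start, img = open_since.pop(pod)
            windows.setdefault(pod, []).append((start, t, img))
    for pod, (start, img) in open_since.items():
        windows.setdefault(pod, []).append((start, None, img))
    return windows

if __name__ == "__main__":
    for pod, spans in sorted(non_fips_windows(SAMPLE).items()):
        for start, end, img in spans:
            length = (end - start) if end else "still non-FIPS"
            print(pod, img, start.isoformat(), length)
```

The reported window is bounded by the polling interval, so the true exposure can be up to one interval longer on each side.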