Handling FIPS image upgrades
buddwm opened this issue
When upgrading from the `cockroachdb/cockroach:v22.2.17-fips` image to the `cockroachdb/cockroach:v22.2.19-fips` image using the k8s operator, we noticed that the operator will first upgrade each statefulset pod to the base image (in this case `cockroachdb/cockroach:v22.2.19`), and then once that upgrade completes, the operator will then do a 2nd upgrade to each statefulset pod to the `-fips` image. Is this intended behavior? If not intended, is there a different procedure we should follow when upgrading the fips image?
The concern around the 2-stage process is that for a small period of time, between moving to the base image and moving back to the fips image, we're not enforcing FIPS mode. Thanks for any info.