potiuk opened a new pull request, #66423: URL: https://github.com/apache/airflow/pull/66423
## Summary The scheduled K8s system-test job intermittently fails because multiple test pods pull `alpine:latest` (xcom sidecar default), `busybox:latest`, and `ubuntu:latest` from Docker Hub anonymously and trip the 100-pulls-per-6h limit. Without a tag, kubelet defaults `imagePullPolicy` to `Always`, so even nodes with the image cached re-pull every run. Recent example: https://github.com/apache/airflow/actions/runs/25365187430/job/74380551079 ## What changed 1. **Production default** — `xcom_sidecar.PodDefaults.SIDECAR_CONTAINER` now uses `alpine:3.23` via a new `XCOM_SIDECAR_IMAGE` constant. Tagged → kubelet defaults to `imagePullPolicy: IfNotPresent`. Documented in the cncf-kubernetes provider changelog. 2. **Test pin** — every bare `image="ubuntu"` / `"busybox"` / `"alpine"` in `kubernetes-tests/` and in `providers/cncf/kubernetes/tests/...` is pinned (`ubuntu:24.04`, `busybox:1.37`, `alpine:3.23`). 3. **Pre-load into kind** — new `_preload_test_images_to_kind()` in `breeze k8s`, called from `_run_complete_tests` after `_upload_k8s_image`. Pulls each image on the runner with exponential-backoff retries on Docker Hub 429s, then `kind load docker-image` puts it on every node. 4. **Auto-tracker** — `scripts/ci/prek/upgrade_important_versions.py` gains `UPGRADE_ALPINE` / `UPGRADE_BUSYBOX` flags, regex patterns for `alpine:` / `busybox:` / chart `ALPINE_VERSION` ARGs, plus the relevant call-sites added to `FILES_TO_UPDATE`. The next "Upgrade important CI environment" run keeps these pins fresh. Ubuntu is intentionally manual (interim releases beat LTS in semver-sort). Drive-by: `# type: ignore[no-redef]` on the `tomli as tomllib` fallback in `dev/registry/extract_{metadata,versions}.py` so `mypy-dev` passes on edits to anything under `dev/`. The same fix is in PR #66314 — whichever lands first, the other becomes a no-op rebase. ## Test plan - [ ] Unit: `uv --project providers/cncf/kubernetes run pytest providers/cncf/kubernetes/tests/unit/cncf/kubernetes/operators/test_pod.py -k xcom_sidecar_container_image_default -xvs` — passes locally. - [ ] CI: K8s scheduled job (the one currently flaking) passes once this lands. - [ ] CI: provider unit tests still green. - [ ] Manual: `prek run --files <changed files>` — clean. --- ##### Was generative AI tooling used to co-author this PR? - [X] Yes — Claude Code (Opus 4.7) Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
