Update Spark Operator image references to version v2.4.0-odh-3.4.0-GA#87

Merged
alimaredia merged 1 commit into opendatahub-io:main from shruthis4:updateParams
Apr 3, 2026

Conversation

@shruthis4

@shruthis4 shruthis4 commented Apr 3, 2026

Update Spark Operator image references to version v2.4.0-odh-3.4.0-GA in params.env files across default, odh, and rhoai overlays.

Purpose of this PR

Proposed changes:

  • <Change 1>
  • <Change 2>
  • <Change 3>

Change Category

  • Bugfix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that could affect existing functionality)
  • Documentation update

Rationale

Checklist

  • I have conducted a self-review of my own code.
  • I have updated documentation accordingly.
  • I have added tests that prove my changes are effective or that my feature works.
  • Existing unit tests pass locally with my changes.

Additional Notes

Summary by CodeRabbit

  • Chores
    • Updated Spark Operator image version to v2.4.0-odh-3.4.0-GA across all deployment configurations.

… in params.env files across default, odh, and rhoai overlays.
@shruthis4 shruthis4 requested a review from a team as a code owner April 3, 2026 19:18
@coderabbitai

coderabbitai bot commented Apr 3, 2026

📝 Walkthrough

Three configuration files (config/default/params.env, config/overlays/odh/params.env, config/overlays/rhoai/params.env) are updated with identical changes to Spark Operator image tags. RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE, SPARK_OPERATOR_CONTROLLER_IMAGE, and SPARK_OPERATOR_WEBHOOK_IMAGE are all updated from quay.io/opendatahub/spark-operator:v2.4.0 to quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA. Total of 9 lines changed across all three files with consistent, repetitive edits.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks: ✅ 2 passed
  • Description check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: updating Spark Operator image references across configuration files to version v2.4.0-odh-3.4.0-GA.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/default/params.env`:
- Line 5: The RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE entry uses a mutable tag;
replace it with a digest-pinned reference to prevent silent image substitution:
obtain the canonical image digest for
quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA (e.g., quay query or
registry API) and set RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE to the
image@sha256:<digest> form; update any deployment manifests or CI that derive
this env var to use the same digest-pinned value and document the source of the
digest for future updates.

In `@config/overlays/odh/params.env`:
- Line 5: The RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE environment variable
currently uses a mutable tag; update the value to a fully-pinned OCI reference
using the image digest (format
quay.io/opendatahub/spark-operator@sha256:<digest>) instead of
:v2.4.0-odh-3.4.0-GA, obtaining the correct sha256 from the registry (or CI
image promotion metadata) and replace the tagged reference; apply the same
digest-pinning change to the other related variables mentioned (the entries
around the same block) so no overlay relies on mutable tags.

In `@config/overlays/rhoai/params.env`:
- Line 6: The env var RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE is using a mutable
tag (quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA) which allows image
substitution; replace it with a digest-pinned reference
(quay.io/opendatahub/spark-operator@sha256:...) to enforce immutability, i.e.,
obtain the verified image SHA256 digest for the exact tag and update
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE to that digest-pinned value so
deployments use the exact reviewed image.

📥 Commits

Reviewing files that changed from the base of the PR and between 4277b5b and 95371cb.

📒 Files selected for processing (3)
  • config/default/params.env
  • config/overlays/odh/params.env
  • config/overlays/rhoai/params.env


# Spark Operator image
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
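Review bot: the new value on the `RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE` line is still a mutable tag (`:v2.4.0-odh-3.4.0-GA`), so this bump changes which tag is pulled but not what protects the deployment from a later retag of that tag; if pinning by digest is out of scope for this PR, record the digest the tag resolved to at review time next to the `# Spark Operator image` comment so a retag can be detected at the next bump.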

⚠️ Potential issue | 🟠 Major

Pin Spark Operator images by digest, not mutable tags (CWE-494).

Using tag-only references allows image substitution without config changes if the tag is retargeted upstream. Exploit scenario: a compromised registry/project retags v2.4.0-odh-3.4.0-GA, and cluster pulls an unexpected image.

Remediation (digest pinning)
-RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
+RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>
...
-SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
-SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
+SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>
+SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>

As per coding guidelines: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code).

Also applies to: 9-10



# ODH Spark Operator image from Quay.io
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
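Review bot: the odh overlay sets `RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE` to exactly the value `config/default/params.env` already carries, so as an override it adds nothing here, and every future version bump has to be repeated in three files (the walkthrough counts nine identical line edits); either drop the redundant overlay entry or add a comment saying why the duplication is intentional.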

⚠️ Potential issue | 🟠 Major

Overlay still uses mutable image tags; pin by digest (CWE-494).

This overlay can pull a different artifact later under the same tag. Exploit scenario: tag retargeting causes ODH rollout to run unreviewed code.

Remediation (digest pinning)
-RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
+RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>
...
-SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
-SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
+SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>
+SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>

As per coding guidelines: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code).

Also applies to: 10-11


# RHOAI Spark Operator image
# TODO: Update image refs after Konflux onboarding
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
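Review bot: the `# TODO: Update image refs after Konflux onboarding` comment is left in place while the image ref directly below it is updated; either resolve the TODO in this PR or reword it so it is clear the pending work is the switch to Konflux-built images rather than this tag bump, otherwise the next reader cannot tell whether the updated line already satisfies it.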

⚠️ Potential issue | 🟠 Major

RHOAI overlay is also tag-based; enforce digest pinning (CWE-494).

Current values are mutable references. Exploit scenario: if the tag is overwritten, this overlay deploys a different image than the one validated in review.

Remediation (digest pinning)
-RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
+RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>
...
-SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
-SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
+SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>
+SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator@sha256:<approved_digest>

As per coding guidelines: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code).

Also applies to: 11-12

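
A check for the digest-pinning finding raised in the three review comments above, as an added example that is not part of the PR or of the CodeRabbit output: it parses a file in the params.env format this PR edits, splits each `*_IMAGE` reference into name, tag and digest, and reports which variables still rely on a mutable tag or carry a malformed digest. The sample file content and both digests in it are constructed.

```python
import re

# Constructed sample in the params.env format this PR edits (not the repository's file);
# the digests below are made up, the first one well-formed, the second deliberately short.
SAMPLE_PARAMS_ENV = """\
# Spark Operator image
RELATED_IMAGE_ODH_SPARK_OPERATOR_IMAGE=quay.io/opendatahub/spark-operator:v2.4.0-odh-3.4.0-GA
SPARK_OPERATOR_CONTROLLER_IMAGE=quay.io/opendatahub/spark-operator@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SPARK_OPERATOR_WEBHOOK_IMAGE=quay.io/opendatahub/spark-operator@sha256:deadbeef
"""

# A well-formed OCI digest: algorithm prefix plus 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an OCI image reference into (name, tag, digest); tag and digest may be None."""
    name, _, digest = ref.partition("@")
    tag = None
    # The tag separator is the last ':' after the final '/', so a registry port
    # such as localhost:5000 is not mistaken for a tag.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest or None


def check_params_env(text):
    """Map every *_IMAGE variable to a verdict; only a well-formed digest is 'ok'."""
    verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if not key.endswith("_IMAGE"):
            continue
        _, tag, digest = parse_image_ref(value)
        if digest is None:
            # No digest: the reference can be retargeted upstream without any config change.
            verdicts[key] = "mutable-tag" if tag else "untagged"
        elif not DIGEST_RE.match(digest):
            verdicts[key] = "malformed-digest"
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for var, verdict in check_params_env(SAMPLE_PARAMS_ENV).items():
        print(f"{verdict:17} {var}")
```

Running it over the three real params.env files in CI would fail the build on any `mutable-tag` or `malformed-digest` verdict, which is the enforcement the review comments ask for.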

@alimaredia alimaredia merged commit 120fde0 into opendatahub-io:main Apr 3, 2026
25 checks passed
@shruthis4 shruthis4 deleted the updateParams branch April 7, 2026 14:31