-
Feature
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
None
-
False
-
-
False
A non-OCP customer has requested that the charts use tags instead of digests.
I explained that we specifically switched from tags to digest pinning in RHIDP-2814 in order to better service airgap scenarios, but perhaps the OCP as default deployment env was an invalid assumption and we need a different solution that supports both k8s and OCP airgapped deployments.
Idea would be that instead of a tag or a digest, we'd use both like this:
quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0
Not sure if we can achieve this in the operator CSV as well, but we can experiment to see if it's possible.
One complication is that skopeo doesn't support tag@sha notation, so other tools might have similar limitations:
$➔ skopeo inspect docker://quay.io/rhdh/rhdh-hub-rhel9:1.4-148@sha256:02e685cb6a91b17365345c6d2a26a8c99cab56a32e024c708208a6c6ddbad392 FATA[0000] Error parsing image name "docker://quay.io/rhdh/rhdh-hub-rhel9:1.4-148@sha256:02e685cb6a91b17365345c6d2a26a8c99cab56a32e024c708208a6c6ddbad392": Docker references with both a tag and digest are currently not supported
Replacement could be to use oras:
oras manifest fetch-config quay.io/rhdh/rhdh-hub-rhel9:1.4-148@sha256:02e685cb6a91b17365345c6d2a26a8c99cab56a32e024c708208a6c6ddbad392 | jq oras manifest fetch quay.io/rhdh/rhdh-hub-rhel9:1.4-148@sha256:02e685cb6a91b17365345c6d2a26a8c99cab56a32e024c708208a6c6ddbad392 | jq
But not all metadata is the same...
Needs input from PM and Install team here: jfargett@redhat.com rh-ee-asoro cdaley
