Enable use of pinned image checksums in releases opposed to floating tags

Question

Enable use of pinned image checksums in releases opposed to floating tags

Closed this issue a year ago · 6 comments

We have some users who are running on 'disconnected' or 'airgapped' OpenShift clusters that want to consume Konveyor releases yet are blocked from our use of floating tags opposed to pinned image checksums.

The ask is to update our release process so when we create new upstream Konveyor releases we pin to specific image checksums.

For background info https://www.redhat.com/en/blog/using-red-hat-openshift-operatorhub-restricted-networks

Answer 1 · 2023-01-19T14:38:37.000Z

This seems a better fit for this issue as the most meaningful place to put image checksums is in the CSVs we publish to community-operators.

Answer 2 · 2023-01-19T16:10:27.000Z

I am a big +1 on SHA references because we know exactly what is being used then regarding user environments.

Answer 3 · 2023-01-30T17:37:13.000Z

@djzager It would also be nice to inject an image label with the commit hash for each component image built , i.e hub :

LABEL  io.openshift.build.commit.id="${CI_TACKLE2_HUB_UPSTREAM_COMMIT}"

Answer 4 · 2023-03-16T13:49:53.000Z

@jmontleon I think your PR #161 fixes this. Is that right?

Answer 5 · 2023-03-30T12:47:34.000Z

Yes. This is the PR created by the workflow test run:
https://github.com/redhat-openshift-ecosystem/community-operators-prod/pull/2432/files#diff-da872ac04b3de675cf90eda44f62823cb1bd18f828d0aed49d551a5d4ec830d5R147-R162

Answer 6 · 2023-03-30T13:16:43.000Z

Closing as completed by #161