EPMDEDP-16587: feat: add image digest field to CodebaseImageStream CRD and Helm scaffolding

Add optional SHA256 digest field to the Tag struct in CodebaseImageStream
CRD for NIST SP 800-190 compliance. Update application Helm scaffolding
templates to support immutable image references (tag@digest format) for
both Kubernetes and OpenShift platforms.

Signed-off-by: Sergiy Kulanov <sergiy_kulanov@epam.com>

Author: SergK

api/v1/codebaseimagestream_types.go

@@ -21,6 +21,7 @@ type CodebaseImageStreamSpec struct {
 type Tag struct {
 	Name    string `json:"name"`
 	Created string `json:"created"`
+	Digest  string `json:"digest,omitempty"`
 }
 
 // CodebaseImageStreamStatus defines the observed state of CodebaseImageStream.

build/templates/applications/helm-chart/kubernetes/templates/deployment.yaml

@@ -34,7 +34,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ end }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http

build/templates/applications/helm-chart/kubernetes/values.tmpl

@@ -9,6 +9,8 @@ image:
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  # -- Image digest for immutable reference (e.g., sha256:abc123...). If set, deployed as :tag@digest.
+  digest: ""
 
 imagePullSecrets:
 # Define secret to pull images. Secret can be provisioned by edp-install or manually.

build/templates/applications/helm-chart/openshift/templates/deployment.yaml

@@ -31,7 +31,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ end }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http

build/templates/applications/helm-chart/openshift/values.tmpl

@@ -9,6 +9,8 @@ image:
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  # -- Image digest for immutable reference (e.g., sha256:abc123...). If set, deployed as :tag@digest.
+  digest: ""
 
 imagePullSecrets:
 # Define secret to pull images. Secret can be provisioned by edp-install or manually.

config/crd/bases/v2.edp.epam.com_codebaseimagestreams.yaml

@@ -60,6 +60,8 @@ spec:
                   properties:
                     created:
                       type: string
+                    digest:
+                      type: string
                     name:
                       type: string
                   required:

deploy-templates/crds/v2.edp.epam.com_codebaseimagestreams.yaml

@@ -60,6 +60,8 @@ spec:
                   properties:
                     created:
                       type: string
+                    digest:
+                      type: string
                     name:
                       type: string
                   required:

docs/api.md

@@ -603,6 +603,13 @@ CodebaseImageStreamSpec defines the desired state of CodebaseImageStream.
           <br/>
         </td>
         <td>true</td>
+      </tr><tr>
+        <td><b>digest</b></td>
+        <td>string</td>
+        <td>
+          <br/>
+        </td>
+        <td>false</td>
       </tr></tbody>
 </table>