From 005c3ff35859502cb51afe2b0a2c2bf06a0d8d8c Mon Sep 17 00:00:00 2001
From: Sergiy Kulanov
Date: Fri, 20 Mar 2026 16:15:20 +0200
Subject: [PATCH] EPMDEDP-16587: feat: add image digest field to CodebaseImageStream CRD and Helm scaffolding

Add optional SHA256 digest field to the Tag struct in CodebaseImageStream CRD for NIST SP 800-190 compliance. Update application Helm scaffolding templates to support immutable image references (tag@digest format) for both Kubernetes and OpenShift platforms.

Signed-off-by: Sergiy Kulanov
---
 api/v1/codebaseimagestream_types.go | 1 +
 .../helm-chart/kubernetes/templates/deployment.yaml | 2 +-
 .../applications/helm-chart/kubernetes/values.tmpl | 2 ++
 .../helm-chart/openshift/templates/deployment.yaml | 2 +-
 .../applications/helm-chart/openshift/values.tmpl | 2 ++
 config/crd/bases/v2.edp.epam.com_codebaseimagestreams.yaml | 2 ++
 .../crds/v2.edp.epam.com_codebaseimagestreams.yaml | 2 ++
 docs/api.md | 7 +++++++
 8 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/api/v1/codebaseimagestream_types.go b/api/v1/codebaseimagestream_types.go
index 936c0a60..53b630e8 100644
--- a/api/v1/codebaseimagestream_types.go
+++ b/api/v1/codebaseimagestream_types.go
@@ -21,6 +21,7 @@ type CodebaseImageStreamSpec struct {
 type Tag struct {
 	Name string `json:"name"`
 	Created string `json:"created"`
+	Digest string `json:"digest,omitempty"`
 }
 
 // CodebaseImageStreamStatus defines the observed state of CodebaseImageStream.
diff --git a/build/templates/applications/helm-chart/kubernetes/templates/deployment.yaml b/build/templates/applications/helm-chart/kubernetes/templates/deployment.yaml
index 8ded5cf9..724ff6ff 100644
--- a/build/templates/applications/helm-chart/kubernetes/templates/deployment.yaml
+++ b/build/templates/applications/helm-chart/kubernetes/templates/deployment.yaml
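Review bot: The new `Digest` field on `Tag` is an unconstrained string — there is no validation marker, so the regenerated CRD schema in this same commit (`digest: type: string` in both config/crd/bases and deploy-templates/crds) admits any value, and a malformed one would presumably only surface later when a consumer builds the `<tag>@<digest>` reference from it. Since the field exists to pin image content, constrain it at admission with a marker such as `// +kubebuilder:validation:Pattern="^sha256:[a-f0-9]{64}$"` above the field and regenerate the CRDs so both YAML copies carry the pattern (the config/crd/bases path suggests controller-gen, but confirm the repo's generation step). A doc comment stating that the value is the image content digest and is meant to be appended to the tag as `@<digest>` would also help; `Name` and `Created` are undocumented too, but this field carries a format contract the others do not.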
@@ -34,7 +34,7 @@ spec:
 - name: {{ .Chart.Name }}
   securityContext:
     {{- toYaml .Values.securityContext | nindent 12 }}
-  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ end }}"
   imagePullPolicy: {{ .Values.image.pullPolicy }}
   ports:
     - name: http
diff --git a/build/templates/applications/helm-chart/kubernetes/values.tmpl b/build/templates/applications/helm-chart/kubernetes/values.tmpl
index cc9abdb1..bcb5ca36 100644
--- a/build/templates/applications/helm-chart/kubernetes/values.tmpl
+++ b/build/templates/applications/helm-chart/kubernetes/values.tmpl
@@ -9,6 +9,8 @@ image:
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  # -- Image digest for immutable reference (e.g., sha256:abc123...). If set, deployed as :tag@digest.
+  digest: ""
 
 imagePullSecrets:
   # Define secret to pull images. Secret can be provisioned by edp-install or manually.
diff --git a/build/templates/applications/helm-chart/openshift/templates/deployment.yaml b/build/templates/applications/helm-chart/openshift/templates/deployment.yaml
index fbafc88e..3fa7ee50 100644
--- a/build/templates/applications/helm-chart/openshift/templates/deployment.yaml
+++ b/build/templates/applications/helm-chart/openshift/templates/deployment.yaml
@@ -31,7 +31,7 @@ spec:
 - name: {{ .Chart.Name }}
   securityContext:
     {{- toYaml .Values.securityContext | nindent 12 }}
-  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+  image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ if .Values.image.digest }}@{{ .Values.image.digest }}{{ end }}"
   imagePullPolicy: {{ .Values.image.pullPolicy }}
   ports:
     - name: http
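Review bot: The added `image:` line interpolates `.Values.image.digest` into the reference with no check on its form, so a value missing the `sha256:` prefix or a truncated hash renders something like `repo:tag@abc123`, which the cluster would presumably reject only when the Pod is created, far from the chart that produced it. Fail at render time instead, e.g. near the top of the template: `{{- if and .Values.image.digest (not (regexMatch "^sha256:[a-f0-9]{64}$" .Values.image.digest)) }}{{- fail "image.digest must be of the form sha256:<64 hex chars>" }}{{- end }}`. The same line and the same gap appear in the OpenShift template (the `@@ -31,7 +31,7 @@` hunk of build/templates/applications/helm-chart/openshift/templates/deployment.yaml), so apply the guard there as well. The `containers:` block this line sits in starts before the hunk. It would also be worth saying in the values.tmpl comment that once `digest` is set the runtime resolves by digest and the tag is informational only, so operators do not assume bumping `tag` alone changes what is deployed.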
diff --git a/build/templates/applications/helm-chart/openshift/values.tmpl b/build/templates/applications/helm-chart/openshift/values.tmpl
index 300c48c7..0900ad06 100644
--- a/build/templates/applications/helm-chart/openshift/values.tmpl
+++ b/build/templates/applications/helm-chart/openshift/values.tmpl
@@ -9,6 +9,8 @@ image:
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion.
   tag: ""
+  # -- Image digest for immutable reference (e.g., sha256:abc123...). If set, deployed as :tag@digest.
+  digest: ""
 
 imagePullSecrets:
   # Define secret to pull images. Secret can be provisioned by edp-install or manually.
diff --git a/config/crd/bases/v2.edp.epam.com_codebaseimagestreams.yaml b/config/crd/bases/v2.edp.epam.com_codebaseimagestreams.yaml
index 601079f0..4a027562 100644
--- a/config/crd/bases/v2.edp.epam.com_codebaseimagestreams.yaml
+++ b/config/crd/bases/v2.edp.epam.com_codebaseimagestreams.yaml
@@ -60,6 +60,8 @@ spec:
 properties:
   created:
     type: string
+  digest:
+    type: string
   name:
     type: string
 required:
diff --git a/deploy-templates/crds/v2.edp.epam.com_codebaseimagestreams.yaml b/deploy-templates/crds/v2.edp.epam.com_codebaseimagestreams.yaml
index 601079f0..4a027562 100644
--- a/deploy-templates/crds/v2.edp.epam.com_codebaseimagestreams.yaml
+++ b/deploy-templates/crds/v2.edp.epam.com_codebaseimagestreams.yaml
@@ -60,6 +60,8 @@ spec:
 properties:
   created:
     type: string
+  digest:
+    type: string
   name:
     type: string
 required:
diff --git a/docs/api.md b/docs/api.md
index 0323efcb..8fcf45b6 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -603,6 +603,13 @@ CodebaseImageStreamSpec defines the desired state of CodebaseImageStream.
true + + digest + string + +
+ + false