
Pin image version to SHA of the tag

Open ego93 opened this issue 1 year ago • 1 comments

As suggested here https://github.com/Kong/kubernetes-ingress-controller/issues/6907#issuecomment-2571682378, after the recent security incident with the kubernetes-ingress-controller 3.4.0 image (https://github.com/Kong/kubernetes-ingress-controller/issues/6907#issuecomment-2569792227), it would be a good idea to pin the image tag for kubernetes-ingress-controller to the SHA rather than the moving-target 3.4 tag.

ego93 avatar Jan 06 '25 09:01 ego93

After some testing, adding SHA to the image tag is possible, but it would be better to have a separate value in the values file.

This is what I tested; it hard-codes the image version to 3.8.0 with its SHA from the kong docker repo for linux/amd64:

```yaml
image:
  repository: kong
  tag: "3.8.0@sha256:e66c22bf9bc7140c439c96b09ff6022e0875b0a131c052ec129c29ec9c02c5bc"
```

If the SHA does not match the image tag, it will not pull; this is why you won't be able to use the floating 3.8 tag, as that is subject to change with newer versions.

That said, if Kong releases a new version, even with a patch version change, it is my belief that it should be updated in the chart to allow for testing before wildly accepting a new version.

A better implementation of this would be, as I said, to have a value for sha like so:

```yaml
image:
  repository: kong
  tag: 3.8.0
  sha: e66c22bf9bc7140c439c96b09ff6022e0875b0a131c052ec129c29ec9c02c5bc
```

In the templates you could make this support the sha value with or without the `sha256:` prefix for better compatibility.

This also applies to the KIC and waitImage.

ego93 avatar Jan 16 '25 11:01 ego93
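The following is an added example, not part of the issue and not the Kong chart's own template. It shows the helper logic the comment above proposes, written in Go `text/template` (the language Helm templates are built on): render `<repository>:<tag>` and append `@sha256:<digest>` only when a separate `sha` value is set, accepting the digest with or without the `sha256:` prefix. The `sha` key and the `normalizeDigest` function are assumptions of this example; the digest is the 3.8.0 linux/amd64 value quoted in the issue. A malformed digest makes rendering fail rather than silently producing a tag-only reference, which is the failure mode a pin is meant to rule out.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// ImageValues mirrors the values layout proposed in the issue: repository,
// tag and a separate sha. The "sha" key is an assumption of this example;
// the chart itself does not expose it.
type ImageValues struct {
	Repository string
	Tag        string
	Sha        string
}

// A sha256 digest is exactly 64 lowercase hex characters.
var hexDigest = regexp.MustCompile(`^[0-9a-f]{64}$`)

// NormalizeDigest accepts the digest with or without the "sha256:" prefix
// (in any letter case) and returns the canonical "sha256:<64 hex>" form.
// Anything else is rejected so a mistyped value fails at render time
// instead of producing an image reference the runtime cannot pull.
func NormalizeDigest(sha string) (string, error) {
	d := strings.ToLower(strings.TrimSpace(sha))
	d = strings.TrimPrefix(d, "sha256:")
	if !hexDigest.MatchString(d) {
		return "", fmt.Errorf("image.sha %q is not a sha256 digest", sha)
	}
	return "sha256:" + d, nil
}

// imageTmpl is the helper written in Go text/template, the language Helm
// templates use. It renders "<repository>:<tag>" and appends "@<digest>"
// only when a sha is set, so values files without the key keep working.
const imageTmpl = `{{ .Repository }}:{{ .Tag }}{{ if .Sha }}@{{ normalizeDigest .Sha }}{{ end }}`

// RenderImage renders the full image reference for one values block.
// An error returned by normalizeDigest aborts template execution.
func RenderImage(v ImageValues) (string, error) {
	tmpl, err := template.New("image").
		Funcs(template.FuncMap{"normalizeDigest": NormalizeDigest}).
		Parse(imageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Digest taken from the issue (kong 3.8.0, linux/amd64).
	const digest = "e66c22bf9bc7140c439c96b09ff6022e0875b0a131c052ec129c29ec9c02c5bc"
	for _, v := range []ImageValues{
		{"kong", "3.8.0", digest},            // bare digest
		{"kong", "3.8.0", "sha256:" + digest}, // prefixed digest
		{"kong", "3.8.0", ""},                 // no pin: tag only
		{"kong", "3.8.0", "not-a-digest"},     // rejected
	} {
		ref, err := RenderImage(v)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(ref)
	}
}
```

The tag is still rendered alongside the digest so a human reading the manifest sees which version is pinned; as the comment notes, the container runtime refuses the pull if the two disagree, so the tag cannot silently override the digest.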