[SPIKE] Usage of Image Digests in requirements download

[cicharka]

Is your spike related to a problem or idea? Please describe. Currently in download requirements a way to select specific image is to use tag (and them checking downloaded image checksum), like:

  'quay.io/cephcsi/cephcsi:v3.5.1':
    sha1: 51dee9ea8ad76fb95ebd16f951e8ffaaaba95eb6

Unfortunately tags can be mutable (we had this problem with ceph and image registry images) which can lead to the situation where Epiphany installation is reporting that image has changed - that happens when image used has been updated and assigned to the same tag.

In order to avoid this kind of problems, we can research usage of container image digests. According to the docs: Images that use the v2 or later format have a content-addressable identifier called a digest. As long as the input used to generate the image is unchanged, the digest value is predictable. Therefore it is a more stable way to specify image version.

Describe the outcome you'd like Verify if:

• image digests are better solution that tags (safe, stable etc.)
• image digests can be used in Epiphany and if their usage is not breaking any functionality

What is the reason or source for the spike So far we faced problem that images were updated and assigned to the same tag, which led to checksum mismatch.

Additional context https://docs.docker.com/engine/reference/commandline/images/#list-image-digests https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests https://www.mikenewswanger.com/posts/2020/docker-image-digests/ https://www.ibm.com/docs/en/filenet-p8-platform/5.5.x?topic=deployment-choosing-image-tags-digests

---

DoD checklist

• [ ] Reader is able to understand the results of spike
• [ ] The results of the spike are presented in a table (to show simply what are compared or researched parameters) / not applicable
• [ ] Each value / cell in the results table is described more deeply below
• [ ] Demo of the spike (automated as much as possible)
• [ ] Design doc updated