Summary
The dependency-controller chart currently bakes the registry into image.repository and has no digest support. To localize images uniformly (rewrite the registry to a local mirror, pin by digest) — the same way platform-mesh charts now do — the chart should
adopt the split schema image.{registry, repository, tag, digest}.
So a potential bootstrap with an operator via ocm transfer can be easier achieved.
Current state
charts/dependency-controller/values.yaml:
image:
repository: ghcr.io/opendefensecloud/dependency-controller # registry is baked into the path
tag: ""
pullPolicy: IfNotPresent
Rendered identically in both deployments — templates/deployment.yaml:24 and
templates/webhook-deployment.yaml:24:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
Limitations:
- The registry (
ghcr.io) is part of repository, so localization can't rewrite the registry without string-surgery on a combined field.
- No
digest — images can only be pinned by tag, not cryptographically.
- Divergent from the
platform-mesh schema, so localization tooling can't treat both the same way.
Proposed schema
image:
registry: ghcr.io # registry host only
repository: opendefensecloud/dependency-controller # path WITHOUT the registry
tag: "" # defaults to .Chart.AppVersion
digest: "" # when set: registry/repository@digest (overrides tag)
pullPolicy: IfNotPresent
Reference rendering: registry + "/" + repository, then @digest if set, else :tag | default .Chart.AppVersion.
Why this enables localization
- Registry is its own field → a localization step rewrites only
image.registry (e.g. → oci-registry.local); repository/tag/digest stay intact and the manifest references the local registry honestly (not via a pull-level mirror that lies about origin).
- Digest pins the exact artifact (cryptographic), not just a moving tag — important for air-gap integrity.
- Same shape as
platform-mesh and as OCM's toOCI() fields (registry, repository, tag, digest) → one mental model, reusable tooling across both products.
Acceptance criteria
References
platform-mesh common chart 0.13.0 — image.{registry,repository,tag,digest} schema.
- OCM
toOCI() fields: host, registry, repository, tag, digest, reference.
- Air-gap rationale: rewriting only the registry yields an honest local reference; digest preserves the exact artifact end-to-end.
Summary
The dependency-controller chart currently bakes the registry into
image.repositoryand has no digest support. To localize images uniformly (rewrite the registry to a local mirror, pin by digest) — the same wayplatform-meshcharts now do — the chart shouldadopt the split schema
image.{registry, repository, tag, digest}.So a potential bootstrap with an operator via ocm transfer can be easier achieved.
Current state
charts/dependency-controller/values.yaml:Rendered identically in both deployments —
templates/deployment.yaml:24andtemplates/webhook-deployment.yaml:24:Limitations:
ghcr.io) is part ofrepository, so localization can't rewrite the registry without string-surgery on a combined field.digest— images can only be pinned by tag, not cryptographically.platform-meshschema, so localization tooling can't treat both the same way.Proposed schema
Reference rendering:
registry + "/" + repository, then@digestif set, else:tag | default .Chart.AppVersion.Why this enables localization
image.registry(e.g. →oci-registry.local);repository/tag/digeststay intact and the manifest references the local registry honestly (not via a pull-level mirror that lies about origin).platform-meshand as OCM'stoOCI()fields (registry, repository, tag, digest) → one mental model, reusable tooling across both products.Acceptance criteria
values.yamlexposesimage.{registry, repository, tag, digest, pullPolicy}.digestis set, the reference isregistry/repository@digest(tag ignored).ghcr.io/opendefensecloud/dependency-controller:<appVersion>._helpers.tplversion label keeps usingimage.tag | default .Chart.AppVersion.versionbumped (minor).References
platform-meshcommon chart0.13.0—image.{registry,repository,tag,digest}schema.toOCI()fields:host, registry, repository, tag, digest, reference.