Adopt the unified image values schema (registry/repository/tag/digest) in the Helm chart #98

Description

@Perseus985

Summary

The dependency-controller chart currently bakes the registry into image.repository and has no digest support. To localize images uniformly (rewrite the registry to a local mirror, pin by digest) — the same way platform-mesh charts now do — the chart should adopt the split schema image.{registry, repository, tag, digest}.

So a potential bootstrap with an operator via ocm transfer can be achieved more easily.

Current state

charts/dependency-controller/values.yaml:

image:
  repository: ghcr.io/opendefensecloud/dependency-controller   # registry is baked into the path
  tag: ""
  pullPolicy: IfNotPresent

Rendered identically in both deployments — templates/deployment.yaml:24 and templates/webhook-deployment.yaml:24:

image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

Limitations:

  • The registry (ghcr.io) is part of repository, so localization can't rewrite the registry without string-surgery on a combined field.
  • No digest — images can only be pinned by tag, not cryptographically.
  • Divergent from the platform-mesh schema, so localization tooling can't treat both the same way.

Proposed schema

image:
  registry: ghcr.io                              # registry host only
  repository: opendefensecloud/dependency-controller   # path WITHOUT the registry
  tag: ""                                        # defaults to .Chart.AppVersion
  digest: ""                                     # when set: registry/repository@digest (overrides tag)
  pullPolicy: IfNotPresent

Reference rendering: registry + "/" + repository, then @digest if set, else :tag | default .Chart.AppVersion.

Why this enables localization

  • Registry is its own field → a localization step rewrites only image.registry (e.g. → oci-registry.local); repository/tag/digest stay intact and the manifest references the local registry honestly (not via a pull-level mirror that lies about origin).
  • Digest pins the exact artifact (cryptographic), not just a moving tag — important for air-gap integrity.
  • Same shape as platform-mesh and as OCM's toOCI() fields (registry, repository, tag, digest) → one mental model, reusable tooling across both products.

Acceptance criteria

  • values.yaml exposes image.{registry, repository, tag, digest, pullPolicy}.
  • When digest is set, the reference is registry/repository@digest (tag ignored).
  • Default rendering is unchanged vs today: ghcr.io/opendefensecloud/dependency-controller:<appVersion>.
  • _helpers.tpl version label keeps using image.tag | default .Chart.AppVersion.
  • README / values docs regenerated; chart version bumped (minor).

References

  • platform-mesh common chart 0.13.0: image.{registry,repository,tag,digest} schema.
  • OCM toOCI() fields: host, registry, repository, tag, digest, reference.
  • Air-gap rationale: rewriting only the registry yields an honest local reference; digest preserves the exact artifact end-to-end.
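
The rendering rule and the localization step proposed in this issue, as an added Python sketch (not code from the issue or from the chart) that a CI check could run against chart values. The function names, the `APP_VERSION` stand-in and the sample digest are constructed for illustration, and the sha256-only digest check is an assumption of this example.

```python
import re

# Constructed stand-in for .Chart.AppVersion; not the chart's real version.
APP_VERSION = "0.0.0-example"
# Assumption of this example: only sha256 digests are accepted.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def render_ref(image, app_version=APP_VERSION):
    """registry + "/" + repository, then @digest if set, else :tag (default appVersion)."""
    base = f"{image['registry']}/{image['repository']}"
    digest = image.get("digest") or ""
    if digest:
        # A malformed digest would silently weaken the pin, so reject it early.
        if not DIGEST_RE.match(digest):
            raise ValueError(f"not a sha256 digest: {digest!r}")
        return f"{base}@{digest}"  # tag is ignored when a digest is set
    return f"{base}:{image.get('tag') or app_version}"


def localize(image, local_registry):
    """Localization step: rewrite only image.registry, leave the other fields intact."""
    return {**image, "registry": local_registry}


def legacy_ref(repository, tag, app_version=APP_VERSION):
    """Current template: "{{ repository }}:{{ tag | default .Chart.AppVersion }}"."""
    return f"{repository}:{tag or app_version}"


if __name__ == "__main__":
    image = {
        "registry": "ghcr.io",
        "repository": "opendefensecloud/dependency-controller",
        "tag": "",
        "digest": "",
    }
    # Acceptance criterion: default rendering is unchanged vs today.
    print(render_ref(image) == legacy_ref("ghcr.io/" + image["repository"], ""))
    # Constructed digest value, used only to show the pinned form.
    pinned = {**image, "tag": "v1.2.3", "digest": "sha256:" + "ab" * 32}
    print(render_ref(pinned))
    # After localization the digest still pins the same artifact.
    print(render_ref(localize(pinned, "oci-registry.local")))
```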

Labels: enhancement (New feature or request)