Digests versus image tags

Image tags

Image tags are a volatile reference to an image version at a specific point in time. Images on Docker Hub, for example, typically have tags for major and minor versions of images that get updated over time. The tag redis:3 is the same image as redis:3.2.11 at the time of release, but in the past this tag pointed to redis:3.2.10.

Cloud Pak for Business Automation also delivers tagged container images from IBM Entitled Registry that indicate the version number. For example, some images include the Cloud Pak version.

image:
   tag: 22.0.2

Some images include an identifier and a version number specific to that container image. For more information, see Checking and completing your custom resource.

Digests

To get deterministic and repeatable deployments Cloud Pak for Business Automation uses digests instead of tags. The CP4BA operator takes the image@sha256:<digestValue> instead of image:tag to ensure that you deploy the exact same image manifest.

Image tags can be left empty in the custom resource file, but are useful to identify the actual image version that is used. Therefore, it is important to keep the image tags up to date with the digests if a version is used in the image.tag parameters.

Digests are also used in an air-gapped configuration. OpenShift Container Platform can automatically redirect image pull requests from a specified registry location to an alternative location. The redirect is fundamental to enabling an air gap for disconnected installations, as it removes the need to update image references in every pod definition.

For more information, see Installing an offline (air gap) environment.