Choosing image tags or digests
(V5.5.6 and later) To make sure that a container always uses the same version of an image, you can specify its digest. The digest identifies a specific version of the image, so it is never updated by Kubernetes. Knowing how image tags work helps you to decide whether to use tags or to use the digest instead.
Image tags
Image tags are a dynamic reference to an image version at a specific point in time. Images on Docker Hub, for example, typically have tags for major and minor versions of images that get updated over time.
FileNet Content Manager also delivers tagged container images from IBM Entitled Registry and, for releases prior to V5.5.9, Passport Advantage (PPA) that indicate the version number. For example, some images include the Cloud Pak version.
image:
  tag: 21.0.x
Some images include an identifier and a version number specific to that container image. For example, the image for Content Platform Engine (CPE) includes p8cpe and 556.
image:
  tag: ga-55x-p8cpe
Tags can also convey useful information about a specific image version or variant. IT admins can use tags to be more intentional and specific about the container images they pull from a repository. Admins can also create an alias (a reference) to a source image, which gives an existing image another name. Tags used this way help developers and admins differentiate between the images available in a repository, and can play a key role in the development lifecycle. Developers can use the tags to, for example, restrict the use of infrastructure for development purposes.
FileNet Content Manager provides a shared configuration parameter to set a repository for all the container images included in the custom resource instead of setting a parameter for each individual image. For more information about sc_image_repository, see Shared parameters.
Digests
Image tag mutability is useful and convenient in many scenarios, but it can also be dangerous if you are not aware of it and prepared to manage it. Avoid the :latest tag when you deploy containers in production, because it is harder to track which version of the image is running and more difficult to roll back properly. Tag mutability can also cause security issues such as bypassing image scanning checks, because a tag can be moved to a different image after the original image was scanned. To get deterministic and repeatable deployments, use digests instead of tags. When the operator uses a digest, it takes image@sha256:<digestValue> instead of image:tag to ensure that you deploy the exact same image manifest.
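The following check is an added example, not part of the product or the operator. It classifies image references as digest-pinned, mutable tag, or :latest (explicit or implicit), so that unpinned references can be flagged before deployment. The function names, repository paths, and digest value are constructed for illustration.

```python
import re

# A sha256 digest is 64 lowercase hexadecimal characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def classify_image_ref(ref):
    """Return (status, detail) for a container image reference.

    status is "pinned", "mutable-tag", "latest" or "invalid-digest".
    """
    name, at, digest = ref.partition("@")
    if at:
        # When a digest is present it decides which manifest is pulled,
        # even if a tag is also written before the "@".
        if DIGEST_RE.match(digest):
            return ("pinned", digest)
        return ("invalid-digest", digest)
    # A colon marks a tag only in the last path component; earlier
    # colons are registry ports, e.g. registry.example:5000/app.
    last = name.rsplit("/", 1)[-1]
    _, colon, tag = last.partition(":")
    if not colon or tag == "latest":
        return ("latest", tag or "latest (implicit)")
    return ("mutable-tag", tag)

def audit(refs):
    """Return (ref, status, detail) for every reference not pinned to a digest."""
    results = [(r, *classify_image_ref(r)) for r in refs]
    return [item for item in results if item[1] != "pinned"]

# Constructed sample input: the paths and the digest value are made up.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_REFS = [
    "cp.icr.io/example/cpe@" + SAMPLE_DIGEST,
    "cp.icr.io/example/cpe:ga-55x-p8cpe",
    "registry.example:5000/example/cpe",
    "registry.example:5000/example/cpe:latest",
    "cp.icr.io/example/cpe:ga-55x-p8cpe@" + SAMPLE_DIGEST,
    "cp.icr.io/example/cpe@sha256:deadbeef",
]

if __name__ == "__main__":
    for ref, status, detail in audit(SAMPLE_REFS):
        print(f"{status:15} {ref}")
```

The same function can be run over the image fields of rendered pod specifications to list every container that would follow a tag if the tag were moved.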
The following scenarios determine when image tags are used and when digests are used. Image tags are used in the following cases.
- The custom resource specifies sc_image_repository with an internal registry.
- The custom resource specifies sc_image_repository with cp.icr.io (IBM Entitled Registry) and the component configuration image tags are defined.
Digests are used when the image tags are left empty.
- The custom resource specifies sc_image_repository with cp.icr.io (IBM Entitled Registry) and the component configuration image tags are not defined.