Specifying image sha, rather than tag, in helm chart

We use Linkerd in our GKE cluster, and prefer to use GCP’s binary authorization product to control which software runs there. Right now, we’ve added an image path pattern to the Binary authorization exemption list, because we can’t figure out how to to change the helm chart’s values.yml file to use an image digest rather than a tag. For example, we want to use image.url/some/path/image@sha256: 3d056213495816b57e58df9cdfec0302d289cecb29d8747fab38ee6afa143162, and not image.url/some/path/image:v1.0.

It looks like most components do actually allow specifying the version in values.yml, eg here, we haven’t figured out whether there’s a supported path for setting the version for controllerImage. It seems to be configured slightly differently in the helm chart (here).

Does anyone know how to achieve what I’m describing?

1 Like

The controller image version is set to .Values.linkerdVersion. But you’re right, we should add some flexibility there to override with something else. As for the other images, if I understood correctly, would it work if you set for example image.name=image.url/some/path/image@sha256 and image.version=3d056213495816b57e58df9cdfec0302d289cecb29d8747fab38ee6afa143162?

Yes, I think that works for the other images.

I hope there are no other unintended consequences of setting those that way?

I believe those image names aren’t used for anything else besides the image field in the workload manifests, so there shouldn’t be any unintended consequences. I’ve opened an issue to tackle the controller tag parametrization.

1 Like