Summary
The docker-compose Jinja template at tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 currently pins container images to specific tags (improved in #16322), but image tags can be silently retargeted by maintainers. Pinning to @sha256:<digest> would make deployments fully deterministic and harden against supply-chain attacks.
Images to update

| Image | Current tag |
|---|---|
| mirror.gcr.io/library/redis | 7.4.8 |
| mirror.gcr.io/library/haproxy | 2.3 |
| mirror.gcr.io/splunk/splunk | 9.4.2 |
| mirror.gcr.io/prom/prometheus | v3.10.0 |
| mirror.gcr.io/grafana/grafana-enterprise | 12.3.4 |
| quay.io/sclorg/postgresql-15-c9s | (floating tag) |
| mirror.gcr.io/bitnami/pgbouncer | 1.24.0 |
| mirror.gcr.io/otel/opentelemetry-collector-contrib | 0.88.0 |
| mirror.gcr.io/grafana/loki | 2.9.5 |
| hashicorp/vault | 1.14 |
Proposed change
Append @sha256:<digest> to each image reference, e.g.:

```
mirror.gcr.io/library/redis:7.4.8@sha256:<digest>
```

SHA256 digests can be retrieved via:

```shell
# With --verbose, a multi-arch image yields one entry per platform, so .[0] is the
# first platform's manifest digest (not the manifest-list digest); a single-platform
# image prints a single object rather than an array, and .[0] will then fail.
docker manifest inspect mirror.gcr.io/library/redis:7.4.8 --verbose | jq '.[0].Descriptor.digest'
# or: .Digest is the digest of what the tag itself resolves to (the manifest list for multi-arch images)
skopeo inspect --format '{{.Digest}}' docker://mirror.gcr.io/library/redis:7.4.8
```
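As an added illustration of the proposed change (example code, not part of this issue or the project's tooling), the helper below rewrites unquoted `image:` lines in a compose template from a map of pre-fetched digests and reports every reference still lacking one, which is the check a CI job would run against the template. The template, the `{{ app_image }}` Jinja reference and the digests are constructed placeholders, and values produced by Jinja expressions are deliberately left for the renderer.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Unquoted compose 'image:' lines only; quoted values are out of scope (assumption).
IMAGE_LINE_RE = re.compile(r"^(?P<indent>\s*image:\s*)(?P<ref>.+?)\s*$")

def parse_image_ref(ref):
    """Split 'repo[:tag][@sha256:<hex>]' into (repo, tag, digest); absent parts are None."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # The tag separator is the last ':' after the final '/', so a registry port is not a tag.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None

def pin_template(text, digests):
    """Append '@<digest>' to 'image:' lines keyed by 'repo:tag' (bare 'repo' for floating tags)."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = IMAGE_LINE_RE.match(line)
        if m and "{{" not in m["ref"]:  # Jinja expressions are only known at render time
            repo, tag, digest = parse_image_ref(m["ref"])
            digest = digest or digests.get(f"{repo}:{tag}" if tag else repo)
            if digest:
                out.append(f"{m['indent']}{repo}{':' + tag if tag else ''}@{digest}")
                continue
        if m:
            unresolved.append(m["ref"])  # no digest available: report it
        out.append(line)
    return "\n".join(out) + "\n", unresolved

def unpinned_refs(text):
    """CI check: every image reference in the template that still lacks a digest."""
    return pin_template(text, {})[1]

# Constructed sample template and placeholder digests (NOT real values; fetch real ones
# with `skopeo inspect --format '{{.Digest}}' docker://<ref>` as described above).
SAMPLE_TEMPLATE = """\
services:
  redis:
    image: mirror.gcr.io/library/redis:7.4.8
  postgres:
    image: quay.io/sclorg/postgresql-15-c9s
  app:
    image: {{ app_image }}:{{ app_version }}
"""
SAMPLE_DIGESTS = {"mirror.gcr.io/library/redis:7.4.8": "sha256:" + "ab" * 32,
                  "quay.io/sclorg/postgresql-15-c9s": "sha256:" + "cd" * 32}
```

Running `unpinned_refs` on the rendered or unrendered template in CI fails the build as soon as anyone re-introduces a bare tag.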
References