Enable digest-based image references in Kuadrant 1.5+ releases

### Problem

Kuadrant currently uses tag-based image references in operator bundles. While this works for most scenarios, digest-based references provide better immutability guarantees and align with container security best practices.

### Why Digests?

Using digest-based image references is recommended for container security and immutability:
- **Required for OpenShift/OKD disconnected environments**: [OpenShift documentation](https://docs.redhat.com/en/documentation/openshift_container_platform/4.11/html/operators/developing-operators) explicitly states relatedImages should use digests
- **Container security best practice**: [CNCF Cloud Native Security Whitepaper](https://www.cncf.io/wp-content/uploads/2022/06/CNCF_cloud-native-security-whitepaper-May2022-v2.pdf) recommends "Immutable image binary and immutable URL of image" for secure distribution
- **Prevents tag mutation**: Tags are mutable and can point to different images over time; digests are cryptographically immutable
- **Downstream RHCL builds already work this way successfully**

### Expected Outcome

Starting with Kuadrant 1.5.0, all operator releases should:
- Use digest references in bundle relatedImages
- Generate fully digest-based catalogs
- Align upstream with downstream RHCL practices

**Benefits:**
- ✅ Better support for disconnected environments (OpenShift/OKD)
- ✅ Reproducible builds
- ✅ Alignment with container security best practices
- ✅ Upstream/downstream consistency
- ✅ Immutable image references

**Trade-offs:**
- Slightly less human-readable bundle manifests (digests instead of tags in relatedImages)
- Commits to maintaining this for releases going forward

### Implementation Status

The machinery already exists. PRs are open for all operator components adding `USE_IMAGE_DIGESTS` flag (off by default):

- **kuadrant-operator**: https://github.com/Kuadrant/kuadrant-operator/pull/2008
- **dns-operator**: https://github.com/Kuadrant/dns-operator/pull/773
- **limitador-operator**: https://github.com/Kuadrant/limitador-operator/pull/256
- **authorino-operator**: https://github.com/Kuadrant/authorino-operator/pull/313
- **Disconnected install documentation**: https://github.com/Kuadrant/kuadrant-operator/pull/2016

All PRs follow the same pattern:
- Add `USE_IMAGE_DIGESTS` flag (default: `false`)
- Generate bundles with `--use-image-digests` when enabled
- Add post-generation steps to deduplicate relatedImages

**Note:** The OpenShift-specific `features.operators.openshift.io/disconnected` annotation is not included in these PRs. This can be revisited separately if needed, but the digest capability is valuable regardless of disconnected clusters.

### Tasks

- [ ] **QE Review**: Confirm test scripts and automation handle digest-based relatedImages
- [ ] **Documentation Review**: Identify any docs beyond the disconnected install guide that need updates
- [ ] **Merge operator PRs**: Merge the four operator PRs listed above
- [ ] **Enable for 1.5.0 release**: Set `USE_IMAGE_DIGESTS=true` when building Kuadrant 1.5.0 bundles
- [ ] **Document the decision**: Update release process documentation

### Related Issues

- Original disconnected install request: https://github.com/Kuadrant/kuadrant-operator/issues/1894

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Enable digest-based image references in Kuadrant 1.5+ releases #177

Problem

Why Digests?

Expected Outcome

Implementation Status

Tasks

Related Issues

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

Enable digest-based image references in Kuadrant 1.5+ releases #177

Description

Problem

Why Digests?

Expected Outcome

Implementation Status

Tasks

Related Issues

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions