The new API field `.status.latestDigest` in the `ImagePolicy` kind
stores the digest of the image referred to by the the
`.status.latestImage` field.

The setting of this field is governed by the newly introduced field
`.spec.digestReflectionPolicy` which takes one of the values `Always`
or `IfNotPresent`. See the updated documentation under `docs/spec/`
for details.

The new status field can be used to pin an image to an immutable
descriptor rather than to a potentially moving tag, increasing the
security of workloads deployed on a cluster.

The goal is to make use of the digest in IAC so that manifests can be
updated with the actual image digest.

Signed-off-by: Max Jonas Werner <[email protected]>

This new field summarizes all data reflecting an image reference, i.e.
the repository name, tag and digest.

Since this change changes the API in a backwards-incompatible way, the
new API version v1beta3 is introduced.

Signed-off-by: Max Jonas Werner <[email protected]>

This way we circumvent issues with server-side apply so that users can
explicitly change this field instead of having to remove it. The
latter case might lead to the API server not removing it if another
field manager is registered for that field, causing an unintended
drift.

This commit also aligns the v1beta3 API with the latest changes done
in v1beta2.

Signed-off-by: Max Jonas Werner <[email protected]>

We agreed to make the changes in the existing v1beta2 API version.

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

.spec.image has no relevance in the given package, anymore.

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

These must have been leftovers from previous iterations of this test.

Signed-off-by: Max Jonas Werner <[email protected]>

1. Default digestReflectionPolicy to "Never" and add a getter. With
   the getter method we will never encounter an empty policy even if
   defaulting hasn't taken place.
2. Make status.latestRef a pointer to align with
   status.observedPreviousRef. Having both fields be pointers makes it
   easier to use them in code so we only have to compare to nil and
   not the zero value.

Signed-off-by: Max Jonas Werner <[email protected]>

The field hasn't been set properly before. Correct behaviour is backed
by associated unit tests.

Signed-off-by: Max Jonas Werner <[email protected]>

The updated documentation has gotten lost due to the back and forth
with v1beta3.

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>

Signed-off-by: Max Jonas Werner <[email protected]>