From f3007bcbfab49434a02f4d76100481af5f3f4b02 Mon Sep 17 00:00:00 2001
From: Tommy Lam <tommylam1004@gmail.com>
Date: Thu, 4 Dec 2025 12:40:55 -0800
Subject: [PATCH] fix(chart): Use image tags instead of digest for
 multi-registry support

---
 chart/templates/deployment.yaml | 4 +++-
 chart/values.yaml               | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index bedca2a7..c56e3df1 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -3,6 +3,8 @@ kind: Deployment
 metadata:
   name: {{ include "chart.fullname" . }}-controller-manager
   namespace: "{{ .Release.Namespace }}"
+  annotations:
+    checkov.io/skip1: CKV_K8S_43=Image digest not required - we use tags
   labels:
     app: {{ include "chart.fullname" . }}-controller-manager
     app.kubernetes.io/component: manager
@@ -93,7 +95,7 @@ spec:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
         image: {{ .Values.controllerManager.manager.image.repository }}{{- if .Values.controllerManager.manager.image.digest }}{{- if .Values.controllerManager.manager.image.tag }}:{{ .Values.controllerManager.manager.image.tag }}@{{ .Values.controllerManager.manager.image.digest }}{{- else }}@{{ .Values.controllerManager.manager.image.digest }}{{- end }}{{- else }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}{{- end }}
-        imagePullPolicy: IfNotPresent
+        imagePullPolicy: Always
         livenessProbe:
           httpGet:
             path: /healthz
diff --git a/chart/values.yaml b/chart/values.yaml
index fa2022db..17ba34cf 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -85,7 +85,7 @@ controllerManager:
     image:
       repository: nvcr.io/nvidia/skyhook/operator
       tag: "" ## if both tag and digest are omitted, defaults to the chart appVersion
-      digest: "sha256:b3acae2320d9d768fff455f5986fea9084b099291ecdd258d1580180dabc4efe" # manifest list digest (multi-arch)
+      digest: "" # manifest list digest (multi-arch)
     ## agentImage: is the image used for the agent container. This image is the default for this install, but can be overridden in the CR at package level.
     agent:
       repository: nvcr.io/nvidia/skyhook/agent