Pinning docker image version by digest #292

Open
cameel opened this issue Jan 8, 2019 · 1 comment
cameel commented Jan 8, 2019

Currently we specify only tags for docker images in containers/versions.yml. This means that when an image changes on DockerHub, it may also change in our deployment and break things.

The problem is that, unlike in git, it's a common practice to update a Docker image and change it to point at the new version. For example, when a new release of Alpine Linux is released, postgres:10.4-alpine is likely to be rebuilt but without getting a new tag.

To alleviate this, we should start specifying the image digest along with the tag.

Currently our versions look like this:

debian_version:               "9.4"
openresty_alpine_fat_version: "1.13.6.2-0"

They should now look like this:

debian_version:               "9.4@sha256:6ee341d1cf3da8e6ea059f8bc3af9940613c4287205cd71d7c6f9e1718fdcb9b"
openresty_version:            "1.13.6.2-0-alpine-fat@sha256:4f854b36542ab92183da40d721c1b098aff79150ee153faf482d005a6e88ecf7"
  • Add the digest after the @ symbol. You can get digests of currently downloaded images with docker images --digests
  • Let's move the extra parts like alpine or fat to the version string. This will make updating the tags easier.

When updating images, remember to update both the tag and the digest. Docker ignores the tag if the digest is specified - it's only there for our information.
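
Added example, not part of the original issue or the project's code: a small check that could run in CI to flag entries in containers/versions.yml that are still tag-only or carry a malformed digest. It assumes the file is a flat list of `key: "value"` lines as shown above; the function name, the `postgres_version` key and the digests in the sample are constructed for illustration.

```python
import re
import sys

# Flat `key: "value"` lines, the shape shown in the issue (assumed for the whole file).
ENTRY = re.compile(r'^(?P<key>[A-Za-z0-9_]+):\s*"(?P<value>[^"]*)"\s*(?:#.*)?$')
# <tag>@sha256:<64 lowercase hex chars>; tag character set follows Docker's tag rules.
PINNED = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}@sha256:[0-9a-f]{64}$')


def check_versions(text):
    """Return (line_number, key, problem) for every entry not pinned by digest."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no version
        entry = ENTRY.match(stripped)
        if entry is None:
            problems.append((lineno, None, "unrecognised line"))
        elif "@" not in entry["value"]:
            problems.append((lineno, entry["key"], "tag only, no digest"))
        elif PINNED.match(entry["value"]) is None:
            problems.append((lineno, entry["key"], "malformed tag@sha256:<digest>"))
    return problems


# Constructed sample: one tag-only entry, one pinned entry, one truncated digest.
SAMPLE = "\n".join([
    'debian_version:               "9.4"',
    'openresty_version:            "1.13.6.2-0-alpine-fat@sha256:' + "ab" * 32 + '"',
    'postgres_version:             "10.4-alpine@sha256:deadbeef"',
])

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE
    found = check_versions(text)
    for lineno, key, problem in found:
        print(f"line {lineno}: {key}: {problem}")
    sys.exit(1 if found else 0)
```
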
