fix: match image digests with any algorithm, not only sha256 (#6167)

* fix: match image digests with any algorithm, not only sha256 IsImageMatched hard-coded '@sha256:' in its regex, while Split accepts any digest algorithm. An image pinned with a non-sha256 digest (e.g. nginx@sha512:...) was not matched, so the ImageTagTransformer silently left it unchanged and the user's images: override was ignored. Generalize the digest algorithm in the regex to match what Split accepts. Signed-off-by: Seonghyun Hong <s3onghyun.hong@gmail.com> * Address review: match OCI digest grammar and test spec example algorithms Broaden the digest-algorithm match to the OCI grammar (algorithm components separated by +._-), so multihash+base58 and other registered/unregistered algorithms match, not just [a-zA-Z][a-zA-Z0-9]*. Add test cases using the descriptor example algorithms: a full-length sha512 digest and multihash+base58. Signed-off-by: Seonghyun Hong <s3onghyun.hong@gmail.com> --------- Signed-off-by: Seonghyun Hong <s3onghyun.hong@gmail.com>
2026-06-29 17:41:13 +00:00 · 2026-06-20 18:55:40 +09:00
parent 313aacedd3
commit 9f89960cf2
2 changed files with 36 additions and 1 deletions
--- a/api/internal/image/image.go
+++ b/api/internal/image/image.go
@@ -14,7 +14,14 @@ func IsImageMatched(s, t string) bool {
 	// Tag values are limited to [a-zA-Z0-9_.{}-].
 	// Some tools like Bazel rules_k8s allow tag patterns with {} characters.
 	// More info: https://github.com/bazelbuild/rules_k8s/pull/423
-	pattern, _ := regexp.Compile("^" + t + "(:[a-zA-Z0-9_.{}-]*)?(@sha256:[a-zA-Z0-9_.{}-]*)?$")
+	//
+	// The digest algorithm is matched following the OCI grammar
+	// (algorithm-component separated by one of [+._-], e.g. sha256, sha512,
+	// multihash+base58) rather than hard-coded to sha256, so that references
+	// using any OCI-valid digest algorithm match consistently with Split,
+	// which accepts any algorithm.
+	// See https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests
+	pattern, _ := regexp.Compile("^" + t + "(:[a-zA-Z0-9_.{}-]*)?(@[a-zA-Z0-9]+([.+_-][a-zA-Z0-9]+)*:[a-zA-Z0-9_.{}-]*)?$")
 	return pattern.MatchString(s)
 }

--- a/api/internal/image/image_test.go
+++ b/api/internal/image/image_test.go
@@ -41,6 +41,34 @@ func TestIsImageMatched(t *testing.T) {
 			name:      "nginx",
 			isMatched: true,
 		},
+		{
+			testName:  "name is match with non-sha256 digest",
+			value:     "nginx@sha512:xyz",
+			name:      "nginx",
+			isMatched: true,
+		},
+		{
+			testName:  "name is match with tag and non-sha256 digest",
+			value:     "nginx:12345@sha512:xyz",
+			name:      "nginx",
+			isMatched: true,
+		},
+		{
+			// Registered SHA-512 algorithm with a full-length digest, as in
+			// the OCI image-spec descriptor examples.
+			testName:  "name is match with full sha512 digest",
+			value:     "nginx@sha512:cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
+			name:      "nginx",
+			isMatched: true,
+		},
+		{
+			// Unregistered but OCI-valid algorithm with a separator (+), from
+			// the descriptor example "multihash+base58:Qm...".
+			testName:  "name is match with multihash+base58 digest",
+			value:     "nginx@multihash+base58:QmRZxt2b1FVZPNqd8hsiykDL3TdBDeTSPX9Kv46HmX4Gx8",
+			name:      "nginx",
+			isMatched: true,
+		},
 		{
 			testName:  "name is not a match",
 			value:     "apache:12345",