From 9f89960cf2c6f59b49db81c78451cbd1320e8624 Mon Sep 17 00:00:00 2001 From: SEONGHYUN HONG Date: Sat, 20 Jun 2026 18:55:40 +0900 Subject: [PATCH] fix: match image digests with any algorithm, not only sha256 (#6167) * fix: match image digests with any algorithm, not only sha256 IsImageMatched hard-coded '@sha256:' in its regex, while Split accepts any digest algorithm. An image pinned with a non-sha256 digest (e.g. nginx@sha512:...) was not matched, so the ImageTagTransformer silently left it unchanged and the user's images: override was ignored. Generalize the digest algorithm in the regex to match what Split accepts. Signed-off-by: Seonghyun Hong * Address review: match OCI digest grammar and test spec example algorithms Broaden the digest-algorithm match to the OCI grammar (algorithm components separated by +._-), so multihash+base58 and other registered/unregistered algorithms match, not just [a-zA-Z][a-zA-Z0-9]*. Add test cases using the descriptor example algorithms: a full-length sha512 digest and multihash+base58. Signed-off-by: Seonghyun Hong --------- Signed-off-by: Seonghyun Hong --- api/internal/image/image.go | 9 ++++++++- api/internal/image/image_test.go | 28 ++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/api/internal/image/image.go b/api/internal/image/image.go index 4a88050b4..da6af527a 100644 --- a/api/internal/image/image.go +++ b/api/internal/image/image.go @@ -14,7 +14,14 @@ func IsImageMatched(s, t string) bool { // Tag values are limited to [a-zA-Z0-9_.{}-]. // Some tools like Bazel rules_k8s allow tag patterns with {} characters. // More info: https://github.com/bazelbuild/rules_k8s/pull/423 - pattern, _ := regexp.Compile("^" + t + "(:[a-zA-Z0-9_.{}-]*)?(@sha256:[a-zA-Z0-9_.{}-]*)?$") + // + // The digest algorithm is matched following the OCI grammar + // (algorithm-component separated by one of [+._-], e.g. sha256, sha512, + // multihash+base58) rather than hard-coded to sha256, so that references + // using any OCI-valid digest algorithm match consistently with Split, + // which accepts any algorithm. + // See https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests + pattern, _ := regexp.Compile("^" + t + "(:[a-zA-Z0-9_.{}-]*)?(@[a-zA-Z0-9]+([.+_-][a-zA-Z0-9]+)*:[a-zA-Z0-9_.{}-]*)?$") return pattern.MatchString(s) } diff --git a/api/internal/image/image_test.go b/api/internal/image/image_test.go index 6d40306f3..334f639f1 100644 --- a/api/internal/image/image_test.go +++ b/api/internal/image/image_test.go @@ -41,6 +41,34 @@ func TestIsImageMatched(t *testing.T) { name: "nginx", isMatched: true, }, + { + testName: "name is match with non-sha256 digest", + value: "nginx@sha512:xyz", + name: "nginx", + isMatched: true, + }, + { + testName: "name is match with tag and non-sha256 digest", + value: "nginx:12345@sha512:xyz", + name: "nginx", + isMatched: true, + }, + { + // Registered SHA-512 algorithm with a full-length digest, as in + // the OCI image-spec descriptor examples. + testName: "name is match with full sha512 digest", + value: "nginx@sha512:cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e", + name: "nginx", + isMatched: true, + }, + { + // Unregistered but OCI-valid algorithm with a separator (+), from + // the descriptor example "multihash+base58:Qm...". + testName: "name is match with multihash+base58 digest", + value: "nginx@multihash+base58:QmRZxt2b1FVZPNqd8hsiykDL3TdBDeTSPX9Kv46HmX4Gx8", + name: "nginx", + isMatched: true, + }, { testName: "name is not a match", value: "apache:12345",