Merge pull request #1396 from mythi/PR-2023-020

operator: accept image SHA digests

pkg/apis/deviceplugin/v1/webhook_common.go

@@ -16,15 +16,23 @@ package v1
 
 import (
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/version"
 )
 
+const sha256RE = "@sha256:[0-9a-f]{64}$"
+
 // common functions for webhooks
 
 func validatePluginImage(image, expectedImageName string, expectedMinVersion *version.Version) error {
+	imageRe := regexp.MustCompile(expectedImageName + sha256RE)
+	if imageRe.MatchString(image) {
+		return nil
+	}
+
 	// Ignore registry, vendor and extract the image name with the tag
 	parts := strings.SplitN(filepath.Base(image), ":", 2)
 	if len(parts) != 2 {
@@ -34,13 +42,14 @@ func validatePluginImage(image, expectedImageName string, expectedMinVersion *ve
 	imageName := parts[0]
 	versionStr := parts[1]
 
-	if imageName != expectedImageName {
-		return errors.Errorf("incorrect image name %q. Make sure you use '<vendor>/%s:<version>'", imageName, expectedImageName)
+	// If user provided faulty SHA digest, the image name may include @sha256 suffix so strip it
+	if strings.TrimSuffix(imageName, "@sha256") != expectedImageName {
+		return errors.Errorf("incorrect image name %q. Make sure you use '<vendor>/%s'.", imageName, expectedImageName)
 	}
 
 	ver, err := version.ParseSemantic(versionStr)
 	if err != nil {
-		return errors.Wrapf(err, "unable to parse version %q", versionStr)
+		return errors.Wrapf(err, "unable to parse version %q. Make sure it's either valid SHA digest or semver tag.", versionStr)
 	}
 
 	if !ver.AtLeast(expectedMinVersion) {