Preserve original tag when resolving an image tag to digest

Signed-off-by: Yuto Iso <[email protected]>

Author: 0xiso

pkg/webhook/validator.go

@@ -1078,7 +1078,12 @@ func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt
 					logging.FromContext(ctx).Debugf("Unable to resolve digest %q: %v", ref.String(), err)
 					continue
 				}
-				cs[i].Image = digest.String()
+				// Keep the original tag and append the digest
+				if tagRef, ok := ref.(name.Tag); ok {
+					cs[i].Image = fmt.Sprintf("%s@%s", tagRef.Name(), digest.DigestStr())
+				} else {
+					cs[i].Image = digest.String()
+				}
 			}
 		}
 	}
@@ -1102,7 +1107,12 @@ func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.PodSpec, opt
 					logging.FromContext(ctx).Debugf("Unable to resolve digest %q: %v", ref.String(), err)
 					continue
 				}
-				cs[i].Image = digest.String()
+				// Keep the original tag and append the digest
+				if tagRef, ok := ref.(name.Tag); ok {
+					cs[i].Image = fmt.Sprintf("%s@%s", tagRef.Name(), digest.DigestStr())
+				} else {
+					cs[i].Image = digest.String()
+				}
 			}
 		}
 	}

pkg/webhook/validator_test.go

@@ -136,6 +136,9 @@ func TestValidatePodSpec(t *testing.T) {
 	// Resolved via crane digest on 2022/09/29
 	digestNewer := name.MustParseReference("gcr.io/distroless/static:nonroot@sha256:2a9e2b4fa771d31fe3346a873be845bfc2159695b9f90ca08e950497006ccc2e")
 
+	// Digest only reference (without tag)
+	digestOnly := name.MustParseReference("gcr.io/distroless/static@sha256:be5d77c62dbe7fedfb0a4e5ec2f91078080800ab1f18358e5f31fcc8faa023c4")
+
 	ctx, _ := rtesting.SetupFakeContext(t)
 
 	// Non-existent URL for testing complete failure
@@ -681,6 +684,38 @@ func TestValidatePodSpec(t *testing.T) {
 			},
 		),
 		cvs: authorityPublicKeyCVS,
+	}, {
+		name: "digest only",
+		ps: &corev1.PodSpec{
+			Containers: []corev1.Container{{
+				Name:  "user-container",
+				Image: digestOnly.String(),
+			}},
+		},
+		customContext: config.ToContext(context.Background(),
+			&config.Config{
+				ImagePolicyConfig: &config.ImagePolicyConfig{
+					Policies: map[string]webhookcip.ClusterImagePolicy{
+						"cluster-image-policy": {
+							Images: []v1alpha1.ImagePattern{{
+								Glob: "gcr.io/*/*",
+							}},
+							Authorities: []webhookcip.Authority{
+								{
+									Key: &webhookcip.KeyRef{
+										Data:              authorityKeyCosignPubString,
+										PublicKeys:        []crypto.PublicKey{authorityKeyCosignPub},
+										HashAlgorithm:     signaturealgo.DefaultSignatureAlgorithm,
+										HashAlgorithmCode: crypto.SHA256,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		),
+		cvs: pass,
 	}}
 
 	for _, test := range tests {