Merge pull request #53161 from dims/fix-repotags

Automatic merge from submit-queue (batch tested with PRs 52634, 53121, 53161). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Normalize RepoTags before checking for match

**What this PR does / why we need it**:

on projectatomic-based docker, we get "docker.io/library/busybox:latest"
when someone uses an unqualified name like "busybox". Though when we
inspect, the RepoTag will still say "docker.io/busybox:latest", So
we have reparse the tag, normalize it and try again. Please see the
additional test case.

Signed-off-by: Andy Goldstein <andy.goldstein@gmail.com>

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

Fixes #52110

**Special notes for your reviewer**:

**Release note**:

```release-note
Fixes an issue pulling pod specs referencing unqualified images from docker.io on centos/fedora/rhel
```

pkg/kubelet/dockershim/libdocker/helpers.go

@@ -60,6 +60,38 @@ func matchImageTagOrSHA(inspected dockertypes.ImageInspect, image string) bool {
 			// hostname or not, we only check for the suffix match.
 			if strings.HasSuffix(image, tag) || strings.HasSuffix(tag, image) {
 				return true
+			} else {
+				// TODO: We need to remove this hack when project atomic based
+				// docker distro(s) like centos/fedora/rhel image fix problems on
+				// their end.
+				// Say the tag is "docker.io/busybox:latest"
+				// and the image is "docker.io/library/busybox:latest"
+				t, err := dockerref.ParseNormalizedNamed(tag)
+				if err != nil {
+					continue
+				}
+				// the parsed/normalized tag will look like
+				// reference.taggedReference {
+				// 	 namedRepository: reference.repository {
+				// 	   domain: "docker.io",
+				// 	   path: "library/busybox"
+				//	},
+				// 	tag: "latest"
+				// }
+				// If it does not have tags then we bail out
+				t2, ok := t.(dockerref.Tagged)
+				if !ok {
+					continue
+				}
+				// normalized tag would look like "docker.io/library/busybox:latest"
+				// note the library get added in the string
+				normalizedTag := t2.String()
+				if normalizedTag == "" {
+					continue
+				}
+				if strings.HasSuffix(image, normalizedTag) || strings.HasSuffix(normalizedTag, image) {
+					return true
+				}
 			}
 		}
 	}

pkg/kubelet/dockershim/libdocker/helpers_test.go

@@ -101,6 +101,14 @@ func TestMatchImageTagOrSHA(t *testing.T) {
 			Image:  "centos/ruby-23-centos7@sha256:940584acbbfb0347272112d2eb95574625c0c60b4e2fdadb139de5859cf754bf",
 			Output: true,
 		},
+		{
+			Inspected: dockertypes.ImageInspect{
+				ID:       "sha256:9bbdf247c91345f0789c10f50a57e36a667af1189687ad1de88a6243d05a2227",
+				RepoTags: []string{"docker.io/busybox:latest"},
+			},
+			Image:  "docker.io/library/busybox:latest",
+			Output: true,
+		},
 		{
 			// RepoDigest match is is required
 			Inspected: dockertypes.ImageInspect{