test: Fix image credential pulls test for CRI-O digest handling

This commit fixes the image credential pulls test by ensuring GetImageRef and PullImage return the same digest reference format for credential validation. The test was failing because: 1. PullImage returns a digest reference (e.g., localhost:5000/pause@sha256:abc...) 2. Pull records were stored under this digest 3. GetImageRef returned Image.Id (config hash) instead of a digest reference 4. Credential validation failed due to the lookup mismatch Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2026-02-19 02:38:07 -05:00 · 2025-11-24 09:27:14 +01:00 · 2025-11-24 09:27:14 +01:00 · cb011623c8
commit cb011623c8
parent 4cf195304c
2 changed files with 12 additions and 4 deletions
--- a/pkg/kubelet/kuberuntime/kuberuntime_image.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_image.go
@ -70,7 +70,7 @@ func (m *kubeGenericRuntimeManager) PullImage(ctx context.Context, image kubecon
 	return "", nil, utilerrors.NewAggregate(pullErrs)
 }

-// GetImageRef gets the ID of the image which has already been in
+// GetImageRef gets the reference (digest or ID) of the image which has already been in
 // the local storage. It returns ("", nil) if the image isn't in the local storage.
 func (m *kubeGenericRuntimeManager) GetImageRef(ctx context.Context, image kubecontainer.ImageSpec) (string, error) {
 	logger := klog.FromContext(ctx)
@ -82,6 +82,10 @@ func (m *kubeGenericRuntimeManager) GetImageRef(ctx context.Context, image kubec
 	if resp.Image == nil {
 		return "", nil
 	}
+	// Prefer returning a digest reference over an image ID to ensure pull record lookups work correctly.
+	if len(resp.Image.RepoDigests) > 0 {
+		return resp.Image.RepoDigests[0], nil
+	}
 	return resp.Image.Id, nil
 }

--- a/test/e2e_node/image_credential_pulls.go
+++ b/test/e2e_node/image_credential_pulls.go
@ -21,6 +21,7 @@ import (
 	"path"

 	"github.com/onsi/ginkgo/v2"
+	"github.com/onsi/gomega"

 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -48,8 +49,9 @@ var _ = SIGDescribe("Ensure Credential Pulled Images", func() {
 			_, is, err = getCRIClient()
 			framework.ExpectNoError(err)

-			registryAddress, _, err := e2eregistry.SetupRegistry(ctx, f, true)
+			registryAddress, registryNodeNames, err := e2eregistry.SetupRegistry(ctx, f, true)
 			framework.ExpectNoError(err)
+			gomega.Expect(registryNodeNames).ToNot(gomega.BeEmpty(), "registry should run on at least one node")
 			// this is to wait for the complete removal of all registry pods between tests
 			ginkgo.DeferCleanup(func(ctx context.Context) {
 				f.DeleteNamespace(ctx, f.Namespace.Name)
@ -62,8 +64,10 @@ var _ = SIGDescribe("Ensure Credential Pulled Images", func() {
 			testSecret.GenerateName = f.UniqueName
 			testSecret, err = f.ClientSet.CoreV1().Secrets(f.Namespace.Name).Create(ctx, testSecret, metav1.CreateOptions{})
 			framework.ExpectNoError(err)
-			origPod := e2ecommonnode.ImagePullTest(ctx, f, testImage, v1.PullIfNotPresent, testSecret, "", v1.PodRunning, false)
-			testNode = origPod.Spec.NodeName
+			// Use the registry node for scheduling - in node e2e tests, this is the single test node
+			testNode = registryNodeNames[0]
+			origPod := e2ecommonnode.ImagePullTest(ctx, f, testImage, v1.PullIfNotPresent, testSecret, testNode, v1.PodRunning, false)
+			gomega.Expect(origPod.Spec.NodeName).To(gomega.Equal(testNode), "pod should be scheduled on the expected node")
 		})

 		for _, pullPolicy := range []v1.PullPolicy{v1.PullIfNotPresent, v1.PullNever} {