Fix digest-pinned image references being truncated by FromString #3146

Open
carloscastrojumo wants to merge 2 commits into DataDog:main from carloscastrojumo:fix-image-digest-parsing

@carloscastrojumo

Contributor

What does this PR do?

Fixes parsing of digest-pinned image references in pkg/images. Since v1.26.0, FromString splits the last image path component on every colon and keeps only the first two parts, so an override such as

override:
  clusterAgent:
    image:
      name: "eu.gcr.io/datadoghq/cluster-agent:7.80.0@sha256:55504934ebb295875d09c551e9f4e9f0e8540d1c274cde643a04c26dcb3b1a8a"

loses the digest hex and is rendered into pods as eu.gcr.io/datadoghq/cluster-agent:7.80.0@sha256, which is not a valid image reference. The cluster agent, cluster checks runners, and any rescheduled node agent pods then fail with InvalidImageName.

This change splits the digest off before the tag is parsed, carries it through Image and ToString, and makes an override of the image identity (name or tag) replace any previous digest instead of carrying a stale one over. Digest-only references (registry/name@sha256:...) now parse correctly too.

Motivation

We pin agent images by digest. Upgrading the operator from 1.23.1 to 1.27.1 broke every cluster that applied the upgrade: the regression came in with the tag suffix parsing rewrite in #2605 (first released in v1.26.0). Before that, the parser split on the first colon only, so tag plus digest references survived. Backports to v1.27 and v1.28 would be appreciated.

Additional Notes

None.

Minimum Agent Versions

No minimum Agent or Cluster Agent version changes.

  • Agent: N/A
  • Cluster Agent: N/A

Describe your test plan

Added unit tests covering digest parsing in Test_FromString, Test_ToString, Test_OverrideAgentImage (including the production repro and digest clearing on tag override) and Test_AssembleImage.

  • go test ./pkg/images/...
  • go test ./internal/controller/datadogagent/override/... ./internal/controller/datadogagent/global/...

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jun 15, 2026

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

pull request linter | build

🔗 Commit SHA: b74d899

FromString split the last image path component on every colon and kept
only the first two parts, so a reference like
registry/name:tag@sha256:digest lost the digest hex and was rendered as
the invalid registry/name:tag@sha256, and pods failed with
InvalidImageName. Split the digest off before parsing the tag, carry it
through Image and ToString, and make overrides of the image identity
replace any previous digest instead of carrying it over. Regression
introduced in DataDog#2605.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8b6c913d78

Comment thread pkg/images/images.go
splitImg := strings.Split(stringImage, "/")
// A digest contains ":" itself (e.g. "@sha256:abc..."), so it must be split off before
// the name is parsed for a tag
imageRef, digest, _ := strings.Cut(stringImage, "@")
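
Review bot: The found flag from strings.Cut is discarded on the `imageRef, digest, _ := strings.Cut(stringImage, "@")` line, so a reference that ends in a bare "@" is treated the same as one with no digest, and a digest without the algorithm:hex shape is carried forward unchecked. Keep the third return value and handle the case where it is true but digest is empty or contains no ":", so a malformed pin is caught at parse time instead of surfacing later as an invalid image name on the pod.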

P2: Use digest-aware parsing for version gates

This split fixes FromString, but digest-pinned overrides are now rendered successfully while the version-gating path still parses them with common.GetAgentVersionFromImage (internal/controller/datadogagent/common/utils.go:118) -> utils.GetTagFromImageName (pkg/utils/utils.go:20), which splits on the last colon. For an override like agent:7.64.0@sha256:..., feature gates such as service discovery (internal/controller/datadogagent/feature/servicediscovery/feature.go:81) see the digest hex instead of 7.64.0; because those checks use an “unknown means latest” fallback, they can enable features for an old pinned Agent. Please strip the digest in the shared version parser as well.

@carloscastrojumo carloscastrojumo force-pushed the fix-image-digest-parsing branch from 8b6c913 to f5fc14a Compare June 15, 2026 21:37
GetTagFromImageName split on the last colon, so a digest-pinned image
such as agent:7.64.0@sha256:... returned the digest hex instead of
7.64.0. Version-gated features (e.g. service discovery auto-enable) then
compared against the hex and fell back to "latest", which could enable
features for an older pinned Agent. Strip the digest before splitting,
mirroring the FromString fix.
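
The two failure modes described in this thread (the FromString truncation and the last-colon tag lookup) next to a digest-first parse, as an added Go example that is not the operator's code. The `Ref` type, the function names and the sample reference are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Ref is a hypothetical parsed reference, not the operator's Image type.
type Ref struct{ Name, Tag, Digest string }

// truncatingParse reproduces the regression as described: split the last path
// component on every colon and keep only the first two parts.
func truncatingParse(s string) string {
	i := strings.LastIndex(s, "/")
	parts := strings.Split(s[i+1:], ":")
	if len(parts) > 2 {
		parts = parts[:2]
	}
	return s[:i+1] + strings.Join(parts, ":")
}

// lastColonTag is the version-gate failure mode: everything after the last
// colon, which is the digest hex when the reference is digest-pinned.
func lastColonTag(s string) string { return s[strings.LastIndex(s, ":")+1:] }

// parseRef splits the digest off first, then accepts a tag only in the last
// path component so a registry port ("host:5000/...") is not read as a tag.
func parseRef(s string) (Ref, error) {
	rest, digest, found := strings.Cut(s, "@")
	if found {
		algo, hex, ok := strings.Cut(digest, ":")
		if !ok || algo == "" || hex == "" {
			return Ref{}, fmt.Errorf("malformed digest in %q", s)
		}
	}
	r := Ref{Name: rest, Digest: digest}
	if i := strings.LastIndex(rest, ":"); i > strings.LastIndex(rest, "/") {
		r.Name, r.Tag = rest[:i], rest[i+1:]
	}
	return r, nil
}

func main() {
	// Constructed sample with a placeholder digest, not a real image.
	const img = "registry.example:5000/agent:7.64.0@sha256:0123abcd"
	r, err := parseRef(img)
	fmt.Println(truncatingParse(img), lastColonTag(img), r.Tag, r.Digest, err)
}
```
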
@davidxia

Thanks, this is affecting me as well. Looking forward to the release of this fix.
