
Harbor failing on deployment because of image tag not converted to digest

Open senanz opened this issue 1 year ago • 1 comments

I have policy controller installed in the cluster, and I'm trying to deploy a Harbor pod while the CIP mode is set to warn. Please see the error below:

/usr/local/bin/helm install --create-namespace -n ncms harbor1 /opt/bcmt/storage/charts/harbor-2.10.4-ncs24.11.0-1.tgz --set hregistry.credentials.username=harbor_registry_user --set hregistry.credentials.password=ZzBudG5zZXZDYXgtdnA= --set redis.internal.password=Z3EyX2ppeHNjenlSdnA= --set database.internal.password=Z3BNdG1kbS00Z2F0ZHA= --set externalURL=https://harbor-harbor-core.ncms.svc/ --set global.timeZoneEnv=UTC -f /opt/bcmt/config/bcmt-harbor/overwrite-values-install.yml -f /opt/bcmt/config/bcmt-harbor/overwrite-values.yml
W0628 07:10:56.255001 396738 warnings.go:70] annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
Error: INSTALLATION FAILED: 8 errors occurred:

  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.containers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.containers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-core:2.10.2-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.initContainers[1].image invalid value: bcmt-registry:5000/citm/citm-nginx-server:1.24.0-1.4.3-1.0.1-rocky8 must be an image digest: spec.template.spec.containers[0].image, spec.template.spec.initContainers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-core:2.10.2-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.containers[0].image, spec.template.spec.initContainers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.initContainers[0].image invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 must be an image digest: spec.template.spec.containers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/bcmt/harbor-registryctl:2.10.2-v2.8.3-5-ncs24.7.0-rcky-8.10-20240604-1 must be an image digest: spec.template.spec.initContainers[0].image invalid value: bcmt-registry:5000/crdb/crdb-redisio:6.1-2.4742-rocky8 must be an image digest: spec.template.spec.containers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 must be an image digest: spec.template.spec.containers[0].image
  • admission webhook "policy.sigstore.dev" denied the request: validation failed: invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 must be an image digest: spec.template.spec.containers[0].image

However, running the cosign verify command against the failing images above works perfectly, and I see the image is signed.

senanz, Jun 28 '24 07:06
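An added example, not part of the original issue or the policy-controller project: a small Python parser that reduces Helm output like the report above to the unique tag-only image references and the pod-spec fields that carry them, which is the list the webhook wants referenced by digest. The sample input is two of the denial lines quoted in the report; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Two denial lines copied from the report above, used as offline sample input.
SAMPLE = (
    'admission webhook "policy.sigstore.dev" denied the request: validation failed: '
    'invalid value: bcmt-registry:5000/bcmt/harbor-core:2.10.2-5-ncs24.7.0-rcky-8.10-20240604-1 '
    'must be an image digest: spec.template.spec.initContainers[1].image '
    'invalid value: bcmt-registry:5000/citm/citm-nginx-server:1.24.0-1.4.3-1.0.1-rocky8 '
    'must be an image digest: spec.template.spec.containers[0].image, '
    'spec.template.spec.initContainers[0].image\n'
    'admission webhook "policy.sigstore.dev" denied the request: validation failed: '
    'invalid value: bcmt-registry:5000/cbur/cbur-agent:1.2.0-alpine-580 '
    'must be an image digest: spec.template.spec.containers[0].image\n'
)

WEBHOOK = 'admission webhook "policy.sigstore.dev" denied'
# One denial line can carry several "invalid value" clauses; each clause ends
# where the next one starts or at the end of the line.
CLAUSE = re.compile(
    r"invalid value: (\S+) must be an image digest: (.+?)(?= invalid value: |$)"
)
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(helm_output):
    """Map each rejected image reference to the set of fields that use it."""
    found = defaultdict(set)
    for line in helm_output.splitlines():
        if WEBHOOK not in line:
            continue  # skip the helm command line, deprecation warnings, etc.
        for image, fields in CLAUSE.findall(line):
            if DIGEST_REF.search(image):
                continue  # already digest-pinned, so rejected for another reason
            found[image].update(f.strip() for f in fields.split(","))
    return dict(found)


def pin_plan(helm_output):
    """Sorted (image, fields) pairs: the references to replace with digests."""
    return [(img, sorted(f)) for img, f in sorted(unpinned_images(helm_output).items())]


if __name__ == "__main__":
    for image, fields in pin_plan(SAMPLE):
        print(image)
        for field in fields:
            print("    " + field)
```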

I encountered the same issue without using harbor. From what I have seen, it is not planned for this to work at all: #558

lucascherzer, Jul 17 '24 13:07