Properly handling image references with both tag and digest

[chanseokoh]

We fixed #1481, and Jib no longer fails when both a tag and a digest is given. However, it only enabled parsing it, and I believe it just ends up ignoring the tag part for a base image. For example, if you have jib.from.image=openjdk:latest@sha256:..., it essentially just becomes openjdk@sha256.... We should guard accidental misuse and confusion. At least we should show a warning at a stop-gap, but ideally, we should validate the meaning of references having both a tag and a digest. Even though we fixed #1481, it doesn't provide any new value than previous versions.

We also need to think about correct behavior and messages about the base image reference. I think correct error messages are important, as authentication causes the most friction.

I'm curious how Jib will work and respond if there's an error for a base image, e.g.,

• tag exists but digest doesn't match
• digest exists but tag doesn't

Will they work? If they fail, will the error message make sense and be helpful?

[chanseokoh]

Found these comments.

google/go-containerregistry#540 (comment)
google/go-containerregistry#351 (comment)

For fetching, if the comment about Docker CLI is right, it does seem like a tag is usually ignored and serves as a comment when a digest is present. Haven't tested though. Then, I am no longer sure weather we should even show a warning.

[chanseokoh]

This is a nice and reasonable idea, but as in #2398 (comment), most likely we don't need validation.