c12s-kubespray/roles/download/tasks/set_docker_image_facts.yml

---
- set_fact:
    pull_by_digest: >-
      {%- if download.sha256 is defined and download.sha256 != '' -%}true{%- else -%}false{%- endif -%}      

- set_fact:
    pull_args: >-
      {%- if pull_by_digest|bool %}{{download.repo}}@sha256:{{download.sha256}}{%- else -%}{{download.repo}}:{{download.tag}}{%- endif -%}      

- name: Register docker images info
  shell: "{{ docker_bin_dir }}/docker images -q | xargs {{ docker_bin_dir }}/docker inspect -f {% raw %}'{{.RepoTags}},{{.RepoDigests}}'{% endraw %}"
  register: docker_images_raw
  failed_when: false
  when: not download_always_pull|bool

- set_fact: docker_images="{{docker_images_raw.stdout|regex_replace('\[|\]|\\n]','')|regex_replace('\s',',')}}"
  when: not download_always_pull|bool

- set_fact:
    pull_required: >-
      {%- if pull_args in docker_images.split(',') %}false{%- else -%}true{%- endif -%}      
  when: not download_always_pull|bool

- name: Check the local digest sha256 corresponds to the given image tag
  assert:
    that: "{{download.repo}}:{{download.tag}} in docker_images.split(',')"
  when: not download_always_pull|bool and not pull_required|bool and pull_by_digest|bool