add test to validate container images for MR (#311)

* feat: add test to validate container images, improve ODH compatibility

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: Skip sidecar image check

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: fail if MR is Managed in RHOAI

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: Remove most ODH logic

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: ns reference in fixture

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: generalize pod getters and image verification

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: address review comments

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: add wait for single pod returned

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: mr_namespace constant removal

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: refactoring code

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: address comment and refactor

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* feat: parse related image refs in a fixture

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: typo in fixtue name

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: address review comments

Signed-off-by: lugi0 <lgiorgi@redhat.com>

* fix: address review comments

Signed-off-by: lugi0 <lgiorgi@redhat.com>

---------

Signed-off-by: lugi0 <lgiorgi@redhat.com>
Co-authored-by: Debarati Basu-Nag <dbasunag@redhat.com>

Author: lugi0

tests/model_registry/conftest.py

@@ -1,8 +1,6 @@
 import pytest
-import re
 import schemathesis
 from typing import Generator, Any
-from kubernetes.dynamic.exceptions import ResourceNotFoundError
 from ocp_resources.pod import Pod
 from ocp_resources.secret import Secret
 from ocp_resources.namespace import Namespace
@@ -32,6 +30,7 @@
     MODEL_REGISTRY_DB_SECRET_STR_DATA,
     MODEL_REGISTRY_DB_SECRET_ANNOTATIONS,
 )
+from utilities.constants import Labels
 from tests.model_registry.utils import (
     get_endpoint_from_mr_service,
     get_mr_service_by_label,
@@ -44,6 +43,7 @@
 from semver import Version
 from utilities.infra import get_product_version
 from utilities.operator_utils import get_cluster_service_version, validate_operator_subscription_channel
+from utilities.general import wait_for_pods_by_labels
 
 LOGGER = get_logger(name=__name__)
 
@@ -229,10 +229,12 @@ def updated_dsc_component_state_scope_class(
     request: FixtureRequest, dsc_resource: DataScienceCluster, admin_client: DynamicClient
 ) -> Generator[DataScienceCluster, Any, Any]:
     original_components = dsc_resource.instance.spec.components
-    with ResourceEditor(patches={dsc_resource: {"spec": {"components": request.param["component_patch"]}}}):
-        for component_name in request.param["component_patch"]:
+    component_patch = request.param["component_patch"]
+
+    with ResourceEditor(patches={dsc_resource: {"spec": {"components": component_patch}}}):
+        for component_name in component_patch:
             dsc_resource.wait_for_condition(condition=DscComponents.COMPONENT_MAPPING[component_name], status="True")
-        if request.param["component_patch"].get(DscComponents.MODELREGISTRY):
+        if component_patch.get(DscComponents.MODELREGISTRY):
             namespace = Namespace(
                 name=dsc_resource.instance.spec.components.modelregistry.registriesNamespace, ensure_exists=True
             )
@@ -244,7 +246,7 @@ def updated_dsc_component_state_scope_class(
         )
         yield dsc_resource
 
-    for component_name, value in request.param["component_patch"].items():
+    for component_name, value in component_patch.items():
         LOGGER.info(f"Waiting for component {component_name} to be updated.")
         if original_components[component_name]["managementState"] == DscComponents.ManagementState.MANAGED:
             dsc_resource.wait_for_condition(condition=DscComponents.COMPONENT_MAPPING[component_name], status="True")
@@ -288,15 +290,25 @@ def registered_model(request: FixtureRequest, model_registry_client: ModelRegist
 
 
 @pytest.fixture()
-def model_registry_operator_pod(admin_client: DynamicClient) -> Pod:
-    model_registry_operator_pods = [
-        pod
-        for pod in Pod.get(dyn_client=admin_client, namespace=py_config["applications_namespace"])
-        if re.match(MR_OPERATOR_NAME, pod.name)
-    ]
-    if not model_registry_operator_pods:
-        raise ResourceNotFoundError("Model registry operator pod not found")
-    return model_registry_operator_pods[0]
+def model_registry_operator_pod(admin_client: DynamicClient) -> Generator[Pod, Any, Any]:
+    """Get the model registry operator pod."""
+    yield wait_for_pods_by_labels(
+        admin_client=admin_client,
+        namespace=py_config["applications_namespace"],
+        label_selector=f"{Labels.OpenDataHubIo.NAME}={MR_OPERATOR_NAME}",
+        expected_num_pods=1,
+    )[0]
+
+
+@pytest.fixture()
+def model_registry_instance_pod(admin_client: DynamicClient) -> Generator[Pod, Any, Any]:
+    """Get the model registry instance pod."""
+    yield wait_for_pods_by_labels(
+        admin_client=admin_client,
+        namespace=py_config["model_registry_namespace"],
+        label_selector=f"app={MR_INSTANCE_NAME}",
+        expected_num_pods=1,
+    )[0]
 
 
 @pytest.fixture(scope="package", autouse=True)

tests/model_registry/image_validation/conftest.py

@@ -0,0 +1,11 @@
+import pytest
+from typing import Set
+from kubernetes.dynamic import DynamicClient
+from utilities.operator_utils import get_csv_related_images
+
+
+@pytest.fixture()
+def related_images_refs(admin_client: DynamicClient) -> Set[str]:
+    related_images = get_csv_related_images(admin_client=admin_client)
+    related_images_refs = {img["image"] for img in related_images}
+    return related_images_refs

tests/model_registry/image_validation/test_verify_rhoai_images.py

@@ -0,0 +1,59 @@
+import pytest
+from typing import Self, Set
+from simple_logger.logger import get_logger
+from kubernetes.dynamic import DynamicClient
+from pytest_testconfig import config as py_config
+
+from utilities.constants import DscComponents
+from utilities.general import (
+    validate_container_images,
+)
+from ocp_resources.model_registry import ModelRegistry
+from ocp_resources.pod import Pod
+
+LOGGER = get_logger(name=__name__)
+
+
+@pytest.mark.parametrize(
+    "updated_dsc_component_state_scope_class",
+    [
+        {
+            "component_patch": {
+                DscComponents.MODELREGISTRY: {
+                    "managementState": DscComponents.ManagementState.MANAGED,
+                    "registriesNamespace": py_config["model_registry_namespace"],
+                }
+            }
+        }
+    ],
+    indirect=True,
+)
+@pytest.mark.usefixtures("updated_dsc_component_state_scope_class")
+class TestModelRegistryImages:
+    """
+    Tests to verify that all Model Registry component images (operator and instance container images)
+    meet the requirements:
+    1. Images are hosted in registry.redhat.io
+    2. Images use sha256 digest instead of tags
+    3. Images are listed in the CSV's relatedImages section
+    """
+
+    @pytest.mark.smoke
+    def test_verify_model_registry_images(
+        self: Self,
+        admin_client: DynamicClient,
+        model_registry_instance: ModelRegistry,
+        model_registry_operator_pod: Pod,
+        model_registry_instance_pod: Pod,
+        related_images_refs: Set[str],
+    ):
+        validation_errors = []
+        for pod in [model_registry_operator_pod, model_registry_instance_pod]:
+            validation_errors.extend(
+                validate_container_images(
+                    pod=pod, valid_image_refs=related_images_refs, skip_patterns=["openshift-service-mesh"]
+                )
+            )
+
+        if validation_errors:
+            pytest.fail("\n".join(validation_errors))

utilities/constants.py

@@ -176,6 +176,7 @@ class Notebook:
 
     class OpenDataHubIo:
         MANAGED: str = Annotations.OpenDataHubIo.MANAGED
+        NAME: str = f"component.{ApiGroups.OPENDATAHUB_IO}/name"
 
     class Openshift:
         APP: str = "app"

utilities/general.py

@@ -1,12 +1,21 @@
 import base64
+import re
+from typing import List, Tuple
 
 from kubernetes.dynamic import DynamicClient
+from kubernetes.dynamic.exceptions import ResourceNotFoundError
 from ocp_resources.inference_service import InferenceService
 from ocp_resources.pod import Pod
 from simple_logger.logger import get_logger
 
 import utilities.infra
 from utilities.constants import Annotations, KServeDeploymentType, MODELMESH_SERVING
+from utilities.exceptions import UnexpectedResourceCountError
+from ocp_resources.resource import Resource
+from timeout_sampler import retry
+
+# Constants for image validation
+SHA256_DIGEST_PATTERN = r"@sha256:[a-f0-9]{64}$"
 
 LOGGER = get_logger(name=__name__)
 
@@ -171,3 +180,110 @@ def create_isvc_label_selector_str(isvc: InferenceService, resource_type: str, r
 
     else:
         raise ValueError(f"Unknown deployment mode {deployment_mode}")
+
+
+def get_pod_images(pod: Pod) -> List[str]:
+    """Get all container images from a pod.
+
+    Args:
+        pod: The pod to get images from
+
+    Returns:
+        List of container image strings
+    """
+    return [container.image for container in pod.instance.spec.containers]
+
+
+def validate_image_format(image: str) -> Tuple[bool, str]:
+    """Validate image format according to requirements.
+
+    Args:
+        image: The image string to validate
+
+    Returns:
+        Tuple of (is_valid, error_message)
+    """
+    if not image.startswith(Resource.ApiGroup.IMAGE_REGISTRY):
+        return False, f"Image {image} is not from {Resource.ApiGroup.IMAGE_REGISTRY}"
+
+    if not re.search(SHA256_DIGEST_PATTERN, image):
+        return False, f"Image {image} does not use sha256 digest"
+
+    return True, ""
+
+
+@retry(
+    wait_timeout=60,
+    sleep=5,
+    exceptions_dict={ResourceNotFoundError: [], UnexpectedResourceCountError: []},
+)
+def wait_for_pods_by_labels(
+    admin_client: DynamicClient,
+    namespace: str,
+    label_selector: str,
+    expected_num_pods: int,
+) -> list[Pod]:
+    """
+    Get pods by label selector in a namespace.
+
+    Args:
+        admin_client: The admin client to use for pod retrieval
+        namespace: The namespace to search in
+        label_selector: The label selector to filter pods
+        expected_num_pods: The expected number of pods to be found
+    Returns:
+        List of matching pods
+
+    Raises:
+        ResourceNotFoundError: If no pods are found
+    """
+    pods = list(
+        Pod.get(
+            dyn_client=admin_client,
+            namespace=namespace,
+            label_selector=label_selector,
+        )
+    )
+    if not pods:
+        raise ResourceNotFoundError(f"No pods found with label selector {label_selector} in namespace {namespace}")
+    if len(pods) != expected_num_pods:
+        raise UnexpectedResourceCountError(f"Expected {expected_num_pods} pods, found {len(pods)}")
+    return pods
+
+
+def validate_container_images(
+    pod: Pod,
+    valid_image_refs: set[str],
+    skip_patterns: list[str] | None = None,
+) -> list[str]:
+    """
+    Validate all container images in a pod against a set of valid image references.
+
+    Args:
+        pod: The pod whose images to validate
+        valid_image_refs: Set of valid image references to check against
+        skip_patterns: List of patterns to skip validation for (e.g. ["openshift-service-mesh"])
+
+    Returns:
+        List of validation error messages, empty if all validations pass
+    """
+    validation_errors = []
+    skip_patterns = skip_patterns or []
+
+    pod_images = get_pod_images(pod=pod)
+    for image in pod_images:
+        # Skip images matching any skip patterns
+        if any(pattern in image for pattern in skip_patterns):
+            LOGGER.warning(f"Skipping image {image} as it matches skip patterns")
+            continue
+
+        # Validate image format
+        is_valid, error_msg = validate_image_format(image=image)
+        if not is_valid:
+            validation_errors.append(f"Pod {pod.name} image validation failed: {error_msg}")
+
+        # Check if image is in valid references
+        if image not in valid_image_refs:
+            validation_errors.append(f"Pod {pod.name} image {image} is not in valid image references")
+
+    return validation_errors

utilities/infra.py

@@ -807,7 +807,7 @@ def get_operator_distribution(client: DynamicClient, dsc_name: str = "default-ds
         dsc_name (str): DSC name
 
     Returns:
-        str: Operator distribution.
+        str: Operator distribution. One of Open Data Hub or OpenShift AI.
 
     Raises:
             ValueError: If DSC release name not found

utilities/operator_utils.py

@@ -5,6 +5,10 @@
 from ocp_resources.cluster_service_version import ClusterServiceVersion
 from ocp_resources.subscription import Subscription
 from utilities.exceptions import ResourceMismatchError
+from utilities.infra import get_product_version
+from pytest_testconfig import config as py_config
+
+from typing import List, Dict
 
 LOGGER = get_logger(name=__name__)
 
@@ -46,3 +50,28 @@ def validate_operator_subscription_channel(
             f"For Operator {operator_name}, Subscription points to {subscription_channel}, expected: {channel_name}"
         )
     LOGGER.info(f"Operator {operator_name} subscription channel is {subscription_channel}")
+
+
+def get_csv_related_images(admin_client: DynamicClient, csv_name: str | None = None) -> List[Dict[str, str]]:
+    """Get relatedImages from the CSV.
+
+    Args:
+        admin_client: The kubernetes client
+        csv_name: Optional CSV name. If not provided, will use {operator_name}.{version}
+                 where operator_name is determined by the distribution (rhods-operator for OpenShift AI,
+                 opendatahub-operator for Open Data Hub)
+
+    Returns:
+        List of related images from the CSV
+    """
+
+    if csv_name is None:
+        distribution = py_config["distribution"]
+        operator_name = "opendatahub-operator" if distribution == "upstream" else "rhods-operator"
+        csv_name = f"{operator_name}.{get_product_version(admin_client=admin_client)}"
+
+    return get_cluster_service_version(
+        client=admin_client,
+        prefix=csv_name,
+        namespace=py_config["applications_namespace"],
+    ).instance.spec.relatedImages