
Commit 5cc319e

committed
Add CEL validation for RegistrySources in Image API
1 parent afdfbaf commit 5cc319e

12 files changed

+142
-0
lines changed

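--- a/config/v1/tests/images.config.openshift.io/AAA_ungated.yaml
+++ b/config/v1/tests/images.config.openshift.io/AAA_ungated.yaml
@@ -12,3 +12,93 @@ tests:
 apiVersion: config.openshift.io/v1
 kind: Image
 spec: {}
+onUpdate:
+- name: Should allow updating other fields with an invalid persisted registrySources in spec
+initialCRDPatches:
+- op: remove
+path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/registrySources/x-kubernetes-validations
+initial: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+blockedRegistries: ["test"]
+allowedRegistries: ["test"]
+updated: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+# imageStreamImportMode: Legacy
+externalRegistryHostnames: ["test"]
+registrySources:
+blockedRegistries: ["test"]
+allowedRegistries: ["test"]
+expected: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+# imageStreamImportMode: Legacy
+externalRegistryHostnames: ["test"]
+registrySources:
+blockedRegistries: ["test"]
+allowedRegistries: ["test"]
+- name: Should allow removing one of blockedRegistries or allowedRegistries with an invalid persisted registrySources in spec
+initialCRDPatches:
+- op: remove
+path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/registrySources/x-kubernetes-validations
+initial: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+blockedRegistries: ["test"]
+allowedRegistries: ["test"]
+updated: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+allowedRegistries: ["test"]
+expected: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+allowedRegistries: ["test"]
+- name: Should not allow adding another slice entry with an invalid persisted registrySources in spec
+initialCRDPatches:
+- op: remove
+path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/registrySources/x-kubernetes-validations
+initial: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+blockedRegistries: ["test"]
+allowedRegistries: ["test"]
+updated: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+blockedRegistries: ["test", "test2"]
+allowedRegistries: ["test"]
+expectedError: 'Only one of BlockedRegistries or AllowedRegistries may be set'
+- name: Should not allow adding blockedRegistries field when a valid registrySources with allowedRegistries is persisted in spec
+initialCRDPatches:
+- op: remove
+path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/registrySources/x-kubernetes-validations
+initial: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+allowedRegistries: ["test"]
+updated: |
+apiVersion: config.openshift.io/v1
+kind: Image
+spec:
+registrySources:
+allowedRegistries: ["test"]
+blockedRegistries: ["test"]
+expectedError: 'Only one of BlockedRegistries or AllowedRegistries may be set'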
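Review bot: The added `onUpdate` cases only exercise ratcheting against an object that is already persisted; nothing in this hunk checks the rule on create, which is where a new conflicting registry policy would first be submitted. Unless that is covered in the lines above the hunk, add `onCreate` cases that reject an Image with both lists set and accept one with a single list. The last case also removes the validation through `initialCRDPatches` although its initial object is already valid, so that patch looks unnecessary, and the commented-out `# imageStreamImportMode: Legacy` lines in the first case read like leftovers.

```yaml
# proposed extra cases for the existing onCreate list (outside this hunk)
- name: Should reject registrySources with both blockedRegistries and allowedRegistries set
  initial: |
    apiVersion: config.openshift.io/v1
    kind: Image
    spec:
      registrySources:
        blockedRegistries: ["test"]
        allowedRegistries: ["test"]
  expectedError: 'Only one of BlockedRegistries or AllowedRegistries may be set'
- name: Should accept registrySources with only allowedRegistries set
  initial: |
    apiVersion: config.openshift.io/v1
    kind: Image
    spec:
      registrySources:
        allowedRegistries: ["test"]
  expected: |
    apiVersion: config.openshift.io/v1
    kind: Image
    spec:
      registrySources:
        allowedRegistries: ["test"]
```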

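--- a/config/v1/types_image.go
+++ b/config/v1/types_image.go
@@ -161,6 +161,8 @@ type RegistryLocation struct {
 }
 
 // RegistrySources holds cluster-wide information about how to handle the registries config.
+//
+// +kubebuilder:validation:XValidation:rule="has(self.blockedRegistries) ? !has(self.allowedRegistries) : true",message="Only one of BlockedRegistries or AllowedRegistries may be set"
 type RegistrySources struct {
 // insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
 // +optional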
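Review bot: The new rule on `RegistrySources` tests presence with `has()`, and in CEL a list that is present but empty still counts as set, so `blockedRegistries: []` next to a populated `allowedRegistries` would be rejected even though nothing is blocked. If that is not the intent, compare sizes instead, e.g. `rule="!(has(self.blockedRegistries) && self.blockedRegistries.size() > 0 && has(self.allowedRegistries) && self.allowedRegistries.size() > 0)"`; if it is the intent, the doc comment above the marker should state that an empty list counts as set. The message also names the Go fields, while API users write the serialized names used in the rule itself, so `message="Only one of blockedRegistries or allowedRegistries may be set"` would be clearer in a rejection; the `expectedError` strings in the test file would have to change with it. The struct body continues outside the hunk.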

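--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not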

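--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-Default.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-Default.crd.yaml
@@ -146,6 +146,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not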

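--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not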

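--- a/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml
+++ b/config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not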

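--- a/config/v1/zz_generated.featuregated-crd-manifests/images.config.openshift.io/AAA_ungated.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/images.config.openshift.io/AAA_ungated.yaml
@@ -146,6 +146,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not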

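--- a/config/v1/zz_generated.featuregated-crd-manifests/images.config.openshift.io/ImageStreamImportMode.yaml
+++ b/config/v1/zz_generated.featuregated-crd-manifests/images.config.openshift.io/ImageStreamImportMode.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not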

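--- a/payload-manifests/crds/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_images-CustomNoUpgrade.crd.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not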

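--- a/payload-manifests/crds/0000_10_config-operator_01_images-Default.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_images-Default.crd.yaml
@@ -146,6 +146,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not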

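--- a/payload-manifests/crds/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_images-DevPreviewNoUpgrade.crd.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not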

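--- a/payload-manifests/crds/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_10_config-operator_01_images-TechPreviewNoUpgrade.crd.yaml
@@ -164,6 +164,11 @@ spec:
 type: array
 x-kubernetes-list-type: atomic
 type: object
+x-kubernetes-validations:
+- message: Only one of BlockedRegistries or AllowedRegistries may
+be set
+rule: 'has(self.blockedRegistries) ? !has(self.allowedRegistries)
+: true'
 type: object
 status:
 description: status holds observed values from the cluster. They may not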
