OCPBUGS-32158: Add CEL validation for RegistrySources in Image API

[muraee]

HyperShift embeds Image config API directly, so any webhook validation will not be triggered.
This adds CEL validation to the CRD directly to mitigate that.

ref: https://issues.redhat.com/browse/OCPBUGS-32158

[openshift-ci-robot]

@muraee: This pull request references Jira Issue OCPBUGS-32158, which is invalid:

• expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

HyperShift embeds Image config API directly, so any webhook validation will not be triggered.
This adds CEL validation to the CRD directly to mitigate that.

ref: https://issues.redhat.com/browse/OCPBUGS-32158

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Hello @muraee! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[muraee]

/jira refresh

[openshift-ci-robot]

@muraee: This pull request references Jira Issue OCPBUGS-32158, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[muraee]

/retest-required

[csrwng]

/lgtm

[muraee]

cc @deads2k

[flavianmissi]

looks good to me from a registry perspective 👍🏼

[muraee]

cc @JoelSpeed @deads2k could take a look please.

[JoelSpeed]

Can you please link to where this is validated in a webhook for core OCP?

When was this CRD introduced into HyperShift, could there be existing resources that become broken by the addition of this CEL?

[JoelSpeed]

Some code generation issues here as well, will need to rerun the CRD generation

[muraee]

@JoelSpeed not sure where/if the webhook exist, I was just saying, if it exists then it won't run for Hypershift.

This is validated in the MCO code directly, see:
https://github.com/openshift/machine-config-operator/blob/eeea7495bc40d0f73dd9c2ba030e678ec598d8b1/pkg/controller/container-runtime-config/helpers.go#L504-L506

and its also mentioned on the field description

api/config/v1/types_image.go

Line 178 in 85dc560

// Only one of BlockedRegistries or AllowedRegistries may be set.

[muraee]

@JoelSpeed can we process with this PR, or do you want to use the Ratcheting validation you mentioned instead?

[JoelSpeed]

This validation should ratchet already, what I'd like to see is a test case added that shows this. Check the tests folder readme on how to set up a ratcheting validation integration test for this. #2142 also provides some examples of adding ratcheting tests

[muraee]

@JoelSpeed I added some tests, and adjusted the CEL to make the fields mutually exclusive, as self.blockedRegistries.size() == 0 || self.allowedRegistries.size() == 0 allowed both fields to be set and made at least one of them required, whereas it's allowed for both to be empty.

[JoelSpeed]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng, JoelSpeed, muraee

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD ead8ee7 and 2 for PR HEAD 79fcfda in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD cfbda0b and 1 for PR HEAD 79fcfda in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 744790f and 2 for PR HEAD 79fcfda in total

[muraee]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 744790f and 2 for PR HEAD 79fcfda in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 744790f and 2 for PR HEAD 79fcfda in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 744790f and 2 for PR HEAD 79fcfda in total

[openshift-ci]

@muraee: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-upgrade-minor	ad2927a	link	true	/test e2e-upgrade-minor

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[muraee]

/retest-required

[openshift-ci-robot]

@muraee: Jira Issue OCPBUGS-32158: All pull requests linked via external trackers have merged:

• openshift/api#1859

Jira Issue OCPBUGS-32158 has been moved to the MODIFIED state.

In response to this:

HyperShift embeds Image config API directly, so any webhook validation will not be triggered.
This adds CEL validation to the CRD directly to mitigate that.

ref: https://issues.redhat.com/browse/OCPBUGS-32158

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-config-api
This PR has been included in build ose-cluster-config-api-container-v4.19.0-202502242108.p0.g544b3ca.assembly.stream.el9.
All builds following this will include this PR.

[muraee]

/cherry-pick release-4.18

[openshift-cherrypick-robot]

@muraee: new pull request created: #2218

In response to this:

/cherry-pick release-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.