wmedvede commented on code in PR #535: URL: https://github.com/apache/incubator-kie-kogito-serverless-operator/pull/535#discussion_r1799193334
########## internal/controller/validation/image_validator.go: ########## @@ -0,0 +1,169 @@ +// Copyright 2024 Apache Software Foundation (ASF) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "archive/tar" + "context" + "crypto/tls" + "fmt" + "io" + "net/http" + "regexp" + + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/serverlessworkflow/sdk-go/v2/model" + + operatorapi "github.com/apache/incubator-kie-kogito-serverless-operator/api/v1alpha08" + "github.com/google/go-cmp/cmp" + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "k8s.io/apimachinery/pkg/util/yaml" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +type imageValidator struct{} + +var workflowPathRegex = regexp.MustCompile(`^deployments/app/[^/]+\.sw\.(json|yaml)$`) + +func (v *imageValidator) Validate(ctx context.Context, client client.Client, sonataflow *operatorapi.SonataFlow, req ctrl.Request) error { + equals, err := validateImage(ctx, sonataflow) + if err != nil { + return err + } + if !equals { + return fmt.Errorf("Workflow, defined in the image %s doesn't match deployment workflow", sonataflow.Spec.PodTemplate.Container.Image) + } + return nil +} + +func NewImageValidator() Validator { + return &imageValidator{} +} + +func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) { + isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image) Review Comment: Do this check mean that we are trying to cover the scenario where the operator is executing in kind? If true, do we need an equivalent verification when installed in minikube? (considering that most of our examples executes in minikube) ########## internal/controller/sonataflow_controller.go: ########## @@ -98,6 +100,11 @@ func (r *SonataFlowReconciler) Reconcile(ctx context.Context, req ctrl.Request) return ctrl.Result{}, err } + if err := r.Validate(ctx, workflow, req); err != nil { + klog.V(log.E).ErrorS(err, "Failed to validate SonataFlow") + return reconcile.Result{}, nil Review Comment: If we have the err, I think it makes sense to return it? ########## internal/controller/validation/image_validator.go: ########## @@ -0,0 +1,169 @@ +// Copyright 2024 Apache Software Foundation (ASF) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "archive/tar" + "context" + "crypto/tls" + "fmt" + "io" + "net/http" + "regexp" + + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/serverlessworkflow/sdk-go/v2/model" + + operatorapi "github.com/apache/incubator-kie-kogito-serverless-operator/api/v1alpha08" + "github.com/google/go-cmp/cmp" + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "k8s.io/apimachinery/pkg/util/yaml" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +type imageValidator struct{} + +var workflowPathRegex = regexp.MustCompile(`^deployments/app/[^/]+\.sw\.(json|yaml)$`) + +func (v *imageValidator) Validate(ctx context.Context, client client.Client, sonataflow *operatorapi.SonataFlow, req ctrl.Request) error { + equals, err := validateImage(ctx, sonataflow) + if err != nil { + return err + } + if !equals { + return fmt.Errorf("Workflow, defined in the image %s doesn't match deployment workflow", sonataflow.Spec.PodTemplate.Container.Image) + } + return nil +} + +func NewImageValidator() Validator { + return &imageValidator{} +} + +func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) { + isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image) + if err != nil { + return false, err + } + + var ref v1.Image + if isInKindRegistry { + ref, err = kindRegistryImage(sonataflow) + } else { + ref, err = remoteImage(sonataflow) Review Comment: So here we get the remoteImage from Docker registry. Did you guys @treblereel @jakubschwan verify that this code executes well when the image is read form Quay.io ? I think it's worth verify it works too. ########## internal/controller/validation/validator.go: ########## @@ -0,0 +1,42 @@ +// Copyright 2024 Apache Software Foundation (ASF) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "context" + + operatorapi "github.com/apache/incubator-kie-kogito-serverless-operator/api/v1alpha08" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var validators = []Validator{NewImageValidator()} + +type Validator interface { + Validate(ctx context.Context, client client.Client, sonataflow *operatorapi.SonataFlow, req ctrl.Request) error +} + +// validate the SonataFlow object, right now it's only check if workflow is in deployment has image declared as that image Review Comment: function documentation nitpick, should be Validate ########## internal/controller/validation/common.go: ########## @@ -0,0 +1,117 @@ +// Copyright 2024 Apache Software Foundation (ASF) Review Comment: License header not good, see the last PR we sent with license nitpicks please. ########## internal/controller/validation/image_validator.go: ########## @@ -0,0 +1,169 @@ +// Copyright 2024 Apache Software Foundation (ASF) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "archive/tar" + "context" + "crypto/tls" + "fmt" + "io" + "net/http" + "regexp" + + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/serverlessworkflow/sdk-go/v2/model" + + operatorapi "github.com/apache/incubator-kie-kogito-serverless-operator/api/v1alpha08" + "github.com/google/go-cmp/cmp" + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "k8s.io/apimachinery/pkg/util/yaml" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +type imageValidator struct{} + +var workflowPathRegex = regexp.MustCompile(`^deployments/app/[^/]+\.sw\.(json|yaml)$`) + +func (v *imageValidator) Validate(ctx context.Context, client client.Client, sonataflow *operatorapi.SonataFlow, req ctrl.Request) error { + equals, err := validateImage(ctx, sonataflow) + if err != nil { + return err + } + if !equals { + return fmt.Errorf("Workflow, defined in the image %s doesn't match deployment workflow", sonataflow.Spec.PodTemplate.Container.Image) Review Comment: If think that to include the workflow name in the error message can help future debugging and error tracking. ########## internal/controller/validation/image_validator.go: ########## @@ -0,0 +1,169 @@ +// Copyright 2024 Apache Software Foundation (ASF) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "archive/tar" + "context" + "crypto/tls" + "fmt" + "io" + "net/http" + "regexp" + + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/serverlessworkflow/sdk-go/v2/model" + + operatorapi "github.com/apache/incubator-kie-kogito-serverless-operator/api/v1alpha08" + "github.com/google/go-cmp/cmp" + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "k8s.io/apimachinery/pkg/util/yaml" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +type imageValidator struct{} + +var workflowPathRegex = regexp.MustCompile(`^deployments/app/[^/]+\.sw\.(json|yaml)$`) + +func (v *imageValidator) Validate(ctx context.Context, client client.Client, sonataflow *operatorapi.SonataFlow, req ctrl.Request) error { + equals, err := validateImage(ctx, sonataflow) + if err != nil { + return err + } + if !equals { + return fmt.Errorf("Workflow, defined in the image %s doesn't match deployment workflow", sonataflow.Spec.PodTemplate.Container.Image) + } + return nil +} + +func NewImageValidator() Validator { + return &imageValidator{} +} + +func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) { + isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image) + if err != nil { + return false, err + } + + var ref v1.Image + if isInKindRegistry { + ref, err = kindRegistryImage(sonataflow) + } else { + ref, err = remoteImage(sonataflow) + } + + if err != nil { + return false, err + } + + reader, err := readWorkflowSpecLayer(ref) + if err != nil { + return false, err + } + + workflowDockerImage, err := workflowSpecFromDockerImage(reader) + if err != nil { + return false, err + } + + return cmp.Equal(workflowDockerImage, sonataflow.Spec.Flow, cmpopts.IgnoreUnexported(model.Transition{})), nil +} + +func remoteImage(sonataflow *operatorapi.SonataFlow) (v1.Image, error) { + imageRef, err := name.ParseReference(sonataflow.Spec.PodTemplate.Container.Image) + if err != nil { + return nil, err + } + + ref, err := remote.Image(imageRef) + if err != nil { + return nil, err + } + return ref, nil +} + +func kindRegistryImage(sonataflow *operatorapi.SonataFlow) (v1.Image, error) { + transportOptions := []remote.Option{ + remote.WithTransport(&http.Transport{ + Proxy: http.ProxyFromEnvironment, + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + }), + } + + imageRef, err := name.ParseReference(sonataflow.Spec.PodTemplate.Container.Image, name.Insecure) + if err != nil { + return nil, err + } + + ref, err := remote.Image(imageRef, transportOptions...) + if err != nil { + return nil, err + } + return ref, nil +} + +func readWorkflowSpecLayer(image v1.Image) (*tar.Reader, error) { + layers, err := image.Layers() + if err != nil { + return nil, err + } + + for i := len(layers) - 1; i >= 0; i-- { + if reader, err := findWorkflowSpecLayer(layers[i]); err == nil && reader != nil { + return reader, nil + } else if err != nil { + return nil, err + } + } + return nil, fmt.Errorf("Workflow definition was not found in the Docker image") Review Comment: same here, the image reference as part of the error might help debugging/error tracing. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
