treblereel commented on code in PR #535: URL: https://github.com/apache/incubator-kie-kogito-serverless-operator/pull/535#discussion_r1801894768
########## internal/controller/validation/image_validator.go: ########## @@ -0,0 +1,169 @@ +// Copyright 2024 Apache Software Foundation (ASF) +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "archive/tar" + "context" + "crypto/tls" + "fmt" + "io" + "net/http" + "regexp" + + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/serverlessworkflow/sdk-go/v2/model" + + operatorapi "github.com/apache/incubator-kie-kogito-serverless-operator/api/v1alpha08" + "github.com/google/go-cmp/cmp" + "github.com/google/go-containerregistry/pkg/name" + v1 "github.com/google/go-containerregistry/pkg/v1" + "github.com/google/go-containerregistry/pkg/v1/remote" + "k8s.io/apimachinery/pkg/util/yaml" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +type imageValidator struct{} + +var workflowPathRegex = regexp.MustCompile(`^deployments/app/[^/]+\.sw\.(json|yaml)$`) + +func (v *imageValidator) Validate(ctx context.Context, client client.Client, sonataflow *operatorapi.SonataFlow, req ctrl.Request) error { + equals, err := validateImage(ctx, sonataflow) + if err != nil { + return err + } + if !equals { + return fmt.Errorf("Workflow, defined in the image %s doesn't match deployment workflow", sonataflow.Spec.PodTemplate.Container.Image) + } + return nil +} + +func NewImageValidator() Validator { + return &imageValidator{} +} + +func validateImage(ctx context.Context, sonataflow *operatorapi.SonataFlow) (bool, error) { + isInKindRegistry, _, err := imageStoredInKindRegistry(ctx, sonataflow.Spec.PodTemplate.Container.Image) + if err != nil { + return false, err + } + + var ref v1.Image + if isInKindRegistry { + ref, err = kindRegistryImage(sonataflow) + } else { + ref, err = remoteImage(sonataflow) Review Comment: @wmedvede @ricardozanini The whole point of the `isInKindRegistry` check is to determine whether the image is in the `kind-registry` or not. As far as I understand, this only makes sense for tests and only in the case where the 'data.localRegistryHosting.v1.hostFromClusterNetwork' flag is set in the `ConfigMap`. Kind-registry is insecure. Overall, I don't like the idea of adding checks to the production code just to simplify testing (I'd prefer to remove this check), but the strategy for fetching an image from a secure and insecure registry is different One option would be to add certificates (self-signed ones are not suitable) to make the `kind-registry` secure This does not interfere with `minikube` because we don't use `kind-registry` in it For testing, I use this image from Docker: `docker.io/treblereel/sonataflow-workflow-demo:latest`. I don't think there should be any issues with quay.io, but I will check further -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
