Documentation
Overview
Package validation provides image validation for the ToolHive operator, together with helpers that validate OIDC issuer and JWKS URLs, remote MCP server URLs, CA bundle references and Cedar policy syntax before they are used.
Index
- Constants
- Variables
- func ValidateCABundleSource(ref *mcpv1alpha1.CABundleSource) error
- func ValidateCedarPolicies(policies []string) error
- func ValidateJWKSURL(rawURL string) error
- func ValidateOIDCIssuerURL(issuer string, allowInsecure bool) error
- func ValidateRemoteURL(rawURL string) error
- type AlwaysAllowValidator
- type ImageValidation
- type ImageValidator
- type RegistryEnforcingValidator
Constants
const (
	// OIDCCABundleVolumePrefix is the prefix used for OIDC CA bundle volume names.
	// Used by controllerutil/oidc_volumes.go when creating volumes.
	OIDCCABundleVolumePrefix = "oidc-ca-bundle-"

	// OIDCCABundleMountBasePath is the base path where OIDC CA bundle ConfigMaps are mounted.
	// The full mount path is: OIDCCABundleMountBasePath + "/" + configMapName
	// The full file path is: OIDCCABundleMountBasePath + "/" + configMapName + "/" + key
	// Used by both controllerutil/oidc_volumes.go and oidc/resolver.go.
	OIDCCABundleMountBasePath = "/config/certs"

	// OIDCCABundleDefaultKey is the default key name used when not specified in caBundleRef.
	OIDCCABundleDefaultKey = "ca.crt"
)
Variables
var (
	// ErrImageInvalid indicates that the image failed validation for any reason.
	// The wrapped error and message provide specific details about the validation failure.
	// This is the generic error that controllers should check for to handle any validation failure.
	ErrImageInvalid = errors.New("image validation failed")

	// ErrImageNotChecked indicates that no validation was performed on the image.
	ErrImageNotChecked = errors.New("image validation was not performed")
)
Sentinel errors for image validation. Validators wrap them with fmt.Errorf("%w ..."), so check them with errors.Is() rather than by direct comparison. Note that ErrImageNotChecked is a non-nil error that signals "no check was performed", not a failure; a controller that treats every non-nil error as a rejection will refuse all images under the always-allow policy, so test for it explicitly before treating the error as invalid.
Functions
func ValidateCABundleSource added in v0.8.1
func ValidateCABundleSource(ref *mcpv1alpha1.CABundleSource) error
ValidateCABundleSource validates the CABundleSource configuration. It ensures that configMapRef is specified when caBundleRef is provided, and that the ConfigMap name is short enough for the derived volume name (which carries the OIDCCABundleVolumePrefix) to fit the 63-character limit Kubernetes places on volume names. Returns nil if ref is nil (no CA bundle configured).
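As an added example (not the operator's own code), the rules above alongside the volume and mount paths derived from the package constants. It assumes the volume name is OIDCCABundleVolumePrefix followed by the ConfigMap name, that the length limit is the Kubernetes DNS-1123 label limit of 63 characters on volume names, and that caBundleSource is a constructed stand-in for the CRD type. Rejecting ConfigMap names containing '.' (legal for a ConfigMap, illegal in a volume name) is this example's own choice.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
)

// Constants as documented for the package.
const (
	OIDCCABundleVolumePrefix  = "oidc-ca-bundle-"
	OIDCCABundleMountBasePath = "/config/certs"
	OIDCCABundleDefaultKey    = "ca.crt"
)

// Kubernetes volume names must be DNS-1123 labels: at most 63 characters of
// lowercase alphanumerics and '-', starting and ending with an alphanumeric.
const maxDNSLabelLen = 63

var dnsLabelRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// MaxConfigMapNameLen is the longest ConfigMap name that still fits once the
// prefix is added (63 - 15 = 48).
const MaxConfigMapNameLen = maxDNSLabelLen - len(OIDCCABundleVolumePrefix)

var errMissingConfigMapRef = errors.New("caBundleRef.configMapRef is required")

// caBundleSource is a constructed stand-in for the CRD's CABundleSource type.
type caBundleSource struct {
	ConfigMapName string // configMapRef.name
	Key           string // optional; OIDCCABundleDefaultKey when empty
}

// volumeName assumes (example's assumption) the volume is prefix + ConfigMap name.
func volumeName(configMapName string) string {
	return OIDCCABundleVolumePrefix + configMapName
}

// mountPath follows the documented layout OIDCCABundleMountBasePath/configMapName.
func mountPath(configMapName string) string {
	return path.Join(OIDCCABundleMountBasePath, configMapName)
}

// filePath follows the documented layout mountPath/key, defaulting the key.
func filePath(configMapName, key string) string {
	if key == "" {
		key = OIDCCABundleDefaultKey
	}
	return path.Join(mountPath(configMapName), key)
}

// validateCABundleSource applies the documented rules plus a DNS-label check on
// the derived volume name, so a name that is short enough but contains '.'
// is still caught before the Pod spec is rejected by the API server.
func validateCABundleSource(ref *caBundleSource) error {
	if ref == nil {
		return nil // no CA bundle configured
	}
	if ref.ConfigMapName == "" {
		return errMissingConfigMapRef
	}
	if n := len(ref.ConfigMapName); n > MaxConfigMapNameLen {
		return fmt.Errorf("configMap name %q is %d chars, max %d so that volume %q stays within %d",
			ref.ConfigMapName, n, MaxConfigMapNameLen, volumeName(ref.ConfigMapName), maxDNSLabelLen)
	}
	if vn := volumeName(ref.ConfigMapName); !dnsLabelRE.MatchString(vn) {
		return fmt.Errorf("derived volume name %q is not a valid DNS-1123 label", vn)
	}
	return nil
}

func main() {
	ref := &caBundleSource{ConfigMapName: "idp-ca"}
	fmt.Println(validateCABundleSource(ref), volumeName(ref.ConfigMapName), filePath(ref.ConfigMapName, ref.Key))
	fmt.Println(validateCABundleSource(&caBundleSource{ConfigMapName: "idp.ca"}))
}
```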
func ValidateCedarPolicies added in v0.12.2
func ValidateCedarPolicies(policies []string) error
ValidateCedarPolicies validates the syntax of each Cedar policy string in the provided slice. It returns an error for the first policy that fails to parse, or nil if all policies are valid (including when the slice is empty or nil). Only syntax is checked; it does not evaluate the policies or confirm that they grant or deny what the author intended.
func ValidateJWKSURL added in v0.12.2
func ValidateJWKSURL(rawURL string) error
ValidateJWKSURL validates that rawURL, if non-empty, is a well-formed HTTPS URL with a non-empty host. JWKS endpoints serve the key material used to verify tokens, so they must use HTTPS; an HTTP endpoint would let an on-path attacker substitute keys. An empty rawURL is allowed because JWKS discovery can determine the endpoint automatically.
func ValidateOIDCIssuerURL added in v0.11.1
func ValidateOIDCIssuerURL(issuer string, allowInsecure bool) error
ValidateOIDCIssuerURL validates that an OIDC issuer URL is well-formed and uses HTTPS. If allowInsecure is true, the HTTP scheme is also permitted; this is intended for development and testing only and should not be enabled for production issuers. Returns nil if the issuer is empty (nothing to validate).
func ValidateRemoteURL added in v0.12.2
func ValidateRemoteURL(rawURL string) error
ValidateRemoteURL validates that rawURL is a well-formed HTTP or HTTPS URL with a non-empty host. No network calls are made, so it does not check that the host resolves or is reachable.
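The three URL checks described above, reimplemented as an added example (not the package's own code) so their edge cases can be exercised offline; the lowercase function names mark them as stand-ins. The point worth seeing in code: net/url's Parse accepts an empty string, a URL with no host such as "https:///keys", and a bare hostname without returning an error, so the non-empty-host rule has to be enforced explicitly rather than left to the parser.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// errEmptyHost is returned for URLs that parse but carry no host, e.g. "https:///keys".
var errEmptyHost = errors.New("url has no host")

// parseWithHost parses rawURL and insists on a non-empty host. url.Parse is
// permissive: "", "https:///keys" and "example.com/path" all parse without an
// error, so the host check must be explicit.
func parseWithHost(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, fmt.Errorf("invalid url %q: %w", rawURL, err)
	}
	if u.Host == "" {
		return nil, fmt.Errorf("invalid url %q: %w", rawURL, errEmptyHost)
	}
	return u, nil
}

// schemeAllowed compares case-insensitively so "HTTPS://..." is not rejected.
func schemeAllowed(u *url.URL, allowed ...string) bool {
	s := strings.ToLower(u.Scheme)
	for _, a := range allowed {
		if s == a {
			return true
		}
	}
	return false
}

// validateOIDCIssuerURL: an empty issuer is fine; otherwise HTTPS, or HTTP only
// when allowInsecure is set (development and testing).
func validateOIDCIssuerURL(issuer string, allowInsecure bool) error {
	if issuer == "" {
		return nil
	}
	u, err := parseWithHost(issuer)
	if err != nil {
		return err
	}
	allowed := []string{"https"}
	if allowInsecure {
		allowed = append(allowed, "http")
	}
	if !schemeAllowed(u, allowed...) {
		return fmt.Errorf("issuer %q: scheme %q not allowed, want one of %v", issuer, u.Scheme, allowed)
	}
	return nil
}

// validateJWKSURL: empty is allowed (the endpoint comes from discovery);
// otherwise HTTPS is mandatory because the response is key material.
func validateJWKSURL(rawURL string) error {
	if rawURL == "" {
		return nil
	}
	u, err := parseWithHost(rawURL)
	if err != nil {
		return err
	}
	if !schemeAllowed(u, "https") {
		return fmt.Errorf("jwks url %q: scheme must be https", rawURL)
	}
	return nil
}

// validateRemoteURL: a URL is required and may use http or https. Nothing is
// resolved or connected to, so an unreachable host still passes.
func validateRemoteURL(rawURL string) error {
	u, err := parseWithHost(rawURL)
	if err != nil {
		return err
	}
	if !schemeAllowed(u, "http", "https") {
		return fmt.Errorf("remote url %q: scheme must be http or https", rawURL)
	}
	return nil
}

func main() {
	fmt.Println("issuer https      :", validateOIDCIssuerURL("https://issuer.example.com", false))
	fmt.Println("issuer http       :", validateOIDCIssuerURL("http://localhost:8080", false))
	fmt.Println("issuer http/insec :", validateOIDCIssuerURL("http://localhost:8080", true))
	fmt.Println("jwks no host      :", validateJWKSURL("https:///keys"))
	fmt.Println("remote empty      :", validateRemoteURL(""))
	fmt.Println("remote ftp        :", validateRemoteURL("ftp://mcp.internal"))
}
```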
Types
type AlwaysAllowValidator
type AlwaysAllowValidator struct{}
AlwaysAllowValidator is a no-op validator that allows every image without inspecting it.
func (*AlwaysAllowValidator) ValidateImage
func (*AlwaysAllowValidator) ValidateImage(_ context.Context, _ string, _ metav1.ObjectMeta) error
ValidateImage always returns ErrImageNotChecked, indicating that no validation was performed. Callers should treat this as "allowed, but unchecked" rather than as a failure, and should check for it with errors.Is.
type ImageValidation
type ImageValidation string
ImageValidation represents the type of image validation to perform.
const (
	// ImageValidationAlwaysAllow indicates that all images are allowed
	ImageValidationAlwaysAllow ImageValidation = "always-allow"
	// ImageValidationRegistryEnforcing indicates that images must be validated against MCPRegistry resources
	ImageValidationRegistryEnforcing ImageValidation = "registry-enforcing"
	// RegistryNameLabel is the label key used to specify which registry an MCPServer should use
	RegistryNameLabel = "toolhive.stacklok.io/registry-name"
)
type ImageValidator
type ImageValidator interface {
	// ValidateImage checks if an image is valid for use.
	// The metadata parameter contains MCPServer metadata (labels, annotations) that may affect validation.
	// Returns:
	//   - nil if validation passes
	//   - ErrImageNotChecked if no validation was performed
	//   - wrapped ErrImageInvalid if image fails validation (with specific reason in error message)
	//   - other errors for system/infrastructure failures
	ValidateImage(ctx context.Context, image string, metadata metav1.ObjectMeta) error
}
ImageValidator defines the interface for validating container images. The four outcomes are distinct on purpose: a wrapped ErrImageInvalid is a definitive rejection, ErrImageNotChecked means the image was admitted without a check, and any other error is an infrastructure failure (for example, the registry lookup itself failed) that should be retried rather than treated as a pass.
func NewImageValidator
func NewImageValidator(k8sClient client.Client, namespace string, validation ImageValidation) ImageValidator
NewImageValidator returns the ImageValidator selected by validation: an AlwaysAllowValidator for ImageValidationAlwaysAllow, or a RegistryEnforcingValidator for ImageValidationRegistryEnforcing that looks up MCPRegistry resources through k8sClient in namespace.
type RegistryEnforcingValidator
type RegistryEnforcingValidator struct {
	// contains filtered or unexported fields
}
RegistryEnforcingValidator provides validation against MCPRegistry resources.
func (*RegistryEnforcingValidator) ValidateImage
func (v *RegistryEnforcingValidator) ValidateImage(ctx context.Context, image string, metadata metav1.ObjectMeta) error
ValidateImage checks whether an image should be validated and whether it exists in the MCPRegistry resources. If the MCPServer carries the toolhive.stacklok.io/registry-name label (RegistryNameLabel), validation is restricted to that specific registry, so an image present only in some other registry is rejected. Otherwise all registries are checked, as they were before the label was introduced.
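An added example (not the operator's implementation) showing both halves of the contract: a registry-enforcing validator that honours the registry-name label, backed by constructed in-memory registries instead of MCPRegistry resources, and the controller-side mapping from the returned error to a reconcile decision using errors.Is. objectMeta is a stand-in for metav1.ObjectMeta, the sentinel values mirror the documented ones, and treating an unknown pinned registry as a validation failure rather than an infrastructure error is this example's own choice.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Stand-ins with the same values as the package's documented sentinels and
// label key (example code, not the ToolHive implementation).
var (
	ErrImageInvalid    = errors.New("image validation failed")
	ErrImageNotChecked = errors.New("image validation was not performed")
)

const RegistryNameLabel = "toolhive.stacklok.io/registry-name"

// objectMeta stands in for metav1.ObjectMeta; only labels matter here.
type objectMeta struct{ Labels map[string]string }

type ImageValidator interface {
	ValidateImage(ctx context.Context, image string, meta objectMeta) error
}

// alwaysAllow never returns nil: its "pass" is the non-nil ErrImageNotChecked.
type alwaysAllow struct{}

func (alwaysAllow) ValidateImage(context.Context, string, objectMeta) error {
	return ErrImageNotChecked
}

// registryEnforcing resolves images against an in-memory map of registry name
// to allowed image references. The real validator reads MCPRegistry resources
// through the Kubernetes client; only the lookup logic is shown here.
type registryEnforcing struct{ registries map[string]map[string]bool }

func (v *registryEnforcing) ValidateImage(_ context.Context, image string, meta objectMeta) error {
	if image == "" {
		return fmt.Errorf("%w: empty image reference", ErrImageInvalid)
	}
	// The registry-name label pins the lookup to one registry; an image that
	// exists only in some other registry is rejected.
	if name, pinned := meta.Labels[RegistryNameLabel]; pinned {
		images, ok := v.registries[name]
		if !ok {
			// Example's own choice: an unknown pinned registry is a validation failure.
			return fmt.Errorf("%w: registry %q not found", ErrImageInvalid, name)
		}
		if !images[image] {
			return fmt.Errorf("%w: image %q not in registry %q", ErrImageInvalid, image, name)
		}
		return nil
	}
	for _, images := range v.registries {
		if images[image] {
			return nil
		}
	}
	return fmt.Errorf("%w: image %q not found in any registry", ErrImageInvalid, image)
}

// Decision is what a controller does with the validator's result.
type Decision int

const (
	Allowed          Decision = iota // validated and present in a registry
	AllowedUnchecked                 // admitted without any check (always-allow)
	Rejected                         // terminal: record in status, do not requeue
	Retry                            // infrastructure failure: requeue, never a pass
)

// decide maps the error contract onto a reconcile decision. errors.Is is
// required because ErrImageInvalid arrives wrapped via fmt.Errorf("%w").
func decide(err error) Decision {
	switch {
	case err == nil:
		return Allowed
	case errors.Is(err, ErrImageNotChecked):
		return AllowedUnchecked
	case errors.Is(err, ErrImageInvalid):
		return Rejected
	default:
		return Retry
	}
}

// sampleValidator builds a validator over constructed registry data.
func sampleValidator() *registryEnforcing {
	return &registryEnforcing{registries: map[string]map[string]bool{
		"prod":    {"ghcr.io/example/fetch:1.2.0": true},
		"staging": {"ghcr.io/example/fetch:1.3.0-rc1": true},
	}}
}

func main() {
	ctx := context.Background()
	v := sampleValidator()
	pinned := objectMeta{Labels: map[string]string{RegistryNameLabel: "prod"}}
	fmt.Println(decide(v.ValidateImage(ctx, "ghcr.io/example/fetch:1.2.0", objectMeta{}))) // 0 (Allowed)
	fmt.Println(decide(v.ValidateImage(ctx, "ghcr.io/example/fetch:1.3.0-rc1", pinned)))  // 2 (Rejected)
	fmt.Println(decide(alwaysAllow{}.ValidateImage(ctx, "anything", objectMeta{})))       // 1 (AllowedUnchecked)
}
```

The Retry branch is the one most often collapsed into a pass by accident: a transient API server error while listing registries must not admit the image, which is why decide only returns Allowed on a nil error or AllowedUnchecked on the explicit sentinel.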