Documentation ¶
Overview ¶
Package validation provides image validation functionality for the ToolHive operator.
Constants ¶
This section is empty.
Variables ¶
var (
	// ErrImageInvalid indicates that the image failed validation for any reason.
	// The wrapped error and message provide specific details about the validation failure.
	// This is the generic error that controllers should check for to handle any validation failure.
	ErrImageInvalid = errors.New("image validation failed")

	// ErrImageNotChecked indicates that no validation was performed on the image
	ErrImageNotChecked = errors.New("image validation was not performed")
)
Sentinel errors for image validation. These errors can be checked using errors.Is() to determine the specific validation failure.
Functions ¶
This section is empty.
Types ¶
type AlwaysAllowValidator ¶
type AlwaysAllowValidator struct{}
AlwaysAllowValidator is a no-op validator that always allows images
func (*AlwaysAllowValidator) ValidateImage ¶
func (*AlwaysAllowValidator) ValidateImage(_ context.Context, _ string, _ metav1.ObjectMeta) error
ValidateImage always returns ErrImageNotChecked, indicating no validation was performed
type ImageValidation ¶
type ImageValidation string
ImageValidation represents the type of image validation to perform.
const (
	// ImageValidationAlwaysAllow indicates that all images are allowed
	ImageValidationAlwaysAllow ImageValidation = "always-allow"

	// ImageValidationRegistryEnforcing indicates that images must be validated against MCPRegistry resources
	ImageValidationRegistryEnforcing ImageValidation = "registry-enforcing"

	// RegistryNameLabel is the label key used to specify which registry an MCPServer should use
	RegistryNameLabel = "toolhive.stacklok.io/registry-name"
)
type ImageValidator ¶
type ImageValidator interface {
// ValidateImage checks if an image is valid for use.
// The metadata parameter contains MCPServer metadata (labels, annotations) that may affect validation.
// Returns:
// - nil if validation passes
// - ErrImageNotChecked if no validation was performed
// - wrapped ErrImageInvalid if image fails validation (with specific reason in error message)
// - other errors for system/infrastructure failures
ValidateImage(ctx context.Context, image string, metadata metav1.ObjectMeta) error
}
ImageValidator defines the interface for validating container images
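The four return cases documented on ValidateImage, handled by a caller that fails closed on anything other than a clean pass. This is an added example, not code from the ToolHive project: the sentinel errors are local stand-ins carrying the messages shown on this page, and Outcome, Classify and Admit are hypothetical names with an assumed admission policy.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the package's sentinels (messages copied from the page).
var (
	ErrImageInvalid    = errors.New("image validation failed")
	ErrImageNotChecked = errors.New("image validation was not performed")
)

// Outcome is a hypothetical type for this example, not part of the package.
type Outcome string

const (
	Verified  Outcome = "verified"  // nil: validation ran and passed
	Unchecked Outcome = "unchecked" // ErrImageNotChecked: nothing was verified
	Rejected  Outcome = "rejected"  // wrapped ErrImageInvalid
	Failed    Outcome = "failed"    // system/infrastructure error
)

// Classify maps a ValidateImage result onto the documented outcomes; errors.Is walks the wrap chain.
func Classify(err error) Outcome {
	switch {
	case err == nil:
		return Verified
	case errors.Is(err, ErrImageInvalid):
		return Rejected
	case errors.Is(err, ErrImageNotChecked):
		return Unchecked
	default:
		return Failed
	}
}

// Admit fails closed: rejected and failed results never admit the image, and
// an unchecked result admits it only when the caller opts in (assumed policy).
func Admit(err error, allowUnchecked bool) bool {
	o := Classify(err)
	return o == Verified || (o == Unchecked && allowUnchecked)
}

func main() {
	// Constructed result: a rejection with context wrapped around the sentinel.
	err := fmt.Errorf("%w: image not found in registry", ErrImageInvalid)
	fmt.Println(Classify(err), Admit(err, true))
}
```

Keeping Unchecked separate from Verified lets a controller record that an image running under "always-allow" was never checked against a registry, rather than reporting it as validated.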
func NewImageValidator ¶
func NewImageValidator(k8sClient client.Client, namespace string, validation ImageValidation) ImageValidator
NewImageValidator creates an appropriate ImageValidator based on configuration
type RegistryEnforcingValidator ¶
type RegistryEnforcingValidator struct {
// contains filtered or unexported fields
}
RegistryEnforcingValidator provides validation against MCPRegistry resources
func (*RegistryEnforcingValidator) ValidateImage ¶
func (v *RegistryEnforcingValidator) ValidateImage(ctx context.Context, image string, metadata metav1.ObjectMeta) error
ValidateImage checks if an image should be validated and if it exists in registries. If the MCPServer has a registry-name label, validation is restricted to that specific registry. Otherwise, all registries are checked according to the original behavior.