Documentation
Overview
Package validation provides image validation functionality for the ToolHive operator.
Constants
const (
	// OIDCCABundleVolumePrefix is the prefix used for OIDC CA bundle volume names.
	// Used by controllerutil/oidc_volumes.go when creating volumes.
	OIDCCABundleVolumePrefix = "oidc-ca-bundle-"

	// OIDCCABundleMountBasePath is the base path where OIDC CA bundle ConfigMaps are mounted.
	// The full mount path is: OIDCCABundleMountBasePath + "/" + configMapName
	// The full file path is: OIDCCABundleMountBasePath + "/" + configMapName + "/" + key
	// Used by both controllerutil/oidc_volumes.go and oidc/resolver.go.
	OIDCCABundleMountBasePath = "/config/certs"

	// OIDCCABundleDefaultKey is the default key name used when not specified in caBundleRef.
	OIDCCABundleDefaultKey = "ca.crt"
)
Variables
var (
	// ErrImageInvalid indicates that the image failed validation for any reason.
	// The wrapped error and message provide specific details about the validation failure.
	// This is the generic error that controllers should check for to handle any validation failure.
	ErrImageInvalid = errors.New("image validation failed")

	// ErrImageNotChecked indicates that no validation was performed on the image.
	ErrImageNotChecked = errors.New("image validation was not performed")
)
Sentinel errors for image validation. These errors can be checked using errors.Is() to determine the specific validation failure.
Functions
func ValidateCABundleSource (added in v0.8.1)
func ValidateCABundleSource(ref *mcpv1alpha1.CABundleSource) error
ValidateCABundleSource validates the CABundleSource configuration. It ensures that configMapRef is specified when CABundleRef is provided, and that the ConfigMap name is short enough to fit in a Kubernetes volume name. Returns nil if ref is nil (no CA bundle configured).
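As an added illustration (not the package's own code), the following stand-alone program re-implements the checks this description lists and derives the volume name, mount path and file path from the constants above. The `CABundleSource` and `ConfigMapKeyRef` types are simplified stand-ins for the `mcpv1alpha1` types, and the 63-character limit is the DNS-1123 label length Kubernetes applies to volume names; both are assumptions, not taken from this page.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// Constants as documented for the validation package.
const (
	OIDCCABundleVolumePrefix  = "oidc-ca-bundle-"
	OIDCCABundleMountBasePath = "/config/certs"
	OIDCCABundleDefaultKey    = "ca.crt"
)

// Assumption: a Kubernetes volume name must be a DNS-1123 label, at most 63 characters.
const maxVolumeNameLen = 63

// ConfigMapKeyRef and CABundleSource are hypothetical, reduced stand-ins for the
// mcpv1alpha1 types; only the fields needed for these checks are modelled.
type ConfigMapKeyRef struct {
	Name string
	Key  string
}

type CABundleSource struct {
	ConfigMapRef *ConfigMapKeyRef
}

// validateCABundleSource mirrors the documented behaviour: nil means "no CA bundle
// configured" and is fine; otherwise configMapRef must be set and the ConfigMap name
// must still fit in a volume name once the prefix is added.
func validateCABundleSource(ref *CABundleSource) error {
	if ref == nil {
		return nil
	}
	if ref.ConfigMapRef == nil || ref.ConfigMapRef.Name == "" {
		return errors.New("caBundleRef: configMapRef with a name is required")
	}
	volName := caBundleVolumeName(ref.ConfigMapRef.Name)
	if len(volName) > maxVolumeNameLen {
		return fmt.Errorf("caBundleRef: ConfigMap name %q is too long: volume name %q is %d characters, maximum is %d",
			ref.ConfigMapRef.Name, volName, len(volName), maxVolumeNameLen)
	}
	return nil
}

// caBundleVolumeName builds the volume name the operator would use for the ConfigMap.
func caBundleVolumeName(configMapName string) string {
	return OIDCCABundleVolumePrefix + configMapName
}

// caBundleMountPath follows the documented layout: base path + "/" + configMapName.
func caBundleMountPath(configMapName string) string {
	return path.Join(OIDCCABundleMountBasePath, configMapName)
}

// caBundleFilePath appends the key, falling back to the documented default key.
func caBundleFilePath(configMapName, key string) string {
	if key == "" {
		key = OIDCCABundleDefaultKey
	}
	return path.Join(caBundleMountPath(configMapName), key)
}

func main() {
	// Constructed sample: a ConfigMap named "corp-ca" with the default key.
	ref := &CABundleSource{ConfigMapRef: &ConfigMapKeyRef{Name: "corp-ca"}}
	if err := validateCABundleSource(ref); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("volume:", caBundleVolumeName(ref.ConfigMapRef.Name))
	fmt.Println("mount: ", caBundleMountPath(ref.ConfigMapRef.Name))
	fmt.Println("file:  ", caBundleFilePath(ref.ConfigMapRef.Name, ref.ConfigMapRef.Key))
}
```

The length check is done on the prefixed name rather than on the ConfigMap name alone, because the 15-character prefix is what eats into the budget a user would otherwise assume they have.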
Types
type AlwaysAllowValidator
type AlwaysAllowValidator struct{}
AlwaysAllowValidator is a no-op validator that always allows images.
func (*AlwaysAllowValidator) ValidateImage
func (*AlwaysAllowValidator) ValidateImage(_ context.Context, _ string, _ metav1.ObjectMeta) error
ValidateImage always returns ErrImageNotChecked, indicating that no validation was performed.
type ImageValidation
type ImageValidation string
ImageValidation represents the type of image validation to perform.
const (
	// ImageValidationAlwaysAllow indicates that all images are allowed.
	ImageValidationAlwaysAllow ImageValidation = "always-allow"

	// ImageValidationRegistryEnforcing indicates that images must be validated against MCPRegistry resources.
	ImageValidationRegistryEnforcing ImageValidation = "registry-enforcing"

	// RegistryNameLabel is the label key used to specify which registry an MCPServer should use.
	RegistryNameLabel = "toolhive.stacklok.io/registry-name"
)
type ImageValidator
type ImageValidator interface {
// ValidateImage checks if an image is valid for use.
// The metadata parameter contains MCPServer metadata (labels, annotations) that may affect validation.
// Returns:
// - nil if validation passes
// - ErrImageNotChecked if no validation was performed
// - wrapped ErrImageInvalid if image fails validation (with specific reason in error message)
// - other errors for system/infrastructure failures
ValidateImage(ctx context.Context, image string, metadata metav1.ObjectMeta) error
}
ImageValidator defines the interface for validating container images.
func NewImageValidator
func NewImageValidator(k8sClient client.Client, namespace string, validation ImageValidation) ImageValidator
NewImageValidator creates an appropriate ImageValidator based on the configured ImageValidation mode.
type RegistryEnforcingValidator
type RegistryEnforcingValidator struct {
// contains filtered or unexported fields
}
RegistryEnforcingValidator provides validation against MCPRegistry resources.
func (*RegistryEnforcingValidator) ValidateImage
func (v *RegistryEnforcingValidator) ValidateImage(ctx context.Context, image string, metadata metav1.ObjectMeta) error
ValidateImage checks whether an image should be validated and whether it exists in the registries. If the MCPServer has a registry-name label, validation is restricted to that specific registry. Otherwise, all registries are checked, matching the original behavior.
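To show how a controller is meant to consume the four outcomes the ImageValidator contract lists (pass, not checked, wrapped ErrImageInvalid, other error) and how the registry-name label narrows the lookup, here is an added, self-contained example. It is not the package's own code: the registry-enforcing validator below holds an in-memory map of registry name to image set in place of MCPRegistry resources read through a client, `ObjectMeta` is a reduced stand-in for `metav1.ObjectMeta` carrying only labels, and the treatment of an unknown registry name as a wrapped ErrImageInvalid is an assumption.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Sentinel errors and label key as documented for the validation package.
var (
	ErrImageInvalid    = errors.New("image validation failed")
	ErrImageNotChecked = errors.New("image validation was not performed")
)

const RegistryNameLabel = "toolhive.stacklok.io/registry-name"

// ObjectMeta is a hypothetical stand-in for metav1.ObjectMeta; only labels are modelled.
type ObjectMeta struct {
	Labels map[string]string
}

// ImageValidator follows the documented contract, with the stand-in metadata type.
type ImageValidator interface {
	ValidateImage(ctx context.Context, image string, metadata ObjectMeta) error
}

// AlwaysAllowValidator mirrors the documented no-op: it never inspects the image.
type AlwaysAllowValidator struct{}

func (*AlwaysAllowValidator) ValidateImage(context.Context, string, ObjectMeta) error {
	return ErrImageNotChecked
}

// registryEnforcingValidator is an in-memory stand-in: registry name -> set of images.
type registryEnforcingValidator struct {
	registries map[string]map[string]bool
}

// ValidateImage restricts the lookup to the labelled registry when the label is set,
// and otherwise accepts the image if any registry lists it. Every rejection wraps
// ErrImageInvalid so callers can match it with errors.Is.
func (v *registryEnforcingValidator) ValidateImage(_ context.Context, image string, md ObjectMeta) error {
	if name, ok := md.Labels[RegistryNameLabel]; ok {
		images, exists := v.registries[name]
		if !exists {
			// Assumption: an unknown registry name is a validation failure, not a system error.
			return fmt.Errorf("%w: registry %q not found", ErrImageInvalid, name)
		}
		if !images[image] {
			return fmt.Errorf("%w: image %q not found in registry %q", ErrImageInvalid, image, name)
		}
		return nil
	}
	for _, images := range v.registries {
		if images[image] {
			return nil
		}
	}
	return fmt.Errorf("%w: image %q not found in any registry", ErrImageInvalid, image)
}

// failingValidator stands in for an infrastructure failure (e.g. the API server is unreachable).
type failingValidator struct{ err error }

func (f *failingValidator) ValidateImage(context.Context, string, ObjectMeta) error { return f.err }

// admissionDecision is the controller-side switch over the documented outcomes.
// Only the generic sentinels are matched; the specific reason stays in the error message.
func admissionDecision(ctx context.Context, v ImageValidator, image string, md ObjectMeta) (string, error) {
	err := v.ValidateImage(ctx, image, md)
	switch {
	case err == nil:
		return "allow", nil
	case errors.Is(err, ErrImageNotChecked):
		return "allow-unchecked", nil
	case errors.Is(err, ErrImageInvalid):
		return "deny", err
	default:
		return "retry", err // infrastructure failure: requeue rather than deny
	}
}

// newExampleRegistryValidator builds a validator over constructed sample registries.
func newExampleRegistryValidator() *registryEnforcingValidator {
	return &registryEnforcingValidator{registries: map[string]map[string]bool{
		"internal": {"ghcr.io/example/internal-tool:1.0": true},
		"public":   {"ghcr.io/example/public-tool:2.0": true},
	}}
}

func main() {
	ctx := context.Background()
	v := newExampleRegistryValidator()
	pinned := ObjectMeta{Labels: map[string]string{RegistryNameLabel: "internal"}}
	decision, err := admissionDecision(ctx, v, "ghcr.io/example/public-tool:2.0", pinned)
	fmt.Println(decision, err) // the public image is denied because the server is pinned to "internal"
}
```

The switch deliberately distinguishes "deny" from "retry": a registry lookup that fails for infrastructure reasons must not be reported as an invalid image, or a transient outage would surface to users as a policy rejection.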