Skip to content

OCPBUGS-43353: fix(nodepool): validate registry entries in image config#8070

Closed
reedcort wants to merge 1 commit intoopenshift:mainfrom
reedcort:OCPBUGS-43353
Closed

OCPBUGS-43353: fix(nodepool): validate registry entries in image config#8070
reedcort wants to merge 1 commit intoopenshift:mainfrom
reedcort:OCPBUGS-43353

Conversation

@reedcort
Copy link
Copy Markdown

@reedcort reedcort commented Mar 25, 2026
edited by coderabbitai bot
Loading

Summary

  • Add validation for registry entries in blockedRegistries, allowedRegistries, and insecureRegistries using the MCO sourceRegex pattern
  • Invalid entries (e.g. with tags like :latest or digests like @sha256:...) are now rejected at webhook admission time and surfaced via ValidHostedClusterConfiguration and ValidMachineConfig conditions
  • Fixes OCPBUGS-43353: Invalid registry entries silently generate broken /etc/containers/policy.json, causing nodes to fail to join

Changes

File Change
support/globalconfig/image.go Add ValidateRegistrySources() with MCO regex
support/globalconfig/image_test.go 11 unit tests covering valid/invalid entries
hostedcluster_webhook.go Reject invalid entries at create/update time
hostedcluster_controller.go Surface errors via ValidHostedClusterConfiguration
nodepool/config.go Surface errors via ValidMachineConfig condition

Bug Reproduction

Confirmed the bug still exists on OCP 4.21.5 (ROSA HCP staging cluster):

  • Applied trusted.com/myrepo:latest as a blocked registry
  • ValidMachineConfig reported True despite the invalid entry
  • Nodes would fail to join on replacement due to invalid policy.json

Test plan

  • Unit tests pass (go test ./support/globalconfig/ -v — 11/11)
  • All modified packages compile (go build)
  • make verify passes
  • CI e2e tests

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

    • Added validation for image registry sources in HostedCluster configurations to ensure registry entries follow the required format (hostname[:port][/path]) and prevent invalid entries containing image tags or digests. Validation is enforced for both creation and update operations.

  • Tests

    • Added comprehensive test coverage for registry source validation with multiple test scenarios.

@reedcort @claude
fix(nodepool): validate registry entries in image config
2df02b6 
Registry entries in blockedRegistries, allowedRegistries, and
insecureRegistries were not validated, allowing invalid entries
(e.g. with tags like :latest or digests) to pass through and
generate an invalid /etc/containers/policy.json, causing nodes
to silently fail to join the cluster.

Add validation using the MCO sourceRegex pattern at three layers:
- Webhook: reject invalid entries at admission time
- Controller: surface errors via ValidHostedClusterConfiguration
- NodePool: surface errors via ValidMachineConfig condition

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-43353

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 25, 2026

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Mar 25, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 831da47f-41b4-4678-b060-5631d0d441a0

📥 Commits

Reviewing files that changed from the base of the PR and between 825ff5a and 2df02b6.

📒 Files selected for processing (5)
  • hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
  • hypershift-operator/controllers/hostedcluster/hostedcluster_webhook.go
  • hypershift-operator/controllers/nodepool/config.go
  • support/globalconfig/image.go
  • support/globalconfig/image_test.go
📝 Walkthrough

Walkthrough

The changes introduce validation for OpenShift image registry sources across multiple components of the hosted cluster infrastructure. A new ValidateRegistrySources function was added to validate registry source entries against a hostname pattern (rejecting entries with image tags or digests). This validation is now integrated into three locations: the hosted cluster admission webhook for create/update requests, the hosted cluster controller's configuration validation, and the node pool's global configuration generation. Comprehensive test coverage validates the behavior of the registry source validation function.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Mar 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: reedcort
Once this PR has been reviewed and has the lgtm label, please assign cblecker for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested review from bryan-cox and csrwng March 25, 2026 13:48
@openshift-ci openshift-ci bot added area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release and removed do-not-merge/needs-area labels Mar 25, 2026
@reedcort
Copy link
Copy Markdown
Author

reedcort commented Mar 25, 2026

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 25, 2026
@reedcort
Copy link
Copy Markdown
Author

reedcort commented Mar 25, 2026

/test all

@reedcort
Copy link
Copy Markdown
Author

reedcort commented Mar 25, 2026

/test e2e-azure-self-managed

@reedcort reedcort changed the title fix(nodepool): validate registry entries in image config OCPBUGS-43353: fix(nodepool): validate registry entries in image config Mar 25, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 25, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 25, 2026

@reedcort: This pull request references Jira Issue OCPBUGS-43353, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Add validation for registry entries in blockedRegistries, allowedRegistries, and insecureRegistries using the MCO sourceRegex pattern
  • Invalid entries (e.g. with tags like :latest or digests like @sha256:...) are now rejected at webhook admission time and surfaced via ValidHostedClusterConfiguration and ValidMachineConfig conditions
  • Fixes OCPBUGS-43353: Invalid registry entries silently generate broken /etc/containers/policy.json, causing nodes to fail to join

Changes

File Change
support/globalconfig/image.go Add ValidateRegistrySources() with MCO regex
support/globalconfig/image_test.go 11 unit tests covering valid/invalid entries
hostedcluster_webhook.go Reject invalid entries at create/update time
hostedcluster_controller.go Surface errors via ValidHostedClusterConfiguration
nodepool/config.go Surface errors via ValidMachineConfig condition

Bug Reproduction

Confirmed the bug still exists on OCP 4.21.5 (ROSA HCP staging cluster):

  • Applied trusted.com/myrepo:latest as a blocked registry
  • ValidMachineConfig reported True despite the invalid entry
  • Nodes would fail to join on replacement due to invalid policy.json

Test plan

  • Unit tests pass (go test ./support/globalconfig/ -v — 11/11)
  • All modified packages compile (go build)
  • make verify passes
  • CI e2e tests

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

  • Added validation for image registry sources in HostedCluster configurations to ensure registry entries follow the required format (hostname[:port][/path]) and prevent invalid entries containing image tags or digests. Validation is enforced for both creation and update operations.

  • Tests

  • Added comprehensive test coverage for registry source validation with multiple test scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@joshbranham
Copy link
Copy Markdown
Contributor

joshbranham commented Mar 25, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 25, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 25, 2026

@joshbranham: This pull request references Jira Issue OCPBUGS-43353, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @xiuwang

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from xiuwang March 25, 2026 21:09
@joshbranham
Copy link
Copy Markdown
Contributor

joshbranham commented Mar 26, 2026

/test e2e-azure-self-managed

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci bot commented Mar 26, 2026

@reedcort: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@enxebre
Copy link
Copy Markdown
Member

enxebre commented Mar 26, 2026

please fix this in the canonical API https://github.com/openshift/api/blob/30c2ef7a272e592fd836c6bedbd4394b3ed15042/config/v1/types_image.go#L56 with CEL
self.all(r, r.matches('^your-regex$'))",message="each entry must match ^your-regex$"

@reedcort reedcort closed this Mar 30, 2026
@openshift-ci-robot
Copy link
Copy Markdown

openshift-ci-robot commented Mar 30, 2026

@reedcort: This pull request references Jira Issue OCPBUGS-43353. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

Details

In response to this:

Summary

  • Add validation for registry entries in blockedRegistries, allowedRegistries, and insecureRegistries using the MCO sourceRegex pattern
  • Invalid entries (e.g. with tags like :latest or digests like @sha256:...) are now rejected at webhook admission time and surfaced via ValidHostedClusterConfiguration and ValidMachineConfig conditions
  • Fixes OCPBUGS-43353: Invalid registry entries silently generate broken /etc/containers/policy.json, causing nodes to fail to join

Changes

File Change
support/globalconfig/image.go Add ValidateRegistrySources() with MCO regex
support/globalconfig/image_test.go 11 unit tests covering valid/invalid entries
hostedcluster_webhook.go Reject invalid entries at create/update time
hostedcluster_controller.go Surface errors via ValidHostedClusterConfiguration
nodepool/config.go Surface errors via ValidMachineConfig condition

Bug Reproduction

Confirmed the bug still exists on OCP 4.21.5 (ROSA HCP staging cluster):

  • Applied trusted.com/myrepo:latest as a blocked registry
  • ValidMachineConfig reported True despite the invalid entry
  • Nodes would fail to join on replacement due to invalid policy.json

Test plan

  • Unit tests pass (go test ./support/globalconfig/ -v — 11/11)
  • All modified packages compile (go build)
  • make verify passes
  • CI e2e tests

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • New Features

  • Added validation for image registry sources in HostedCluster configurations to ensure registry entries follow the required format (hostname[:port][/path]) and prevent invalid entries containing image tags or digests. Validation is enforced for both creation and update operations.

  • Tests

  • Added comprehensive test coverage for registry source validation with multiple test scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@reedcort reedcort mentioned this pull request Mar 31, 2026
Draft
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bryan-cox bryan-cox Awaiting requested review from bryan-cox

@csrwng csrwng Awaiting requested review from csrwng

@xiuwang xiuwang Awaiting requested review from xiuwang

Assignees

No one assigned

Labels

area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@reedcort @openshift-ci-robot @joshbranham @enxebre