Skip to content

adding olm.bundle image/relatedImages pullspec format validation #1905

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
grokspawn wants to merge 1 commit into
base: master
Choose a base branch
from
Open

adding olm.bundle image/relatedImages pullspec format validation #1905

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions alpha/declcfg/declcfg_to_model.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"fmt"

"github.com/blang/semver/v4"
"github.com/distribution/reference"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation"

Expand Down Expand Up @@ -128,6 +129,15 @@ func ConvertToModel(cfg DeclarativeConfig) (model.Model, error) {
return nil, fmt.Errorf("package %q does not match %q property %q", b.Package, property.TypePackage, props.Packages[0].PackageName)
}

if err := validateImagePullSpec(b.Image, "package %q bundle %q image", b.Package, b.Name); err != nil {
return nil, err
}
for i, rel := range b.RelatedImages {
if err := validateImagePullSpec(rel.Image, "package %q bundle %q relatedImages[%d].image", b.Package, b.Name, i); err != nil {
return nil, err
}
}

// Parse version from the package property.
rawVersion := props.Packages[0].Version
ver, err := semver.Parse(rawVersion)
Expand Down Expand Up @@ -269,3 +279,16 @@ func relatedImagesToModelRelatedImages(in []RelatedImage) []model.RelatedImage {
}
return out
}

// validateImagePullSpec checks that a non-empty image pull spec is valid
// using github.com/distribution/reference.ParseNormalizedNamed.
Copy link
Contributor

@acornett21 acornett21 Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we link to the go docs since the above 404's?

Suggested change
// using github.com/distribution/reference.ParseNormalizedNamed.
// using https://pkg.go.dev/github.com/distribution/reference#ParseNormalizedNamed

Copy link
Member

@joelanford joelanford Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest using the parsers from container-lib/image since that's the underlying library that OPM itself uses by default and that most of the rest of the typical OLM ecosystem uses (e.g. skopeo and cri-o).

// Empty pull specs are not validated.
func validateImagePullSpec(pullSpec, errFormat string, errArgs ...interface{}) error {
if pullSpec == "" {
return nil
}
if _, err := reference.ParseNormalizedNamed(pullSpec); err != nil {
return fmt.Errorf(errFormat+": invalid image pull spec %q: %w", append(errArgs, pullSpec, err)...)
}
return nil
}
62 changes: 62 additions & 0 deletions alpha/declcfg/declcfg_to_model_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -506,6 +506,57 @@ func TestConvertToModel(t *testing.T) {
})},
},
},
{
name: "Error/BundleImageInvalidPullSpecUnsupportedDigestSsha256",
assertion: hasErrorContaining("invalid image pull spec"),
cfg: DeclarativeConfig{
Packages: []Package{newTestPackage("foo", "alpha", svgSmallCircle)},
Channels: []Channel{newTestChannel("foo", "alpha", ChannelEntry{Name: testBundleName("foo", "0.1.0")})},
Bundles: []Bundle{newTestBundle("foo", "0.1.0", func(b *Bundle) {
// Misspelled digest algorithm: ssha256 instead of sha256 (unsupported hash type)
b.Image = "quay.io/operator-framework/foo-bundle@ssha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
})},
},
},
{
name: "Error/BundleImageInvalidPullSpecUnsupportedDigestMd5",
assertion: hasErrorContaining("invalid image pull spec"),
cfg: DeclarativeConfig{
Packages: []Package{newTestPackage("foo", "alpha", svgSmallCircle)},
Channels: []Channel{newTestChannel("foo", "alpha", ChannelEntry{Name: testBundleName("foo", "0.1.0")})},
Bundles: []Bundle{newTestBundle("foo", "0.1.0", func(b *Bundle) {
b.Image = "quay.io/operator-framework/foo-bundle@md5:abcd1234abcd1234abcd1234abcd1234"
})},
},
},
{
name: "Error/BundleRelatedImageInvalidPullSpecSsha256",
assertion: hasErrorContaining("invalid image pull spec"),
cfg: DeclarativeConfig{
Packages: []Package{newTestPackage("foo", "alpha", svgSmallCircle)},
Channels: []Channel{newTestChannel("foo", "alpha", ChannelEntry{Name: testBundleName("foo", "0.1.0")})},
Bundles: []Bundle{newTestBundle("foo", "0.1.0", func(b *Bundle) {
b.RelatedImages = []RelatedImage{
{Name: "bundle", Image: testBundleImage("foo", "0.1.0")},
{Name: "operator", Image: "quay.io/operator-framework/my-operator@ssha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"},
}
})},
},
},
{
name: "Success/BundleImageValidSha256Digest",
assertion: require.NoError,
cfg: DeclarativeConfig{
Packages: []Package{newTestPackage("foo", "alpha", svgSmallCircle)},
Channels: []Channel{newTestChannel("foo", "alpha", ChannelEntry{Name: testBundleName("foo", "0.1.0")})},
Bundles: []Bundle{newTestBundle("foo", "0.1.0", func(b *Bundle) {
b.Image = "quay.io/operator-framework/foo-bundle@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
b.RelatedImages = []RelatedImage{
{Name: "bundle", Image: "quay.io/operator-framework/foo-bundle@sha256:abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"},
}
})},
},
},
Copy link
Contributor

@camilamacedo86 camilamacedo86 Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add here a test to ensure that we still allowing usage of tags

Copy link
Contributor

@acornett21 acornett21 Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we allow tags, since we have to pin as digests in catalogs.

Copy link
Contributor

@camilamacedo86 camilamacedo86 Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OLM supports this upstream—it's not an OLM limitation. What you’re describing is a downstream requirement specific to Red Hat OCP, mainly because of disconnected environment constraints. OLM can work with tags.

Copy link
Member

@joelanford joelanford Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 on a test showing that tags work. I think it is also valid to have a pullspec that looks like this:

quay.io/example-org/example-repo:v1.2.3@sha256:<digest>

In this case, my understanding is that the tag becomes informational/ignored and the digest is what is used.

}

for _, s := range specs {
Expand Down Expand Up @@ -577,3 +628,14 @@ func hasError(expectedError string) require.ErrorAssertionFunc {
t.FailNow()
}
}

// hasErrorContaining returns an ErrorAssertionFunc that passes when the error message contains the given substring.
func hasErrorContaining(substring string) require.ErrorAssertionFunc {
return func(t require.TestingT, actualError error, args ...interface{}) {
if stdt, ok := t.(*testing.T); ok {
stdt.Helper()
}
require.Error(t, actualError)
require.Contains(t, actualError.Error(), substring, "expected error to contain %q", substring)
}
}