Skip to content

Commit

Permalink
deprecate notary support in v1alpha2
Browse files Browse the repository at this point in the history
  • Loading branch information
tomkennedy513 committed Sep 28, 2021
1 parent 961032c commit 109e912
Show file tree
Hide file tree
Showing 4 changed files with 81 additions and 49 deletions.
12 changes: 11 additions & 1 deletion pkg/apis/build/v1alpha2/build_validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@ func (bs *BuildSpec) Validate(ctx context.Context) *apis.FieldError {
Also(bs.LastBuild.Validate(ctx).ViaField("lastBuild")).
Also(bs.validateImmutableFields(ctx)).
Also(bs.validateCnbBindings(ctx).ViaField("cnbBindings")).
Also(bs.validateNodeSelector(ctx))
Also(bs.validateNodeSelector(ctx)).
Also(bs.validateNotary(ctx).ViaField("notary"))
}

func (bs *BuildSpec) validateCnbBindings(ctx context.Context) *apis.FieldError {
Expand All @@ -46,6 +47,15 @@ func (bs *BuildSpec) validateCnbBindings(ctx context.Context) *apis.FieldError {
return bs.CNBBindings.Validate(ctx)
}

func (bs *BuildSpec) validateNotary(ctx context.Context) *apis.FieldError {
//only allow the kpack controller to create resources with notary
if !resourceCreatedByKpackController(apis.GetUserInfo(ctx)) && bs.Notary != nil {
return apis.ErrGeneric("use of this field has been deprecated and cannot be set", "")
}

return bs.Notary.Validate(ctx)
}

func resourceCreatedByKpackController(info *authv1.UserInfo) bool {
if info == nil {
return false
Expand Down
42 changes: 42 additions & 0 deletions pkg/apis/build/v1alpha2/build_validation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -275,6 +275,48 @@ func testBuildValidation(t *testing.T, when spec.G, it spec.S) {
})
})

it("validates notary config has not been set by user", func() {
build.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "some-secret-name",
},
},
}
assertValidationError(build, context.TODO(), apis.ErrGeneric("use of this field has been deprecated and cannot be set", "spec.notary"))

})

when("validating notary if build is created by kpack controller", func() {
ctx := apis.WithUserInfo(context.TODO(), &authv1.UserInfo{Username: kpackControllerServiceAccountUsername})
it("handles an empty notary url", func() {
build.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "some-secret-name",
},
},
}
err := build.Validate(ctx)
assert.EqualError(t, err, "missing field(s): spec.notary.v1.url")
})

it("handles an empty notary secret ref", func() {
build.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "some-url",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "",
},
},
}
err := build.Validate(ctx)
assert.EqualError(t, err, "missing field(s): spec.notary.v1.secretRef.name")
})
})

it("validates not registry AND volume cache are both specified", func() {
build.Spec.Cache = &BuildCacheConfig{
Volume: &BuildPersistentVolumeCache{ClaimName: "pvc"},
Expand Down
14 changes: 11 additions & 3 deletions pkg/apis/build/v1alpha2/image_validation.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,12 @@ import (
"fmt"
"strings"

"github.com/google/go-containerregistry/pkg/name"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
"k8s.io/apimachinery/pkg/util/validation"
"knative.dev/pkg/apis"

"github.com/google/go-containerregistry/pkg/name"
corev1alpha1 "github.com/pivotal/kpack/pkg/apis/core/v1alpha1"
"github.com/pivotal/kpack/pkg/apis/validate"
)
Expand Down Expand Up @@ -87,10 +87,18 @@ func (is *ImageSpec) ValidateSpec(ctx context.Context) *apis.FieldError {
Also(is.Build.Validate(ctx).ViaField("build")).
Also(is.Cache.Validate(ctx).ViaField("cache")).
Also(is.validateVolumeCache(ctx)).
Also(is.Notary.Validate(ctx).ViaField("notary")).
Also(validateNotaryUnset(is.Notary).ViaField("notary")).
Also(is.Cosign.Validate(ctx).ViaField("cosign"))
}

func validateNotaryUnset(notaryConfig *corev1alpha1.NotaryConfig) *apis.FieldError {
if notaryConfig != nil {
return apis.ErrGeneric("notary support has been deprecated in v1alpha2, please use v1alpha1 for notary image signing", "")
}

return nil
}

func (is *ImageSpec) validateTag(ctx context.Context) *apis.FieldError {
if apis.IsInUpdate(ctx) {
original := apis.GetBaseline(ctx).(*Image)
Expand Down Expand Up @@ -169,7 +177,7 @@ func (ib *ImageBuild) Validate(ctx context.Context) *apis.FieldError {

func validateCnbBindingsEmpty(bindings corev1alpha1.CNBBindings) *apis.FieldError {
if len(bindings) > 0 {
return apis.ErrDisallowedFields("")
return apis.ErrGeneric("CNB binding support has been deprecated in v1alpha2, please use v1alpha1 for CNB bindings", "")
}

return nil
Expand Down
62 changes: 17 additions & 45 deletions pkg/apis/build/v1alpha2/image_validation_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -267,7 +267,7 @@ func testImageValidation(t *testing.T, when spec.G, it spec.S) {
},
}

assertValidationError(image, ctx, apis.ErrDisallowedFields("spec.build.cnbBindings"))
assertValidationError(image, ctx, apis.ErrGeneric("CNB binding support has been deprecated in v1alpha2, please use v1alpha1 for CNB bindings", "spec.build.cnbBindings"))
})

it("image name is too long", func() {
Expand Down Expand Up @@ -383,54 +383,26 @@ func testImageValidation(t *testing.T, when spec.G, it spec.S) {
assert.Nil(t, image.Validate(ctx))
})

when("validating the notary config", func() {
it("handles a valid notary config", func() {
image.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "some-url",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "some-secret-name",
},
},
}
assert.Nil(t, image.Validate(ctx))
})

it("handles an empty notary url", func() {
image.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "some-secret-name",
},
},
}
err := image.Validate(ctx)
assert.EqualError(t, err, "missing field(s): spec.notary.v1.url")
})

it("handles an empty notary secret ref", func() {
image.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "some-url",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "",
},
it("validates that notary config is unset", func() {
image.Spec.Notary = &corev1alpha1.NotaryConfig{
V1: &corev1alpha1.NotaryV1Config{
URL: "some-url",
SecretRef: corev1alpha1.NotarySecretRef{
Name: "some-secret-name",
},
}
err := image.Validate(ctx)
assert.EqualError(t, err, "missing field(s): spec.notary.v1.secretRef.name")
})

it("validates not registry AND volume cache are both specified", func() {
original := image.DeepCopy()
},
}
err := image.Validate(ctx)
assert.EqualError(t, err, "notary support has been deprecated in v1alpha2, please use v1alpha1 for notary image signing: spec.notary")
})

image.Spec.Cache.Registry = &RegistryCache{Tag: "test"}
it("validates not registry AND volume cache are both specified", func() {
original := image.DeepCopy()

err := image.Validate(apis.WithinUpdate(ctx, original))
assert.EqualError(t, err, "only one type of cache can be specified: spec.cache.registry, spec.cache.volume")
})
image.Spec.Cache.Registry = &RegistryCache{Tag: "test"}

err := image.Validate(apis.WithinUpdate(ctx, original))
assert.EqualError(t, err, "only one type of cache can be specified: spec.cache.registry, spec.cache.volume")
})

it("validates kubernetes.io/os node selector is unset", func() {
Expand Down

0 comments on commit 109e912

Please sign in to comment.