Here is a list of metadata validation to be performed:

Metadata Validator

Design

Goals:

• Unordered independent validators
• Field level validation
• Struct level validation (cross-field)

Proposal:

Was thinking about using go-playground/vaidator and the RegisterStructValidation interface. Go-playground provides an easy way to perform:

1. Field level validation (using annotating tags)
2. Struct-level validation (using RegisterStructValidation + validate.Struct(...))

// --- cross field validation ---
// type StructLevelFunc func(sl validator.StructLevel)
// func (v *Validate) RegisterStructValidation(fn StructLevelFunc, types ...interface{})

// Example: https://github.com/go-playground/validator/blob/master/_examples/struct-level/main.go

type AddonMetadata struct {
    // define fields and a validation tag for field-level validation
}

var validate *validator.Validate

func main() {
  validate = validator.New()
  for _, fn := range getAllValidationFuncs() {
    validate.RegisterStructValidation(fn, AddonMetadata{})
  }
  
  // perform struct level validation against instances of AddonMetadata{} type
  err := validate.Struct(<addon_struct>)
}

func getAllValidationFuncs() []validator.StructLevelFunc {
  res := make([]validator.StructLevelFunc)
  res = append(res, MetadataStructLevelValidation)
  // add more
  return res
}

func MetadataStructLevelValidation(sl validator.StructLevel) {
  addonMetadata := sl.Current().Interface().(AddonMetadata)
  // validate something at the struct level (get access to all fields)
}

Validation

• Validate extra resources, against a schema, and document which CR are accepted (currently we only validate the extraResource path exists)
  • validates DeadmansSnitchIntegration field snitchNamePostFix is present and does not start with hive-
• run all pattern checks (try to migrate regex to something better)
• If a top-level key of the jsonschema is present twice should error (e.g.: addOnRequirements key was present twice without causing error)
  • tasks/check/01_test_duplicated.py <= why are there exceptions? why not all fields?
• validate namespaces:
  • check the targetNamespace is present in the namespaces list
  • namespaces need to be prefixed by redhat-
  • tasks/check/09_test_namespaces.py <= why exceptions?
• make sure all images exist in their repos tasks/check/10_test_harness.py
• test icon is base64 encoded, and is valid tasks/check/20_test_icon.py
• check the ocmQuotaName has an addon SKU in OCM tasks/check/30_test_metadata.py
• validate addOnParameters with their provided validation field tasks/check/40_test_addon_parameters.py
• validate k8s resources are DNS compliant (< 63 characters) and matches regex (use k8s libraries here)
  • https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
• validate Channels name are part of enum (alpha, beta, stable, edge, rc)
• validate link points to a HTTP doc (exists)
• look at: https://<gitlab_url>/service/managed-tenants/-/blob/main/docs/tenants/metadata_specification.md
• validate relatedImages from imagesets:
  • are in supported registries (only quay.io for now -> make it extensible)
  • can be pulled by OSD <-- How do we confirm this? Need service account similar to devtools private CatalogSource.
• validate that the defaultChannel is listed in the list of channels
• validate that namespaces are given access to us through backplane (example for RHODS: https://github.com/openshift/managed-cluster-config/blob/master/deploy/backplane/mtsre/managed-odh/)
  • Validate the SubjectPermission type from https://github.com/openshift/rbac-permissions-operator/blob/master/pkg/apis/managed/v1alpha1/subjectpermission_types.go
  • Validate the addon label is in config.yaml
  • More?

Bundle Validator

Design

• Gets a temporary path where bundles are extracted
• Also has access to metadata

Validation

• validate that addon.yaml:installMode is present in CSV:spec.installModes /w supported: True
• check the operatorName matches the top currentCSV name (tasks/check/01_test_csv.py)
• validate all images listed in the csv are valid
  • base64 encoded
  • PNG or JPEG
  • around 300 px
• CSV has replaces directive if an older version already exists
• defaultChannel from metadata matches annotations.yaml+defaultChannel
• make sure version that bump a fix have a skipRange: directive: https://v0-18-z.olm.operatorframework.io/docs/concepts/olm-architecture/operator-catalog/creating-an-update-graph/#skiprange

# makes 1.0.0,1.0.1,1.0.2 uninstallable
metadata:
  name: myoperator.v1.0.3
  annotations:
    olm.skipRange: ">=1.0.0 <1.0.3"

• targetNamespace should match namespace in CSV to make sure the OperatorGroup lives in same namespace as CSV
• make sure the pkgName from the annotations.yaml file (operators.operatorframework.io.bundle.package.v1: <pkgName>) - matches the operatorName from the metadata. This is because the Subscription object that is created uses the operatorName to find the pkgname. (The template says {{ ADDON.metadata['id'] }} but it is patched by tasks/deploy/50_post_SelectorSyncSet.py) <-- probably should improve clarity of what gets templated here