🐛 Add regex validation for signer (#336)

* Add regex validation for signer

Signed-off-by: Jian Qiu <[email protected]>

* do not allow start with -

Signed-off-by: Jian Qiu <[email protected]>

---------

Signed-off-by: Jian Qiu <[email protected]>

Author: qiujian16

addon/v1alpha1/0000_01_addon.open-cluster-management.io_managedclusteraddons.crd.yaml

@@ -314,6 +314,7 @@ spec:
                         will use to create csr.
                       maxLength: 571
                       minLength: 5
+                      pattern: ^([a-z0-9][a-z0-9-]*[a-z0-9]\.)+[a-z]+\/[a-z0-9-\.]+$
                       type: string
                     subject:
                       description: 'subject is the user subject of the addon agent

addon/v1alpha1/0000_03_addon.open-cluster-management.io_addontemplates.crd.yaml

@@ -330,6 +330,7 @@ spec:
                             agent will use to create csr.
                           maxLength: 571
                           minLength: 5
+                          pattern: ^([a-z0-9][a-z0-9-]*[a-z0-9]\.)+[a-z]+\/[a-z0-9-\.]+$
                           type: string
                         signingCA:
                           description: 'SigningCA represents the reference of the

addon/v1alpha1/types_addontemplate.go

@@ -157,6 +157,7 @@ type CustomSignerRegistrationConfig struct {
 	// +required
 	// +kubebuilder:validation:MaxLength=571
 	// +kubebuilder:validation:MinLength=5
+	// +kubebuilder:validation:Pattern=^([a-z0-9][a-z0-9-]*[a-z0-9]\.)+[a-z]+\/[a-z0-9-\.]+$
 	SignerName string `json:"signerName"`
 
 	// Subject is the user subject of the addon agent to be registered to the hub.

addon/v1alpha1/types_managedclusteraddon.go

@@ -56,6 +56,7 @@ type RegistrationConfig struct {
 	// +required
 	// +kubebuilder:validation:MaxLength=571
 	// +kubebuilder:validation:MinLength=5
+	// +kubebuilder:validation:Pattern=^([a-z0-9][a-z0-9-]*[a-z0-9]\.)+[a-z]+\/[a-z0-9-\.]+$
 	SignerName string `json:"signerName"`
 
 	// subject is the user subject of the addon agent to be registered to the hub.

test/integration-test.mk

@@ -2,7 +2,7 @@ TEST_TMP :=/tmp
 
 export KUBEBUILDER_ASSETS ?=$(TEST_TMP)/kubebuilder/bin
 
-K8S_VERSION ?=1.23.1
+K8S_VERSION ?=1.29.3
 GOHOSTOS ?=$(shell go env GOHOSTOS)
 GOHOSTARCH =amd64
 KB_TOOLS_ARCHIVE_NAME :=kubebuilder-tools-$(K8S_VERSION)-$(GOHOSTOS)-$(GOHOSTARCH).tar.gz

test/integration/api/managedclusteraddon_test.go

@@ -107,7 +107,7 @@ var _ = ginkgo.Describe("ManagedClusterAddOn API test", func() {
 
 		mca.Status.Registrations = []addonv1alpha1.RegistrationConfig{
 			{
-				SignerName: "addontest",
+				SignerName: "open-cluster-management.io/addontest",
 			},
 		}
 
@@ -119,6 +119,42 @@ var _ = ginkgo.Describe("ManagedClusterAddOn API test", func() {
 		gomega.Expect(err).ToNot(gomega.HaveOccurred())
 	})
 
+	ginkgo.It("Update failed with wrong signer name in the ManagedClusterAddOn", func() {
+		managedClusterAddOn := &addonv1alpha1.ManagedClusterAddOn{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: managedClusterAddOnName,
+			},
+			Spec: addonv1alpha1.ManagedClusterAddOnSpec{},
+		}
+
+		_, err := hubAddonClient.AddonV1alpha1().ManagedClusterAddOns(testNamespace).Create(
+			context.TODO(),
+			managedClusterAddOn,
+			metav1.CreateOptions{},
+		)
+		gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+		mca, err := hubAddonClient.AddonV1alpha1().ManagedClusterAddOns(testNamespace).Get(
+			context.TODO(),
+			managedClusterAddOnName,
+			metav1.GetOptions{},
+		)
+		gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+		mca.Status.Registrations = []addonv1alpha1.RegistrationConfig{
+			{
+				SignerName: "addontest",
+			},
+		}
+
+		_, err = hubAddonClient.AddonV1alpha1().ManagedClusterAddOns(testNamespace).UpdateStatus(
+			context.TODO(),
+			mca,
+			metav1.UpdateOptions{},
+		)
+		gomega.Expect(err).To(gomega.HaveOccurred())
+	})
+
 	ginkgo.It("Should update the ManagedClusterAddOn status with config", func() {
 		managedClusterAddOn := &addonv1alpha1.ManagedClusterAddOn{
 			ObjectMeta: metav1.ObjectMeta{