feat: validate plugin name on CR create (#1265)

Signed-off-by: Susan Shi <[email protected]>

.vscode/launch.json

@@ -46,7 +46,8 @@
       "program": "${workspaceFolder}/cmd/ratify",
       "env": {
         "RATIFY_LOG_LEVEL": "debug",
-        "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1"
+        "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
+        "RATIFY_NAMESPACE": "gatekeeper-system",
       },
       "args": [
         "serve",

Makefile

@@ -82,6 +82,7 @@ build-plugins:
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/cosign/... -o ./bin/plugins/ ./plugins/verifier/cosign
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/licensechecker/... -o ./bin/plugins/ ./plugins/verifier/licensechecker
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/sample/... -o ./bin/plugins/ ./plugins/verifier/sample
+	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/referrerstore/sample/... -o ./bin/plugins/referrerstore/ ./plugins/referrerstore/sample
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/sbom/... -o ./bin/plugins/ ./plugins/verifier/sbom
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/schemavalidator/... -o ./bin/plugins/ ./plugins/verifier/schemavalidator
 	go build -cover -coverpkg=github.com/deislabs/ratify/plugins/verifier/vulnerabilityreport/... -o ./bin/plugins/ ./plugins/verifier/vulnerabilityreport

api/v1beta1/store_types.go

@@ -41,12 +41,24 @@ type StoreSpec struct {
 
 // StoreStatus defines the observed state of Store
 type StoreStatus struct {
-	// Important: Run "make" to regenerate code after modifying this file
+	// Important: Run "make install-crds" to regenerate code after modifying this file
+
+	// Is successful in finding the plugin
+	IsSuccess bool `json:"issuccess"`
+	// Error message if operation was unsuccessful
+	// +optional
+	Error string `json:"error,omitempty"`
+	// Truncated error message if the message is too long
+	// +optional
+	BriefError string `json:"brieferror,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope="Cluster"
+// +kubebuilder:subresource:status
 // +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="IsSuccess",type=boolean,JSONPath=`.status.issuccess`
+// +kubebuilder:printcolumn:name="Error",type=string,JSONPath=`.status.brieferror`
 // Store is the Schema for the stores API
 type Store struct {
 	metav1.TypeMeta   `json:",inline"`

api/v1beta1/verifier_types.go

@@ -48,12 +48,24 @@ type VerifierSpec struct {
 // VerifierStatus defines the observed state of Verifier
 type VerifierStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
-	// Important: Run "make" to regenerate code after modifying this file
+	// Important: Run "make install-crds" to regenerate code after modifying this file
+
+	// Is successful in finding the plugin
+	IsSuccess bool `json:"issuccess"`
+	// Error message if operation was unsuccessful
+	// +optional
+	Error string `json:"error,omitempty"`
+	// Truncated error message if the message is too long
+	// +optional
+	BriefError string `json:"brieferror,omitempty"`
 }
 
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope="Cluster"
+// +kubebuilder:subresource:status
 // +kubebuilder:storageversion
+// +kubebuilder:printcolumn:name="IsSuccess",type=boolean,JSONPath=`.status.issuccess`
+// +kubebuilder:printcolumn:name="Error",type=string,JSONPath=`.status.brieferror`
 // Verifier is the Schema for the verifiers API
 type Verifier struct {
 	metav1.TypeMeta   `json:",inline"`

charts/ratify/crds/store-customresourcedefinition.yaml

@@ -66,7 +66,14 @@ spec:
         type: object
     served: true
     storage: false
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .status.issuccess
+      name: IsSuccess
+      type: boolean
+    - jsonPath: .status.brieferror
+      name: Error
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: Store is the Schema for the stores API
@@ -94,7 +101,7 @@ spec:
                 type: string
               version:
                 description: Version of the store plugin. Optional
-                type: string
+                type: string     
               parameters:
                 description: Parameters of the store
                 type: object
@@ -110,13 +117,27 @@ spec:
                       source, optional
                     type: object
                     x-kubernetes-preserve-unknown-fields: true
-                type: object              
+                type: object
             required:
             - name
             type: object
           status:
             description: StoreStatus defines the observed state of Store
+            properties:
+              brieferror:
+                description: Truncated error message if the message is too long
+                type: string
+              error:
+                description: Error message if operation was unsuccessful
+                type: string
+              issuccess:
+                description: Is successful in finding the plugin
+                type: boolean
+            required:
+            - issuccess
             type: object
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}

charts/ratify/crds/verifier-customresourcedefinition.yaml

@@ -69,7 +69,14 @@ spec:
         type: object
     served: true
     storage: false
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .status.issuccess
+      name: IsSuccess
+      type: boolean
+    - jsonPath: .status.brieferror
+      name: Error
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: Verifier is the Schema for the verifiers API
@@ -100,7 +107,7 @@ spec:
                 type: string
               version:
                 description: Version of the verifier plugin. Optional
-                type: string
+                type: string   
               parameters:
                 description: Parameters for this verifier
                 type: object
@@ -123,7 +130,21 @@ spec:
             type: object
           status:
             description: VerifierStatus defines the observed state of Verifier
+            properties:
+              brieferror:
+                description: Truncated error message if the message is too long
+                type: string
+              error:
+                description: Error message if operation was unsuccessful
+                type: string
+              issuccess:
+                description: Is successful in finding the plugin
+                type: boolean
+            required:
+            - issuccess
             type: object
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}

config/crd/bases/config.ratify.deislabs.io_stores.yaml

@@ -67,7 +67,14 @@ spec:
         type: object
     served: true
     storage: false
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .status.issuccess
+      name: IsSuccess
+      type: boolean
+    - jsonPath: .status.brieferror
+      name: Error
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: Store is the Schema for the stores API
@@ -95,7 +102,7 @@ spec:
                 type: string
               version:
                 description: Version of the store plugin. Optional
-                type: string                
+                type: string     
               parameters:
                 description: Parameters of the store
                 type: object
@@ -117,7 +124,21 @@ spec:
             type: object
           status:
             description: StoreStatus defines the observed state of Store
+            properties:
+              brieferror:
+                description: Truncated error message if the message is too long
+                type: string
+              error:
+                description: Error message if operation was unsuccessful
+                type: string
+              issuccess:
+                description: Is successful in finding the plugin
+                type: boolean
+            required:
+            - issuccess
             type: object
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}

config/crd/bases/config.ratify.deislabs.io_verifiers.yaml

@@ -70,7 +70,14 @@ spec:
         type: object
     served: true
     storage: false
-  - name: v1beta1
+  - additionalPrinterColumns:
+    - jsonPath: .status.issuccess
+      name: IsSuccess
+      type: boolean
+    - jsonPath: .status.brieferror
+      name: Error
+      type: string
+    name: v1beta1
     schema:
       openAPIV3Schema:
         description: Verifier is the Schema for the verifiers API
@@ -101,7 +108,7 @@ spec:
                 type: string
               version:
                 description: Version of the verifier plugin. Optional
-                type: string                
+                type: string   
               parameters:
                 description: Parameters for this verifier
                 type: object
@@ -124,7 +131,21 @@ spec:
             type: object
           status:
             description: VerifierStatus defines the observed state of Verifier
+            properties:
+              brieferror:
+                description: Truncated error message if the message is too long
+                type: string
+              error:
+                description: Error message if operation was unsuccessful
+                type: string
+              issuccess:
+                description: Is successful in finding the plugin
+                type: boolean
+            required:
+            - issuccess
             type: object
         type: object
     served: true
     storage: true
+    subresources:
+      status: {}

config/samples/config_v1beta1_store_dynamic.yaml

@@ -0,0 +1,8 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Store
+metadata:
+  name: store-dynamic
+spec:
+  name: dynamic  
+  source:
+    artifact: wabbitnetworks.azurecr.io/test/sample-store-plugin:v1

pkg/controllers/policy_controller.go

@@ -88,6 +88,7 @@ func (r *PolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return ctrl.Result{}, err
 	}
 
+	writePolicyStatus(ctx, r, &policy, policyLogger, true, "")
 	return ctrl.Result{}, nil
 }
 
@@ -159,13 +160,14 @@ func writePolicyStatus(ctx context.Context, r client.StatusClient, policy *confi
 		updatePolicyErrorStatus(policy, errString)
 	}
 	if statusErr := r.Status().Update(ctx, policy); statusErr != nil {
-		logger.Error(statusErr, ", unbale to update policy error status")
+		logger.Error(statusErr, ", unable to update policy error status")
 	}
 }
 
 func updatePolicySuccessStatus(policy *configv1beta1.Policy) {
 	policy.Status.IsSuccess = true
 	policy.Status.Error = ""
+	policy.Status.BriefError = ""
 }
 
 func updatePolicyErrorStatus(policy *configv1beta1.Policy, errString string) {

pkg/controllers/store_controller.go

@@ -74,9 +74,12 @@ func (r *StoreReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 
 	if err := storeAddOrReplace(store.Spec, resource); err != nil {
 		storeLogger.Error(err, "unable to create store from store crd")
+		writeStoreStatus(ctx, r, &store, storeLogger, false, err.Error())
 		return ctrl.Result{}, err
 	}
 
+	writeStoreStatus(ctx, r, &store, storeLogger, true, "")
+
 	// returning empty result and no error to indicate we’ve successfully reconciled this object
 	return ctrl.Result{}, nil
 }
@@ -140,3 +143,21 @@ func specToStoreConfig(storeSpec configv1beta1.StoreSpec) (rc.StorePluginConfig,
 
 	return storeConfig, nil
 }
+
+func writeStoreStatus(ctx context.Context, r client.StatusClient, store *configv1beta1.Store, logger *logrus.Entry, isSuccess bool, errorString string) {
+	if isSuccess {
+		store.Status.IsSuccess = true
+		store.Status.Error = ""
+		store.Status.BriefError = ""
+	} else {
+		store.Status.IsSuccess = false
+		store.Status.Error = errorString
+		if len(errorString) > maxBriefErrLength {
+			store.Status.BriefError = fmt.Sprintf("%s...", errorString[:maxBriefErrLength])
+		}
+	}
+
+	if statusErr := r.Status().Update(ctx, store); statusErr != nil {
+		logger.Error(statusErr, ",unable to update store error status")
+	}
+}