Add config support with jsonschema validation

Per Goncalves da Silva · Per Goncalves da Silva · commit 630a47d8d17e · 2025-09-03T15:29:45.000+02:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/internal/operator-controller/rukpak/bundle/config.go b/internal/operator-controller/rukpak/bundle/config.go
@@ -0,0 +1,185 @@
+package bundle
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+
+	jsonschemagen "github.com/invopop/jsonschema"
+	"github.com/santhosh-tekuri/jsonschema/v6"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation"
+
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+)
+
+const (
+	dns1123SubdomainFormat = "RFC-1123"
+)
+
+var unsupportedInstallModes = sets.New[v1alpha1.InstallModeType](v1alpha1.InstallModeTypeMultiNamespace)
+
+// dnsFormat checks conformity to RFC1213 lowercase dns subdomain format by any field with format 'RFC-1123'
+var dnsFormat = &jsonschema.Format{
+	Name: dns1123SubdomainFormat,
+	Validate: func(v any) error {
+		if v == nil {
+			return nil
+		}
+		s, ok := v.(string)
+		if !ok {
+			return fmt.Errorf("invalid type %T, expected string", v)
+		}
+		errs := validation.IsDNS1123Subdomain(s)
+		if len(errs) > 0 {
+			return errors.New(strings.Join(errs, ", "))
+		}
+		return nil
+	},
+}
+
+// Config is a registry+v1 bundle configuration surface
+type Config struct {
+	WatchNamespace string `json:"watchNamespace,omitempty"`
+	// OperatorConfig *v1alpha1.SubscriptionConfig `json:"operatorConfig,omitempty"`
+}
+
+func ValidatedBundleConfigFromRaw(rv1 RegistryV1, installNamespace string, rawConfig map[string]interface{}) (*Config, error) {
+	if len(rawConfig) == 0 {
+		return nil, nil
+	}
+
+	rawSchema := bundleConfigSchema(rv1, installNamespace)
+	if err := validateBundleConfig(rawSchema, rawConfig); err != nil {
+		return nil, fmt.Errorf("invalid configuration: %v", err)
+	}
+
+	return toConfig(rawConfig)
+}
+
+func bundleConfigSchema(rv1 RegistryV1, installNamespace string) []byte {
+	// configure reflector
+	r := new(jsonschemagen.Reflector)
+	r.ExpandedStruct = true
+	r.AllowAdditionalProperties = false
+
+	// generate base schema
+	schema := r.Reflect(&Config{})
+
+	// apply bundle rawConfig based mutations for watchNamespace
+	configureWatchNamespaceProperty(rv1, installNamespace, schema)
+
+	// return schema
+	out, err := schema.MarshalJSON()
+	if err != nil {
+		panic(err)
+	}
+	return out
+}
+
+func configureWatchNamespaceProperty(rv1 RegistryV1, installNamespace string, schema *jsonschemagen.Schema) {
+	supportedInstallModes := sets.New[v1alpha1.InstallModeType]()
+	for _, im := range rv1.CSV.Spec.InstallModes {
+		if im.Supported && !unsupportedInstallModes.Has(im.Type) {
+			supportedInstallModes.Insert(im.Type)
+		}
+	}
+
+	allSupported := supportedInstallModes.Has(v1alpha1.InstallModeTypeAllNamespaces)
+	singleSupported := supportedInstallModes.Has(v1alpha1.InstallModeTypeSingleNamespace)
+	ownSupported := supportedInstallModes.Has(v1alpha1.InstallModeTypeOwnNamespace)
+
+	if len(supportedInstallModes) == 0 {
+		panic("bundle does not support any supported install modes")
+	}
+
+	// no watchNamespace rawConfig parameter if bundle only supports AllNamespaces or OwnNamespace install modes
+	if len(supportedInstallModes) == 1 && (allSupported || ownSupported) {
+		schema.Properties.Delete("watchNamespace")
+		return
+	}
+
+	watchNamespaceProperty, ok := schema.Properties.Get("watchNamespace")
+	if !ok {
+		panic("watchNamespace not found in schema")
+	}
+
+	watchNamespaceProperty.Format = dns1123SubdomainFormat
+
+	// required or optional
+	if !allSupported && singleSupported {
+		schema.Required = append(schema.Required, "watchNamespace")
+	} else {
+		watchNamespaceProperty.Extras = map[string]any{
+			"type": []string{"string", "null"},
+		}
+	}
+
+	// must be the install namespace
+	if allSupported && ownSupported && !singleSupported {
+		watchNamespaceProperty.Enum = []any{
+			installNamespace,
+			nil,
+		}
+	}
+}
+
+func validateBundleConfig(rawSchema []byte, config map[string]interface{}) error {
+	schema, err := jsonschema.UnmarshalJSON(strings.NewReader(string(rawSchema)))
+	if err != nil {
+		return err
+	}
+
+	compiler := jsonschema.NewCompiler()
+	compiler.RegisterFormat(dnsFormat)
+	compiler.AssertFormat()
+	if err := compiler.AddResource("schema.json", schema); err != nil {
+		return err
+	}
+	compiledSchema, err := compiler.Compile("schema.json")
+	if err != nil {
+		return err
+	}
+
+	return formatJSONSchemaValidationError(compiledSchema.Validate(config))
+}
+
+func toConfig(config map[string]interface{}) (*Config, error) {
+	cfg := Config{}
+	dataBytes, err := json.Marshal(config)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(dataBytes, &cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}
+
+func formatJSONSchemaValidationError(err error) error {
+	var validationErr *jsonschema.ValidationError
+	if !errors.As(err, &validationErr) {
+		return err
+	}
+	var errs []error
+	for _, cause := range validationErr.Causes {
+		if cause == nil || cause.BasicOutput() == nil {
+			continue
+		}
+
+		output := cause.BasicOutput()
+		instanceLocation := strings.ReplaceAll(output.InstanceLocation, "/", ".")
+		if instanceLocation == "" {
+			errs = append(errs, fmt.Errorf("%v", output.Error))
+		} else {
+			errs = append(errs, fmt.Errorf("at path %q: %s", instanceLocation, output.Error))
+		}
+	}
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+	return err
+}
diff --git a/internal/operator-controller/rukpak/bundle/config_test.go b/internal/operator-controller/rukpak/bundle/config_test.go
@@ -0,0 +1,210 @@
+package bundle_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle"
+	. "github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util/testing"
+)
+
+const (
+	installNamespace = "install-namespace"
+)
+
+var (
+	requiredConfigSet = []v1alpha1.InstallModeType{
+		v1alpha1.InstallModeTypeSingleNamespace,
+	}
+
+	optionalConfigSet = []v1alpha1.InstallModeType{
+		v1alpha1.InstallModeTypeAllNamespaces,
+		v1alpha1.InstallModeTypeSingleNamespace,
+	}
+
+	optionalRestrictedConfigSet = []v1alpha1.InstallModeType{
+		v1alpha1.InstallModeTypeAllNamespaces,
+		v1alpha1.InstallModeTypeOwnNamespace,
+	}
+
+	notRequiredConfigSet = []v1alpha1.InstallModeType{
+		v1alpha1.InstallModeTypeAllNamespaces,
+	}
+)
+
+func Test_ValidatedBundleConfigFromRaw_WatchNamespace_Configuration(t *testing.T) {
+	// The behavior of watchNamespace is dynamic and depends on the install modes supported by
+	// the bundle (declared in its ClusterServiceVersion). For instance, a bundle that only
+	// supports AllNamespaces or only supports OwnNamespace mode does not need a watchNamespace configuration, or
+	// a bundle that supports AllNamespaces and OwnNamespace install modes will have an optional watchNamespace
+	// configuration, however when set, the value must be equal to the install namespace
+	for _, tt := range []struct {
+		name                   string
+		supportedInstallModes  []v1alpha1.InstallModeType
+		rawConfig              map[string]interface{}
+		expectedErrMsgFragment string
+		expectedConfig         *bundle.Config
+	}{
+		{
+			name:                  "watchNamespace is required and provided",
+			supportedInstallModes: requiredConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "some-namespace",
+			},
+			expectedConfig: &bundle.Config{
+				WatchNamespace: "some-namespace",
+			},
+		},
+		{
+			name:                  "watchNamespace is required and provided but invalid",
+			supportedInstallModes: requiredConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "not a valid namespace name",
+			},
+			expectedErrMsgFragment: "'not a valid namespace name' is not valid RFC-1123",
+		},
+		{
+			name:                  "watchNamespace is required and provided but empty",
+			supportedInstallModes: requiredConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "",
+			},
+			expectedErrMsgFragment: "'' is not valid RFC-1123",
+		},
+		{
+			name:                  "watchNamespace is required and not provided (nil)",
+			supportedInstallModes: requiredConfigSet,
+			rawConfig:             nil,
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is required and not provided (empty config)",
+			supportedInstallModes: requiredConfigSet,
+			rawConfig:             map[string]interface{}{},
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is optional and provided",
+			supportedInstallModes: optionalConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "some-namespace",
+			},
+			expectedConfig: &bundle.Config{
+				WatchNamespace: "some-namespace",
+			},
+		},
+		{
+			name:                  "watchNamespace is optional and provided but invalid",
+			supportedInstallModes: optionalConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "not a valid namespace name",
+			},
+			expectedErrMsgFragment: "'not a valid namespace name' is not valid RFC-1123",
+		},
+		{
+			name:                  "watchNamespace is optional and not provided (nil config)",
+			supportedInstallModes: optionalConfigSet,
+			rawConfig:             nil,
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is optional and not provided (empty config)",
+			supportedInstallModes: optionalConfigSet,
+			rawConfig:             map[string]interface{}{},
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is optional and not provided (nil)",
+			supportedInstallModes: optionalConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": nil,
+			},
+			expectedConfig: &bundle.Config{},
+		},
+		{
+			name:                  "watchNamespace is optional and restricted to install-namespace and correctly provided",
+			supportedInstallModes: optionalRestrictedConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "install-namespace",
+			},
+			expectedConfig: &bundle.Config{
+				WatchNamespace: "install-namespace",
+			},
+		},
+		{
+			name:                  "watchNamespace is optional and restricted to install-namespace and incorrectly provided",
+			supportedInstallModes: optionalRestrictedConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "not-install-namespace",
+			},
+			expectedErrMsgFragment: "value must be one of 'install-namespace', <nil>",
+		},
+		{
+			name:                  "watchNamespace is optional and restricted to install-namespace and not provided (nil)",
+			supportedInstallModes: optionalRestrictedConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": nil,
+			},
+			expectedConfig: &bundle.Config{},
+		},
+		{
+			name:                  "watchNamespace is optional and restricted to install-namespace and not provided (nil config)",
+			supportedInstallModes: optionalRestrictedConfigSet,
+			rawConfig:             nil,
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is optional and restricted to install-namespace and not provided (empty config)",
+			supportedInstallModes: optionalRestrictedConfigSet,
+			rawConfig:             map[string]interface{}{},
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is not a config option and it is set",
+			supportedInstallModes: notRequiredConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": "some-namespace",
+			},
+			expectedErrMsgFragment: "additional properties 'watchNamespace' not allowed",
+		},
+		{
+			name:                  "watchNamespace is not a config option and it is not set (nil)",
+			supportedInstallModes: notRequiredConfigSet,
+			rawConfig: map[string]interface{}{
+				"watchNamespace": nil,
+			},
+			expectedErrMsgFragment: "additional properties 'watchNamespace' not allowed",
+		},
+		{
+			name:                  "watchNamespace is not a config option and it is not set (config empty)",
+			supportedInstallModes: notRequiredConfigSet,
+			rawConfig:             map[string]interface{}{},
+			expectedConfig:        nil,
+		},
+		{
+			name:                  "watchNamespace is not a config option and it is not set (config nil)",
+			supportedInstallModes: notRequiredConfigSet,
+			rawConfig:             nil,
+			expectedConfig:        nil,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			rv1 := bundle.RegistryV1{
+				CSV: MakeCSV(WithInstallModeSupportFor(tt.supportedInstallModes...)),
+			}
+
+			cfg, err := bundle.ValidatedBundleConfigFromRaw(rv1, installNamespace, tt.rawConfig)
+
+			if tt.expectedErrMsgFragment == "" {
+				require.NoError(t, err)
+				require.Equal(t, tt.expectedConfig, cfg)
+			} else {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tt.expectedErrMsgFragment)
+			}
+		})
+	}
+}
