Validate function tag literals before execution#4503
Open
AkashKumar7902 wants to merge 3 commits intokptdev:mainfrom
Open
Validate function tag literals before execution#4503AkashKumar7902 wants to merge 3 commits intokptdev:mainfrom
AkashKumar7902 wants to merge 3 commits intokptdev:mainfrom
Conversation
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
AkashKumar7902
requested review from
efiacor,
kispaljr,
liamfallon and
mozesl-nokia
as code owners
✅ Deploy Preview for kptdocs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
dosubot
Bot
added
size:S
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds early validation for literal function.tag values to ensure they conform to OCI/Docker image tag syntax, preventing invalid tags from reaching runtime execution and failing later.
Changes:
- Validate literal (non-constraint-resolved)
function.tagvalues against an image tag regex before constructing the final image reference. - Factor literal-tag image construction into a helper (
imageWithLiteralTag) used by both semver-exact and non-semver tag paths. - Add test coverage for invalid literal tags (including a semver-valid-but-tag-invalid case).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/fn/runtime/tag_resolution.go | Adds image-tag syntax validation for literal tags and routes literal tag resolution through a helper returning actionable errors early. |
| pkg/fn/runtime/tag_resolution_test.go | Adds cases asserting invalid literal tags now fail during resolution rather than later at execution time. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Akash Kumar <meakash7902@gmail.com>
|
|
||
| const imageTagError = "must start with an alphanumeric character or underscore, followed by at most 127 alphanumeric characters, underscores, periods, or dashes" | ||
|
|
||
| var imageTagRegex = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$`) |
Contributor
There was a problem hiding this comment.
I think you could import this instead: https://github.com/distribution/reference/blob/0965666a6ade2e06035fe352e38344be1e68951a/regexp.go#L39
I would actually prefer a validator function from distribution, but I can't find one...
Comment on lines
+93
to
+99
| resolvedImage, tagErr := imageWithLiteralTag(ref, tag) | ||
| if tagErr != nil { | ||
| return "", tagErr | ||
| } | ||
| klog.Warningf("Tag %q could not be parsed as a semantic version (\"%s\") or constraint (\"%s\"), will use it literally", | ||
| tag, versionErr, constraintErr) | ||
| return resolvedImage, nil |
Contributor
There was a problem hiding this comment.
I don't think this bit is necessary to change, just leave that warning in the else branch
…l flow mozesl-nokia in kptdev#4503 review: - Suggested importing the canonical tag regexp from github.com/distribution/reference instead of duplicating the pattern. Switched imageWithLiteralTag to use reference.TagRegexp; since it is unanchored, require a full-string match via FindString to keep the same semantics as the previous local regex. - Restored the pre-PR control flow in ResolveFunctionImage so the literal-tag warning stays in the else branch and the validation / reference build happens once at the end via imageWithLiteralTag. Signed-off-by: Akash Kumar <meakash7902@gmail.com>
Author
|
@mozesl-nokia Thanks for the review! Pushed 9782c09 addressing both points:
@copilot the wording suggestion ( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
function.tagvalues against image tag syntax before constructing the function image reference.Motivation
Fixes #4500.
Invalid tag values that were neither semantic versions nor semantic version constraints could be appended to the image name and only fail later during function execution. This catches those values during tag resolution with an actionable error.
Validation
go test ./pkg/fn/runtimego test ./pkg/fn/...go test -cover ./pkg/fn/runtimego vet ./pkg/fn/runtimego run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run ./pkg/fn/runtimeAI Assistance
I used OpenAI GPT-5 for code exploration, implementation assistance, and test drafting. I reviewed the changes and validated them locally.