diff --git a/.claude/settings.local.json b/.claude/settings.local.json deleted file mode 100644 index 8442212..0000000 --- a/.claude/settings.local.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "permissions": { - "allow": [ - "Bash(gh pr:*)", - "WebFetch(domain:github.com)", - "WebFetch(domain:raw.githubusercontent.com)", - "Bash(curl:*)", - "Bash(go build *)", - "Bash(golangci-lint run *)", - "Bash(go test *)", - "Bash(gofmt *)", - "Bash(gmake *)" - ] - } -} diff --git a/.gitignore b/.gitignore index 7ac623e..fa93b88 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,5 @@ build/ .idea + +.claude diff --git a/.golangci.yaml b/.golangci.yaml index f14146f..98b6863 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -136,7 +136,7 @@ linters: # for github.com/sapcc/vpa_butler - k8s.io/client-go toolchain-forbidden: true - go-version-pattern: 1\.\d+(\.0)?$ + go-version-pattern: 1\.\d+(\.\d+)?$ # manually edited, as default rule does not allow go version with patch, but some deps require e.g. go 1.26.2 gosec: excludes: # gosec wants us to set a short ReadHeaderTimeout to avoid Slowloris attacks, but doing so would expose us to Keep-Alive race conditions (see https://iximiuz.com/en/posts/reverse-proxy-http-keep-alive-and-502s/ diff --git a/.typos.toml b/.typos.toml index 7dd0e8b..2ceb92e 100644 --- a/.typos.toml +++ b/.typos.toml @@ -4,6 +4,9 @@ [default.extend-words] +[default] +extend-ignore-identifiers-re = ["ANDed"] + [files] extend-exclude = [ "go.mod", diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt deleted file mode 100644 index 0e259d4..0000000 --- a/LICENSES/CC0-1.0.txt +++ /dev/null 
@@ -1,121 +0,0 @@ -Creative Commons Legal Code - -CC0 1.0 Universal - - CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE - LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN - ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS - INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES - REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS - PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM - THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED - HEREUNDER. - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator -and subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for -the purpose of contributing to a commons of creative, cultural and -scientific works ("Commons") that the public can reliably and without fear -of later claims of infringement build upon, modify, incorporate in other -works, reuse and redistribute as freely as possible in any form whatsoever -and for any purposes, including without limitation commercial purposes. -These owners may contribute to the Commons to promote the ideal of a free -culture and the further production of creative, cultural and scientific -works, or to gain reputation or greater distribution for their Work in -part through the use and efforts of others. 
- -For these and/or other purposes and motivations, and without any -expectation of additional consideration or compensation, the person -associating CC0 with a Work (the "Affirmer"), to the extent that he or she -is an owner of Copyright and Related Rights in the Work, voluntarily -elects to apply CC0 to the Work and publicly distribute the Work under its -terms, with knowledge of his or her Copyright and Related Rights in the -Work and the meaning and intended legal effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not -limited to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, - communicate, and translate a Work; - ii. moral rights retained by the original author(s) and/or performer(s); -iii. publicity and privacy rights pertaining to a person's image or - likeness depicted in a Work; - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - v. rights protecting the extraction, dissemination, use and reuse of data - in a Work; - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation - thereof, including any amended or successor version of such - directive); and -vii. other similar, equivalent or corresponding rights throughout the - world based on applicable law or treaty, and any national - implementations thereof. - -2. Waiver. 
To the greatest extent permitted by, but not in contravention -of, applicable law, Affirmer hereby overtly, fully, permanently, -irrevocably and unconditionally waives, abandons, and surrenders all of -Affirmer's Copyright and Related Rights and associated claims and causes -of action, whether now known or unknown (including existing as well as -future claims and causes of action), in the Work (i) in all territories -worldwide, (ii) for the maximum duration provided by applicable law or -treaty (including future time extensions), (iii) in any current or future -medium and for any number of copies, and (iv) for any purpose whatsoever, -including without limitation commercial, advertising or promotional -purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each -member of the public at large and to the detriment of Affirmer's heirs and -successors, fully intending that such Waiver shall not be subject to -revocation, rescission, cancellation, termination, or any other legal or -equitable action to disrupt the quiet enjoyment of the Work by the public -as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. Should any part of the Waiver for any reason -be judged legally invalid or ineffective under applicable law, then the -Waiver shall be preserved to the maximum extent permitted taking into -account Affirmer's express Statement of Purpose. 
In addition, to the -extent the Waiver is so judged Affirmer hereby grants to each affected -person a royalty-free, non transferable, non sublicensable, non exclusive, -irrevocable and unconditional license to exercise Affirmer's Copyright and -Related Rights in the Work (i) in all territories worldwide, (ii) for the -maximum duration provided by applicable law or treaty (including future -time extensions), (iii) in any current or future medium and for any number -of copies, and (iv) for any purpose whatsoever, including without -limitation commercial, advertising or promotional purposes (the -"License"). The License shall be deemed effective as of the date CC0 was -applied by Affirmer to the Work. Should any part of the License for any -reason be judged legally invalid or ineffective under applicable law, such -partial invalidity or ineffectiveness shall not invalidate the remainder -of the License, and in such case Affirmer hereby affirms that he or she -will not (i) exercise any of his or her remaining Copyright and Related -Rights in the Work or (ii) assert any associated claims and causes of -action with respect to the Work, in either case contrary to Affirmer's -express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - b. Affirmer offers the Work as-is and makes no representations or - warranties of any kind concerning the Work, express, implied, - statutory or otherwise, including without limitation warranties of - title, merchantability, fitness for a particular purpose, non - infringement, or the absence of latent or other defects, accuracy, or - the present or absence of errors, whether or not discoverable, all to - the greatest extent permissible under applicable law. - c. 
Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without - limitation any person's Copyright and Related Rights in the Work. - Further, Affirmer disclaims responsibility for obtaining any necessary - consents, permissions or other rights required for any use of the - Work. - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to - this CC0 or use of the Work. diff --git a/cloudprofilesync/imageupdater.go b/cloudprofilesync/imageupdater.go index 51bf07a..85d610f 100644 --- a/cloudprofilesync/imageupdater.go +++ b/cloudprofilesync/imageupdater.go 
@@ -17,16 +17,33 @@ import (
 func filterImages(log logr.Logger, versions []SourceImage) []SourceImage {
 filtered := make([]SourceImage, 0, len(versions))
 for _, version := range versions {
- versionStr := version.effectiveVersion()
- _, err := semver.Parse(versionStr)
- if err != nil {
- log.V(1).Info("skipping invalid version", "version", versionStr)
+ if len(version.Architectures) == 0 {
+ log.V(1).Info("skipping version with no architectures", "version", version.Version)
 continue
 }
- if len(version.Architectures) == 0 {
- log.V(1).Info("skipping version with no architectures", "version", versionStr)
+
+ validLegacyTag := false
+ if _, err := semver.Parse(version.Version); err == nil {
+ validLegacyTag = true
+ }
+
+ validCleanVersion := false
+ if version.CleanVersion != "" {
+ // Found that we can have "1921.0" in annotations. It will be transformed to "1921.0.0"
+ if parsed, err := semver.ParseTolerant(version.CleanVersion); err == nil {
+ validCleanVersion = true
+ version.CleanVersion = parsed.String()
+ } else {
+ log.V(1).Info("ignoring invalid clean version annotation", "tag", version.Version, "cleanVersion", version.CleanVersion)
+ version.CleanVersion = ""
+ }
+ }
+
+ if !validLegacyTag && !validCleanVersion {
+ log.V(1).Info("skipping invalid version (both tag and clean version are bad)", "tag", version.Version)
 continue
 }
+
 filtered = append(filtered, version)
 }
 return filtered
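Review bot: `semver.ParseTolerant` in the new `CleanVersion` branch accepts more than the short `1921.0` form the comment names: it also trims surrounding whitespace, drops a leading `v` and strips leading zeros, so `1921.0`, `v1921.0.0` and `01921.0.0` all become `1921.0.0` once `version.CleanVersion = parsed.String()` runs. Two source images whose annotations differ only in spelling then carry the same clean version, and nothing in filterImages notices; how Update resolves that is outside this hunk. The rewrite is also silent, so I would keep the raw annotation in a local and log when it changed, e.g. `log.V(1).Info("normalized clean version annotation", "tag", version.Version, "from", raw, "to", version.CleanVersion)`. A doc comment on filterImages stating the new contract (an image is kept when either the tag or the clean version parses, and the clean version is normalized or cleared) would help as well, since the signature in this hunk has none.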
@@ -73,13 +90,21 @@ func (iu *ImageUpdater) Update(ctx context.Context, cpSpec *gardenerv1beta1.Clou
 if idx, exists := existingVersions[sourceImage.Version]; exists {
 image.Versions[idx].Architectures = sourceImage.Architectures
 } else {
- image.Versions = append(image.Versions, gardenerv1beta1.MachineImageVersion{
- ExpirableVersion: gardenerv1beta1.ExpirableVersion{
- Version: sourceImage.Version,
- },
- Architectures: sourceImage.Architectures,
- })
- existingVersions[sourceImage.Version] = len(image.Versions) - 1
+ // Moving this check to filterImages() would break the core architectural goal of GEP-33
+ // as it intentionally decouples the OCI registry tag from the semantic OS version
+ // In the future, teams might push images with tags like build-0849f313 or 2026-06-release
+ // As long as the CleanVersion annotation is a valid SemVer (e.g., 2262.0.0), the extension needs to route to it
+ if _, err = semver.Parse(sourceImage.Version); err != nil {
+ iu.Log.V(1).Info("skipping legacy entry in spec.machineImages because original tag is not valid semver", "version", sourceImage.Version)
+ } else {
+ image.Versions = append(image.Versions, gardenerv1beta1.MachineImageVersion{
+ ExpirableVersion: gardenerv1beta1.ExpirableVersion{
+ Version: sourceImage.Version,
+ },
+ Architectures: sourceImage.Architectures,
+ })
+ existingVersions[sourceImage.Version] = len(image.Versions) - 1
+ }
 }

 // When capabilities are enabled, also write the clean version entry.
diff --git a/cloudprofilesync/imageupdater_test.go b/cloudprofilesync/imageupdater_test.go
index 5ffbb99..2b1bc35 100644
--- a/cloudprofilesync/imageupdater_test.go
+++ b/cloudprofilesync/imageupdater_test.go
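Review bot: The added check `if _, err = semver.Parse(sourceImage.Version); err != nil {` assigns with `=`, so it overwrites an `err` declared earlier in Update instead of a variable scoped to the `if`. On the skip path that outer `err` stays non-nil after the branch, and any later `return err` or `if err != nil` that does not reassign it first would turn a deliberately skipped tag into a failed Update; the rest of the function is outside the hunk, so this needs checking against the full body. Scoping the variable removes the question: `if _, err := semver.Parse(sourceImage.Version); err != nil {`. Separately, the skip only guards new entries: the `exists` branch above still updates a non-semver entry already present in the spec, which may be intended but deserves a line in the comment.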
@@ -14,8 +14,108 @@ import ( "github.com/cobaltcore-dev/cloud-profile-sync/cloudprofilesync" ) -var _ = Describe("ImageUpdater", func() { +var _ = Describe("filterImages", func() { + // helper: run Update and return the versions written to spec.machineImages + versions := func(ctx SpecContext, images []cloudprofilesync.SourceImage) []gardencorev1beta1.MachineImageVersion { + mockSource.images = images + updater := cloudprofilesync.ImageUpdater{ + Log: GinkgoLogr, + Source: &mockSource, + ImageName: "test", + EnableCapabilities: true, + } + var cpSpec gardencorev1beta1.CloudProfileSpec + Expect(updater.Update(ctx, &cpSpec)).To(Succeed()) + if len(cpSpec.MachineImages) == 0 { + return nil + } + return cpSpec.MachineImages[0].Versions + } + + It("invalid tag + no clean version: drops the image entirely", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + {Version: "not-a-version", Architectures: []string{"amd64"}}, + }) + Expect(result).To(BeEmpty()) + }) + + It("invalid tag + invalid clean version: drops the image entirely", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + {Version: "not-a-version", CleanVersion: "also-not-a-version", Architectures: []string{"amd64"}}, + }) + Expect(result).To(BeEmpty()) + }) + + It("invalid tag + valid clean version: NEW format only (no legacy entry)", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + { + Version: "1877.9.2.0-metal-sci-pxe-amd64", + CleanVersion: "1877.9.2", + Architectures: []string{"amd64"}, + Capabilities: gardencorev1beta1.Capabilities{"architecture": {"amd64"}, "feature": {"sci", "_pxe"}}, + }, + }) + Expect(result).To(HaveLen(1)) + Expect(result[0].Version).To(Equal("1877.9.2")) + }) + + It("valid tag + valid clean version: BOTH formats", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + { + Version: "2254.0.0-baremetal-sci-usi-amd64", + CleanVersion: "2254.0.0", + 
Architectures: []string{"amd64"}, + Capabilities: gardencorev1beta1.Capabilities{"architecture": {"amd64"}, "feature": {"sci", "_usi"}}, + }, + }) + Expect(result).To(HaveLen(2)) + versionStrings := []string{result[0].Version, result[1].Version} + Expect(versionStrings).To(ContainElements("2254.0.0-baremetal-sci-usi-amd64", "2254.0.0")) + }) + + It("valid tag + no clean version: OLD format only", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + {Version: "1921.0.0", Architectures: []string{"amd64"}}, + }) + Expect(result).To(HaveLen(1)) + Expect(result[0].Version).To(Equal("1921.0.0")) + }) + + It("valid tag + invalid clean version: BOTH formats with clean version normalized", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + { + Version: "1921.0.0-metal-sci-usi-amd64", + CleanVersion: "1921.0", + Architectures: []string{"amd64"}, + Capabilities: gardencorev1beta1.Capabilities{"architecture": {"amd64"}, "feature": {"sci", "_usi"}}, + }, + }) + Expect(result).To(HaveLen(2)) + versionStrings := []string{result[0].Version, result[1].Version} + Expect(versionStrings).To(ContainElements("1921.0.0-metal-sci-usi-amd64", "1921.0.0")) + }) + + It("valid tag + unparsable clean version: does not write clean version entry", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + { + Version: "1921.0.0-metal-sci-usi-amd64", + CleanVersion: "not-a-version", + Architectures: []string{"amd64"}, + }, + }) + Expect(result).To(HaveLen(1)) + Expect(result[0].Version).To(Equal("1921.0.0-metal-sci-usi-amd64")) + }) + It("no architectures: drops the image entirely", func(ctx SpecContext) { + result := versions(ctx, []cloudprofilesync.SourceImage{ + {Version: "1.0.0"}, + }) + Expect(result).To(BeEmpty()) + }) +}) + +var _ = Describe("ImageUpdater", func() { Describe("flag OFF (default behavior)", func() { It("adds an image from the source to the CloudProfile spec", func(ctx SpecContext) { 
mockSource.images = []cloudprofilesync.SourceImage{{Version: "1.0.0", Architectures: []string{"amd64"}}} @@ -172,6 +272,37 @@ var _ = Describe("ImageUpdater", func() { Expect(cpSpec.MachineImages[0].Versions).To(HaveLen(2)) }) + It("skips legacy spec entry for non-semver raw tag but still passes image to provider", func(ctx SpecContext) { + mockSource.images = []cloudprofilesync.SourceImage{ + { + Version: "1877.9.2.0-metal-sci-pxe-amd64-1877-9-2-6bb2b442", + CleanVersion: "1877.9.2", + Architectures: []string{"amd64"}, + Capabilities: gardencorev1beta1.Capabilities{"architecture": {"amd64"}, "feature": {"sci", "_pxe"}}, + }, + } + updater := cloudprofilesync.ImageUpdater{ + Log: GinkgoLogr, + Source: &mockSource, + ImageName: "test", + EnableCapabilities: true, + Provider: &MockProvider{}, + } + var cpSpec gardencorev1beta1.CloudProfileSpec + Expect(updater.Update(ctx, &cpSpec)).To(Succeed()) + + // Non-semver raw tag must not appear in spec.machineImages — Gardener would reject it. + // Only the clean version entry should be written. + Expect(cpSpec.MachineImages[0].Versions).To(HaveLen(1)) + Expect(cpSpec.MachineImages[0].Versions[0].Version).To(Equal("1877.9.2")) + + // The raw tag must still reach the provider (capabilityFlavors). + var fromProvider []cloudprofilesync.SourceImage + Expect(json.Unmarshal(cpSpec.ProviderConfig.Raw, &fromProvider)).To(Succeed()) + Expect(fromProvider).To(HaveLen(1)) + Expect(fromProvider[0].Version).To(Equal("1877.9.2.0-metal-sci-pxe-amd64-1877-9-2-6bb2b442")) + }) + It("writes only full tag when CleanVersion is absent", func(ctx SpecContext) { mockSource.images = []cloudprofilesync.SourceImage{ {Version: "1877.0.0", Architectures: []string{"amd64"}}, diff --git a/go.mod b/go.mod index aafcb04..0bc82ee 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/cobaltcore-dev/cloud-profile-sync -go 1.26 +go 1.26.2 require ( github.com/blang/semver/v4 v4.0.0
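Review bot: Every case in the new `filterImages` Describe goes through the `versions` helper, which hard-codes `EnableCapabilities: true`, so a non-semver tag with a valid `CleanVersion` and capabilities disabled is never exercised. Such an image now passes the filter while Update skips its legacy entry, and the context comment in Update suggests the clean entry is only written when capabilities are on, so the spec may end up with no version for an image that is still handed on; a spec pinning the intended outcome for that case would close the gap. The title `valid tag + invalid clean version: BOTH formats with clean version normalized` also calls `1921.0` invalid although the code treats it as a tolerated short form; `valid tag + short clean version` would match the behaviour. The helper mutates the shared `mockSource`, which is declared outside this hunk.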
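Review bot: In the added spec `skips legacy spec entry for non-semver raw tag but still passes image to provider`, `cpSpec.MachineImages[0]` and `cpSpec.ProviderConfig.Raw` are dereferenced without first asserting that they exist. A regression that leaves either one empty then surfaces as an index-out-of-range or nil-pointer panic rather than a readable assertion failure (assuming `ProviderConfig` is a pointer, as it is in the Gardener API). Add `Expect(cpSpec.MachineImages).To(HaveLen(1))` before the version assertions and `Expect(cpSpec.ProviderConfig).NotTo(BeNil())` before the `json.Unmarshal` call. The enclosing Describe starts and ends outside the hunk.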