Add Allow and Block lists for registries.

Author: atd9876

Dockerfile

@@ -15,6 +15,7 @@ RUN go mod download
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/controller/ internal/controller/
+COPY internal/registry/ internal/registry/
 COPY server/ server/
 COPY templates/ templates/
 

api/v1alpha1/zz_generated.deepcopy.go

@@ -34,6 +34,7 @@ import (
 
 	bootv1alpha1 "github.com/ironcore-dev/boot-operator/api/v1alpha1"
 	"github.com/ironcore-dev/boot-operator/internal/controller"
+	"github.com/ironcore-dev/boot-operator/internal/registry"
 	bootserver "github.com/ironcore-dev/boot-operator/server"
 	//+kubebuilder:scaffold:imports
 )
@@ -227,6 +228,10 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Initialize registry validator for OCI image validation
+	registryValidator := registry.NewValidator()
+	setupLog.Info("Initialized registry validator", "allowedRegistries", os.Getenv("ALLOWED_REGISTRIES"), "blockedRegistries", os.Getenv("BLOCKED_REGISTRIES"))
+
 	if controllers.Enabled(ipxeBootConfigController) {
 		if err = (&controller.IPXEBootConfigReconciler{
 			Client: mgr.GetClient(),
@@ -239,10 +244,11 @@ func main() {
 
 	if controllers.Enabled(serverBootConfigControllerPxe) {
 		if err = (&controller.ServerBootConfigurationPXEReconciler{
-			Client:         mgr.GetClient(),
-			Scheme:         mgr.GetScheme(),
-			IPXEServiceURL: ipxeServiceURL,
-			Architecture:   architecture,
+			Client:            mgr.GetClient(),
+			Scheme:            mgr.GetScheme(),
+			IPXEServiceURL:    ipxeServiceURL,
+			Architecture:      architecture,
+			RegistryValidator: registryValidator,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ServerBootConfigPxe")
 			os.Exit(1)
@@ -251,10 +257,11 @@ func main() {
 
 	if controllers.Enabled(serverBootConfigControllerHttp) {
 		if err = (&controller.ServerBootConfigurationHTTPReconciler{
-			Client:         mgr.GetClient(),
-			Scheme:         mgr.GetScheme(),
-			ImageServerURL: imageServerURL,
-			Architecture:   architecture,
+			Client:            mgr.GetClient(),
+			Scheme:            mgr.GetScheme(),
+			ImageServerURL:    imageServerURL,
+			Architecture:      architecture,
+			RegistryValidator: registryValidator,
 		}).SetupWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create controller", "controller", "ServerBootConfigHttp")
 			os.Exit(1)

cmd/main.go

@@ -12,6 +12,7 @@ import (
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 
 	"github.com/containerd/containerd/remotes/docker"
+	"github.com/ironcore-dev/boot-operator/internal/registry"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 
 	corev1 "k8s.io/api/core/v1"
@@ -36,9 +37,10 @@ const (
 
 type ServerBootConfigurationHTTPReconciler struct {
 	client.Client
-	Scheme         *runtime.Scheme
-	ImageServerURL string
-	Architecture   string
+	Scheme            *runtime.Scheme
+	ImageServerURL    string
+	Architecture      string
+	RegistryValidator *registry.Validator
 }
 
 //+kubebuilder:rbac:groups=metal.ironcore.dev,resources=serverbootconfigurations,verbs=get;list;watch
@@ -87,6 +89,13 @@ func (r *ServerBootConfigurationHTTPReconciler) reconcile(ctx context.Context, l
 
 	ukiURL, err := r.constructUKIURL(ctx, config.Spec.Image)
 	if err != nil {
+		log.Error(err, "Failed to construct UKI URL")
+		if patchErr := r.patchConfigStateFromHTTPState(ctx,
+			&bootv1alpha1.HTTPBootConfig{Status: bootv1alpha1.HTTPBootConfigStatus{
+				State: bootv1alpha1.HTTPBootConfigStateError}},
+			config); patchErr != nil {
+			return ctrl.Result{}, fmt.Errorf("failed to patch state to error: %w (original error: %w)", patchErr, err)
+		}
 		return ctrl.Result{}, fmt.Errorf("failed to construct UKI URL: %w", err)
 	}
 	log.V(1).Info("Extracted UKI URL for boot")
@@ -203,8 +212,14 @@ func (r *ServerBootConfigurationHTTPReconciler) constructUKIURL(ctx context.Cont
 }
 
 func (r *ServerBootConfigurationHTTPReconciler) getUKIDigestFromNestedManifest(ctx context.Context, imageName, imageVersion string) (string, error) {
-	resolver := docker.NewResolver(docker.ResolverOptions{})
 	imageRef := fmt.Sprintf("%s:%s", imageName, imageVersion)
+	if r.RegistryValidator != nil {
+		if err := r.RegistryValidator.ValidateImageRegistry(imageRef); err != nil {
+			return "", fmt.Errorf("registry validation failed: %w", err)
+		}
+	}
+
+	resolver := docker.NewResolver(docker.ResolverOptions{})
 	name, desc, err := resolver.Resolve(ctx, imageRef)
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve image reference: %w", err)

internal/controller/serverbootconfiguration_http_controller.go

@@ -29,6 +29,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	"github.com/ironcore-dev/boot-operator/api/v1alpha1"
+	"github.com/ironcore-dev/boot-operator/internal/registry"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -56,9 +57,10 @@ const (
 
 type ServerBootConfigurationPXEReconciler struct {
 	client.Client
-	Scheme         *runtime.Scheme
-	IPXEServiceURL string
-	Architecture   string
+	Scheme            *runtime.Scheme
+	IPXEServiceURL    string
+	Architecture      string
+	RegistryValidator *registry.Validator
 }
 
 //+kubebuilder:rbac:groups=metal.ironcore.dev,resources=serverbootconfigurations,verbs=get;list;watch
@@ -235,8 +237,14 @@ func (r *ServerBootConfigurationPXEReconciler) getImageDetailsFromConfig(ctx con
 }
 
 func (r *ServerBootConfigurationPXEReconciler) getLayerDigestsFromNestedManifest(ctx context.Context, imageName, imageVersion string) (string, string, string, error) {
-	resolver := docker.NewResolver(docker.ResolverOptions{})
 	imageRef := fmt.Sprintf("%s:%s", imageName, imageVersion)
+	if r.RegistryValidator != nil {
+		if err := r.RegistryValidator.ValidateImageRegistry(imageRef); err != nil {
+			return "", "", "", fmt.Errorf("registry validation failed: %w", err)
+		}
+	}
+
+	resolver := docker.NewResolver(docker.ResolverOptions{})
 	name, desc, err := resolver.Resolve(ctx, imageRef)
 	if err != nil {
 		return "", "", "", fmt.Errorf("failed to resolve image reference: %w", err)

internal/controller/serverbootconfiguration_pxe_controller.go

@@ -6,13 +6,15 @@ package controller
 import (
 	"context"
 	"fmt"
+	"os"
 	"path/filepath"
 	"runtime"
 	"testing"
 	"time"
 
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/config"
+	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
 	"github.com/ironcore-dev/controller-utils/modutils"
 	metalv1alpha1 "github.com/ironcore-dev/metal-operator/api/v1alpha1"
@@ -33,6 +35,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
 	bootv1alpha1 "github.com/ironcore-dev/boot-operator/api/v1alpha1"
+	"github.com/ironcore-dev/boot-operator/internal/registry"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -61,6 +64,12 @@ func TestControllers(t *testing.T) {
 var _ = BeforeSuite(func() {
 	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
 
+	// Set ALLOWED_REGISTRIES for tests to use ghcr.io images
+	Expect(os.Setenv("ALLOWED_REGISTRIES", "ghcr.io")).To(Succeed())
+	DeferCleanup(func() {
+		Expect(os.Unsetenv("ALLOWED_REGISTRIES")).To(Succeed())
+	})
+
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
 		CRDDirectoryPaths: []string{
@@ -120,6 +129,9 @@ func SetupTest() *corev1.Namespace {
 
 		k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{
 			Scheme: scheme.Scheme,
+			Metrics: metricsserver.Options{
+				BindAddress: "0", // Disable metrics server to avoid port 8080 conflicts with Tilt
+			},
 			Controller: config.Controller{
 				// need to skip unique controller name validation
 				// since all tests need a dedicated controller
@@ -128,17 +140,21 @@ func SetupTest() *corev1.Namespace {
 		})
 		Expect(err).ToNot(HaveOccurred())
 
+		registryValidator := registry.NewValidator()
+
 		Expect((&ServerBootConfigurationPXEReconciler{
-			Client:         k8sManager.GetClient(),
-			Scheme:         k8sManager.GetScheme(),
-			IPXEServiceURL: "http://localhost:5000",
-			Architecture:   "arm64",
+			Client:            k8sManager.GetClient(),
+			Scheme:            k8sManager.GetScheme(),
+			IPXEServiceURL:    "http://localhost:5000",
+			Architecture:      runtime.GOARCH,
+			RegistryValidator: registryValidator,
 		}).SetupWithManager(k8sManager)).To(Succeed())
 
 		Expect((&ServerBootConfigurationHTTPReconciler{
-			Client:         k8sManager.GetClient(),
-			Scheme:         k8sManager.GetScheme(),
-			ImageServerURL: "http://localhost:5000/httpboot",
+			Client:            k8sManager.GetClient(),
+			Scheme:            k8sManager.GetScheme(),
+			ImageServerURL:    "http://localhost:5000/httpboot",
+			RegistryValidator: registryValidator,
 		}).SetupWithManager(k8sManager)).To(Succeed())
 
 		go func() {

internal/controller/suite_test.go

@@ -0,0 +1,97 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package registry
+
+import (
+	"fmt"
+	"os"
+	"strings"
+)
+
+// Validator provides registry validation with cached environment variables.
+type Validator struct {
+	allowedRegistries string
+	blockedRegistries string
+}
+
+// NewValidator creates a new Validator with environment variables cached at initialization.
+// This should be called once at startup to avoid repeated os.Getenv calls.
+func NewValidator() *Validator {
+	return &Validator{
+		allowedRegistries: os.Getenv("ALLOWED_REGISTRIES"),
+		blockedRegistries: os.Getenv("BLOCKED_REGISTRIES"),
+	}
+}
+
+// ExtractRegistryDomain extracts the registry domain from an OCI image reference.
+func ExtractRegistryDomain(imageRef string) string {
+	parts := strings.SplitN(imageRef, "/", 2)
+	if len(parts) < 2 {
+		return "registry-1.docker.io"
+	}
+
+	potentialRegistry := parts[0]
+
+	if strings.Contains(potentialRegistry, ".") || strings.Contains(potentialRegistry, ":") || potentialRegistry == "localhost" {
+		return potentialRegistry
+	}
+
+	return "registry-1.docker.io"
+}
+
+// isInList checks if a value is in a comma-separated list (exact match only).
+func isInList(registry string, list string) bool {
+	if list == "" {
+		return false
+	}
+
+	items := strings.Split(list, ",")
+	for _, item := range items {
+		if strings.TrimSpace(item) == registry {
+			return true
+		}
+	}
+	return false
+}
+
+// IsRegistryAllowed checks if a registry is allowed based on the cached allow/block lists.
+func (v *Validator) IsRegistryAllowed(registry string) bool {
+	if v.allowedRegistries != "" {
+		return isInList(registry, v.allowedRegistries)
+	}
+
+	if v.blockedRegistries != "" {
+		return !isInList(registry, v.blockedRegistries)
+	}
+
+	return false
+}
+
+// ValidateImageRegistry validates that an image reference uses an allowed registry.
+func (v *Validator) ValidateImageRegistry(imageRef string) error {
+	registry := ExtractRegistryDomain(imageRef)
+	if !v.IsRegistryAllowed(registry) {
+		if v.allowedRegistries != "" {
+			return fmt.Errorf("registry not allowed: %s (allowed registries: %s)", registry, v.allowedRegistries)
+		} else if v.blockedRegistries != "" {
+			return fmt.Errorf("registry blocked: %s (blocked registries: %s)", registry, v.blockedRegistries)
+		}
+		return fmt.Errorf("registry not allowed: %s (no ALLOWED_REGISTRIES or BLOCKED_REGISTRIES configured, denying all)", registry)
+	}
+	return nil
+}
+
+// Package-level functions for backward compatibility (deprecated - use Validator instead)
+
+// IsRegistryAllowed checks if a registry is allowed (deprecated: use Validator.IsRegistryAllowed).
+func IsRegistryAllowed(registry string) bool {
+	v := NewValidator()
+	return v.IsRegistryAllowed(registry)
+}
+
+// ValidateImageRegistry validates that an image reference uses an allowed registry (deprecated: use Validator.ValidateImageRegistry).
+func ValidateImageRegistry(imageRef string) error {
+	v := NewValidator()
+	return v.ValidateImageRegistry(imageRef)
+}