chore(installation): early validate presence of tag in image and imageRepository

[sudiptob2]

PR #6296 added support for customizing the EnvoyProxy image using the image and imageRepository fields. In summary:

• If users want to explicitly specify the image tag, they should use the format: image: repo:tag. This has been the standard approach in all versions up to this PR.
• If users prefer to define only the image repository and let Envoy Gateway decide the appropriate tag, they should use the format: imageRepository: repo_url.

To ensure these fields are used correctly, it's helpful to validate the presence or absence of a tag depending on which field is set.

This PR improves the resolveProxyImage function by adding the following validations: (5a85f82)
This PR adds following CEL validation:

• If imageRepository is set, it must not include a tag.
• If image is set, it must include a valid tag.

Idea for more validation logic is appreciated.

Fixes #6350

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.82%. Comparing base (9453572) to head (ba8b2f4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6354      +/-   ##
==========================================
- Coverage   70.82%   70.82%   -0.01%     
==========================================
  Files         220      220              
  Lines       37132    37132              
==========================================
- Hits        26300    26299       -1     
  Misses       9293     9293              
- Partials     1539     1540       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[arkodg]

can this be solved with CEL ? so the user hit this error during apply and won't have to find the error in logs

[sudiptob2]

can this be solved with CEL ? So the user hit this error during apply and won't have to find the error in logs

Updated with CEL validation

[rudrakhp]

Suggested change

	// +kubebuilder:validation:XValidation:rule="has(self.image) ? self.image.matches('^[^:]+:[^:]+$') : true",message="Image must include a tag (e.g., 'image:tag')."
	// +kubebuilder:validation:XValidation:rule="self.image.matches('^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$') : true",message="Image must include a tag and allowed characters only (e.g., 'image:tag')."

Added some suggestions to make regex stricter, let me know what you think! Also can we remove has checks and move them to the respective fields, so kube validations apply on non-null values of the fields only?

[sudiptob2]

Stricter regex sounds good!

can we remove has checks and move them to the respective fields

Yeah, moving validation to the respective field will be a cleaner approach, but we wont be able to provide a custom message. But a generic message would be fine, I guess.

[sudiptob2]

Well, the generic message does not look very good. Let me know your thougts

EnvoyProxy.gateway.envoyproxy.io "proxy-1750699777609469000" is invalid: spec.provider.kubernetes.envoyDeployment.container.image: Invalid value: "envoyproxy/envoy": spec.provider.kubernetes.envoyDeployment.container.image in body should match '^[a-zA-Z0-9._/-]+:[a-zA-Z0-9._-]+$'

[rudrakhp]

@sudiptob2 can we do something like this?

gateway/api/v1alpha1/shared_types.go

Line 339 in ddc9a5c

// +kubebuilder:validation:XValidation:message="loadBalancerIP must be a valid IPv4 address",rule="self.matches(r\"^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$\")"

[sudiptob2]

updated

[rudrakhp]

Suggested change

	// +kubebuilder:validation:XValidation:rule="has(self.imageRepository) ? !self.imageRepository.contains(':') : true",message="ImageRepository must not include a tag or any colons."
	// +kubebuilder:validation:XValidation:rule="self.imageRepository.matches('^[a-zA-Z0-9._/-]+$')",message="ImageRepository must include allowed characters only and not include a tag or any colons."

[shawnh2]

/retest

[rudrakhp]

/retest