[OCPNODE-553] Support allowMirrorByTags From config/v1 ImageContentPolicy

cmd/machine-config-controller/start.go

@@ -120,6 +120,7 @@ func createControllers(ctx *ctrlcommon.ControllerContext) []ctrlcommon.Controlle
 			ctx.InformerFactory.Machineconfiguration().V1().ControllerConfigs(),
 			ctx.InformerFactory.Machineconfiguration().V1().ContainerRuntimeConfigs(),
 			ctx.ConfigInformerFactory.Config().V1().Images(),
+			ctx.ConfigInformerFactory.Config().V1().ImageContentPolicies(),
 			ctx.OperatorInformerFactory.Operator().V1alpha1().ImageContentSourcePolicies(),
 			ctx.ConfigInformerFactory.Config().V1().ClusterVersions(),
 			ctx.ClientBuilder.KubeClientOrDie("container-runtime-config-controller"),

go.mod

@@ -35,9 +35,9 @@ require (
 	github.com/imdario/mergo v0.3.12
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/openshift/api v0.0.0-20210924154557-a4f696157341
-	github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83
-	github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05
+	github.com/openshift/api v0.0.0-20210927171657-636513e97fda
+	github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a
+	github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5
 	github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
@@ -70,7 +70,7 @@ replace (
 	github.com/godbus/dbus => github.com/godbus/dbus v0.0.0-20190623212516-8a1682060722
 	github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1
 	github.com/opencontainers/runtime-spec => github.com/opencontainers/runtime-spec v0.1.2-0.20190408193819-a1b50f621a48
-	github.com/openshift/api => github.com/openshift/api v0.0.0-20210924154557-a4f696157341
+	github.com/openshift/api => github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52
 	github.com/openshift/cluster-api => github.com/openshift/cluster-api v0.0.0-20191129101638-b09907ac6668
 	github.com/securego/gosec => github.com/securego/gosec v0.0.0-20190709033609-4b59c948083c
 	k8s.io/api => k8s.io/api v0.22.1
@@ -100,3 +100,5 @@ replace (
 	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.22.1
 	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.22.1
 )
+
+replace github.com/openshift/runtime-utils => github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d

go.sum

@@ -104,6 +104,8 @@ github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tN
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d h1:y5NimrgDusOrIXDV4HhDxcf8d1Bbolbsy1Kntw3z1VI=
+github.com/QiWang19/runtime-utils v0.0.0-20210930174628-6eb5b615b71d/go.mod h1:xcwHYhGPZFBXK687HUZ4AY2kn1vQu05vmNcIPI6JT4g=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
 github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
@@ -871,17 +873,15 @@ github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqi
 github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
 github.com/opencontainers/selinux v1.8.2 h1:c4ca10UMgRcvZ6h0K4HtS15UaVSBEaE+iln2LVpAuGc=
 github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
-github.com/openshift/api v0.0.0-20210924154557-a4f696157341 h1:UUFuSm+bNyMr0Bf8CTY1eDbEmB2DiO8zENK850DgAMU=
-github.com/openshift/api v0.0.0-20210924154557-a4f696157341/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8=
-github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160/go.mod h1:1CkcsT3aVebzRBzVTSbiKSkJMsC/CASqxesfqEMfJEc=
+github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52 h1:/Psrr5UV6fqPYvN+mzTxsdiKYn8qPXZuHEe5lWfF1dA=
+github.com/openshift/api v0.0.0-20210924152358-cda7121b2f52/go.mod h1:RsQCVJu4qhUawxxDP7pGlwU3IA4F01wYm3qKEu29Su8=
 github.com/openshift/build-machinery-go v0.0.0-20210712174854-1bb7fd1518d3/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/build-machinery-go v0.0.0-20210806203541-4ea9b6da3a37/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
-github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83 h1:TGBy40xVBCqDqvu8gaakva4u+08JtOt/LfekiwbCMyc=
-github.com/openshift/client-go v0.0.0-20210916133943-9acee1a0fb83/go.mod h1:iSeqKIqUKxVec3gV1kNvwS1tjDpzpdP134RimkLc3BE=
-github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05 h1:fqacx32b0XdTNe5yU6rvkkI9UPl1R2ztN8vXWy/6/8U=
-github.com/openshift/library-go v0.0.0-20210930103404-8911cacccb05/go.mod h1:b1cKE6TuNqjl7wT0y3W4g0qREuab1mH6WOJm9pT8L/A=
-github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d h1:lmhB56wFIB/CBhjiZTd1IinQz9OFoNet8OYBQF59Z0I=
-github.com/openshift/runtime-utils v0.0.0-20210722191527-8b8348d80d1d/go.mod h1:H2kQ7bM4oYJk8G+N9ybDDlTg45V10G/+h2xL8zmjjHU=
+github.com/openshift/client-go v0.0.0-20210831095141-e19a065e79f7/go.mod h1:D6P8RkJzwdkBExQdYUnkWcePMLBiTeCCr8eQIQ7y8Dk=
+github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a h1:hgDqZDU+q4YTNqmgMTy4aEuhTnyWTZaEC5OMi3CeWyo=
+github.com/openshift/client-go v0.0.0-20210927134410-067cd720e52a/go.mod h1:hvUrAN65G/TvcwbY4PDOkS0lao0dAl7SaHvcPJvpr7o=
+github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5 h1:hz4W1nHi2xZZUGh9cTj7mqRQ4HGO6J35w02B4JimURs=
+github.com/openshift/library-go v0.0.0-20210906100234-6754cfd64cb5/go.mod h1:fKtzrsRXSWMLiBT1SM8cEVT2YyL7ihx/TEuT3gmgFgQ=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/ostreedev/ostree-go v0.0.0-20190702140239-759a8c1ac913/go.mod h1:J6OG6YJVEWopen4avK3VNQSnALmmjvniMmni/YFYAwc=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=

manifests/machineconfigcontroller/clusterrole.yaml

@@ -19,6 +19,9 @@ rules:
 - apiGroups: ["config.openshift.io"]
   resources: ["schedulers", "apiservers"]
   verbs: ["get", "list", "watch"]
+- apiGroups: ["config.openshift.io"]
+  resources: ["imagecontentpolicies"]
+  verbs: ["get", "list", "watch"]
 - apiGroups: ["operator.openshift.io"]
   resources: ["imagecontentsourcepolicies"]
   verbs: ["get", "list", "watch"]

pkg/controller/container-runtime-config/container_runtime_config_controller.go

@@ -89,6 +89,9 @@ type Controller struct {
 	imgLister       cligolistersv1.ImageLister
 	imgListerSynced cache.InformerSynced
 
+	icpLister       cligolistersv1.ImageContentPolicyLister
+	icpListerSynced cache.InformerSynced
+
 	icspLister       operatorlistersv1alpha1.ImageContentSourcePolicyLister
 	icspListerSynced cache.InformerSynced
 
@@ -109,6 +112,7 @@ func New(
 	ccInformer mcfginformersv1.ControllerConfigInformer,
 	mcrInformer mcfginformersv1.ContainerRuntimeConfigInformer,
 	imgInformer cligoinformersv1.ImageInformer,
+	icpInformer cligoinformersv1.ImageContentPolicyInformer,
 	icspInformer operatorinformersv1alpha1.ImageContentSourcePolicyInformer,
 	clusterVersionInformer cligoinformersv1.ClusterVersionInformer,
 	kubeClient clientset.Interface,
@@ -140,6 +144,12 @@ func New(
 		DeleteFunc: ctrl.imageConfDeleted,
 	})
 
+	icpInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    ctrl.icpConfAdded,
+		UpdateFunc: ctrl.icpConfUpdated,
+		DeleteFunc: ctrl.icpConfDeleted,
+	})
+
 	icspInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc:    ctrl.icspConfAdded,
 		UpdateFunc: ctrl.icspConfUpdated,
@@ -162,6 +172,9 @@ func New(
 	ctrl.imgLister = imgInformer.Lister()
 	ctrl.imgListerSynced = imgInformer.Informer().HasSynced
 
+	ctrl.icpLister = icpInformer.Lister()
+	ctrl.icpListerSynced = icpInformer.Informer().HasSynced
+
 	ctrl.icspLister = icspInformer.Lister()
 	ctrl.icspListerSynced = icspInformer.Informer().HasSynced
 
@@ -178,7 +191,7 @@ func (ctrl *Controller) Run(workers int, stopCh <-chan struct{}) {
 	defer ctrl.imgQueue.ShutDown()
 
 	if !cache.WaitForCacheSync(stopCh, ctrl.mcpListerSynced, ctrl.mccrListerSynced, ctrl.ccListerSynced,
-		ctrl.imgListerSynced, ctrl.icspListerSynced, ctrl.clusterVersionListerSynced) {
+		ctrl.imgListerSynced, ctrl.icpListerSynced, ctrl.icspListerSynced, ctrl.clusterVersionListerSynced) {
 		return
 	}
 
@@ -217,6 +230,18 @@ func (ctrl *Controller) imageConfDeleted(obj interface{}) {
 	ctrl.imgQueue.Add("openshift-config")
 }
 
+func (ctrl *Controller) icpConfAdded(obj interface{}) {
+	ctrl.imgQueue.Add("openshift-config")
+}
+
+func (ctrl *Controller) icpConfUpdated(oldObj, newObj interface{}) {
+	ctrl.imgQueue.Add("openshift-config")
+}
+
+func (ctrl *Controller) icpConfDeleted(obj interface{}) {
+	ctrl.imgQueue.Add("openshift-config")
+}
+
 func (ctrl *Controller) icspConfAdded(obj interface{}) {
 	ctrl.imgQueue.Add("openshift-config")
 }
@@ -669,6 +694,7 @@ func (ctrl *Controller) mergeConfigChanges(origFile *ign3types.File, cfg *mcfgv1
 	return cfgTOML, ctrl.syncStatusOnly(cfg, nil)
 }
 
+// nolint:gocyclo
 func (ctrl *Controller) syncImageConfig(key string) error {
 	startTime := time.Now()
 	glog.V(4).Infof("Started syncing ImageConfig %q (%v)", key, startTime)
@@ -716,13 +742,26 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 		return fmt.Errorf("could not get ControllerConfig %v", err)
 	}
 
+	// Find all ImageContentPolicy objects
+	icpRules, err := ctrl.icpLister.List(labels.Everything())
+	if err != nil && errors.IsNotFound(err) {
+		icpRules = []*apicfgv1.ImageContentPolicy{}
+	} else if err != nil {
+		return err
+	}
+	if err = validateICPRules(icpRules); err != nil {
+		return err
+	}
+	glog.Info("getting all icpRules", icpRules)
+
 	// Find all ImageContentSourcePolicy objects
 	icspRules, err := ctrl.icspLister.List(labels.Everything())
 	if err != nil && errors.IsNotFound(err) {
 		icspRules = []*apioperatorsv1alpha1.ImageContentSourcePolicy{}
 	} else if err != nil {
 		return err
 	}
+	icpRules = mergeToICPRules(icspRules, icpRules)
 
 	sel, err := metav1.LabelSelectorAsSelector(metav1.AddLabelToSelector(&metav1.LabelSelector{}, builtInLabelKey, ""))
 	if err != nil {
@@ -745,7 +784,7 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 		if err := retry.RetryOnConflict(updateBackoff, func() error {
 			registriesIgn, err := registriesConfigIgnition(ctrl.templatesDir, controllerConfig, role,
 				imgcfg.Spec.RegistrySources.InsecureRegistries, blockedRegs, imgcfg.Spec.RegistrySources.AllowedRegistries,
-				imgcfg.Spec.RegistrySources.ContainerRuntimeSearchRegistries, icspRules)
+				imgcfg.Spec.RegistrySources.ContainerRuntimeSearchRegistries, icpRules)
 			if err != nil {
 				return err
 			}
@@ -806,7 +845,7 @@ func (ctrl *Controller) syncImageConfig(key string) error {
 }
 
 func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.ControllerConfig, role string,
-	insecureRegs, blockedRegs, allowedRegs, searchRegs []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) (*ign3types.Config, error) {
+	insecureRegs, blockedRegs, allowedRegs, searchRegs []string, icpRules []*apicfgv1.ImageContentPolicy) (*ign3types.Config, error) {
 
 	var (
 		registriesTOML []byte
@@ -819,15 +858,15 @@ func registriesConfigIgnition(templateDir string, controllerConfig *mcfgv1.Contr
 		return nil, fmt.Errorf("could not generate origin ContainerRuntime Configs: %v", err)
 	}
 
-	if insecureRegs != nil || blockedRegs != nil || len(icspRules) != 0 {
+	if insecureRegs != nil || blockedRegs != nil || len(icpRules) != 0 {
 		if originalRegistriesIgn.Contents.Source == nil {
 			return nil, fmt.Errorf("original registries config is empty")
 		}
 		dataURL, err := dataurl.DecodeString(*originalRegistriesIgn.Contents.Source)
 		if err != nil {
 			return nil, fmt.Errorf("could not decode original registries config: %v", err)
 		}
-		registriesTOML, err = updateRegistriesConfig(dataURL.Data, insecureRegs, blockedRegs, icspRules)
+		registriesTOML, err = updateRegistriesConfig(dataURL.Data, insecureRegs, blockedRegs, icpRules)
 		if err != nil {
 			return nil, fmt.Errorf("could not update registries config with new changes: %v", err)
 		}
@@ -881,6 +920,9 @@ func RunImageBootstrap(templateDir string, controllerConfig *mcfgv1.ControllerCo
 		}
 	}
 
+	icpRules := []*apicfgv1.ImageContentPolicy{}
+	icpRules = mergeToICPRules(icspRules, icpRules)
+
 	var res []*mcfgv1.MachineConfig
 	for _, pool := range mcpPools {
 		role := pool.Name
@@ -889,7 +931,7 @@ func RunImageBootstrap(templateDir string, controllerConfig *mcfgv1.ControllerCo
 			return nil, err
 		}
 		registriesIgn, err := registriesConfigIgnition(templateDir, controllerConfig, role,
-			insecureRegs, blockedRegs, allowedRegs, searchRegs, icspRules)
+			insecureRegs, blockedRegs, allowedRegs, searchRegs, icpRules)
 		if err != nil {
 			return nil, err
 		}

pkg/controller/container-runtime-config/container_runtime_config_controller_test.go

@@ -179,6 +179,7 @@ func (f *fixture) newController() *Controller {
 		i.Machineconfiguration().V1().ControllerConfigs(),
 		i.Machineconfiguration().V1().ContainerRuntimeConfigs(),
 		ci.Config().V1().Images(),
+		ci.Config().V1().ImageContentPolicies(),
 		oi.Operator().V1alpha1().ImageContentSourcePolicies(),
 		ci.Config().V1().ClusterVersions(),
 		k8sfake.NewSimpleClientset(), f.client, f.imgClient)
@@ -353,9 +354,10 @@ func verifyRegistriesConfigAndPolicyJSONContents(t *testing.T, mc *mcfgv1.Machin
 	// configuration file.
 	// First get the valid blocked registries to ensure we don't block the registry where the release image is from
 	blockedRegistries, _ := getValidBlockedRegistries(releaseImageReg, &imgcfg.Spec)
+	icps := mergeToICPRules(icsps, []*apicfgv1.ImageContentPolicy{})
 	expectedRegistriesConf, err := updateRegistriesConfig(templateRegistriesConfig,
 		imgcfg.Spec.RegistrySources.InsecureRegistries,
-		blockedRegistries, icsps)
+		blockedRegistries, icps)
 	require.NoError(t, err)
 	assert.Equal(t, mcName, mc.ObjectMeta.Name)
 

pkg/controller/container-runtime-config/helpers.go

@@ -356,17 +356,66 @@ func updateSearchRegistriesConfig(searchRegs []string) []generatedConfigFile {
 	return generatedConfigFileList
 }
 
-func updateRegistriesConfig(data []byte, internalInsecure, internalBlocked []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) ([]byte, error) {
+// mergeToICPRules converts specs of ImageContentPolicy objects to ImageContentPolicy spec and adds it to the currnt icpRules
+// hornors the contents of ImageContentPolicy if there is confict between ImageContentPolicy and ImageContentPolicy on the source field
+func mergeToICPRules(icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy, icpRules []*apicfgv1.ImageContentPolicy) []*apicfgv1.ImageContentPolicy {
+
+	if len(icspRules) == 0 && len(icpRules) == 0 {
+		return icpRules
+	}
+	if len(icspRules) == 0 {
+		return icpRules
+	}
+	icpSourceSet := make(map[string]bool)
+	for _, icp := range icpRules {
+		for _, mirrorSet := range icp.Spec.RepositoryDigestMirrors {
+			if _, ok := icpSourceSet[mirrorSet.Source]; !ok {
+				icpSourceSet[mirrorSet.Source] = true
+			}
+		}
+	}
+
+	var icpRepoDigestMirrors []apicfgv1.RepositoryDigestMirrors
+	for _, icsp := range icspRules {
+		for _, mirrorSet := range icsp.Spec.RepositoryDigestMirrors {
+			if _, ok := icpSourceSet[mirrorSet.Source]; ok {
+				continue
+			}
+			var icpMirrors []apicfgv1.Mirror
+			for _, mirror := range mirrorSet.Mirrors {
+				icpMirrors = append(icpMirrors, apicfgv1.Mirror(mirror))
+			}
+			icpRepoDigestMirror := apicfgv1.RepositoryDigestMirrors{
+				Source:  mirrorSet.Source,
+				Mirrors: icpMirrors,
+			}
+			icpRepoDigestMirrors = append(icpRepoDigestMirrors, icpRepoDigestMirror)
+		}
+	}
+	icpRule := &apicfgv1.ImageContentPolicy{
+		Spec: apicfgv1.ImageContentPolicySpec{
+			RepositoryDigestMirrors: icpRepoDigestMirrors,
+		},
+	}
+	icpRules = append(icpRules, icpRule)
+	return icpRules
+}
+
+func updateRegistriesConfig(data []byte, internalInsecure, internalBlocked []string, icpRules []*apicfgv1.ImageContentPolicy) ([]byte, error) {
 	tomlConf := sysregistriesv2.V2RegistriesConf{}
 	if _, err := toml.Decode(string(data), &tomlConf); err != nil {
 		return nil, fmt.Errorf("error unmarshalling registries config: %v", err)
 	}
 
-	if err := validateRegistriesConfScopes(internalInsecure, internalBlocked, []string{}, icspRules); err != nil {
+	if len(icpRules) != 0 {
+		glog.V(2).Infoln("icpRules configured: ", icpRules)
+	}
+
+	if err := validateRegistriesConfScopes(internalInsecure, internalBlocked, []string{}, icpRules); err != nil {
 		return nil, err
 	}
 
-	if err := registries.EditRegistriesConfig(&tomlConf, internalInsecure, internalBlocked, icspRules); err != nil {
+	if err := registries.EditRegistriesConfig(&tomlConf, internalInsecure, internalBlocked, icpRules); err != nil {
 		return nil, err
 	}
 
@@ -505,7 +554,7 @@ func getValidBlockedRegistries(releaseImage string, imgSpec *apicfgv1.ImageSpec)
 	return blockedRegs, nil
 }
 
-func validateRegistriesConfScopes(insecure, blocked, allowed []string, icspRules []*apioperatorsv1alpha1.ImageContentSourcePolicy) error {
+func validateRegistriesConfScopes(insecure, blocked, allowed []string, icpRules []*apicfgv1.ImageContentPolicy) error {
 	for _, scope := range insecure {
 		if !registries.IsValidRegistriesConfScope(scope) {
 			return fmt.Errorf("invalid entry for insecure registries %q", scope)
@@ -524,13 +573,13 @@ func validateRegistriesConfScopes(insecure, blocked, allowed []string, icspRules
 		}
 	}
 
-	for _, icsp := range icspRules {
+	for _, icsp := range icpRules {
 		for _, mirrorSet := range icsp.Spec.RepositoryDigestMirrors {
 			if strings.Contains(mirrorSet.Source, "*") {
 				return fmt.Errorf("wildcard entries are not supported with mirror configuration %q", mirrorSet.Source)
 			}
 			for _, mirror := range mirrorSet.Mirrors {
-				if strings.Contains(mirror, "*") {
+				if strings.Contains(string(mirror), "*") {
 					return fmt.Errorf("wildcard entries are not supported with mirror configuration %q", mirror)
 				}
 			}
@@ -539,3 +588,21 @@ func validateRegistriesConfScopes(insecure, blocked, allowed []string, icspRules
 	}
 	return nil
 }
+
+// validateICPRules validate that the user does not apply conlicting values of allowMirrorByTags among pre-existing and newly added ImageContentPolicy CR.
+// returns error if there the conflict exists
+func validateICPRules(icpRules []*apicfgv1.ImageContentPolicy) error {
+	allowMirror := make(map[string]bool)
+	for _, icp := range icpRules {
+		for _, repoMirror := range icp.Spec.RepositoryDigestMirrors {
+			v, ok := allowMirror[repoMirror.Source]
+			glog.Infof("source: %v, allowTag: %v, nil: %v", repoMirror.Source, repoMirror.AllowMirrorByTags, repoMirror.AllowMirrorByTags == nil)
+			if !ok {
+				allowMirror[repoMirror.Source] = *repoMirror.AllowMirrorByTags
+			} else if v != *repoMirror.AllowMirrorByTags {
+				return fmt.Errorf("conflicting value of allowMirrorByTags for the same souce %v", repoMirror.Source)
+			}
+		}
+	}
+	return nil
+}