whitelist spec.dockerImageRepository for updates

Signed-off-by: Michal Minář <[email protected]>

Author: Michal Minář

pkg/image/apis/image/validation/validation.go

@@ -362,6 +362,9 @@ type referencePath struct {
 func collectImageStreamSpecImageReferences(s *imageapi.ImageStream) sets.String {
 	res := sets.NewString()
 
+	if len(s.Spec.DockerImageRepository) > 0 {
+		res.Insert(s.Spec.DockerImageRepository)
+	}
 	for _, tagRef := range s.Spec.Tags {
 		if tagRef.From != nil && tagRef.From.Kind == "DockerImage" {
 			res.Insert(tagRef.From.Name)

pkg/image/apis/image/validation/validation_test.go

@@ -852,13 +852,15 @@ func TestValidateImageStreamWithWhitelister(t *testing.T) {
 
 func TestValidateImageStreamUpdateWithWhitelister(t *testing.T) {
 	for _, tc := range []struct {
-		name          string
-		whitelist     *serverapi.AllowedRegistries
-		oldSpecTags   map[string]imageapi.TagReference
-		oldStatusTags map[string]imageapi.TagEventList
-		newSpecTags   map[string]imageapi.TagReference
-		newStatusTags map[string]imageapi.TagEventList
-		expected      field.ErrorList
+		name                     string
+		whitelist                *serverapi.AllowedRegistries
+		oldDockerImageRepository string
+		newDockerImageRepository string
+		oldSpecTags              map[string]imageapi.TagReference
+		oldStatusTags            map[string]imageapi.TagEventList
+		newSpecTags              map[string]imageapi.TagReference
+		newStatusTags            map[string]imageapi.TagEventList
+		expected                 field.ErrorList
 	}{
 		{
 			name:      "no old referencess",
@@ -977,6 +979,30 @@ func TestValidateImageStreamUpdateWithWhitelister(t *testing.T) {
 				},
 			},
 		},
+
+		{
+			name:                     "allow whitelisted dockerImageRepository",
+			whitelist:                mkAllowed(false, "docker.io"),
+			oldDockerImageRepository: "example.com/my/app",
+			newDockerImageRepository: "docker.io/my/newapp",
+		},
+
+		{
+			name:                     "forbid not whitelisted dockerImageRepository",
+			whitelist:                mkAllowed(false, "docker.io"),
+			oldDockerImageRepository: "docker.io/my/app",
+			newDockerImageRepository: "example.com/my/newapp",
+			expected: field.ErrorList{
+				field.Forbidden(field.NewPath("spec", "dockerImageRepository"),
+					`registry "example.com" not allowed by whitelist { "docker.io:443" }`)},
+		},
+
+		{
+			name:                     "permit no change to not whitelisted dockerImageRepository",
+			whitelist:                mkAllowed(false, "docker.io"),
+			oldDockerImageRepository: "example.com/my/newapp",
+			newDockerImageRepository: "example.com/my/newapp",
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			whitelister := mkWhitelister(t, tc.whitelist)
@@ -988,6 +1014,7 @@ func TestValidateImageStreamUpdateWithWhitelister(t *testing.T) {
 			oldStream := imageapi.ImageStream{
 				ObjectMeta: objMeta,
 				Spec: imageapi.ImageStreamSpec{
+					DockerImageRepository: tc.oldDockerImageRepository,
 					Tags: tc.oldSpecTags,
 				},
 				Status: imageapi.ImageStreamStatus{
@@ -997,6 +1024,7 @@ func TestValidateImageStreamUpdateWithWhitelister(t *testing.T) {
 			newStream := imageapi.ImageStream{
 				ObjectMeta: objMeta,
 				Spec: imageapi.ImageStreamSpec{
+					DockerImageRepository: tc.newDockerImageRepository,
 					Tags: tc.newSpecTags,
 				},
 				Status: imageapi.ImageStreamStatus{