Description:
PR #211 is incomplete. It makes the image-related fields optional but lacks the required immutability check.
The CEL validation self == oldSelf doesn't properly handle optional pointer fields when one side is nil. This allows both:
- Adding a value to a previously unset field (nil → value)
- Removing a value from a previously set field (value → nil)
Both should be rejected after CR creation.
Affected Fields:
- trusteeImage
- pcrsComputeImage
- registerServerImage
- attestationKeyRegisterImage
To reproduce:
- install the operator and create a TrustedExecutionCluster CR with minimal settings:

```yaml
apiVersion: trusted-execution-clusters.io/v1alpha1
kind: TrustedExecutionCluster
metadata:
  name: trusted-execution-cluster
  namespace: yalan310
spec:
  publicTrusteeAddr: kbs-service-yalan310.apps.cc-421-shared-capz.cc.azure.dog8.cloud
  registerServerPort: 8000
  trusteeKbsPort: 8080
```

- after the CR is installed, edit it to insert the line "trusteeImage: quay.io/redhat-user-workloads/ose-osc-tenant/trustee/trustee:28dee8866a5f4a7cf2bc8762a1f6298fbd220902"; it saves successfully. This is unexpected: the CR should be immutable after creation.
- The same happens when creating the CR from the full YAML and then deleting any optional image setting.
Fix:
Update validation to handle nil cases explicitly using CEL's has() function.
Test Cases:
- Verify nil → value is blocked
- Verify value → nil is blocked
- Verify value1 → value2 is blocked (already working)
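The weak rule and the has()-based fix side by side, as an added CRD schema fragment (not the operator's own CRD; the field and kind names come from this issue, the surrounding schema is assumed). The rules are moved from the field to the owning spec object so that they are evaluated even when the field is absent on one side.

```yaml
# Added example (not the project's CRD). Field names are from the issue;
# the rest of the schema is assumed.
openAPIV3Schema:
  type: object
  properties:
    spec:
      type: object
      properties:
        trusteeImage:
          type: string
          # Weak form: a field-level transition rule is not evaluated when
          # the field is missing on either side, so nil -> value and
          # value -> nil both pass; only value1 -> value2 is rejected.
          x-kubernetes-validations:
            - rule: "self == oldSelf"
              message: "trusteeImage is immutable"
        pcrsComputeImage:
          type: string
        registerServerImage:
          type: string
        attestationKeyRegisterImage:
          type: string
      # Corrected form: the rule lives on spec, so it always runs on update
      # (transition rules are skipped on create, where oldSelf is absent).
      # Presence must match on both sides; when present, values must match.
      x-kubernetes-validations:
        - rule: "has(self.trusteeImage) == has(oldSelf.trusteeImage) && (!has(self.trusteeImage) || self.trusteeImage == oldSelf.trusteeImage)"
          message: "trusteeImage is immutable after creation"
        - rule: "has(self.pcrsComputeImage) == has(oldSelf.pcrsComputeImage) && (!has(self.pcrsComputeImage) || self.pcrsComputeImage == oldSelf.pcrsComputeImage)"
          message: "pcrsComputeImage is immutable after creation"
        - rule: "has(self.registerServerImage) == has(oldSelf.registerServerImage) && (!has(self.registerServerImage) || self.registerServerImage == oldSelf.registerServerImage)"
          message: "registerServerImage is immutable after creation"
        - rule: "has(self.attestationKeyRegisterImage) == has(oldSelf.attestationKeyRegisterImage) && (!has(self.attestationKeyRegisterImage) || self.attestationKeyRegisterImage == oldSelf.attestationKeyRegisterImage)"
          message: "attestationKeyRegisterImage is immutable after creation"
```

With kubebuilder the same spec-level rules are expressed as `// +kubebuilder:validation:XValidation:rule="...",message="..."` markers on the Spec struct rather than on the individual pointer fields; each of the three test cases above (nil → value, value → nil, value1 → value2) should then be rejected by the API server on update.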