kie-issues#1583: [sonataflow-operator] Add external built image integrity validation

[treblereel]

Closes: apache/incubator-kie-kogito-serverless-operator#405

[ricardozanini]

So, should the builder image add the workflow file to the /deployments/app? Is there no other way to do it? This file can also be a YAML named anything (bananas.sw.yml).

So, if we imagine a custom builder or an image built by users, they must know where to put the file in their environment.

Docs and migration from a previous version will be severely impacted. Can you also add a configuration to the manager to skip this validation? It will be needed in case of a migration from a previous version.

Currently, users may build their workflow images as they wish. To migrate to this new version, they might need to turn the validation off and turn it on once everything is migrated.

[treblereel]

blocked by #3028

[wmedvede]

wrong licence format, copyright not needed

[wmedvede]

I think the error message should include the name / namespace of the failing workflow. That information will be very helpful when we need to see the logs in case of failues.

[wmedvede]

This invocation to the validator should go after the code below.
That if indicates that the WF being deleted right now, so, we don't need to validate it.

if workflow.DeletionTimestamp != nil {
	return r.applyFinalizers(ctx, workflow)
}

[wmedvede]

Nice approach!

[wmedvede]

nitpick, validate here, goes with uppercase Validate instead.

[wmedvede]

If we are validating a `workflow' that was just read the instant before calling the Validators sequence, I don't believe we need to re-read it again.

But if you do, I don't believe we should read it and storing the value in the parameter sonataflow *operatorapi.SonataFlow paramter, I think this could make the validator has side effects on that variable value. When multiple validators are executed I think this code wont be clear.

Another nitpick, when we do reading of the resource as part of the reconciliation, we normally guard the code with something like this:

	err := r.Client.Get(ctx, req.NamespacedName, workflow)
	if err != nil {
		if errors.IsNotFound(err) {
			not good, return the error or whatever, but we know exactly that the given resource don't exist at this time.
		}
		not good, return the error or whatever, something went wrong, we don't know what.
	}

[wmedvede]

if we don't do the consideration above, in case of error the sonataflow value is uncertain.

[wmedvede]

workflow name/namepace would be nice to include in the message.

[wmedvede]

Excuse me if I'm missing something, but do this Unmarshalling work both when the workflow inside the image is in json and yaml format? If so, maybe this function can be called workflowFromDockerImage.

[wmedvede]

same here, copyright we don't need

[wmedvede]

Hi @treblereel I had tried the feature in OpenShift 4.15.17 with the following scenario

1. I have a workflow with a pre-built image
2. In SonataFlow I modify the flow intentionally to force validation to fail
3. When I deploy the workflow I can see this message:

E0401 16:52:11.167885 1 sonataflow_controller.go:126] "Failed to validate SonataFlow" err="Get \"https://quay.io/v2/\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

``

It looks like it was not possible for the validator to read the image,

[wmedvede]

@treblereel I'd recommend rebasing with main, since there has been some recent updates in sontaflow_controller.go

[ricardozanini]

@treblereel the docker api needs to authenticate with OpenShift internal registry