feat(controller): reject ScanJob creation when referenced Registry does not exist #1184
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
…not exist Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #1184 +/- ##
==========================================
+ Coverage 53.41% 53.47% +0.05%
==========================================
Files 61 61
Lines 5328 5339 +11
==========================================
+ Hits 2846 2855 +9
- Misses 2086 2087 +1
- Partials 396 397 +1
Pull request overview
This PR improves the ScanJob admission experience by rejecting ScanJob creation when the referenced Registry resource does not exist (while still leaving the controller-side guard in place to avoid TOCTOU issues), addressing #1180.
Changes:
- Switch the `ScanJob` webhook validator to use the manager’s API reader for read-only access.
- Add validation on `ScanJob` create to verify the referenced `Registry` exists in the same namespace and return a `spec.registry` “Not found” validation error otherwise.
- Extend webhook unit tests to cover the missing-`Registry` denial case and to create a `Registry` for existing “admit/deny by running job” scenarios.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| internal/webhook/v1alpha1/scanjob_webhook.go | Adds Registry existence validation during ScanJob creation and uses a read-only API reader. |
| internal/webhook/v1alpha1/scanjob_webhook_test.go | Updates/extends tests to account for the new Registry existence requirement. |
Description
Fixes #1180
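A standard-library Go model of the two checks the review overview describes (admission-time existence check plus the controller-side guard against TOCTOU), added here as an illustration and not the PR's code. The types, the `Reader` interface, the in-memory state and the status strings are assumptions; the actual validator reads through the manager's API reader.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the API objects; all names here are assumptions.
type Key struct{ Namespace, Name string }
type ScanJob struct{ Namespace, Registry string } // Registry models spec.registry
type Reader interface{ GetRegistry(k Key) error } // read-only lookups

var ErrNotFound = errors.New("not found")

// MemReader is in-memory cluster state used as constructed sample data.
type MemReader map[Key]bool

func (m MemReader) GetRegistry(k Key) error {
	if !m[k] {
		return ErrNotFound
	}
	return nil
}

// ValidateCreate is the admission-time check. The lookup is scoped to the
// ScanJob's namespace, and only a definite NotFound becomes a spec.registry
// error; other read failures are returned unchanged, not reported as missing.
func ValidateCreate(r Reader, j ScanJob) error {
	err := r.GetRegistry(Key{j.Namespace, j.Registry})
	if errors.Is(err, ErrNotFound) {
		return fmt.Errorf("spec.registry: Not found: %q", j.Registry)
	}
	return err
}

// Reconcile repeats the lookup: the Registry may be deleted between
// admission and reconciliation, so the webhook alone is not sufficient.
func Reconcile(r Reader, j ScanJob) string {
	if err := r.GetRegistry(Key{j.Namespace, j.Registry}); err != nil {
		return "Failed"
	}
	return "Scheduled"
}

func main() {
	api := MemReader{Key{"team-a", "harbor"}: true}
	job := ScanJob{"team-a", "harbor"}
	fmt.Println(ValidateCreate(api, job), ValidateCreate(api, ScanJob{"team-b", "harbor"}))
	delete(api, Key{"team-a", "harbor"}) // Registry removed after admission
	fmt.Println(Reconcile(api, job))
}
```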