From b552b74feb947f0cc8ea55e2eb45ea49c55fa7a0 Mon Sep 17 00:00:00 2001
From: Aykut Bulgu
Date: Mon, 4 May 2026 08:47:07 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Reject=20non-empty=20checksum=20?= =?UTF-8?q?for=20OCI=20images=20(#3186)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Reject non-empty checksum for OCI images GetChecksum() made checksums optional for OCI images but never rejected a non-empty checksum. This causes the webhook to accept invalid configurations where both oci:// scheme and a checksum are provided, leading to confusing provisioning failures.
Signed-off-by: mabulgu
* Address review: move OCI check before live-iso and improve error message Move the OCI checksum validation before the live-iso early return to prevent bypassing the check with oci:// + live-iso + non-empty checksum. Include field context in the error message for better user guidance.
Signed-off-by: mabulgu
---------
Signed-off-by: mabulgu
---
 .../metal3.io/v1alpha1/baremetalhost_types.go | 9 +++++----
 .../v1alpha1/baremetalhost_types_test.go | 20 ++++++++++++++++++-
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/apis/metal3.io/v1alpha1/baremetalhost_types.go b/apis/metal3.io/v1alpha1/baremetalhost_types.go
index 89525d4373..5961e5035b 100644
--- a/apis/metal3.io/v1alpha1/baremetalhost_types.go
+++ b/apis/metal3.io/v1alpha1/baremetalhost_types.go
@@ -1098,13 +1098,14 @@ func (image *Image) GetChecksum() (checksum, checksumType string, err error) {
 return "", "", errors.New("image is not provided")
 }
 
- if image.DiskFormat != nil && *image.DiskFormat == "live-iso" {
- // Checksum is not required for live-iso
+ if image.IsOCI() {
+ if image.Checksum != "" {
+ return "", "", errors.New("spec.image.checksum must be empty for OCI images (oci:// images have embedded checksums)")
+ }
 return "", "", nil
 }
 
- // Checksum is not required for OCI images as they have embedded checksums
- if image.IsOCI() && image.Checksum == "" {
+ if image.DiskFormat != nil && *image.DiskFormat == "live-iso" {
 return "", "", nil
 }
 
diff --git a/apis/metal3.io/v1alpha1/baremetalhost_types_test.go b/apis/metal3.io/v1alpha1/baremetalhost_types_test.go
index f7f118e0f3..ece8764de6 100644
--- a/apis/metal3.io/v1alpha1/baremetalhost_types_test.go
+++ b/apis/metal3.io/v1alpha1/baremetalhost_types_test.go
@@ -492,7 +492,25 @@ func TestGetImageChecksum(t *testing.T) {
 },
 },
 },
- Expected: true,
+ Expected: false,
+ ExpectedType: "",
+ },
+ {
+ Scenario: "OCI image with live-iso format and checksum",
+ Host: BareMetalHost{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "myhost",
+ Namespace: "myns",
+ },
+ Spec: BareMetalHostSpec{
+ Image: &Image{
+ URL: "oci://example.com/image:latest",
+ Checksum: "sha256hash",
+ DiskFormat: ptr.To("live-iso"),
+ },
+ },
+ },
+ Expected: false,
 ExpectedType: "",
 },
 {
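Review bot: In GetChecksum (baremetalhost_types.go) the new OCI branch rejects the only operator-supplied integrity value on the grounds that `oci:// images have embedded checksums`, but that holds for a digest-addressed reference, not for a mutable tag such as the `:latest` in this commit's own test fixture. Nothing visible in the hunk requires the reference to be pinned by digest, so the branch should say what it relies on, for example `// No checksum for oci://: blobs are digest-addressed, but a tag is mutable, so the image is only fixed when the reference is pinned by digest.` The live-iso branch also lost its `// Checksum is not required for live-iso` comment and still silently drops a non-empty checksum, which is the same confusion this commit removes for OCI; I would restore the comment and consider whether the same rejection belongs there. The function body starts above the hunk and continues below it.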