Add CEL validation for registry entries in image config

Invalid registry entries (e.g., with tags like ":latest" or digests like
"@sha256:...") in registrySources fields generate an invalid
/etc/containers/policy.json, causing CRI-O to fail and nodes to silently
not join the cluster.

Add per-item CEL validation rules to insecureRegistries, blockedRegistries,
and allowedRegistries fields in the RegistrySources struct to reject invalid
entries at the API level. Each entry must match a valid registry scope
pattern: hostname[:port][/path], optionally with a wildcard prefix (*.).

Also adds MaxItems=512 and items MaxLength=512 bounds required by the
Kubernetes CEL cost estimator.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: reedcort

config/v1/types_image.go

@@ -165,20 +165,41 @@ type RegistryLocation struct {
 // +kubebuilder:validation:XValidation:rule="has(self.blockedRegistries) ? !has(self.allowedRegistries) : true",message="Only one of blockedRegistries or allowedRegistries may be set"
 type RegistrySources struct {
 	// insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+	// Each entry must be a valid registry scope in the format hostname[:port][/path],
+	// optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+	// Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+	// Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 	// +optional
 	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=512
+	// +kubebuilder:validation:items:MaxLength=512
+	// +kubebuilder:validation:items:XValidation:rule="self.matches('^(\\\\*\\\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')",message="each registry must be a valid hostname[:port][/path] without tags or digests"
 	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
 	// blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
+	// Each entry must be a valid registry scope in the format hostname[:port][/path],
+	// optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+	// Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+	// Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 	//
 	// Only one of BlockedRegistries or AllowedRegistries may be set.
 	// +optional
 	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=512
+	// +kubebuilder:validation:items:MaxLength=512
+	// +kubebuilder:validation:items:XValidation:rule="self.matches('^(\\\\*\\\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')",message="each registry must be a valid hostname[:port][/path] without tags or digests"
 	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
 	// allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
+	// Each entry must be a valid registry scope in the format hostname[:port][/path],
+	// optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+	// Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+	// Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 	//
 	// Only one of BlockedRegistries or AllowedRegistries may be set.
 	// +optional
 	// +listType=atomic
+	// +kubebuilder:validation:MaxItems=512
+	// +kubebuilder:validation:items:MaxLength=512
+	// +kubebuilder:validation:items:XValidation:rule="self.matches('^(\\\\*\\\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')",message="each registry must be a valid hostname[:port][/path] without tags or digests"
 	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
 	// containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified
 	// domains in their pull specs. Registries will be searched in the order provided in the list.

config/v1/zz_generated.crd-manifests/0000_10_config-operator_01_images.crd.yaml

@@ -129,19 +129,39 @@ spec:
                   allowedRegistries:
                     description: |-
                       allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 
                       Only one of BlockedRegistries or AllowedRegistries may be set.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                   blockedRegistries:
                     description: |-
                       blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 
                       Only one of BlockedRegistries or AllowedRegistries may be set.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                   containerRuntimeSearchRegistries:
@@ -156,10 +176,20 @@ spec:
                     type: array
                     x-kubernetes-list-type: set
                   insecureRegistries:
-                    description: insecureRegistries are registries which do not have
-                      a valid TLS certificates or only support HTTP connections.
+                    description: |-
+                      insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object

config/v1/zz_generated.featuregated-crd-manifests/images.config.openshift.io/AAA_ungated.yaml

@@ -112,19 +112,39 @@ spec:
                   allowedRegistries:
                     description: |-
                       allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 
                       Only one of BlockedRegistries or AllowedRegistries may be set.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                   blockedRegistries:
                     description: |-
                       blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 
                       Only one of BlockedRegistries or AllowedRegistries may be set.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                   containerRuntimeSearchRegistries:
@@ -139,10 +159,20 @@ spec:
                     type: array
                     x-kubernetes-list-type: set
                   insecureRegistries:
-                    description: insecureRegistries are registries which do not have
-                      a valid TLS certificates or only support HTTP connections.
+                    description: |-
+                      insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object

config/v1/zz_generated.featuregated-crd-manifests/images.config.openshift.io/ImageStreamImportMode.yaml

@@ -130,19 +130,39 @@ spec:
                   allowedRegistries:
                     description: |-
                       allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 
                       Only one of BlockedRegistries or AllowedRegistries may be set.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                   blockedRegistries:
                     description: |-
                       blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
 
                       Only one of BlockedRegistries or AllowedRegistries may be set.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                   containerRuntimeSearchRegistries:
@@ -157,10 +177,20 @@ spec:
                     type: array
                     x-kubernetes-list-type: set
                   insecureRegistries:
-                    description: insecureRegistries are registries which do not have
-                      a valid TLS certificates or only support HTTP connections.
+                    description: |-
+                      insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections.
+                      Each entry must be a valid registry scope in the format hostname[:port][/path],
+                      optionally prefixed with "*." for wildcard subdomains (e.g., "*.example.com").
+                      Entries must not include tags (e.g., ":latest") or digests (e.g., "@sha256:...").
+                      Each entry must be at most 512 characters in length and the list may contain at most 512 entries.
                     items:
+                      maxLength: 512
                       type: string
+                      x-kubernetes-validations:
+                      - message: each registry must be a valid hostname[:port][/path]
+                          without tags or digests
+                        rule: self.matches('^(\\*\\.)?[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?(:[0-9]+)?(/[a-z0-9._-]+)*$')
+                    maxItems: 512
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object