feat: adds a generic checker package with registry checks

Author: faiq

cmd/main.go

@@ -42,6 +42,7 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/options"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/cluster"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+	preflightgeneric "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/generic"
 	preflightnutanix "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/nutanix"
 )
 
@@ -241,6 +242,7 @@ func main() {
 		Handler: preflight.New(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme()),
 			[]preflight.Checker{
 				// Add your preflight checkers here.
+				preflightgeneric.Checker,
 				preflightnutanix.Checker,
 			}...,
 		),

go.mod

@@ -28,6 +28,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
 	github.com/pkg/errors v0.9.1
+	github.com/regclient/regclient v0.8.3
 	github.com/samber/lo v1.51.0
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
@@ -73,6 +74,7 @@ require (
 	github.com/docker/docker v28.0.2+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
@@ -111,6 +113,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -145,6 +148,7 @@ require (
 	github.com/spf13/viper v1.20.0 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/ulikunitz/xz v0.5.12 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect

go.sum

@@ -73,6 +73,8 @@ github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
+github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5sizHf27aoY2RTvw62mO6x7mxkScNk0=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
@@ -192,6 +194,8 @@ github.com/keploy/go-sdk v0.9.0 h1:kpSNcCTDdELsa1gWyhoD9oV57SgSMbG/wq6Cjp4y7cY=
 github.com/keploy/go-sdk v0.9.0/go.mod h1:vNKXoFd2MaK+Gly/K6XeP1Hs9dP834C74szH+vtBPwg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -241,6 +245,8 @@ github.com/nutanix/ntnx-api-golang-clients/volumes-go-client/v4 v4.0.1-beta.1 h1
 github.com/nutanix/ntnx-api-golang-clients/volumes-go-client/v4 v4.0.1-beta.1/go.mod h1:Z+RKLwsHYxAcFbZPy2ft3QAK9kBPt9bQdqXSp7eYWkY=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/olareg/olareg v0.1.2 h1:75G8X6E9FUlzL/CSjgFcYfMgNzlc7CxULpUUNsZBIvI=
+github.com/olareg/olareg v0.1.2/go.mod h1:TWs+N6pO1S4bdB6eerzUm/ITRQ6kw91mVf9ZYeGtw+Y=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
@@ -270,6 +276,8 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/regclient/regclient v0.8.3 h1:AFAPu/vmOYGyY22AIgzdBUKbzH+83lEpRioRYJ/reCs=
+github.com/regclient/regclient v0.8.3/go.mod h1:gjQh5uBVZoo/CngchghtQh9Hx81HOMKRRDd5WPcPkbk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.2 h1:YwD0ulJSJytLpiaWua0sBDusfsCZohxjxzVTYjwxfV8=
 github.com/rivo/uniseg v0.4.2/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -310,6 +318,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
+github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=

pkg/webhook/preflight/generic/checker.go

@@ -0,0 +1,47 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package generic
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+var Checker = &genericChecker{
+	registryCheckFactory: newRegistryCheck,
+}
+
+type genericChecker struct {
+	registryCheckFactory func(
+		cd *checkDependencies,
+	) []preflight.Check
+}
+
+type checkDependencies struct {
+	kclient                  ctrlclient.Client
+	cluster                  *clusterv1.Cluster
+	genericClusterConfigSpec *carenv1.GenericClusterConfigSpec
+	log                      logr.Logger
+}
+
+func (g *genericChecker) Init(
+	ctx context.Context,
+	kclient ctrlclient.Client,
+	cluster *clusterv1.Cluster,
+) []preflight.Check {
+	cd := &checkDependencies{
+		kclient: kclient,
+		cluster: cluster,
+		log:     ctrl.LoggerFrom(ctx).WithName("preflight/generic"),
+	}
+	checks := []preflight.Check{}
+	checks = append(checks, g.registryCheckFactory(cd)...)
+	return checks
+}

pkg/webhook/preflight/generic/registry.go

@@ -0,0 +1,185 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package generic
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/regclient/regclient"
+	"github.com/regclient/regclient/config"
+	"github.com/regclient/regclient/types/ref"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+var (
+	registryMirrorVarPath    = "cluster.spec.topology.variables[.name=clusterConfig].value.globalImageRegistryMirror"
+	mirrorURLValidationRegex = regexp.MustCompile(
+		`^https?://`,
+	) // in order to use regclient we need to pass just a hostname
+	// this regex allows us to strip it so we can verify connectivity for this test.
+)
+
+type registyCheck struct {
+	registryMirror *carenv1.GlobalImageRegistryMirror
+	imageRegistry  *carenv1.ImageRegistry
+	field          string
+	kclient        ctrlclient.Client
+	cluster        *clusterv1.Cluster
+}
+
+func (r *registyCheck) Name() string {
+	return "RegistryCredentials"
+}
+
+func (r *registyCheck) Run(ctx context.Context) preflight.CheckResult {
+	if r.registryMirror != nil {
+		return r.checkRegistry(
+			ctx,
+			mirrorURLValidationRegex.ReplaceAllString(r.registryMirror.URL, ""),
+			r.registryMirror.Credentials,
+		)
+	}
+	if r.imageRegistry != nil {
+		return r.checkRegistry(
+			ctx,
+			mirrorURLValidationRegex.ReplaceAllString(r.imageRegistry.URL, ""),
+			r.imageRegistry.Credentials,
+		)
+	}
+	return preflight.CheckResult{
+		Allowed: true,
+	}
+}
+
+func (r *registyCheck) checkRegistry(
+	ctx context.Context,
+	registryURL string,
+	credentials *carenv1.RegistryCredentials,
+) preflight.CheckResult {
+	result := preflight.CheckResult{
+		Allowed: false,
+	}
+	mirrorHost := config.Host{
+		Name: registryURL,
+	}
+	if credentials != nil && credentials.SecretRef != nil {
+		mirrorCredentialsSecret := &corev1.Secret{}
+		err := r.kclient.Get(
+			ctx,
+			types.NamespacedName{
+				Namespace: r.cluster.Namespace,
+				Name:      r.registryMirror.Credentials.SecretRef.Name,
+			},
+			mirrorCredentialsSecret,
+		)
+		if err != nil {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes,
+				preflight.Cause{
+					Message: fmt.Sprintf("failed to get Registry credentials Secret: %s", err),
+					Field:   fmt.Sprintf("%s.credentials.secretRef", registryMirrorVarPath),
+				},
+			)
+			return result
+		}
+		username, ok := mirrorCredentialsSecret.Data["username"]
+		if !ok {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes,
+				preflight.Cause{
+					Message: "failed to get username from Registry credentials Secret. secret must have field username.",
+					Field:   fmt.Sprintf("%s.credentials.secretRef", registryMirrorVarPath),
+				},
+			)
+			return result
+		}
+		password, ok := mirrorCredentialsSecret.Data["password"]
+		if !ok {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes,
+				preflight.Cause{
+					Message: "failed to get username from Registry credentials Secret. secret must have field password.",
+					Field:   fmt.Sprintf("%s.credentials.secretRef", registryMirrorVarPath),
+				},
+			)
+			return result
+		}
+		mirrorHost.User = string(username)
+		mirrorHost.Pass = string(password)
+		if caCert, ok := mirrorCredentialsSecret.Data["ca.crt"]; ok {
+			mirrorHost.RegCert = string(caCert)
+		}
+	}
+	rc := regclient.New(
+		regclient.WithConfigHost(mirrorHost),
+		regclient.WithUserAgent("regclient/example"),
+	)
+	mirrorRef, err := ref.NewHost(mirrorHost.Hostname)
+	if err != nil {
+		result.Allowed = false
+		result.Error = true
+		result.Causes = append(result.Causes,
+			preflight.Cause{
+				Message: "failed to create a client to verify registry configuration",
+				Field:   registryMirrorVarPath,
+			},
+		)
+		return result
+	}
+	_, err = rc.Ping(ctx, mirrorRef) // ping will return an error for anything that's not 200
+	if err != nil {
+		result.Allowed = false
+		result.Error = true
+		result.Causes = append(result.Causes,
+			preflight.Cause{
+				Message: fmt.Sprintf("failed to ping registry %s with err: %s", mirrorHost.Hostname, err.Error()),
+				Field:   registryMirrorVarPath,
+			},
+		)
+		return result
+	}
+	result.Allowed = true
+	result.Error = false
+	return result
+}
+
+func newRegistryCheck(
+	cd *checkDependencies,
+) []preflight.Check {
+	checks := []preflight.Check{}
+	if cd.genericClusterConfigSpec != nil &&
+		cd.genericClusterConfigSpec.GlobalImageRegistryMirror != nil {
+		checks = append(checks, &registyCheck{
+			field:          "cluster.spec.topology.variables[.name=clusterConfig].value.globalImageRegistryMirror",
+			kclient:        cd.kclient,
+			registryMirror: cd.genericClusterConfigSpec.GlobalImageRegistryMirror,
+			cluster:        cd.cluster,
+		})
+	}
+	if cd.genericClusterConfigSpec != nil && len(cd.genericClusterConfigSpec.ImageRegistries) > 0 {
+		for i, registry := range cd.genericClusterConfigSpec.ImageRegistries {
+			checks = append(checks, &registyCheck{
+				field: fmt.Sprintf(
+					"cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[%d]",
+					i,
+				),
+				kclient:       cd.kclient,
+				imageRegistry: &registry,
+				cluster:       cd.cluster,
+			})
+		}
+	}
+	return checks
+}