validator-labs
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/v1alpha1/ocivalidator_types.go
Lines changed: 28 additions & 7 deletions b/‎api/v1alpha1/ocivalidator_types.go
Lines changed: 28 additions & 7 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go
Lines changed: 3 additions & 3 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎chart/validator-plugin-oci/crds/validation.spectrocloud.labs_ocivalidators.yaml
Lines changed: 26 additions & 10 deletions b/‎chart/validator-plugin-oci/crds/validation.spectrocloud.labs_ocivalidators.yaml
Lines changed: 26 additions & 10 deletions
diff --git a/‎config/crd/bases/validation.spectrocloud.labs_ocivalidators.yaml
Lines changed: 26 additions & 10 deletions b/‎config/crd/bases/validation.spectrocloud.labs_ocivalidators.yaml
Lines changed: 26 additions & 10 deletions
diff --git a/‎config/samples/ocivalidator-private-registry.yaml
Lines changed: 3 additions & 4 deletions b/‎config/samples/ocivalidator-private-registry.yaml
Lines changed: 3 additions & 4 deletions
diff --git a/‎config/samples/ocivalidator-public-registry.yaml
Lines changed: 2 additions & 0 deletions b/‎config/samples/ocivalidator-public-registry.yaml
Lines changed: 2 additions & 0 deletions
diff --git a/‎internal/controller/ocivalidator_controller_test.go
Lines changed: 19 additions & 15 deletions b/‎internal/controller/ocivalidator_controller_test.go
Lines changed: 19 additions & 15 deletions
@@ -13,7 +13,7 @@ The OCI validator plugin reconciles `OciValidator` custom resources to perform t
 
 1. Validate OCI registry authentication
 2. Validate the existence of arbitrary OCI artifacts (pack, image, etc.)
-3. Validate downloading arbitrary OCI artifacts
+3. If `ValidationType` is set to `full` or `fast`, downloads the OCI artifacts and verifies their layers, manifests, and configs
 
 Each `OciValidator` CR is (re)-processed every two minutes to continuously ensure that your OCI registry matches the expected state.
 
 
@@ -48,11 +48,19 @@ type OciRegistryRule struct {
 	// Host is the URI of an OCI registry.
 	Host string `json:"host" yaml:"host"`
 
-	// SkipLayerValidation specifies whether deep validation of the artifact layers should be skipped.
-	// The existence of layers will always validated whether this option is enabled or disabled.
-	// See more details here:
-	// https://github.com/google/go-containerregistry/blob/8dadbe76ff8c20d0e509406f04b7eade43baa6c1/pkg/v1/validate/image.go#L105
-	SkipLayerValidation bool `json:"skipLayerValidation,omitempty" yaml:"skipLayerValidation,omitempty"`
+	// ValidationType specifies which (if any) type of validation is performed on the artifacts.
+	// Valid values are "full", "fast", and "none". When set to "none", the artifact will not be pulled and no extra validation will be performed.
+	// For both "full" and "fast" validationType, the following validations will be executed:
+	// - Layers existence will be validated
+	// - Config digest, size, content, and type will be validated
+	// - Manifest digest, content, and size will be validated
+	// For "full" validationType, the following additional validations will be performed:
+	// - Layer digest, diffID, size, and media type will be validated
+	// See more details about validation here:
+	// https://github.com/google/go-containerregistry/blob/8dadbe76ff8c20d0e509406f04b7eade43baa6c1/pkg/v1/validate/image.go#L30
+	// +kubebuilder:validation:Enum=full;fast;none
+	// +kubebuilder:default:=none
+	ValidationType ValidationType `json:"validationType" yaml:"validationType"`
 
 	// Artifacts is a slice of artifacts in the OCI registry that should be validated.
 	Artifacts []Artifact `json:"artifacts,omitempty" yaml:"artifacts,omitempty"`
@@ -70,6 +78,18 @@ type OciRegistryRule struct {
 	SignatureVerification SignatureVerification `json:"signatureVerification,omitempty" yaml:"signatureVerification,omitempty"`
 }
 
+// ValidationType defines the type of extra validation to perform on the artifacts.
+type ValidationType string
+
+const (
+	// ValidationTypeFull specifies full validation of the artifacts.
+	ValidationTypeFull ValidationType = "full"
+	// ValidationTypeFast specifies fast validation of the artifacts.
+	ValidationTypeFast ValidationType = "fast"
+	// ValidationTypeNone specifies no extra validation of the artifacts, artifacts will not be pulled.
+	ValidationTypeNone ValidationType = "none"
+)
+
 // Name returns the name of the OciRegistryRule.
 func (r OciRegistryRule) Name() string {
 	return r.RuleName
@@ -86,8 +106,9 @@ type Artifact struct {
 	// When no tag or digest are specified, the default tag "latest" is used.
 	Ref string `json:"ref" yaml:"ref"`
 
-	// SkipLayerValidation overrides the OciRegistryRule level SkiplayerValidation for a particular artifact.
-	SkipLayerValidation *bool `json:"skipLayerValidation,omitempty" yaml:"skipLayerValidation,omitempty"`
+	// ValidationType overrides the OciRegistryRule level ValidationType for a particular artifact.
+	// +kubebuilder:validation:Enum=full;fast;none
+	ValidationType *ValidationType `json:"validationType,omitempty" yaml:"validationType,omitempty"`
 }
 
 // Auth defines the authentication information for the registry.
 
@@ -61,10 +61,14 @@ spec:
 
                               When no tag or digest are specified, the default tag "latest" is used.
                             type: string
-                          skipLayerValidation:
-                            description: SkipLayerValidation overrides the OciRegistryRule
-                              level SkiplayerValidation for a particular artifact.
-                            type: boolean
+                          validationType:
+                            description: ValidationType overrides the OciRegistryRule
+                              level ValidationType for a particular artifact.
+                            enum:
+                            - full
+                            - fast
+                            - none
+                            type: string
                         required:
                         - ref
                         type: object
@@ -148,16 +152,28 @@ spec:
                       - provider
                       - secretName
                       type: object
-                    skipLayerValidation:
+                    validationType:
+                      default: none
                       description: |-
-                        SkipLayerValidation specifies whether deep validation of the artifact layers should be skipped.
-                        The existence of layers will always validated whether this option is enabled or disabled.
-                        See more details here:
-                        https://github.com/google/go-containerregistry/blob/8dadbe76ff8c20d0e509406f04b7eade43baa6c1/pkg/v1/validate/image.go#L105
-                      type: boolean
+                        ValidationType specifies which (if any) type of validation is performed on the artifacts.
+                        Valid values are "full", "fast", and "none". When set to "none", the artifact will not be pulled and no extra validation will be performed.
+                        For both "full" and "fast" validationType, the following validations will be executed:
+                        - Layers existence will be validated
+                        - Config digest, size, content, and type will be validated
+                        - Manifest digest, content, and size will be validated
+                        For "full" validationType, the following additional validations will be performed:
+                        - Layer digest, diffID, size, and media type will be validated
+                        See more details about validation here:
+                        https://github.com/google/go-containerregistry/blob/8dadbe76ff8c20d0e509406f04b7eade43baa6c1/pkg/v1/validate/image.go#L30
+                      enum:
+                      - full
+                      - fast
+                      - none
+                      type: string
                   required:
                   - host
                   - name
+                  - validationType
                   type: object
                 maxItems: 5
                 type: array
 
@@ -61,10 +61,14 @@ spec:
 
                               When no tag or digest are specified, the default tag "latest" is used.
                             type: string
-                          skipLayerValidation:
-                            description: SkipLayerValidation overrides the OciRegistryRule
-                              level SkiplayerValidation for a particular artifact.
-                            type: boolean
+                          validationType:
+                            description: ValidationType overrides the OciRegistryRule
+                              level ValidationType for a particular artifact.
+                            enum:
+                            - full
+                            - fast
+                            - none
+                            type: string
                         required:
                         - ref
                         type: object
@@ -148,16 +152,28 @@ spec:
                       - provider
                       - secretName
                       type: object
-                    skipLayerValidation:
+                    validationType:
+                      default: none
                       description: |-
-                        SkipLayerValidation specifies whether deep validation of the artifact layers should be skipped.
-                        The existence of layers will always validated whether this option is enabled or disabled.
-                        See more details here:
-                        https://github.com/google/go-containerregistry/blob/8dadbe76ff8c20d0e509406f04b7eade43baa6c1/pkg/v1/validate/image.go#L105
-                      type: boolean
+                        ValidationType specifies which (if any) type of validation is performed on the artifacts.
+                        Valid values are "full", "fast", and "none". When set to "none", the artifact will not be pulled and no extra validation will be performed.
+                        For both "full" and "fast" validationType, the following validations will be executed:
+                        - Layers existence will be validated
+                        - Config digest, size, content, and type will be validated
+                        - Manifest digest, content, and size will be validated
+                        For "full" validationType, the following additional validations will be performed:
+                        - Layer digest, diffID, size, and media type will be validated
+                        See more details about validation here:
+                        https://github.com/google/go-containerregistry/blob/8dadbe76ff8c20d0e509406f04b7eade43baa6c1/pkg/v1/validate/image.go#L30
+                      enum:
+                      - full
+                      - fast
+                      - none
+                      type: string
                   required:
                   - host
                   - name
+                  - validationType
                   type: object
                 maxItems: 5
                 type: array
 
@@ -8,10 +8,11 @@ spec:
     # private oci registry artifacts using basic auth and a caCert
     - name: "private oci registry"
       host: "oci-airgap.spectrocloud.dev"
+      validationType: "full"
       artifacts:
         - ref: "spectro-images/gcr.io/spectro-images-fips/kube-apiserver:v1.26.5"
+          validationType: "fast"
         - ref: "spectro-packs/spectro-packs/archive/vault:0.25.0"
-          skipLayerValidation: true
       auth:
         basic:
           username: some-user
@@ -40,7 +41,6 @@ spec:
     # private ecr registry with ecr auth and no artifact specified
     - name: "private ecr registry"
       host: "745150053801.dkr.ecr.us-east-1.amazonaws.com"
-      skipLayerValidation: true
       auth:
         ecr:
           accessKeyID: some-access-key-id
@@ -50,11 +50,10 @@ spec:
     # private oci registry with secret key auth and signature verification enabled
     - name: "private oci registry with signature verification enabled"
       host: "registry.hub.docker.com"
-      skipLayerValidation: true
+      validationType: "fast"
       artifacts:
         - ref: "ahmadibraspectrocloud/validator:signed"
         - ref: "ahmadibraspectrocloud/validator-plugin-oci:signed"
-          skipLayerValidation: false
       signatureVerification:
         secretName: "cosign-public-keys"
       auth:
 
@@ -14,12 +14,14 @@ spec:
     # public oci registry artifact referenced by default "latest" tag
     - name: "public oci registry with default latest tag"
       host: "registry.hub.docker.com"
+      validationType: "full"
       artifacts:
         - ref: "ahmadibraspectrocloud/kubebuilder-cron"
 
     # public oci registry with signature verification enabled
     - name: "public oci registry with signature verification enabled"
       host: "registry.hub.docker.com"
+      validationType: "fast"
       artifacts:
         - ref: "ahmadibraspectrocloud/kb-guestbook:signed"
       signatureVerification:
 
@@ -37,8 +37,9 @@ var _ = Describe("OCIValidator controller", Ordered, func() {
 		Spec: v1alpha1.OciValidatorSpec{
 			OciRegistryRules: []v1alpha1.OciRegistryRule{
 				{
-					RuleName: "basic auth and empty artifact list",
-					Host:     "foo1.registry.io",
+					RuleName:       "basic auth and empty artifact list",
+					Host:           "foo1.registry.io",
+					ValidationType: v1alpha1.ValidationTypeNone,
 					Auth: v1alpha1.Auth{
 						Basic: &v1alpha1.BasicAuth{
 							Username: "userName",
@@ -51,9 +52,9 @@ var _ = Describe("OCIValidator controller", Ordered, func() {
 					},
 				},
 				{
-					RuleName:            "layer validation skipped on rule level",
-					Host:                "foo.registry.io",
-					SkipLayerValidation: true,
+					RuleName:       "full layer validation enabled on rule level",
+					Host:           "foo.registry.io",
+					ValidationType: v1alpha1.ValidationTypeFull,
 					Artifacts: []v1alpha1.Artifact{
 						{
 							Ref: "foo/bar:latest",
@@ -64,38 +65,41 @@ var _ = Describe("OCIValidator controller", Ordered, func() {
 					},
 				},
 				{
-					RuleName: "layer validation skipped on artifact level",
-					Host:     "foo.registry.io",
+					RuleName:       "fast layer validation enabled on artifact level",
+					Host:           "foo.registry.io",
+					ValidationType: v1alpha1.ValidationTypeNone,
 					Artifacts: []v1alpha1.Artifact{
 						{
-							Ref:                 "foo/bar:latest",
-							SkipLayerValidation: util.Ptr(true),
+							Ref:            "foo/bar:latest",
+							ValidationType: util.Ptr(v1alpha1.ValidationTypeFast),
 						},
 					},
 					SignatureVerification: v1alpha1.SignatureVerification{
 						Provider: "cosign",
 					},
 				},
 				{
-					RuleName: "secret auth and ca cert provided",
-					Host:     "foo2.registry.io",
+					RuleName:       "secret auth and ca cert provided",
+					Host:           "foo2.registry.io",
+					ValidationType: v1alpha1.ValidationTypeNone,
 					Auth: v1alpha1.Auth{
 						SecretName: util.Ptr("auth-secret"),
 					},
 					CaCert: "dummy-ca-cert",
 					Artifacts: []v1alpha1.Artifact{
 						{
-							Ref:                 "foo/bar:latest",
-							SkipLayerValidation: util.Ptr(true),
+							Ref:            "foo/bar:latest",
+							ValidationType: util.Ptr(v1alpha1.ValidationTypeFast),
 						},
 					},
 					SignatureVerification: v1alpha1.SignatureVerification{
 						Provider: "cosign",
 					},
 				},
 				{
-					RuleName: "ecr auth and pubkeys secret provided and created",
-					Host:     "foo3.registry.io",
+					RuleName:       "ecr auth and pubkeys secret provided and created",
+					Host:           "foo3.registry.io",
+					ValidationType: v1alpha1.ValidationTypeNone,
 					Auth: v1alpha1.Auth{
 						ECR: &v1alpha1.ECRAuth{
 							AccessKeyID:     "accessKeyID",