kyma-project / cli

Simple set of commands to manage a Kyma installation
Apache License 2.0

Unhandled tags in the alpha create module command #1726

Closed janmedrek closed 1 year ago

janmedrek commented 1 year ago

Description

When passing a PR-XX tag, the module cannot be built and a pattern error is returned.

Expected result

Module is built correctly.

Actual result

WARNING: The Kubebuilder support in this command is DEPRECATED. Use the simple mode by providing the "--module-config-file" flag instead.
- Module built
- Default CR validation succeeded
- Module archive created
- Adding layers to archive...
X Configuring security scanning...
Error: component.resources.1: Must validate at least one schema (anyOf);component.resources.1.version: Does not match pattern '^[v]?(0|[1-9]\d*)(?:\.(0|[1-9]\d*))?(?:\.(0|[1-9]\d*))?(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'
make[1]: *** [Makefile:197: module-build] Error 1

Steps to reproduce

YAML used:

module-name: nats-manager
protecode:
  - europe-docker.pkg.dev/kyma-project/dev/nats-manager:PR-97
  - europe-docker.pkg.dev/kyma-project/prod/external/natsio/prometheus-nats-exporter:0.12.0
  - europe-docker.pkg.dev/kyma-project/prod/external/natsio/nats-server-config-reloader:0.11.0
  - europe-docker.pkg.dev/kyma-project/prod/external/natsio/nats-box:0.13.8
  - europe-docker.pkg.dev/kyma-project/prod/external/nats:v20230714-2.9.20-alpine3.18
whitesource:
  language: golang-mod
  subprojects: false
  exclude:
    - "**/test/**"
    - "**/*_test.go"

Changing the PR-97 tag to v20230807-ca19ea9a solves the issue.

lindnerby commented 1 year ago

Apart from the error, the PR images are found under europe-docker.pkg.dev/kyma-project/dev/*, right?

LeelaChacha commented 1 year ago

@janmedrek we use the ocm library to validate the component descriptor generated from the security config. Their pattern (defined in the component descriptor v2 schema) does not allow for tags that don't follow semantic versioning. Therefore, to support "PR-XX" tags, we would have to implement our own logic, which will then require further test cases and maintenance down the line. Is this worth pursuing?

ruanxin commented 1 year ago

Further conclusion:

As @LeelaChacha described, since we are using the ocm library and the protecode is configured as an external access layer, the image tag must follow the API definition (semantic version). The validation does not only happen when calling ocm.Validate(descriptor) specifically; it also validates internally in archive.Update(), which makes it basically impossible to get rid of.

  - access:
      imageReference: europe-docker.pkg.dev/kyma-project/prod/btp-manager:0.5.0
      type: ociRegistry
    labels:
    - name: scan.security.kyma-project.io/type
      value: third-party-image
      version: v1
    name: btp-manager
    relation: external
    type: ociImage
    version: 0.5.0

@janmedrek, please clarify if this PR image is really a needed feature request; otherwise I suggest we close this issue and make sure all images provided in protecode are released versions.
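
The check discussed in this thread, as an added example that is not part of the original issue or the kyma CLI's own code: it applies the version pattern quoted in the error output to the tags of the protecode image list before a build is attempted. The helper names `tagOf` and `rejectedImages` are hypothetical, and treating an untagged reference as rejected is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Version pattern copied verbatim from the error output in this issue.
var versionPattern = regexp.MustCompile(`^[v]?(0|[1-9]\d*)(?:\.(0|[1-9]\d*))?(?:\.(0|[1-9]\d*))?(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// tagOf (hypothetical helper) returns the tag of an image reference.
// Any "@digest" suffix is dropped first. A colon only starts a tag if it
// comes after the last "/", so a registry port such as "localhost:5000/img"
// is not mistaken for a tag.
func tagOf(ref string) (string, bool) {
	if at := strings.Index(ref, "@"); at >= 0 {
		ref = ref[:at]
	}
	colon := strings.LastIndex(ref, ":")
	if colon < 0 || colon < strings.LastIndex(ref, "/") {
		return "", false
	}
	return ref[colon+1:], true
}

// rejectedImages (hypothetical helper) lists the references whose tag is
// missing (an assumption made for this example) or does not match
// versionPattern.
func rejectedImages(refs []string) []string {
	var bad []string
	for _, ref := range refs {
		if tag, ok := tagOf(ref); !ok || !versionPattern.MatchString(tag) {
			bad = append(bad, ref)
		}
	}
	return bad
}

func main() {
	// The protecode list from the YAML in this issue.
	refs := []string{
		"europe-docker.pkg.dev/kyma-project/dev/nats-manager:PR-97",
		"europe-docker.pkg.dev/kyma-project/prod/external/natsio/prometheus-nats-exporter:0.12.0",
		"europe-docker.pkg.dev/kyma-project/prod/external/natsio/nats-server-config-reloader:0.11.0",
		"europe-docker.pkg.dev/kyma-project/prod/external/natsio/nats-box:0.13.8",
		"europe-docker.pkg.dev/kyma-project/prod/external/nats:v20230714-2.9.20-alpine3.18",
	}
	for _, ref := range rejectedImages(refs) {
		fmt.Println("rejected:", ref)
	}
}
```

Date-and-commit tags such as v20230807-ca19ea9a pass because the part after the hyphen is parsed as a pre-release identifier, while PR-97 fails at the first character.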

janmedrek commented 1 year ago

We can not afford to introduce another maintenance overhead for the team (maintaining the check and diverging from the OCM library).

I will decrease the priority, move it back to the backlog and we will re-discuss that feature request.

kyma-bot commented 1 year ago

This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.

/lifecycle stale