Skip to content

feat(controller): add validation of acr server endpoints against configured suffixes#129

Draft
matucker-msft wants to merge 1 commit into
mainfrom
allowed-acr-suffixes
Draft

feat(controller): add validation of acr server endpoints against configured suffixes#129
matucker-msft wants to merge 1 commit into
mainfrom
allowed-acr-suffixes

Conversation

@matucker-msft
Copy link
Copy Markdown
Member

@matucker-msft matucker-msft commented May 26, 2026
edited
Loading

Adds controller-level validation for ACR server domains using a configurable allowed suffix list. The Helm chart now defaults to allowing public Azure Container Registry domains via azurecr.io, while operators can configure suffixes for sovereign cloud environments.

@matucker-msft matucker-msft requested a review from Copilot May 26, 2026 18:48
Copilot AI reviewed May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an optional-but-configurable validation layer that restricts which ACR registry hostnames the controller will exchange Azure tokens with, based on an allowed list of domain suffixes (defaulted by the Helm chart to azurecr.io). This helps prevent misconfiguration or malicious bindings from directing token exchange traffic to unexpected registry domains.

Changes:

  • Introduces ACR server hostname parsing + allowed-suffix validation and wires it into both v1beta1 and v1beta2 reconcilers (executed early in reconcile, before token acquisition).
  • Exposes configuration via a new controller flag --allowed-acr-server-suffixes and Helm values (allowedACRServerSuffixes), with documentation in README.
  • Adds unit tests covering suffix matching and controller behavior when a disallowed server is configured.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file
File Description
README.md Documents the new “allowed suffixes” restriction and Helm value to configure it.
internal/controller/generic_controller.go Adds an optional ValidateBinding hook and runs it early during reconcile.
internal/controller/acrpullbinding_controller.go Hooks ACR server suffix validation into v1beta1 binding reconcile flow.
internal/controller/acrpullbinding_controller_test.go Adds v1beta1 test ensuring disallowed servers fail before token acquisition.
internal/controller/acrpullbinding_v1beta2_controller.go Hooks ACR server suffix validation into v1beta2 binding reconcile flow.
internal/controller/acrpullbinding_v1beta2_controller_test.go Adds v1beta2 test ensuring disallowed servers fail before token acquisition.
internal/controller/acr_server.go Implements hostname extraction, suffix normalization, and allowed-suffix validation.
internal/controller/acr_server_test.go Unit tests for suffix validation behavior and invalid server inputs.
config/helm/values.yaml Adds allowedACRServerSuffixes defaulting to azurecr.io.
config/helm/templates/deployment.yaml Passes --allowed-acr-server-suffixes from Helm values to the manager args.
cmd/main.go Adds CLI flag parsing and passes configured suffix list into both reconcilers.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matucker-msft