Allow :ref suffix in additionalLayerStores path for stargz-store to support lazy image pulling

BhargaviGudi · BhargaviGudi · commit 942df244ddef · 2026-04-15T20:25:10.000+05:30
Introduced LayerStorePath type for additionalLayerStores that allows paths ending with :ref (e.g., /var/lib/stargz-store/store:ref), while keeping StorePath unchanged for additionalImageStores and additionalArtifactStores. Fixes: https://issues.redhat.com/browse/OCPBUGS-83492
diff --git a/machineconfiguration/v1/tests/containerruntimeconfigs.machineconfiguration.openshift.io/AdditionalStorageConfig.yaml b/machineconfiguration/v1/tests/containerruntimeconfigs.machineconfiguration.openshift.io/AdditionalStorageConfig.yaml
@@ -26,6 +26,42 @@ tests:
               - path: /mnt/nydus-store
               - path: /opt/layer_store-v1.0
 
+    - name: Should be able to create ContainerRuntimeConfig with additionalLayerStores using :ref suffix for stargz-store
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: ContainerRuntimeConfig
+        spec:
+          containerRuntimeConfig:
+            additionalLayerStores:
+              - path: /var/lib/stargz-store/store:ref
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: ContainerRuntimeConfig
+        spec:
+          containerRuntimeConfig:
+            additionalLayerStores:
+              - path: /var/lib/stargz-store/store:ref
+
+    - name: Should be able to create ContainerRuntimeConfig with mixed additionalLayerStores paths (with and without :ref)
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: ContainerRuntimeConfig
+        spec:
+          containerRuntimeConfig:
+            additionalLayerStores:
+              - path: /var/lib/stargz-store/store:ref
+              - path: /mnt/nydus-store
+              - path: /opt/layer-store:ref
+      expected: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: ContainerRuntimeConfig
+        spec:
+          containerRuntimeConfig:
+            additionalLayerStores:
+              - path: /var/lib/stargz-store/store:ref
+              - path: /mnt/nydus-store
+              - path: /opt/layer-store:ref
+
     - name: Should fail if additionalLayerStores path is empty
       initial: |
         apiVersion: machineconfiguration.openshift.io/v1
@@ -64,7 +100,17 @@ tests:
           containerRuntimeConfig:
             additionalLayerStores:
               - path: /var/lib/stargz@store
-      expectedError: "path must be absolute and contain only alphanumeric characters, '/', '.', '_', and '-'"
+      expectedError: "path must be absolute and contain only alphanumeric characters, '/', '.', '_', '-', and optionally end with ':ref'"
+
+    - name: Should fail if additionalLayerStores path contains colon with suffix other than :ref
+      initial: |
+        apiVersion: machineconfiguration.openshift.io/v1
+        kind: ContainerRuntimeConfig
+        spec:
+          containerRuntimeConfig:
+            additionalLayerStores:
+              - path: /var/lib/stargz-store:other
+      expectedError: "path must be absolute and contain only alphanumeric characters, '/', '.', '_', '-', and optionally end with ':ref'"
 
     - name: Should fail if additionalLayerStores path is too long
       initial: |
diff --git a/machineconfiguration/v1/types.go b/machineconfiguration/v1/types.go
@@ -976,17 +976,30 @@ const (
 // +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="path must not contain consecutive forward slashes"
 type StorePath string
 
+// LayerStorePath is an absolute filesystem path used by additional layer store configurations.
+// The path must be between 1 and 256 characters long, begin with a forward slash, and only contain
+// the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'. The colon is only permitted as part of
+// the ':ref' suffix for reference-based layer organization (e.g., stargz-store).
+// Consecutive forward slashes are not permitted.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=256
+// +kubebuilder:validation:XValidation:rule="self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')",message="path must be absolute and contain only alphanumeric characters, '/', '.', '_', '-', and optionally end with ':ref'"
+// +kubebuilder:validation:XValidation:rule="!self.contains('//')",message="path must not contain consecutive forward slashes"
+type LayerStorePath string
+
 // AdditionalLayerStore defines a read-only storage location for Open Container Initiative (OCI) container image layers.
 type AdditionalLayerStore struct {
 	// path specifies the absolute location of the additional layer store.
 	// The path must exist on the node before configuration is applied.
 	// When a container image is requested, layers found at this location will be used instead of
 	// retrieving from the registry.
 	// The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-	// and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+	// and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+	// The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+	// (e.g., /var/lib/stargz-store/store:ref for stargz-store).
 	// Consecutive forward slashes are not permitted.
 	// +required
-	Path StorePath `json:"path,omitempty"`
+	Path LayerStorePath `json:"path,omitempty"`
 }
 
 // AdditionalImageStore defines an additional read-only storage location for Open Container Initiative (OCI) images.
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs-CustomNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs-CustomNoUpgrade.crd.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs-DevPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs-DevPreviewNoUpgrade.crd.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
diff --git a/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs-TechPreviewNoUpgrade.crd.yaml b/machineconfiguration/v1/zz_generated.crd-manifests/0000_80_machine-config_01_containerruntimeconfigs-TechPreviewNoUpgrade.crd.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
diff --git a/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/containerruntimeconfigs.machineconfiguration.openshift.io/AdditionalStorageConfig.yaml b/machineconfiguration/v1/zz_generated.featuregated-crd-manifests/containerruntimeconfigs.machineconfiguration.openshift.io/AdditionalStorageConfig.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
diff --git a/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/machineconfiguration/v1/zz_generated.swagger_doc_generated.go
diff --git a/payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs-CustomNoUpgrade.crd.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
diff --git a/payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs-DevPreviewNoUpgrade.crd.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
diff --git a/payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_80_machine-config_01_containerruntimeconfigs-TechPreviewNoUpgrade.crd.yaml
@@ -163,15 +163,18 @@ spec:
                             When a container image is requested, layers found at this location will be used instead of
                             retrieving from the registry.
                             The path is required and must be between 1 and 256 characters long, begin with a forward slash,
-                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', and '-'.
+                            and only contain the characters a-z, A-Z, 0-9, '/', '.', '_', '-', and ':'.
+                            The colon is only permitted as part of the ':ref' suffix for reference-based layer organization
+                            (e.g., /var/lib/stargz-store/store:ref for stargz-store).
                             Consecutive forward slashes are not permitted.
                           maxLength: 256
                           minLength: 1
                           type: string
                           x-kubernetes-validations:
                           - message: path must be absolute and contain only alphanumeric
-                              characters, '/', '.', '_', and '-'
-                            rule: self.matches('^/[a-zA-Z0-9/._-]+$')
+                              characters, '/', '.', '_', '-', and optionally end with
+                              ':ref'
+                            rule: self.matches('^/[a-zA-Z0-9/._-]+(:ref)?$')
                           - message: path must not contain consecutive forward slashes
                             rule: '!self.contains(''//'')'
                       required:
