add policy enforcement for bundle metadata format based on OCP versions
Signed-off-by: Jordan Keister <[email protected]>
grokspawn committed Aug 22, 2024
1 parent 290ef74 commit afdfe35
Showing 1 changed file with 32 additions and 3 deletions.
35 changes: 32 additions & 3 deletions task/fbc-validation/0.1/fbc-validation.yaml
Expand Up @@ -62,14 +62,17 @@ spec:
### FBC base image check
if [ -z "${BASE_IMAGE}" ]; then
echo "Base image is uknown. The file-based catalog must have base image defined. Check inspect-image task log."
echo "Base image is unknown. The file-based catalog must have base image defined. Check inspect-image task log."
note="Task $(context.task.name) failed: The file-based catalog must have base image defined. For details, check Tekton task result TEST_OUTPUT in task inspect-image."
TEST_OUTPUT=$(make_result_json -r ERROR -t "$note")
echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path)
exit 0
fi
IMAGE_WITHOUT_TAG=$(echo "${BASE_IMAGE}" | sed "s/:.*$//" | sed "s/@.*$//")
OCP_VER_FROM_BASE=$(echo "${BASE_IMAGE}" | sed "s/@.*$//" | sed "s/^.*://") # strips hash first due to greedy match
OCP_VER_MAJOR=$(echo "${OCP_VER_FROM_BASE}" | cut -d '.' -f 1)
OCP_VER_MINOR=$(echo "${OCP_VER_FROM_BASE}" | cut -d '.' -f 2)
allowed=false
for value in "${ALLOWED_BASE_IMAGES[@]}"
Expand Down Expand Up @@ -152,8 +155,8 @@ spec:
echo "OPM_BINARY: '${OPM_BINARY}'"
chmod 775 "$OPM_BINARY"
# We have totally 3 checks here currently
check_num=3
# We have 4 total checks
check_num=4
failure_num=0
TESTPASSED=true
Expand All @@ -162,16 +165,42 @@ spec:
failure_num=`expr $failure_num + 1`
TESTPASSED=false
fi
if ! ${OPM_BINARY} validate ."${conffolder}"; then
echo "!FAILURE! - opm validate check failed."
failure_num=`expr $failure_num + 1`
TESTPASSED=false
fi
if ! ${OPM_BINARY} render ."${conffolder}" | jq -en 'reduce (inputs | select(.schema == "olm.package")) as $obj (0; .+1) == 1'; then
echo "!FAILURE! - More than one olm.packages is not permitted in a FBC fragment."
failure_num=`expr $failure_num + 1`
TESTPASSED=false
fi
OCP_BUNDLE_METADATA_THRESHOLD_MAJOR=4
OCP_BUNDLE_METADATA_THRESHOLD_MINOR=17
if [[ "${OCP_VER_MAJOR}" -ge "${OCP_BUNDLE_METADATA_THRESHOLD_MAJOR}" ]] && [[ "${OCP_VER_MINOR}" -ge "${OCP_BUNDLE_METADATA_THRESHOLD_MINOR}" ]]; then
#
# above the version threshold for mandatory `olm.csv.metadata` bundle metadata format, so presence of `olm.bundle.object` is an error
#
if ! ${OPM_BINARY} render ."${conffolder}" | jq -en 'reduce( inputs | select(.schema == "olm.bundle" and .properties[].type == "olm.bundle.object")) as $_ (0;.+1) == 0'; then
echo "!FAILURE! - olm.bundle.object bundle properties are not permitted in a FBC fragment for OCP version ${OCP_VER_MAJOR}.${OCP_VER_MINOR}. Fragments must move to olm.csv.metadata bundle metadata."
failure_num=`expr $failure_num + 1`
TESTPASSED=false
fi
else
#
# below the version threshold for mandatory `olm.csv.metadata` bundle metadata format, so presence of `olm.csv.metadata` is an error
#
if ! ${OPM_BINARY} render ."${conffolder}" | jq -en 'reduce( inputs | select(.schema == "olm.bundle" and .properties[].type == "olm.csv.metadata")) as $_ (0;.+1) == 0'; then
echo "!FAILURE! - olm.csv.metadata bundle properties are not permitted in a FBC fragment for OCP version ${OCP_VER_MAJOR}.${OCP_VER_MINOR}. Fragments must only use olm.bundle.object bundle metadata."
failure_num=`expr $failure_num + 1`
TESTPASSED=false
fi
fi
note="Task $(context.task.name) completed: Check result for task result."
if [ $TESTPASSED == false ]; then
ERROR_OUTPUT=$(make_result_json -r FAILURE -f $failure_num -s `expr $check_num - $failure_num` -t "$note")
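Review bot: The threshold test at the top of the third hunk (`[[ "${OCP_VER_MAJOR}" -ge 4 ]] && [[ "${OCP_VER_MINOR}" -ge 17 ]]`) is not a version comparison: any later major with a small minor (e.g. 5.0) has minor < 17 and falls into the `else` branch, so the catalog would be rejected for carrying `olm.csv.metadata` even though it is well above the threshold; the check needs to be major-then-minor, as in the excerpt below. The same test also degrades silently when the tag parsed from `BASE_IMAGE` in the first hunk is not a plain `major.minor` number (an empty tag, `latest`, or `v4.17`): inside `[[ -ge ]]` an empty or non-numeric word is evaluated as an arithmetic name and yields 0, so the policy is applied as "below threshold" with no diagnostic — unless the `ALLOWED_BASE_IMAGES` check that follows in the first hunk already guarantees a numeric tag, which is not visible here. Since this is the check that enforces which bundle metadata format is permitted, a non-numeric version should be reported as a failure rather than defaulting to the more permissive branch. As a point of style, the new lines 62 and 71 carry over the `` `expr $failure_num + 1` `` pattern from the existing checks; `failure_num=$((failure_num + 1))` avoids the subshell and the backtick quoting. The script body this sits in starts and ends outside the hunk.
```shell
OCP_BUNDLE_METADATA_THRESHOLD_MAJOR=4
OCP_BUNDLE_METADATA_THRESHOLD_MINOR=17
# The branch below selects which bundle metadata format is mandatory, so the
# parsed major.minor must be numeric; [[ -ge ]] would silently treat anything
# else as 0 and pick the permissive branch.
if ! [[ "${OCP_VER_MAJOR}" =~ ^[0-9]+$ && "${OCP_VER_MINOR}" =~ ^[0-9]+$ ]]; then
  echo "!FAILURE! - Could not determine a numeric OCP major.minor version from base image tag '${OCP_VER_FROM_BASE}'."
  failure_num=$((failure_num + 1))
  TESTPASSED=false
elif [[ "${OCP_VER_MAJOR}" -gt "${OCP_BUNDLE_METADATA_THRESHOLD_MAJOR}" ]] ||
     { [[ "${OCP_VER_MAJOR}" -eq "${OCP_BUNDLE_METADATA_THRESHOLD_MAJOR}" ]] &&
       [[ "${OCP_VER_MINOR}" -ge "${OCP_BUNDLE_METADATA_THRESHOLD_MINOR}" ]]; }; then
  # … unchanged: olm.bundle.object rejection …
else
  # … unchanged: olm.csv.metadata rejection …
fi
```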
