CLID-579: Validate BlockedImage regex

[dorzel]

Description

During code review of #1372, coderabbit flagged an issue surrounding validation of BlockedImage regexes: #1372 (comment). This addresses the gap by providing validation through regex compilation on the BlockedImage names during config validation.

Github / Jira issue: https://redhat.atlassian.net/browse/CLID-579

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Code Improvements (Refactoring, Performance, CI upgrades, etc)
• Internal repo assets (diagrams / docs on github repo)
• This change requires a documentation update on openshift docs

How Has This Been Tested?

• ran unit tests
• quick manual test with test ISC:

apiVersion: mirror.openshift.io/v2alpha1
kind: ImageSetConfiguration
mirror:
  additionalimages:
    - name: registry.redhat.io/ubi8/ubi:latest
  blockedimages:
    - name: "registry\\.example\\.com/blocked/.*"
    - name: "[invalid-regex"
    - name: "valid-literal-name"
    - name: "(unclosed-group"

[dorzel@ppc64le-018: misc]$ oc-mirror --v2 --dest-tls-verify=false --authfile=/home/dorzel/oc-mirror/authfile.json -c blockedimages-test-isc.yaml file:///home/dorzel/oc-mirror/misc/test-mirror/ --dry-run
2026/05/06 17:01:26  [INFO]   : 👋 Hello, welcome to oc-mirror
2026/05/06 17:01:26  [INFO]   : ⚙️  setting up the environment for you...
2026/05/06 17:01:26  [WARN]   : ⚠️  Detected bad umask 002 (oc-mirror requires a umask of 0022)
2026/05/06 17:01:26  [INFO]   : ⚙️  environment version: v0.2.0-alpha.1-582-g0234a7f
2026/05/06 17:01:26  [ERROR]  : [Executor] invalid configuration: [blocked image "[invalid-regex": invalid regular expression: error parsing regexp: missing closing ]: `[invalid-regex`, blocked image "(unclosed-group": invalid regular expression: error parsing regexp: missing closing ): `(unclosed-group`] 

Expected Outcome

• Invalid BlockedImage regexes throw errors.

[openshift-ci-robot]

@dorzel: This pull request references CLID-579 which is a valid jira issue.

Details

In response to this:

Description

During code review of #1372, coderabbit flagged an issue surrounding validation of BlockedImage regexes: #1372 (comment). This addresses the gap by providing validation through regex compilation on the BlockedImage names during config validation.

Github / Jira issue: https://redhat.atlassian.net/browse/CLID-579

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Code Improvements (Refactoring, Performance, CI upgrades, etc)
• Internal repo assets (diagrams / docs on github repo)
• This change requires a documentation update on openshift docs

How Has This Been Tested?

• ran unit tests
• quick manual test with test ISC

Expected Outcome

• Invalid BlockedImage regexes throw errors.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Blocked image names are now validated as regular expressions during configuration validation. A new validateBlockedImages function compiles each blocked image as a regex pattern and collects any compilation errors, integrated into the validation check sequence.

Changes

Blocked Images Regex Validation

Layer / File(s)	Summary
Core Implementation internal/pkg/config/validate.go	Added regexp import and implemented validateBlockedImages function to compile and validate each blocked image name as a regex pattern. Integrated into validationChecks slice.
Tests internal/pkg/config/validate_test.go	Added test cases validating both valid regex patterns and malformed regex patterns in blocked images validation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'CLID-579: Validate BlockedImage regex' directly describes the main change in the changeset: adding validation for BlockedImage entries by compiling them as regular expressions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test names are stable and deterministic. New test cases follow established naming patterns with no dynamic content.
Test Structure And Quality	✅ Passed	The custom check applies to Ginkgo tests, but this PR's test code uses standard Go unit tests with testify assertions, not Ginkgo. The check is not applicable to this codebase structure.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests added. This PR modifies validation code using standard Go unit tests, not Ginkgo e2e tests. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. The changes add unit tests using Go's standard testing framework to validate BlockedImage regex configuration. The custom check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds config validation for BlockedImage regex patterns only. No deployment manifests, operator code, controllers, or scheduling constraints are introduced. Check is not applicable.
Ote Binary Stdout Contract	✅ Passed	No stdout writes detected in process-level code. Changes add regex validation functions and tests without any fmt.Print, log.Print, or klog calls that would violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. Changes are unit tests using standard testing package. No networking, IPv4 assumptions, or external connectivity in the code.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

@dorzel: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[adolfo-ab]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: adolfo-ab, dorzel
Once this PR has been reviewed and has the lgtm label, please assign aguidirh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment