operator-framework
diff --git a/‎api/v1alpha1/operator_types.go
+12 b/‎api/v1alpha1/operator_types.go
+12
diff --git a/‎config/crd/bases/operators.operatorframework.io_operators.yaml
+10 b/‎config/crd/bases/operators.operatorframework.io_operators.yaml
+10
diff --git a/‎controllers/admission_test.go
+75 b/‎controllers/admission_test.go
+75
diff --git a/‎controllers/operator_controller.go
+14 b/‎controllers/operator_controller.go
+14
diff --git a/‎controllers/operator_controller_test.go
+81 b/‎controllers/operator_controller_test.go
+81
diff --git a/‎controllers/validators/validators.go
+43 b/‎controllers/validators/validators.go
+43
diff --git a/‎controllers/validators/validators_suite_test.go
+13 b/‎controllers/validators/validators_suite_test.go
+13
diff --git a/‎controllers/validators/validators_test.go
+63 b/‎controllers/validators/validators_test.go
+63
diff --git a/‎go.mod
+1-1 b/‎go.mod
+1-1
@@ -27,6 +27,16 @@ type OperatorSpec struct {
 	//+kubebuilder:validation:MaxLength:=48
 	//+kubebuilder:validation:Pattern:=^[a-z0-9]+(-[a-z0-9]+)*$
 	PackageName string `json:"packageName"`
+
+	//+kubebuilder:validation:MaxLength:=64
+	//+kubebuilder:validation:Pattern=^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-(0|[1-9]\d*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9]\d*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*)?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$
+	//+kubebuilder:Optional
+	// Version is an optional semver constraint on the package version. If not specified, the latest version available of the package will be installed.
+	// If specified, the specific version of the package will be installed so long as it is available in any of the content sources available.
+	// Examples: 1.2.3, 1.0.0-alpha, 1.0.0-rc.1
+	//
+	// For more information on semver, please see https://semver.org/
+	Version string `json:"version,omitempty"`
 }
 
 const (
@@ -38,6 +48,7 @@ const (
 	ReasonBundleLookupFailed        = "BundleLookupFailed"
 	ReasonInstallationFailed        = "InstallationFailed"
 	ReasonInstallationStatusUnknown = "InstallationStatusUnknown"
+	ReasonInvalidSpec               = "InvalidSpec"
 )
 
 func init() {
@@ -52,6 +63,7 @@ func init() {
 		ReasonBundleLookupFailed,
 		ReasonInstallationFailed,
 		ReasonInstallationStatusUnknown,
+		ReasonInvalidSpec,
 	)
 }
 
 
@@ -39,6 +39,16 @@ spec:
                 maxLength: 48
                 pattern: ^[a-z0-9]+(-[a-z0-9]+)*$
                 type: string
+              version:
+                description: "Version is an optional semver constraint on the package
+                  version. If not specified, the latest version available of the package
+                  will be installed. If specified, the specific version of the package
+                  will be installed so long as it is available in any of the content
+                  sources available. Examples: 1.2.3, 1.0.0-alpha, 1.0.0-rc.1 \n For
+                  more information on semver, please see https://semver.org/"
+                maxLength: 64
+                pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-(0|[1-9]\d*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9]\d*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*)?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$
+                type: string
             required:
             - packageName
             type: object
 
@@ -0,0 +1,75 @@
+package controllers_test
+
+import (
+	"context"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	operatorsv1alpha1 "github.com/operator-framework/operator-controller/api/v1alpha1"
+)
+
+func operator(spec operatorsv1alpha1.OperatorSpec) *operatorsv1alpha1.Operator {
+	return &operatorsv1alpha1.Operator{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-operator",
+		},
+		Spec: spec,
+	}
+}
+
+var _ = Describe("Operator Spec Validations", func() {
+	var (
+		ctx    context.Context
+		cancel context.CancelFunc
+	)
+	BeforeEach(func() {
+		ctx, cancel = context.WithCancel(context.Background())
+	})
+	AfterEach(func() {
+		cancel()
+	})
+	It("should fail if the spec is empty", func() {
+		err := cl.Create(ctx, operator(operatorsv1alpha1.OperatorSpec{}))
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("spec.packageName in body should match '^[a-z0-9]+(-[a-z0-9]+)*$'"))
+	})
+	It("should fail if package name length is greater than 48 characters", func() {
+		err := cl.Create(ctx, operator(operatorsv1alpha1.OperatorSpec{
+			PackageName: "this-is-a-really-long-package-name-that-is-greater-than-48-characters",
+		}))
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("Too long: may not be longer than 48"))
+	})
+	It("should fail if version is valid semver but length is greater than 64 characters", func() {
+		err := cl.Create(ctx, operator(operatorsv1alpha1.OperatorSpec{
+			PackageName: "package",
+			Version:     "1234567890.1234567890.12345678901234567890123456789012345678901234",
+		}))
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(ContainSubstring("Too long: may not be longer than 64"))
+	})
+	It("should fail if an invalid semver is given", func() {
+		invalidSemvers := []string{
+			"1.2.3.4",
+			"1.02.3",
+			"1.2.03",
+			"1.2.3-beta!",
+			"1.2.3.alpha",
+			"1..2.3",
+			"1.2.3-pre+bad_metadata",
+			"1.2.-3",
+			".1.2.3",
+		}
+		for _, invalidSemver := range invalidSemvers {
+			err := cl.Create(ctx, operator(operatorsv1alpha1.OperatorSpec{
+				PackageName: "package",
+				Version:     invalidSemver,
+			}))
+
+			Expect(err).To(HaveOccurred(), "expected error for invalid semver %q", invalidSemver)
+			Expect(err.Error()).To(ContainSubstring("spec.version in body should match '^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(-(0|[1-9]\\d*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\\.(0|[1-9]\\d*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*)?(\\+([0-9a-zA-Z-]+(\\.[0-9a-zA-Z-]+)*))?$'"))
+		}
+	})
+})
@@ -34,6 +34,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
+	"github.com/operator-framework/operator-controller/controllers/validators"
+
 	operatorsv1alpha1 "github.com/operator-framework/operator-controller/api/v1alpha1"
 	"github.com/operator-framework/operator-controller/internal/resolution"
 	"github.com/operator-framework/operator-controller/internal/resolution/variable_sources/bundles_and_dependencies"
@@ -108,6 +110,18 @@ func checkForUnexpectedFieldChange(a, b operatorsv1alpha1.Operator) bool {
 
 // Helper function to do the actual reconcile
 func (r *OperatorReconciler) reconcile(ctx context.Context, op *operatorsv1alpha1.Operator) (ctrl.Result, error) {
+	// validate spec
+	if err := validators.ValidateOperatorSpec(op); err != nil {
+		apimeta.SetStatusCondition(&op.Status.Conditions, metav1.Condition{
+			Type:               operatorsv1alpha1.TypeReady,
+			Status:             metav1.ConditionFalse,
+			Reason:             operatorsv1alpha1.ReasonInvalidSpec,
+			Message:            err.Error(),
+			ObservedGeneration: op.GetGeneration(),
+		})
+		return ctrl.Result{}, nil
+	}
+
 	// run resolution
 	solution, err := r.Resolver.Resolve(ctx)
 	if err != nil {
 
@@ -16,6 +16,7 @@ import (
 	"k8s.io/utils/pointer"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	operatorsv1alpha1 "github.com/operator-framework/operator-controller/api/v1alpha1"
 	"github.com/operator-framework/operator-controller/controllers"
@@ -80,6 +81,38 @@ var _ = Describe("Operator Controller Test", func() {
 				Expect(cond.Message).To(Equal(fmt.Sprintf("package '%s' not found", pkgName)))
 			})
 		})
+		When("the operator specifies a version that does not exist", func() {
+			var pkgName string
+			BeforeEach(func() {
+				By("initializing cluster state")
+				pkgName = fmt.Sprintf("exists-%s", rand.String(6))
+				operator = &operatorsv1alpha1.Operator{
+					ObjectMeta: metav1.ObjectMeta{Name: opKey.Name},
+					Spec: operatorsv1alpha1.OperatorSpec{
+						PackageName: pkgName,
+						Version:     "0.50.0", // this version of the package does not exist
+					},
+				}
+				err := cl.Create(ctx, operator)
+				Expect(err).NotTo(HaveOccurred())
+			})
+			It("sets resolution failure status", func() {
+				By("running reconcile")
+				res, err := reconciler.Reconcile(ctx, ctrl.Request{NamespacedName: opKey})
+				Expect(res).To(Equal(ctrl.Result{}))
+				Expect(err).To(MatchError(fmt.Sprintf("package '%s' at version '0.50.0' not found", pkgName)))
+
+				By("fetching updated operator after reconcile")
+				Expect(cl.Get(ctx, opKey, operator)).NotTo(HaveOccurred())
+
+				By("checking the expected conditions")
+				cond := apimeta.FindStatusCondition(operator.Status.Conditions, operatorsv1alpha1.TypeReady)
+				Expect(cond).NotTo(BeNil())
+				Expect(cond.Status).To(Equal(metav1.ConditionFalse))
+				Expect(cond.Reason).To(Equal(operatorsv1alpha1.ReasonResolutionFailed))
+				Expect(cond.Message).To(Equal(fmt.Sprintf("package '%s' at version '0.50.0' not found", pkgName)))
+			})
+		})
 		When("the operator specifies a valid available package", func() {
 			const pkgName = "prometheus"
 			BeforeEach(func() {
@@ -568,6 +601,54 @@ var _ = Describe("Operator Controller Test", func() {
 			Expect(err).To(Not(HaveOccurred()))
 		})
 	})
+	When("an invalid semver is provided that bypasses the regex validation", func() {
+		var (
+			operator   *operatorsv1alpha1.Operator
+			opKey      types.NamespacedName
+			pkgName    string
+			fakeClient client.Client
+		)
+		BeforeEach(func() {
+			opKey = types.NamespacedName{Name: fmt.Sprintf("operator-validation-test-%s", rand.String(8))}
+
+			By("injecting creating a client with the bad operator CR")
+			pkgName = fmt.Sprintf("exists-%s", rand.String(6))
+			operator = &operatorsv1alpha1.Operator{
+				ObjectMeta: metav1.ObjectMeta{Name: opKey.Name},
+				Spec: operatorsv1alpha1.OperatorSpec{
+					PackageName: pkgName,
+					Version:     "1.2.3-123abc_def", // bad semver that matches the regex on the CR validation
+				},
+			}
+
+			// this bypasses client/server-side CR validation and allows us to test the reconciler's validation
+			fakeClient = fake.NewClientBuilder().WithScheme(sch).WithObjects(operator).Build()
+
+			By("changing the reconciler client to the fake client")
+			reconciler.Client = fakeClient
+		})
+		AfterEach(func() {
+			By("changing the reconciler client back to the real client")
+			reconciler.Client = cl
+		})
+
+		It("should add an invalid spec condition and *not* re-enqueue for reconciliation", func() {
+			By("running reconcile")
+			res, err := reconciler.Reconcile(ctx, ctrl.Request{NamespacedName: opKey})
+			Expect(res).To(Equal(ctrl.Result{}))
+			Expect(err).ToNot(HaveOccurred())
+
+			By("fetching updated operator after reconcile")
+			Expect(fakeClient.Get(ctx, opKey, operator)).NotTo(HaveOccurred())
+
+			By("checking the expected conditions")
+			cond := apimeta.FindStatusCondition(operator.Status.Conditions, operatorsv1alpha1.TypeReady)
+			Expect(cond).NotTo(BeNil())
+			Expect(cond.Status).To(Equal(metav1.ConditionFalse))
+			Expect(cond.Reason).To(Equal(operatorsv1alpha1.ReasonInvalidSpec))
+			Expect(cond.Message).To(Equal("invalid .spec.version: Invalid character(s) found in prerelease \"123abc_def\""))
+		})
+	})
 })
 
 func verifyInvariants(ctx context.Context, op *operatorsv1alpha1.Operator) {
 
@@ -0,0 +1,43 @@
+package validators
+
+import (
+	"fmt"
+
+	"github.com/blang/semver/v4"
+
+	operatorsv1alpha1 "github.com/operator-framework/operator-controller/api/v1alpha1"
+)
+
+type operatorCRValidatorFunc func(operator *operatorsv1alpha1.Operator) error
+
+// validateSemver validates that the operator's version is a valid SemVer.
+// this validation should already be happening at the CRD level. But, it depends
+// on a regex that could possibly fail to validate a valid SemVer. This is added as an
+// extra measure to ensure a valid spec before the CR is processed for resolution
+func validateSemver(operator *operatorsv1alpha1.Operator) error {
+	if operator.Spec.Version == "" {
+		return nil
+	}
+	if _, err := semver.Parse(operator.Spec.Version); err != nil {
+		return fmt.Errorf("invalid .spec.version: %w", err)
+	}
+	return nil
+}
+
+// ValidateOperatorSpec validates the operator spec, e.g. ensuring that .spec.version, if provided, is a valid SemVer
+func ValidateOperatorSpec(operator *operatorsv1alpha1.Operator) error {
+	validators := []operatorCRValidatorFunc{
+		validateSemver,
+	}
+
+	// TODO: currently we only have a single validator, but more will likely be added in the future
+	//  we need to make a decision on whether we want to run all validators or stop at the first error. If the the former,
+	//  we should consider how to present this to the user in a way that is easy to understand and fix.
+	//  this issue is tracked here: https://github.com/operator-framework/operator-controller/issues/167
+	for _, validator := range validators {
+		if err := validator(operator); err != nil {
+			return err
+		}
+	}
+	return nil
+}
@@ -0,0 +1,13 @@
+package validators
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestValidators(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Validators Suite")
+}
@@ -0,0 +1,63 @@
+package validators_test
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/operator-framework/operator-controller/api/v1alpha1"
+	"github.com/operator-framework/operator-controller/controllers/validators"
+)
+
+var _ = Describe("Validators", func() {
+	Describe("ValidateOperatorSpec", func() {
+		It("should not return an error for valid SemVer", func() {
+			operator := &v1alpha1.Operator{
+				Spec: v1alpha1.OperatorSpec{
+					Version: "1.2.3",
+				},
+			}
+			err := validators.ValidateOperatorSpec(operator)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should return an error for invalid SemVer", func() {
+			operator := &v1alpha1.Operator{
+				Spec: v1alpha1.OperatorSpec{
+					Version: "invalid-semver",
+				},
+			}
+			err := validators.ValidateOperatorSpec(operator)
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("should not return an error for empty SemVer", func() {
+			operator := &v1alpha1.Operator{
+				Spec: v1alpha1.OperatorSpec{
+					Version: "",
+				},
+			}
+			err := validators.ValidateOperatorSpec(operator)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should not return an error for valid SemVer with pre-release and metadata", func() {
+			operator := &v1alpha1.Operator{
+				Spec: v1alpha1.OperatorSpec{
+					Version: "1.2.3-alpha.1+metadata",
+				},
+			}
+			err := validators.ValidateOperatorSpec(operator)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should not return an error for valid SemVer with pre-release", func() {
+			operator := &v1alpha1.Operator{
+				Spec: v1alpha1.OperatorSpec{
+					Version: "1.2.3-alpha-beta",
+				},
+			}
+			err := validators.ValidateOperatorSpec(operator)
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+})
@@ -10,6 +10,7 @@ require (
 	github.com/operator-framework/deppy v0.0.0-20230125110717-dc02e928470f
 	github.com/operator-framework/operator-registry v1.26.2
 	github.com/operator-framework/rukpak v0.11.0
+	go.uber.org/zap v1.21.0
 	golang.org/x/net v0.0.0-20220722155237-a158d28d115b
 	google.golang.org/grpc v1.47.0
 	k8s.io/api v0.25.0
@@ -70,7 +71,6 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	go.uber.org/zap v1.21.0 // indirect
 	golang.org/x/crypto v0.0.0-20220408190544-5352b0902921 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect