chore: load and prep dp validator

[Frostman]

No description provided.

[Copilot]

Pull request overview

This PR adds support for loading and preparing a dataplane validator component implemented as a WebAssembly (WASM) module. The validator is downloaded from an OCI registry using credentials and CA certificates, compiled at startup, and passed to the Gateway webhook for validation purposes.

Changes:

• Added a new Validator type that manages WASM runtime and compiled module lifecycle
• Integrated validator loading into application startup with credentials and CA certificate mounting
• Updated Gateway webhook to accept and store the validator instance

Reviewed changes

Copilot reviewed 6 out of 462 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
pkg/ctrl/validator.go	Implements the Validator type with methods to download WASM from OCI registry, compile it, and manage cleanup
pkg/ctrl/gateway_wh.go	Updates GatewayWebhook to accept and store a Validator instance
cmd/main.go	Initializes validator at startup with credentials and CA paths, passes it to webhook setup
config/manager/manager.yaml	Adds volume mounts for CA certificate and registry credentials
go.mod	Adds dependencies for wazero (WASM runtime) and oras-go (OCI registry client)
api/meta/config.go	Adds configuration fields for dataplane validator reference and tag

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The error variable err is being wrapped here, but it will always be nil at this point since it was only set on line 51 (the ReadFile call). If AppendCertsFromPEM fails, you should return a new error without wrapping, such as fmt.Errorf("failed to append CA cert to rootCAs\").

Suggested change

	return nil, fmt.Errorf("appending CA cert to rootCAs: %w", err)
	return nil, fmt.Errorf("failed to append CA cert %s to rootCAs", caPath)

[Copilot]

The Close method doesn't check if v.compiled or v.runtime are nil before attempting to close them. If NewValidator returns early (lines 34-38), these fields will be nil and calling Close will panic. Add nil checks before calling Close on these fields.

Suggested change

	if err := v.compiled.Close(ctx); err != nil {
	slog.Warn("Error closing compiled validator module", "err", err.Error())
	}
	if err := v.runtime.Close(ctx); err != nil {
	slog.Warn("Error closing validator runtime", "err", err.Error())
	}
	if v == nil {
	return
	}
	if v.compiled != nil {
	if err := v.compiled.Close(ctx); err != nil {
	slog.Warn("Error closing compiled validator module", "err", err.Error())
	}
	}
	if v.runtime != nil {
	if err := v.runtime.Close(ctx); err != nil {
	slog.Warn("Error closing validator runtime", "err", err.Error())
	}
	}

[Copilot]

The variable name close shadows the built-in close function. Consider renaming it to cancel which is the conventional name for context cancellation functions.

Suggested change

	ctx, close := context.WithTimeout(context.Background(), 5*time.Minute)
	defer close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
	defer cancel()

[Copilot]

The storeOpts variable is initialized with an empty struct and never modified. Consider using credentials.StoreOptions{} directly inline on line 45 to reduce unnecessary variable declaration.

Suggested change

	storeOpts := credentials.StoreOptions{}
	credStore, err := credentials.NewStore(credsPath, storeOpts)
	credStore, err := credentials.NewStore(credsPath, credentials.StoreOptions{})