As we allow external images set in the SonataFlow resource introduced by KOGITO-9265, we must guarantee that the informed image is valid.

This means that the .spec.flow definition must match with the workflow definition in the image. Without it, theoretically, a user could define a "hello world" workflow in the .spec.flow and a highly complex one in the image itself.

Having a conciliation between the flow and the one served by the image is important for the operator to configure correctly the deployment in the topology.

The operator won't deploy a SonataFlow instance if the given image integrity doesn't match the definition. Preferably, the operator should do static analysis in the image.

Workarounds

If use our tooling to generate CRs, this won't be a problem since we can control every aspect of the deployment, but won't prohibit one from changing the flow as they please.