feat: linodecluster: add validating admission webhook on create (#320)

* feat: linodecluster: kubebuilder create webhook

Scaffold a validating admission webhook for the LinodeCluster resource
with Kubebuider via the command:
kubebuilder create webhook --group infrastructure --version v1alpha1 --kind LinodeCluster --programmatic-validation

* fixup! feat: linodecluster: kubebuilder create webhook

* api: linodecluster: add create validation

* fixup! add spec for LinodeCluster

Author: cbzzz

PROJECT

@@ -17,6 +17,9 @@ resources:
   kind: LinodeCluster
   path: github.com/linode/cluster-api-provider-linode/api/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 - api:
     crdVersion: v1
     namespaced: true

api/v1alpha1/linodecluster_types.go

@@ -26,6 +26,7 @@ import (
 // LinodeClusterSpec defines the desired state of LinodeCluster
 type LinodeClusterSpec struct {
 	// The Linode Region the LinodeCluster lives in.
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	Region string `json:"region"`
 
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the LinodeCluster control plane.

api/v1alpha1/linodecluster_webhook.go

@@ -0,0 +1,102 @@
+/*
+Copyright 2023 Akamai Technologies, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"slices"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	. "github.com/linode/cluster-api-provider-linode/clients"
+)
+
+// log is for logging in this package.
+var linodeclusterlog = logf.Log.WithName("linodecluster-resource")
+
+// SetupWebhookWithManager will setup the manager to manage the webhooks
+func (r *LinodeCluster) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable updation and deletion validation.
+//+kubebuilder:webhook:path=/validate-infrastructure-cluster-x-k8s-io-v1alpha1-linodecluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=infrastructure.cluster.x-k8s.io,resources=linodeclusters,verbs=create,versions=v1alpha1,name=vlinodecluster.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &LinodeCluster{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *LinodeCluster) ValidateCreate() (admission.Warnings, error) {
+	linodeclusterlog.Info("validate create", "name", r.Name)
+
+	ctx, cancel := context.WithTimeout(context.Background(), defaultWebhookTimeout)
+	defer cancel()
+
+	return nil, r.validateLinodeCluster(ctx, &defaultLinodeClient)
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *LinodeCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+	linodeclusterlog.Info("validate update", "name", r.Name)
+
+	// TODO(user): fill in your validation logic upon object update.
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *LinodeCluster) ValidateDelete() (admission.Warnings, error) {
+	linodeclusterlog.Info("validate delete", "name", r.Name)
+
+	// TODO(user): fill in your validation logic upon object deletion.
+	return nil, nil
+}
+
+func (r *LinodeCluster) validateLinodeCluster(ctx context.Context, client LinodeClient) error {
+	var errs field.ErrorList
+
+	if err := r.validateLinodeClusterSpec(ctx, client); err != nil {
+		errs = slices.Concat(errs, err)
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(
+		schema.GroupKind{Group: "infrastructure.cluster.x-k8s.io", Kind: "LinodeCluster"},
+		r.Name, errs)
+}
+
+func (r *LinodeCluster) validateLinodeClusterSpec(ctx context.Context, client LinodeClient) field.ErrorList {
+	var errs field.ErrorList
+
+	if err := validateRegion(ctx, client, r.Spec.Region, field.NewPath("spec").Child("region")); err != nil {
+		errs = append(errs, err)
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+	return errs
+}

api/v1alpha1/linodecluster_webhook_test.go

@@ -0,0 +1,68 @@
+/*
+Copyright 2023 Akamai Technologies, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"go.uber.org/mock/gomock"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/linode/cluster-api-provider-linode/mock"
+
+	. "github.com/linode/cluster-api-provider-linode/mock/mocktest"
+)
+
+func TestValidateLinodeCluster(t *testing.T) {
+	t.Parallel()
+
+	var (
+		cluster = LinodeCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "example",
+				Namespace: "example",
+			},
+			Spec: LinodeClusterSpec{
+				Region: "example",
+			},
+		}
+	)
+
+	NewSuite(t, mock.MockLinodeClient{}).Run(
+		OneOf(
+			Path(
+				Call("valid", func(ctx context.Context, mck Mock) {
+					mck.LinodeClient.EXPECT().GetRegion(gomock.Any(), gomock.Any()).Return(nil, nil).AnyTimes()
+				}),
+				Result("success", func(ctx context.Context, mck Mock) {
+					assert.NoError(t, cluster.validateLinodeCluster(ctx, mck.LinodeClient))
+				}),
+			),
+		),
+		OneOf(
+			Path(Call("invalid region", func(ctx context.Context, mck Mock) {
+				mck.LinodeClient.EXPECT().GetRegion(gomock.Any(), gomock.Any()).Return(nil, errors.New("invalid region")).AnyTimes()
+			})),
+		),
+		Result("error", func(ctx context.Context, mck Mock) {
+			assert.Error(t, cluster.validateLinodeCluster(ctx, mck.LinodeClient))
+		}),
+	)
+}

api/v1alpha1/webhook_suite_test.go

@@ -114,6 +114,9 @@ var _ = BeforeSuite(func() {
 	})
 	Expect(err).NotTo(HaveOccurred())
 
+	err = (&LinodeCluster{}).SetupWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
 	err = (&LinodeMachine{}).SetupWebhookWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 

cmd/main.go

@@ -150,6 +150,10 @@ func main() {
 		os.Exit(1)
 	}
 	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+		if err = (&infrastructurev1alpha1.LinodeCluster{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "LinodeCluster")
+			os.Exit(1)
+		}
 		if err = (&infrastructurev1alpha1.LinodeMachine{}).SetupWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "LinodeMachine")
 			os.Exit(1)

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeclusters.yaml

@@ -116,6 +116,9 @@ spec:
               region:
                 description: The Linode Region the LinodeCluster lives in.
                 type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
               vpcRef:
                 description: |-
                   ObjectReference contains enough information to let you inspect or modify the referred object.

config/crd/bases/infrastructure.cluster.x-k8s.io_linodeclustertemplates.yaml

@@ -110,6 +110,9 @@ spec:
                       region:
                         description: The Linode Region the LinodeCluster lives in.
                         type: string
+                        x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                       vpcRef:
                         description: |-
                           ObjectReference contains enough information to let you inspect or modify the referred object.

config/crd/kustomization.yaml

@@ -21,7 +21,7 @@ resources:
 patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-#- path: patches/webhook_in_linodeclusters.yaml
+- path: patches/webhook_in_linodeclusters.yaml
 - path: patches/webhook_in_linodemachines.yaml
 #- path: patches/webhook_in_linodemachinetemplates.yaml
 #- path: patches/webhook_in_linodeclustertemplates.yaml
@@ -30,7 +30,7 @@ patches:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_linodeclusters.yaml
+- path: patches/cainjection_in_linodeclusters.yaml
 - path: patches/cainjection_in_linodemachines.yaml
 #- path: patches/cainjection_in_linodemachinetemplates.yaml
 #- path: patches/cainjection_in_linodeclustertemplates.yaml

config/webhook/manifests.yaml

@@ -4,6 +4,25 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-infrastructure-cluster-x-k8s-io-v1alpha1-linodecluster
+  failurePolicy: Fail
+  name: vlinodecluster.kb.io
+  rules:
+  - apiGroups:
+    - infrastructure.cluster.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    resources:
+    - linodeclusters
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig: