Adding validation for nfspvc(webhook and CRD validation)

PROJECT

@@ -17,4 +17,7 @@ resources:
   kind: NfsPvc
   path: github.com/dana-team/nfspvc-operator/api/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

api/v1alpha1/nfspvc_types.go

@@ -29,8 +29,10 @@ type NfsPvcSpec struct {
 	// capacity is the description of the persistent volume's resources and capacity.
 	Capacity corev1.ResourceList `json:"capacity" protobuf:"bytes,1,rep,name=capacity,casttype=ResourceList,castkey=ResourceName"`
 	// path that is exported by the NFS server.
+	// +kubebuilder:validation:Pattern="^/"
 	Path string `json:"path" protobuf:"bytes,2,opt,name=path"`
 	// server is the hostname or IP address of the NFS server.
+	// +kubebuilder:validation:MinLength=1
 	Server string `json:"server" protobuf:"bytes,1,opt,name=server"`
 }
 

api/v1alpha1/nfspvc_webhook.go

@@ -0,0 +1,132 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/sets"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+var c client.Client
+
+const (
+	UpdateNfsPvcError      = "forbidden: NFSPVC spec is immutable after creation"
+	PVCAlreadyExists       = "a PVC of this name already exists in the namespace. Please rename your NFSPVC"
+	InvalidAccessModeError = "forbidden: only the following AccessModes are permitted"
+)
+
+var supportedAccessModes = sets.New(
+	corev1.ReadWriteOnce,
+	corev1.ReadOnlyMany,
+	corev1.ReadWriteMany,
+	corev1.ReadWriteOncePod,
+)
+
+// log is for logging in this package.
+var nfspvclog = logf.Log.WithName("nfspvc-resource")
+
+func (r *NfsPvc) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	c = mgr.GetClient()
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//+kubebuilder:webhook:path=/validate-nfspvc-dana-io-v1alpha1-nfspvc,mutating=false,failurePolicy=fail,sideEffects=None,groups=nfspvc.dana.io,resources=nfspvcs,verbs=create;update,versions=v1alpha1,name=vnfspvc.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &NfsPvc{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *NfsPvc) ValidateCreate() (admission.Warnings, error) {
+	nfspvclog.Info("validate create", "name", r.Name)
+
+	if r.doesPVCExist(c) {
+		return admission.Warnings{PVCAlreadyExists}, fmt.Errorf(PVCAlreadyExists)
+	}
+
+	if !r.validateAccessMode(r.Spec.AccessModes) {
+		return admission.Warnings{InvalidAccessModeError}, fmt.Errorf(InvalidAccessModeError+": %v", supportedAccessModes)
+	}
+
+	return nil, nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *NfsPvc) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
+	nfspvclog.Info("validate update", "name", r.Name)
+
+	if updated := r.isRestrictedFieldUpdated(old.(*NfsPvc)); updated {
+		return admission.Warnings{UpdateNfsPvcError}, fmt.Errorf(UpdateNfsPvcError)
+	}
+
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *NfsPvc) ValidateDelete() (admission.Warnings, error) {
+	nfspvclog.Info("validate delete", "name", r.Name)
+
+	return nil, nil
+}
+
+func (r *NfsPvc) isRestrictedFieldUpdated(old *NfsPvc) bool {
+	// modifying these fields is forbidden.
+	if !reflect.DeepEqual(r.Spec.Server, old.Spec.Server) {
+		return true
+	}
+	if !reflect.DeepEqual(r.Spec.Path, old.Spec.Path) {
+		return true
+	}
+	if !reflect.DeepEqual(r.Spec.AccessModes, old.Spec.AccessModes) {
+		return true
+	}
+	if !reflect.DeepEqual(r.Spec.Capacity, old.Spec.Capacity) {
+		return true
+	}
+	return false
+}
+
+func (r *NfsPvc) validateAccessMode(accessMode []corev1.PersistentVolumeAccessMode) bool {
+	for _, mode := range accessMode {
+		if !supportedAccessModes.Has(mode) {
+			return false
+		}
+	}
+	return true
+}
+
+func (r *NfsPvc) doesPVCExist(K8sClient client.Client) bool {
+	pvc := corev1.PersistentVolumeClaim{}
+	if err := K8sClient.Get(context.Background(), types.NamespacedName{Namespace: r.Namespace, Name: r.Name}, &pvc); err != nil {
+		if errors.IsNotFound(err) {
+			return false
+		}
+	}
+	return true
+}

cmd/main.go

@@ -24,9 +24,6 @@ import (
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
-	nfspvcv1alpha1 "github.com/dana-team/nfspvc-operator/api/v1alpha1"
-	"github.com/dana-team/nfspvc-operator/internal/controller"
-	utils "github.com/dana-team/nfspvc-operator/internal/controller/utils"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -35,6 +32,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	nfspvcv1alpha1 "github.com/dana-team/nfspvc-operator/api/v1alpha1"
+	"github.com/dana-team/nfspvc-operator/internal/controller"
+	utils "github.com/dana-team/nfspvc-operator/internal/controller/utils"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -95,6 +96,10 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "NfsPvc")
 		os.Exit(1)
 	}
+	if err = (&nfspvcv1alpha1.NfsPvc{}).SetupWebhookWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create webhook", "webhook", "NfsPvc")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

config/certmanager/certificate.yaml

@@ -0,0 +1,39 @@
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/name: certificate
+    app.kubernetes.io/instance: serving-cert
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: nfspvc-operator
+    app.kubernetes.io/part-of: nfspvc-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: selfsigned-issuer
+  namespace: system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: certificate
+    app.kubernetes.io/instance: serving-cert
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: nfspvc-operator
+    app.kubernetes.io/part-of: nfspvc-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
+  namespace: system
+spec:
+  # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize
+  dnsNames:
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc
+  - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize

config/certmanager/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+- certificate.yaml
+
+configurations:
+- kustomizeconfig.yaml

config/certmanager/kustomizeconfig.yaml

@@ -0,0 +1,8 @@
+# This configuration is for teaching kustomize how to update name ref substitution
+nameReference:
+- kind: Issuer
+  group: cert-manager.io
+  fieldSpecs:
+  - kind: Certificate
+    group: cert-manager.io
+    path: spec/issuerRef/name

config/crd/bases/nfspvc.dana.io_nfspvcs.yaml

@@ -52,9 +52,11 @@ spec:
                 type: object
               path:
                 description: path that is exported by the NFS server.
+                pattern: ^/
                 type: string
               server:
                 description: server is the hostname or IP address of the NFS server.
+                minLength: 1
                 type: string
             required:
             - accessModes

config/crd/kustomization.yaml

@@ -8,12 +8,12 @@ resources:
 patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-#- path: patches/webhook_in_nfspvcs.yaml
+- path: patches/webhook_in_nfspvcs.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-#- path: patches/cainjection_in_nfspvcs.yaml
+- path: patches/cainjection_in_nfspvcs.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.