feat: support bigip object verification in ingressLink and tlsProfile

Author: charanm08

pkg/bigiphandler/bigiphandler.go

@@ -122,6 +122,7 @@ type BigIPHandlerInterface interface {
 	GetHTMLProfile(name string) (any, error)
 	GetFTPProfile(name string) (any, error)
 	GetHTTPCompressionProfile(name string) (any, error)
+	GetMonitor(name string) (*bigip.Monitor, error)
 	// Add more methods as needed for other BIG-IP resources
 }
 
@@ -555,6 +556,7 @@ func (handler *BigIPHandler) GetMonitor(name string) (*bigip.Monitor, error) {
 			default:
 				monitor, err := handler.Bigip.GetMonitor(name, mType)
 				if err == nil {
+					log.Debugf("Found monitor %s of type %s,monitor: %v", name, mType, monitor)
 					// Found a valid monitor, send result and cancel others
 					resultCh <- result{monitor, nil}
 					cancel()

pkg/bigiphandler/bigiphandler_test.go

@@ -296,6 +296,11 @@ type MockBigIPClientForPersistence struct {
 	errorMsg          string
 }
 
+func (m *MockBigIPClientForPersistence) GetMonitor(name string, parent string) (*bigip.Monitor, error) {
+	//TODO implement me
+	return nil, nil
+}
+
 func NewMockBigIPClientForPersistence(successfulProfile string, shouldError bool, errorMsg string) *MockBigIPClientForPersistence {
 	return &MockBigIPClientForPersistence{
 		successfulProfile: successfulProfile,
@@ -417,6 +422,10 @@ func (m *MockBigIPClientForPersistence) GetAnalyticsProfile(name string) (*bigip
 	return &bigip.AnalyticsProfile{Name: name}, nil
 }
 
+func (m *MockBigIPClient) GetMonitor(name, parent string) (*bigip.Monitor, error) {
+	return &bigip.Monitor{Name: name}, nil
+}
+
 // Persistence profile methods that control the test behavior
 func (m *MockBigIPClientForPersistence) GetCookiePersistenceProfile(name string) (*bigip.CookiePersistenceProfile, error) {
 	if m.successfulProfile == "cookie" && !m.shouldError {

pkg/controller/controller_suit_test.go

@@ -54,6 +54,10 @@ type (
 	}
 )
 
+func (m *mockBigIPHandler) GetMonitor(name string) (*bigip.Monitor, error) {
+	return nil, nil
+}
+
 func newMockController() *mockController {
 	return &mockController{
 		Controller: &Controller{

pkg/controller/informers.go

@@ -962,7 +962,7 @@ func (ctlr *Controller) enqueueTLSProfile(obj interface{}, event string) {
 		tlsKey := tls.ObjectMeta.Namespace + "/" + tls.ObjectMeta.Name
 		valid, errMsg := ctlr.checkValidTLSProfile(tls)
 		if !valid {
-			log.Errorf("IngressLink %s is not valid: %s", tlsKey, errMsg)
+			log.Errorf("TLSProfile %s is not valid: %s", tlsKey, errMsg)
 			ctlr.updateTLSProfileStatus(tls, StatusError, errors.New(errMsg))
 			return
 		}

pkg/controller/resourceConfig.go

@@ -1746,36 +1746,37 @@ func (ctlr *Controller) handleVirtualServerTLS(
 
 // validate TLSProfile
 // validation includes valid parameters for the type of termination(edge, re-encrypt and Pass-through)
-func validateTLSProfile(tls *cisapiv1.TLSProfile) bool {
+func validateTLSProfile(tls *cisapiv1.TLSProfile) (bool, error) {
 	// validation for re-encrypt termination
+	var err error
 	if tls.Spec.TLS.Termination == "reencrypt" {
 		// Should contain both client and server SSL profiles
 		if (tls.Spec.TLS.ClientSSL == "" || tls.Spec.TLS.ServerSSL == "") && (len(tls.Spec.TLS.ClientSSLs) == 0 || len(tls.Spec.TLS.ServerSSLs) == 0) {
-			log.Errorf("TLSProfile %s of type re-encrypt termination should contain both "+
+			err = fmt.Errorf("TLSProfile %s of type re-encrypt termination should contain both "+
 				"ClientSSLs and ServerSSLs", tls.ObjectMeta.Name)
-			return false
+			return false, err
 		}
 	} else if tls.Spec.TLS.Termination == "edge" {
 		// Should contain only client SSL
 		if tls.Spec.TLS.ClientSSL == "" && len(tls.Spec.TLS.ClientSSLs) == 0 {
-			log.Errorf("TLSProfile %s of type edge termination should contain ClientSSLs",
+			err = fmt.Errorf("TLSProfile %s of type edge termination should contain ClientSSLs",
 				tls.ObjectMeta.Name)
-			return false
+			return false, err
 		}
 		if tls.Spec.TLS.ServerSSL != "" || len(tls.Spec.TLS.ServerSSLs) != 0 {
-			log.Errorf("TLSProfile %s of type edge termination should NOT contain ServerSSLs",
+			err = fmt.Errorf("TLSProfile %s of type edge termination should NOT contain ServerSSLs",
 				tls.ObjectMeta.Name)
-			return false
+			return false, err
 		}
 	} else {
 		// Pass-through
 		if (tls.Spec.TLS.ClientSSL != "") || (tls.Spec.TLS.ServerSSL != "") || len(tls.Spec.TLS.ClientSSLs) != 0 || len(tls.Spec.TLS.ServerSSLs) != 0 {
-			log.Errorf("TLSProfile %s of type Pass-through termination should NOT contain either "+
+			err = fmt.Errorf("TLSProfile %s of type Pass-through termination should NOT contain either "+
 				"ClientSSLs or ServerSSLs", tls.ObjectMeta.Name)
-			return false
+			return false, err
 		}
 	}
-	return true
+	return true, nil
 }
 
 // ConvertStringToProfileRef converts strings to profile references

pkg/controller/resourceConfig_test.go

@@ -1017,31 +1017,31 @@ var _ = Describe("Resource Config Tests", func() {
 			},
 		)
 
-		ok := validateTLSProfile(tlsRenc)
+		ok, _ := validateTLSProfile(tlsRenc)
 		Expect(ok).To(BeTrue(), "TLS Re-encryption Validation Failed")
 
-		ok = validateTLSProfile(tlsEdge)
+		ok, _ = validateTLSProfile(tlsEdge)
 		Expect(ok).To(BeTrue(), "TLS Edge Validation Failed")
 
-		ok = validateTLSProfile(tlsPst)
+		ok, _ = validateTLSProfile(tlsPst)
 		Expect(ok).To(BeTrue(), "TLS Passthrough Validation Failed")
 
 		// Negative cases
 		tlsPst.Spec.TLS.Termination = TLSEdge
 		tlsEdge.Spec.TLS.Termination = TLSReencrypt
 		tlsRenc.Spec.TLS.Termination = TLSPassthrough
 
-		ok = validateTLSProfile(tlsRenc)
+		ok, _ = validateTLSProfile(tlsRenc)
 		Expect(ok).To(BeFalse(), "TLS Re-encryption Validation Failed")
 
-		ok = validateTLSProfile(tlsEdge)
+		ok, _ = validateTLSProfile(tlsEdge)
 		Expect(ok).To(BeFalse(), "TLS Edge Validation Failed")
 
-		ok = validateTLSProfile(tlsPst)
+		ok, _ = validateTLSProfile(tlsPst)
 		Expect(ok).To(BeFalse(), "TLS Passthrough Validation Failed")
 
 		tlsRenc.Spec.TLS.Termination = TLSEdge
-		ok = validateTLSProfile(tlsRenc)
+		ok, _ = validateTLSProfile(tlsRenc)
 		Expect(ok).To(BeFalse(), "TLS Edge Validation Failed")
 	})
 
@@ -1095,34 +1095,34 @@ var _ = Describe("Resource Config Tests", func() {
 			},
 		)
 
-		ok := validateTLSProfile(tlsRenc)
+		ok, _ := validateTLSProfile(tlsRenc)
 		Expect(ok).To(BeTrue(), "TLS Re-encryption Validation Failed")
 
-		ok = validateTLSProfile(tlsRencComb)
+		ok, _ = validateTLSProfile(tlsRencComb)
 		Expect(ok).To(BeFalse(), "TLS Re-encryption Validation Failed")
 
-		ok = validateTLSProfile(tlsEdge)
+		ok, _ = validateTLSProfile(tlsEdge)
 		Expect(ok).To(BeTrue(), "TLS Edge Validation Failed")
 
-		ok = validateTLSProfile(tlsPst)
+		ok, _ = validateTLSProfile(tlsPst)
 		Expect(ok).To(BeTrue(), "TLS Passthrough Validation Failed")
 
 		// Negative cases
 		tlsPst.Spec.TLS.Termination = TLSEdge
 		tlsEdge.Spec.TLS.Termination = TLSReencrypt
 		tlsRenc.Spec.TLS.Termination = TLSPassthrough
 
-		ok = validateTLSProfile(tlsRenc)
+		ok, _ = validateTLSProfile(tlsRenc)
 		Expect(ok).To(BeFalse(), "TLS Re-encryption Validation Failed")
 
-		ok = validateTLSProfile(tlsEdge)
+		ok, _ = validateTLSProfile(tlsEdge)
 		Expect(ok).To(BeFalse(), "TLS Edge Validation Failed")
 
-		ok = validateTLSProfile(tlsPst)
+		ok, _ = validateTLSProfile(tlsPst)
 		Expect(ok).To(BeFalse(), "TLS Passthrough Validation Failed")
 
 		tlsRenc.Spec.TLS.Termination = TLSEdge
-		ok = validateTLSProfile(tlsRenc)
+		ok, _ = validateTLSProfile(tlsRenc)
 		Expect(ok).To(BeFalse(), "TLS Edge Validation Failed")
 	})
 

pkg/controller/validate.go

@@ -111,7 +111,16 @@ func (ctlr *Controller) validateResource(req *admissionv1.AdmissionRequest) *adm
 		}
 		allowed, errMsg = ctlr.checkValidIngressLink(il)
 	case TLSProfile:
-		allowed = true
+		tlsProf := &cisapiv1.TLSProfile{}
+		if _, _, err := deserializer.Decode(req.Object.Raw, nil, tlsProf); err != nil {
+			return &admissionv1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Message: fmt.Sprintf("could not decode object: %v", err),
+				},
+			}
+		}
+		allowed, errMsg = ctlr.checkValidTLSProfile(tlsProf)
 
 	case CustomPolicy:
 		pl := &cisapiv1.Policy{}
@@ -536,7 +545,7 @@ func (ctlr *Controller) checkValidIngressLink(
 
 	// Validate monitors
 	for _, monitor := range il.Spec.Monitors {
-		if monitor.Type != BIGIP {
+		if monitor.Reference != BIGIP {
 			continue
 		}
 		wg.Add(1)
@@ -566,6 +575,11 @@ func (ctlr *Controller) checkValidIngressLink(
 }
 
 func (ctlr *Controller) checkValidTLSProfile(tlsProfile *cisapiv1.TLSProfile) (bool, string) {
+	isValid, err := validateTLSProfile(tlsProfile)
+	if !isValid {
+		return false, err.Error()
+	}
+
 	if tlsProfile.Spec.TLS.Reference == Secret {
 		return true, ""
 	}

pkg/controller/worker.go

@@ -1250,7 +1250,7 @@ func (ctlr *Controller) getTLSProfileForVirtualServer(vs *cisapiv1.VirtualServer
 	}
 
 	// validate TLSProfile
-	validation := validateTLSProfile(tlsProfile)
+	validation, _ := validateTLSProfile(tlsProfile)
 	if validation == false {
 		return nil
 	}