Merge pull request #5 from PDOK/jd/wfs-admission

WFS validation

Author: jelledijkstra97

PROJECT

@@ -33,6 +33,7 @@ resources:
     conversion: true
     spoke:
     - v2beta1
+    validation: true
     webhookVersion: v1
 - api:
     crdVersion: v1

api/v3/wfs_types.go

@@ -86,13 +86,13 @@ type WFSService struct {
 	Title             string   `json:"title"`
 	Abstract          string   `json:"abstract"`
 	Keywords          []string `json:"keywords"`
-	Fees              *string  `json:"fees"`
+	Fees              *string  `json:"fees,omitempty"`
 	AccessConstraints string   `json:"accessConstraints"`
 	DefaultCrs        string   `json:"defaultCrs"`
 	OtherCrs          []string `json:"otherCrs,omitempty"`
-	Bbox              *Bbox    `json:"bbox"`
+	Bbox              *Bbox    `json:"bbox,omitempty"`
 	// CountDefault -> wfs_maxfeatures in mapfile
-	CountDefault *string       `json:"countDefault"`
+	CountDefault *string       `json:"countDefault,omitempty"`
 	FeatureTypes []FeatureType `json:"featureTypes"`
 }
 

api/v3/wfs_validation.go

@@ -0,0 +1,76 @@
+package v3
+
+import (
+	"fmt"
+	sharedValidation "github.com/pdok/smooth-operator/pkg/validation"
+	"strings"
+)
+
+func (wfs *WFS) ValidateCreate() ([]string, error) {
+	warnings := []string{}
+	reasons := []string{}
+
+	err := sharedValidation.ValidateLabelsOnCreate(wfs.Labels)
+	if err != nil {
+		reasons = append(reasons, fmt.Sprintf("%v", err))
+	}
+
+	validateWFS(wfs, &warnings, &reasons)
+
+	if len(reasons) > 0 {
+		return warnings, fmt.Errorf("%s", strings.Join(reasons, ". "))
+	} else {
+		return warnings, nil
+	}
+}
+
+func (wfs *WFS) ValidateUpdate(wfsOld *WFS) ([]string, error) {
+	warnings := []string{}
+	reasons := []string{}
+
+	// Check labels did not change
+	err := sharedValidation.ValidateLabelsOnUpdate(wfsOld.Labels, wfs.Labels)
+	if err != nil {
+		reasons = append(reasons, fmt.Sprintf("%v", err))
+	}
+
+	// Check service.baseURL did not change
+	if wfs.Spec.Service.BaseURL != wfsOld.Spec.Service.BaseURL {
+		reasons = append(reasons, fmt.Sprintf("service.baseURL is immutable"))
+	}
+
+	if (wfs.Spec.Service.Inspire == nil && wfsOld.Spec.Service.Inspire != nil) || (wfs.Spec.Service.Inspire != nil && wfsOld.Spec.Service.Inspire == nil) {
+		reasons = append(reasons, fmt.Sprintf("services cannot change from inspire to not inspire or the other way around"))
+	}
+
+	validateWFS(wfs, &warnings, &reasons)
+
+	if len(reasons) > 0 {
+		return warnings, fmt.Errorf("%s", strings.Join(reasons, ". "))
+	} else {
+		return warnings, nil
+	}
+}
+
+func validateWFS(wfs *WFS, warnings *[]string, reasons *[]string) {
+	if strings.Contains(wfs.GetName(), "wfs") {
+		*warnings = append(*warnings, sharedValidation.FormatValidationWarning("name should not contain wfs", wfs.GroupVersionKind(), wfs.GetName()))
+	}
+
+	service := wfs.Spec.Service
+
+	err := sharedValidation.ValidateBaseURL(service.BaseURL)
+	if err != nil {
+		*reasons = append(*reasons, fmt.Sprintf("%v", err))
+	}
+
+	if service.Mapfile == nil && service.DefaultCrs != "EPSG:28992" && service.Bbox == nil {
+		*reasons = append(*reasons, fmt.Sprintf("service.bbox.defaultCRS is required when service.defaultCRS is not 'EPSG:28992'"))
+	}
+
+	if service.Mapfile != nil {
+		if service.Bbox != nil {
+			*warnings = append(*warnings, sharedValidation.FormatValidationWarning("service.bbox is not used when service.mapfile is configured", wfs.GroupVersionKind(), wfs.GetName()))
+		}
+	}
+}

build-push-deploy-locally.sh

@@ -6,21 +6,31 @@ echo "Running: make generate"
 make generate
 
 echo ""
-echo "Running: build -t local-registry:5000/wfs-wms-operator:$TAG --build-context repos=./.. ."
-docker build -t "local-registry:5000/wfs-wms-operator:$TAG" --build-context repos=./.. .
+echo "Running: build -t local-registry:5000/mapserver-operator:$TAG --build-context repos=./.. ."
+docker build -t "local-registry:5000/mapserver-operator:$TAG" --build-context repos=./.. .
 
 echo ""
-echo "Running: push local-registry:5000/wfs-wms-operator:$TAG"
-docker push "local-registry:5000/wfs-wms-operator:$TAG"
+echo "Running: push local-registry:5000/mapserver-operator:$TAG"
+docker push "local-registry:5000/mapserver-operator:$TAG"
 
-echo ""
-echo "Installing cert-manager"
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
+if [[ $(kubectl get pod -l app=webhook -n cert-manager | grep "cert-manager") ]]; then
+  echo "Cert-manager already installed"
+else
+  echo ""
+  echo "Installing cert-manager"
+  kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
+fi
+
+echo "Waiting for cert-manager"
+while [[ $(kubectl get pod -l app=webhook -n cert-manager -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do
+  sleep 1
+done
+echo "Cert-manager ready"
 
 echo ""
 echo "Running: make install"
 make install
 
 echo ""
-echo "Running: deploy IMG=local-registry:5000/wfs-wms-operator:$TAG"
-make deploy "IMG=local-registry:5000/wfs-wms-operator:$TAG"
+echo "Running: deploy IMG=local-registry:5000/mapserver-operator:$TAG"
+make deploy "IMG=local-registry:5000/mapserver-operator:$TAG"

cmd/main.go

@@ -233,6 +233,13 @@ func main() {
 			os.Exit(1)
 		}
 	}
+	// nolint:goconst
+	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+		if err = webhookpdoknlv3.SetupWFSWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "WFS")
+			os.Exit(1)
+		}
+	}
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {

config/crd/bases/pdok.nl_wfs.yaml

@@ -1157,11 +1157,8 @@ spec:
                 - abstract
                 - accessConstraints
                 - baseUrl
-                - bbox
-                - countDefault
                 - defaultCrs
                 - featureTypes
-                - fees
                 - keywords
                 - ownerInfoRef
                 - prefix

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: local-registry:5000/wfs-wms-operator
-  newTag: v3.0.17
+  newName: local-registry:5000/mapserver-operator
+  newTag: v3.0.10

config/samples/v3_wfs.yaml

@@ -37,7 +37,7 @@ spec:
     includeIngress: false
   service:
     prefix: ""
-    baseUrl: https://service.pdok.nl
+    baseUrl: https://service.pdok.nl/test
     inspire:
       serviceMetadataUrl:
         csw:

config/webhook/kustomization.yaml

@@ -1,5 +1,5 @@
 resources:
-#- manifests.yaml see https://github.com/kubernetes-sigs/kubebuilder/issues/2231
+- manifests.yaml
 - service.yaml
 
 configurations:

config/webhook/manifests.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-pdok-nl-v3-wfs
+  failurePolicy: Fail
+  name: vwfs-v3.kb.io
+  rules:
+  - apiGroups:
+    - pdok.nl
+    apiVersions:
+    - v3
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - wfs
+  sideEffects: None