Add validation for GC tasks annotation (#4485)

* Move GC annotation constants from exp/api/v1beta2 to api/v1beta2

To prevent a breaking change we keep the constants in exp/api/v1beta2,
and they will have the same values as ones in api/v1beta2

* Add validation for GC tasks annotation

Author: Fedosin

api/v1beta2/awscluster_webhook.go

@@ -18,6 +18,7 @@ package v1beta2
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/google/go-cmp/cmp"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -70,6 +71,8 @@ func (r *AWSCluster) ValidateDelete() error {
 func (r *AWSCluster) ValidateUpdate(old runtime.Object) error {
 	var allErrs field.ErrorList
 
+	allErrs = append(allErrs, r.validateGCTasksAnnotation()...)
+
 	oldC, ok := old.(*AWSCluster)
 	if !ok {
 		return apierrors.NewBadRequest(fmt.Sprintf("expected an AWSCluster but got a %T", old))
@@ -175,6 +178,42 @@ func (r *AWSCluster) Default() {
 	SetObjectDefaults_AWSCluster(r)
 }
 
+func (r *AWSCluster) validateGCTasksAnnotation() field.ErrorList {
+	var allErrs field.ErrorList
+
+	annotations := r.GetAnnotations()
+	if annotations == nil {
+		return nil
+	}
+
+	if gcTasksAnnotationValue := annotations[ExternalResourceGCTasksAnnotation]; gcTasksAnnotationValue != "" {
+		gcTasks := strings.Split(gcTasksAnnotationValue, ",")
+
+		supportedGCTasks := []GCTask{GCTaskLoadBalancer, GCTaskTargetGroup, GCTaskSecurityGroup}
+
+		for _, gcTask := range gcTasks {
+			found := false
+
+			for _, supportedGCTask := range supportedGCTasks {
+				if gcTask == string(supportedGCTask) {
+					found = true
+					break
+				}
+			}
+
+			if !found {
+				allErrs = append(allErrs,
+					field.Invalid(field.NewPath("metadata", "annotations"),
+						r.Annotations,
+						fmt.Sprintf("annotation %s contains unsupported GC task %s", ExternalResourceGCTasksAnnotation, gcTask)),
+				)
+			}
+		}
+	}
+
+	return allErrs
+}
+
 func (r *AWSCluster) validateSSHKeyName() field.ErrorList {
 	return validateSSHKeyName(r.Spec.SSHKeyName)
 }

api/v1beta2/awscluster_webhook_test.go

@@ -655,6 +655,48 @@ func TestAWSClusterValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "correct GC tasks annotation",
+			oldCluster: &AWSCluster{
+				Spec: AWSClusterSpec{},
+			},
+			newCluster: &AWSCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ExternalResourceGCTasksAnnotation: "load-balancer,target-group,security-group",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "empty GC tasks annotation",
+			oldCluster: &AWSCluster{
+				Spec: AWSClusterSpec{},
+			},
+			newCluster: &AWSCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ExternalResourceGCTasksAnnotation: "",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "incorrect GC tasks annotation",
+			oldCluster: &AWSCluster{
+				Spec: AWSClusterSpec{},
+			},
+			newCluster: &AWSCluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ExternalResourceGCTasksAnnotation: "load-balancer,INVALID,security-group",
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

api/v1beta2/types.go

@@ -70,6 +70,29 @@ const (
 	MachineCreated AWSMachineProviderConditionType = "MachineCreated"
 )
 
+const (
+	// ExternalResourceGCAnnotation is the name of an annotation that indicates if
+	// external resources should be garbage collected for the cluster.
+	ExternalResourceGCAnnotation = "aws.cluster.x-k8s.io/external-resource-gc"
+
+	// ExternalResourceGCTasksAnnotation is the name of an annotation that indicates what
+	// external resources tasks should be executed by garbage collector for the cluster.
+	ExternalResourceGCTasksAnnotation = "aws.cluster.x-k8s.io/external-resource-tasks-gc"
+)
+
+type GCTask string
+
+var (
+	// GCTaskLoadBalancer defines a task to cleaning up resources for AWS load balancers.
+	GCTaskLoadBalancer = GCTask("load-balancer")
+
+	// GCTaskTargetGroup defines a task to cleaning up resources for AWS target groups.
+	GCTaskTargetGroup = GCTask("target-group")
+
+	// GCTaskSecurityGroup defines a task to cleaning up resources for AWS security groups.
+	GCTaskSecurityGroup = GCTask("security-group")
+)
+
 // AZSelectionScheme defines the scheme of selecting AZs.
 type AZSelectionScheme string
 

cmd/clusterawsadm/gc/gc.go

@@ -29,7 +29,6 @@ import (
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
-	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/annotations"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controllers/external"
@@ -132,7 +131,7 @@ func (c *CmdProcessor) setAnnotationAndPatch(ctx context.Context, annotationValu
 		return fmt.Errorf("creating patch helper: %w", err)
 	}
 
-	annotations.Set(infraObj, expinfrav1.ExternalResourceGCAnnotation, annotationValue)
+	annotations.Set(infraObj, infrav1.ExternalResourceGCAnnotation, annotationValue)
 
 	if err := patchHelper.Patch(ctx, infraObj); err != nil {
 		return fmt.Errorf("patching infra cluster with gc annotation: %w", err)

cmd/clusterawsadm/gc/gc_test.go

@@ -29,7 +29,6 @@ import (
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
-	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/annotations"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/controllers/external"
@@ -73,7 +72,7 @@ func TestEnableGC(t *testing.T) {
 		{
 			name:         "with managed control plane and existing annotation",
 			clusterName:  testClusterName,
-			existingObjs: newManagedClusterWithAnnotations(testClusterName, map[string]string{expinfrav1.ExternalResourceGCAnnotation: "false"}),
+			existingObjs: newManagedClusterWithAnnotations(testClusterName, map[string]string{infrav1.ExternalResourceGCAnnotation: "false"}),
 			expectError:  false,
 		},
 	}
@@ -107,7 +106,7 @@ func TestEnableGC(t *testing.T) {
 			g.Expect(err).NotTo(HaveOccurred())
 			g.Expect(obj).NotTo(BeNil())
 
-			annotationVal, hasAnnotation := annotations.Get(obj, expinfrav1.ExternalResourceGCAnnotation)
+			annotationVal, hasAnnotation := annotations.Get(obj, infrav1.ExternalResourceGCAnnotation)
 			g.Expect(hasAnnotation).To(BeTrue())
 			g.Expect(annotationVal).To(Equal("true"))
 		})
@@ -140,13 +139,13 @@ func TestDisableGC(t *testing.T) {
 		{
 			name:         "with managed control plane and with annotation",
 			clusterName:  testClusterName,
-			existingObjs: newManagedClusterWithAnnotations(testClusterName, map[string]string{expinfrav1.ExternalResourceGCAnnotation: "true"}),
+			existingObjs: newManagedClusterWithAnnotations(testClusterName, map[string]string{infrav1.ExternalResourceGCAnnotation: "true"}),
 			expectError:  false,
 		},
 		{
 			name:         "with awscluster and with annotation",
 			clusterName:  testClusterName,
-			existingObjs: newUnManagedClusterWithAnnotations(testClusterName, map[string]string{expinfrav1.ExternalResourceGCAnnotation: "true"}),
+			existingObjs: newUnManagedClusterWithAnnotations(testClusterName, map[string]string{infrav1.ExternalResourceGCAnnotation: "true"}),
 			expectError:  false,
 		},
 	}
@@ -180,7 +179,7 @@ func TestDisableGC(t *testing.T) {
 			g.Expect(err).NotTo(HaveOccurred())
 			g.Expect(obj).NotTo(BeNil())
 
-			annotationVal, hasAnnotation := annotations.Get(obj, expinfrav1.ExternalResourceGCAnnotation)
+			annotationVal, hasAnnotation := annotations.Get(obj, infrav1.ExternalResourceGCAnnotation)
 			g.Expect(hasAnnotation).To(BeTrue())
 			g.Expect(annotationVal).To(Equal("false"))
 		})

exp/api/v1beta2/types.go

@@ -22,16 +22,6 @@ import (
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 )
 
-const (
-	// ExternalResourceGCAnnotation is the name of an annotation that indicates if
-	// external resources should be garbage collected for the cluster.
-	ExternalResourceGCAnnotation = "aws.cluster.x-k8s.io/external-resource-gc"
-
-	// ExternalResourceGCTasksAnnotation is the name of an annotation that indicates what
-	// external resources tasks should be executed by garbage collector for the cluster.
-	ExternalResourceGCTasksAnnotation = "aws.cluster.x-k8s.io/external-resource-tasks-gc"
-)
-
 // EBS can be used to automatically set up EBS volumes when an instance is launched.
 type EBS struct {
 	// Encrypted is whether the volume should be encrypted or not.

pkg/cloud/services/gc/cleanup.go

@@ -27,7 +27,6 @@ import (
 	rgapi "github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
-	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/annotations"
 )
 
@@ -42,14 +41,14 @@ const (
 func (s *Service) ReconcileDelete(ctx context.Context) error {
 	s.scope.Info("reconciling deletion for garbage collection", "cluster", s.scope.InfraClusterName())
 
-	val, found := annotations.Get(s.scope.InfraCluster(), expinfrav1.ExternalResourceGCAnnotation)
+	val, found := annotations.Get(s.scope.InfraCluster(), infrav1.ExternalResourceGCAnnotation)
 	if !found {
 		val = "true"
 	}
 
 	shouldGC, err := strconv.ParseBool(val)
 	if err != nil {
-		return fmt.Errorf("converting value %s of annotation %s to bool: %w", val, expinfrav1.ExternalResourceGCAnnotation, err)
+		return fmt.Errorf("converting value %s of annotation %s to bool: %w", val, infrav1.ExternalResourceGCAnnotation, err)
 	}
 
 	if !shouldGC {
@@ -71,21 +70,19 @@ func (s *Service) deleteResources(ctx context.Context) error {
 
 	cleanupFuncs := s.cleanupFuncs
 
-	if val, found := annotations.Get(s.scope.InfraCluster(), expinfrav1.ExternalResourceGCTasksAnnotation); found {
-		var gcTaskToFunc = map[string]ResourceCleanupFunc{
-			"load-balancer":  s.deleteLoadBalancers,
-			"target-group":   s.deleteTargetGroups,
-			"security-group": s.deleteSecurityGroups,
+	if val, found := annotations.Get(s.scope.InfraCluster(), infrav1.ExternalResourceGCTasksAnnotation); found {
+		var gcTaskToFunc = map[infrav1.GCTask]ResourceCleanupFunc{
+			infrav1.GCTaskLoadBalancer:  s.deleteLoadBalancers,
+			infrav1.GCTaskTargetGroup:   s.deleteTargetGroups,
+			infrav1.GCTaskSecurityGroup: s.deleteSecurityGroups,
 		}
 
 		cleanupFuncs = ResourceCleanupFuncs{}
 
 		tasks := strings.Split(val, ",")
 
-		// TODO: add some validation here.
-
 		for _, task := range tasks {
-			cleanupFuncs = append(cleanupFuncs, gcTaskToFunc[task])
+			cleanupFuncs = append(cleanupFuncs, gcTaskToFunc[infrav1.GCTask(task)])
 		}
 	}
 

pkg/cloud/services/gc/cleanup_test.go

@@ -36,7 +36,6 @@ import (
 
 	infrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2"
 	ekscontrolplanev1 "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2"
-	expinfrav1 "sigs.k8s.io/cluster-api-provider-aws/v2/exp/api/v1beta2"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/pkg/cloud/scope"
 	"sigs.k8s.io/cluster-api-provider-aws/v2/test/mocks"
@@ -924,16 +923,16 @@ func createManagedControlPlane(gcAnnotationValue, gcTasksAnnotationValue string)
 
 	if gcAnnotationValue != "" {
 		cp.ObjectMeta.Annotations = map[string]string{
-			expinfrav1.ExternalResourceGCAnnotation: gcAnnotationValue,
+			infrav1.ExternalResourceGCAnnotation: gcAnnotationValue,
 		}
 	}
 
 	if gcTasksAnnotationValue != "" {
 		if cp.ObjectMeta.Annotations != nil {
-			cp.ObjectMeta.Annotations[expinfrav1.ExternalResourceGCTasksAnnotation] = gcTasksAnnotationValue
+			cp.ObjectMeta.Annotations[infrav1.ExternalResourceGCTasksAnnotation] = gcTasksAnnotationValue
 		} else {
 			cp.ObjectMeta.Annotations = map[string]string{
-				expinfrav1.ExternalResourceGCTasksAnnotation: gcTasksAnnotationValue,
+				infrav1.ExternalResourceGCTasksAnnotation: gcTasksAnnotationValue,
 			}
 		}
 	}
@@ -956,16 +955,16 @@ func createAWSCluser(gcAnnotationValue, gcTasksAnnotationValue string) *infrav1.
 
 	if gcAnnotationValue != "" {
 		awsc.ObjectMeta.Annotations = map[string]string{
-			expinfrav1.ExternalResourceGCAnnotation: gcAnnotationValue,
+			infrav1.ExternalResourceGCAnnotation: gcAnnotationValue,
 		}
 	}
 
 	if gcTasksAnnotationValue != "" {
 		if awsc.ObjectMeta.Annotations != nil {
-			awsc.ObjectMeta.Annotations[expinfrav1.ExternalResourceGCTasksAnnotation] = gcTasksAnnotationValue
+			awsc.ObjectMeta.Annotations[infrav1.ExternalResourceGCTasksAnnotation] = gcTasksAnnotationValue
 		} else {
 			awsc.ObjectMeta.Annotations = map[string]string{
-				expinfrav1.ExternalResourceGCTasksAnnotation: gcTasksAnnotationValue,
+				infrav1.ExternalResourceGCTasksAnnotation: gcTasksAnnotationValue,
 			}
 		}
 	}