validations: validate vpc and subnet CIDR

Validation for specified VPC and subnet CIDRs is added for early
feedback from the webhook.

There are already existing checks for bastion and nodePort CIDRs.

Author: tthvo

api/v1beta2/awscluster_webhook.go

@@ -301,10 +301,35 @@ func (r *AWSCluster) validateSSHKeyName() field.ErrorList {
 
 func (r *AWSCluster) validateNetwork() field.ErrorList {
 	var allErrs field.ErrorList
-	for _, subnet := range r.Spec.NetworkSpec.Subnets {
+
+	vpcSpec := r.Spec.NetworkSpec.VPC
+	vpcField := field.NewPath("spec", "network", "vpc")
+	if vpcSpec.CidrBlock != "" {
+		if _, _, err := net.ParseCIDR(vpcSpec.CidrBlock); err != nil {
+			allErrs = append(allErrs, field.Invalid(vpcField.Child("cidrBlock"), vpcSpec.CidrBlock, "VPC CIDR block is invalid"))
+		}
+	}
+	if vpcSpec.IPv6 != nil && vpcSpec.IPv6.CidrBlock != "" {
+		if _, _, err := net.ParseCIDR(vpcSpec.IPv6.CidrBlock); err != nil {
+			allErrs = append(allErrs, field.Invalid(vpcField.Child("ipv6", "cidrBlock"), vpcSpec.IPv6.CidrBlock, "VPC IPv6 CIDR block is invalid"))
+		}
+	}
+
+	subnetField := field.NewPath("spec", "network", "subnets")
+	for i, subnet := range r.Spec.NetworkSpec.Subnets {
 		if subnet.ZoneType != nil && subnet.IsEdge() {
 			if subnet.ParentZoneName == nil {
-				allErrs = append(allErrs, field.Invalid(field.NewPath("subnets"), r.Spec.NetworkSpec.Subnets, "ParentZoneName must be set when ZoneType is 'local-zone'."))
+				allErrs = append(allErrs, field.Invalid(subnetField.Index(i).Child("parentZoneName"), subnet.ParentZoneName, "ParentZoneName must be set when ZoneType is 'local-zone'."))
+			}
+		}
+		if subnet.CidrBlock != "" {
+			if _, _, err := net.ParseCIDR(subnet.CidrBlock); err != nil {
+				allErrs = append(allErrs, field.Invalid(subnetField.Index(i).Child("cidrBlock"), subnet.CidrBlock, "subnet CIDR block is invalid"))
+			}
+		}
+		if subnet.IPv6CidrBlock != "" {
+			if _, _, err := net.ParseCIDR(subnet.IPv6CidrBlock); err != nil {
+				allErrs = append(allErrs, field.Invalid(subnetField.Index(i).Child("ipv6CidrBlock"), subnet.IPv6CidrBlock, "subnet IPv6 CIDR block is invalid"))
 			}
 		}
 	}
@@ -344,10 +369,15 @@ func (r *AWSCluster) validateNetwork() field.ErrorList {
 
 	secondaryCidrBlocks := r.Spec.NetworkSpec.VPC.SecondaryCidrBlocks
 	secondaryCidrBlocksField := field.NewPath("spec", "network", "vpc", "secondaryCidrBlocks")
-	for _, cidrBlock := range secondaryCidrBlocks {
+	for i, cidrBlock := range secondaryCidrBlocks {
 		if r.Spec.NetworkSpec.VPC.CidrBlock != "" && r.Spec.NetworkSpec.VPC.CidrBlock == cidrBlock.IPv4CidrBlock {
 			allErrs = append(allErrs, field.Invalid(secondaryCidrBlocksField, secondaryCidrBlocks, fmt.Sprintf("AWSCluster.spec.network.vpc.secondaryCidrBlocks must not contain the primary AWSCluster.spec.network.vpc.cidrBlock %v", r.Spec.NetworkSpec.VPC.CidrBlock)))
 		}
+		if cidrBlock.IPv4CidrBlock != "" {
+			if _, _, err := net.ParseCIDR(cidrBlock.IPv4CidrBlock); err != nil {
+				allErrs = append(allErrs, field.Invalid(secondaryCidrBlocksField.Index(i).Child("ipv4CidrBlock"), cidrBlock.IPv4CidrBlock, "secondary VPC CIDR block is invalid"))
+			}
+		}
 	}
 
 	return allErrs

api/v1beta2/awscluster_webhook_test.go

@@ -324,7 +324,59 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "accepts ipv6",
+			name: "accepts vpc cidr",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							CidrBlock: "10.0.0.0/16",
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "rejects invalid vpc cidr",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							CidrBlock: "10.0.0.0",
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "accepts vpc secondary cidr",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							CidrBlock: "10.0.1.0/24",
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "rejects invalid vpc secondary cidr",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							CidrBlock: "10.0.1.0",
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "accepts vpc ipv6 cidr",
 			cluster: &AWSCluster{
 				Spec: AWSClusterSpec{
 					NetworkSpec: NetworkSpec{
@@ -339,6 +391,22 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "reject invalid vpc ipv6 cidr",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						VPC: VPCSpec{
+							IPv6: &IPv6{
+								CidrBlock: "2001:2345:5678::",
+								PoolID:    "pool-id",
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "accepts ipv6 enabled subnet",
 			cluster: &AWSCluster{
@@ -358,6 +426,38 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "accepts cidr block for subnets",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						Subnets: []SubnetSpec{
+							{
+								ID:        "sub-1",
+								CidrBlock: "10.0.10.0/24",
+							},
+						},
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "rejects invalid cidr block for subnets",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						Subnets: []SubnetSpec{
+							{
+								ID:        "sub-1",
+								CidrBlock: "10.0.10.0",
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "accepts ipv6 cidr block for subnets",
 			cluster: &AWSCluster{
@@ -374,6 +474,22 @@ func TestAWSClusterValidateCreate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "rejects invalid ipv6 cidr block for subnets",
+			cluster: &AWSCluster{
+				Spec: AWSClusterSpec{
+					NetworkSpec: NetworkSpec{
+						Subnets: []SubnetSpec{
+							{
+								ID:            "sub-1",
+								IPv6CidrBlock: "2022:1234:5678:9101::",
+							},
+						},
+					},
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "rejects ingress rules with cidr block and source security group id",
 			cluster: &AWSCluster{