rosa: use CEL validation for versions

The webhooks we had were only giving us a nice error message on top of
the parsing validation, and we can get all of that benefit by just using
a CEL matcher and a custom error message. Not having to deploy and run
webhooks simplifies things for us a sizeable amount and makes local
testing much easier, as well.

Signed-off-by: Steve Kuznetsov <[email protected]>

Author: stevekuznetsov

config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml

@@ -286,8 +286,11 @@ spec:
               supportRoleARN:
                 type: string
               version:
-                description: Openshift version, for example "4.14.5".
+                description: OpenShift semantic version, for example "4.14.5".
                 type: string
+                x-kubernetes-validations:
+                - message: version must be a valid semantic version
+                  rule: self.matches('^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$')
               workerRoleARN:
                 type: string
             required:

config/crd/bases/infrastructure.cluster.x-k8s.io_rosamachinepools.yaml

@@ -98,6 +98,9 @@ spec:
                 description: Version specifies the penshift version of the nodes associated
                   with this machinepool. ROSAControlPlane version is used if not set.
                 type: string
+                x-kubernetes-validations:
+                - message: version must be a valid semantic version
+                  rule: self.matches('^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$')
             required:
             - nodePoolName
             type: object

config/webhook/manifests.yaml

@@ -201,28 +201,6 @@ webhooks:
     resources:
     - awsmanagedmachinepools
   sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /mutate-infrastructure-cluster-x-k8s-io-v1beta2-rosamachinepool
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: default.rosamachinepool.infrastructure.cluster.x-k8s.io
-  rules:
-  - apiGroups:
-    - infrastructure.cluster.x-k8s.io
-    apiVersions:
-    - v1beta2
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - rosamachinepools
-  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1beta1
@@ -289,28 +267,6 @@ webhooks:
     resources:
     - awsmanagedcontrolplanes
   sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /mutate-controlplane-cluster-x-k8s-io-v1beta2-rosacontrolplane
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: default.rosacontrolplanes.controlplane.cluster.x-k8s.io
-  rules:
-  - apiGroups:
-    - controlplane.cluster.x-k8s.io
-    apiVersions:
-    - v1beta2
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - rosacontrolplanes
-  sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -537,28 +493,6 @@ webhooks:
     resources:
     - awsmanagedmachinepools
   sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validate-infrastructure-cluster-x-k8s-io-v1beta2-rosamachinepool
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: validation.rosamachinepool.infrastructure.cluster.x-k8s.io
-  rules:
-  - apiGroups:
-    - infrastructure.cluster.x-k8s.io
-    apiVersions:
-    - v1beta2
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - rosamachinepools
-  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1beta1
@@ -625,25 +559,3 @@ webhooks:
     resources:
     - awsmanagedcontrolplanes
   sideEffects: None
-- admissionReviewVersions:
-  - v1
-  - v1beta1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /validate-controlplane-cluster-x-k8s-io-v1beta2-rosacontrolplane
-  failurePolicy: Fail
-  matchPolicy: Equivalent
-  name: validation.rosacontrolplanes.controlplane.cluster.x-k8s.io
-  rules:
-  - apiGroups:
-    - controlplane.cluster.x-k8s.io
-    apiVersions:
-    - v1beta2
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - rosacontrolplanes
-  sideEffects: None

controlplane/rosa/api/v1beta2/rosacontrolplane_types.go

@@ -49,7 +49,8 @@ type RosaControlPlaneSpec struct { //nolint: maligned
 	// The AWS Region the cluster lives in.
 	Region *string `json:"region"`
 
-	// Openshift version, for example "4.14.5".
+	// OpenShift semantic version, for example "4.14.5".
+	// +kubebuilder:validation:XValidation:rule=`self.matches('^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$')`, message="version must be a valid semantic version"
 	Version string `json:"version"`
 
 	// ControlPlaneEndpoint represents the endpoint used to communicate with the control plane.

controlplane/rosa/api/v1beta2/rosacontrolplane_webhook.go

@@ -37,6 +37,7 @@ type RosaMachinePoolSpec struct {
 	// ROSAControlPlane version is used if not set.
 	//
 	// +optional
+	// +kubebuilder:validation:XValidation:rule=`self.matches('^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)$')`, message="version must be a valid semantic version"
 	Version string `json:"version,omitempty"`
 
 	// AvailabilityZone is an optinal field specifying the availability zone where instances of this machine pool should run

controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go

@@ -254,16 +254,6 @@ func main() {
 			setupLog.Error(err, "unable to create controller", "controller", "ROSAMachinePool")
 			os.Exit(1)
 		}
-
-		if err := (&rosacontrolplanev1.ROSAControlPlane{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "ROSAControlPlane")
-			os.Exit(1)
-		}
-
-		if err := (&expinfrav1.ROSAMachinePool{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "ROSAMachinePool")
-			os.Exit(1)
-		}
 	}
 
 	// +kubebuilder:scaffold:builder