add validations for control plane outbound lb

Author: shysank

api/v1alpha4/azurecluster_validation.go

@@ -137,6 +137,8 @@ func validateNetworkSpec(networkSpec NetworkSpec, old NetworkSpec, fldPath *fiel
 
 	allErrs = append(allErrs, validateNodeOutboundLB(networkSpec.NodeOutboundLB, old.NodeOutboundLB, networkSpec.APIServerLB, nodeSubnet, fldPath.Child("nodeOutboundLB"))...)
 
+	allErrs = append(allErrs, validateControlPlaneOutboundLB(networkSpec.ControlPlaneOutboundLB, networkSpec.APIServerLB, fldPath.Child("controlPlaneOutboundLB"))...)
+
 	allErrs = append(allErrs, validatePrivateDNSZoneName(networkSpec, fldPath)...)
 
 	if len(allErrs) == 0 {
@@ -420,6 +422,34 @@ func validateNodeOutboundLB(lb *LoadBalancerSpec, old *LoadBalancerSpec, apiserv
 	return allErrs
 }
 
+func validateControlPlaneOutboundLB(lb *LoadBalancerSpec, apiserverLB LoadBalancerSpec, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	switch apiserverLB.Type {
+	case Public:
+		if lb != nil {
+			allErrs = append(allErrs, field.Forbidden(fldPath, "Control plane outbound load balancer cannot be set for public clusters."))
+		}
+	case Internal:
+		// Control plane outbound lb can be nil when it's disabled for private clusters.
+		if lb == nil {
+			return nil
+		}
+
+		if lb.FrontendIPsCount != nil && *lb.FrontendIPsCount > MaxLoadBalancerOutboundIPs {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("frontendIPsCount"), *lb.FrontendIPsCount,
+				fmt.Sprintf("Max front end ips allowed is %d", MaxLoadBalancerOutboundIPs)))
+		}
+
+		if lb.IdleTimeoutInMinutes != nil && (*lb.IdleTimeoutInMinutes < MinLBIdleTimeoutInMinutes || *lb.IdleTimeoutInMinutes > MaxLBIdleTimeoutInMinutes) {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("idleTimeoutInMinutes"), *lb.IdleTimeoutInMinutes,
+				fmt.Sprintf("Control plane outbound idle timeout should be between %d and %d minutes", MinLBIdleTimeoutInMinutes, MaxLoadBalancerOutboundIPs)))
+		}
+	}
+
+	return allErrs
+}
+
 // validatePrivateDNSZoneName validate the PrivateDNSZoneName.
 func validatePrivateDNSZoneName(networkSpec NetworkSpec, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList

api/v1alpha4/azurecluster_validation_test.go

@@ -1118,6 +1118,78 @@ func TestValidateNodeOutboundLB(t *testing.T) {
 	}
 }
 
+func TestValidateControlPlaneNodeOutboundLB(t *testing.T) {
+	g := NewWithT(t)
+
+	testcases := []struct {
+		name        string
+		lb          *LoadBalancerSpec
+		old         *LoadBalancerSpec
+		apiServerLB LoadBalancerSpec
+		wantErr     bool
+		expectedErr field.Error
+	}{
+		{
+			name:        "cp outbound lb cannot be set for public clusters",
+			lb:          &LoadBalancerSpec{Name: "foo"},
+			apiServerLB: LoadBalancerSpec{Type: Public},
+			wantErr:     true,
+			expectedErr: field.Error{
+				Type:     "FieldValueForbidden",
+				Field:    "controlPlaneOutboundLB",
+				BadValue: LoadBalancerSpec{Name: "foo"},
+				Detail:   "Control plane outbound load balancer cannot be set for public clusters.",
+			},
+		},
+		{
+			name:        "cp outbound lb can be set for private clusters",
+			lb:          &LoadBalancerSpec{Name: "foo"},
+			apiServerLB: LoadBalancerSpec{Type: Internal},
+			wantErr:     false,
+		},
+		{
+			name:        "cp outbound lb can be nil for private clusters",
+			lb:          nil,
+			apiServerLB: LoadBalancerSpec{Type: Internal},
+			wantErr:     false,
+		},
+		{
+			name: "frontend ips count exceeds max value",
+			lb: &LoadBalancerSpec{
+				FrontendIPsCount: pointer.Int32Ptr(100),
+			},
+			apiServerLB: LoadBalancerSpec{Type: Internal},
+			wantErr:     true,
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "controlPlaneOutboundLB.frontendIPsCount",
+				BadValue: 100,
+				Detail:   "Max front end ips allowed is 16",
+			},
+		},
+	}
+
+	for _, test := range testcases {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			err := validateControlPlaneOutboundLB(test.lb, test.apiServerLB, field.NewPath("controlPlaneOutboundLB"))
+			if test.wantErr {
+				g.Expect(err).NotTo(HaveLen(0))
+				found := false
+				for _, actual := range err {
+					if actual.Error() == test.expectedErr.Error() {
+						found = true
+					}
+				}
+				g.Expect(found).To(BeTrue())
+			} else {
+				g.Expect(err).To(HaveLen(0))
+			}
+		})
+	}
+}
+
 func TestValidateCloudProviderConfigOverrides(t *testing.T) {
 	g := NewWithT(t)
 

api/v1alpha4/azurecluster_webhook.go

@@ -106,6 +106,13 @@ func (c *AzureCluster) ValidateUpdate(oldRaw runtime.Object) error {
 		)
 	}
 
+	if !reflect.DeepEqual(c.Spec.NetworkSpec.ControlPlaneOutboundLB, old.Spec.NetworkSpec.ControlPlaneOutboundLB) {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "networkSpec", "controlPlaneOutboundLB"),
+				c.Spec.NetworkSpec.ControlPlaneOutboundLB, "field is immutable"),
+		)
+	}
+
 	if len(allErrs) == 0 {
 		return c.validateCluster(old)
 	}

api/v1alpha4/azurecluster_webhook_test.go

@@ -214,6 +214,38 @@ func TestAzureCluster_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "azurecluster azureEnvironment is immutable",
+			oldCluster: &AzureCluster{
+				Spec: AzureClusterSpec{
+					AzureEnvironment: "AzureGermanCloud",
+				},
+			},
+			cluster: &AzureCluster{
+				Spec: AzureClusterSpec{
+					AzureEnvironment: "AzureChinaCloud",
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "control plane outbound lb is immutable",
+			oldCluster: &AzureCluster{
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						ControlPlaneOutboundLB: &LoadBalancerSpec{Name: "cp-lb"},
+					},
+				},
+			},
+			cluster: &AzureCluster{
+				Spec: AzureClusterSpec{
+					NetworkSpec: NetworkSpec{
+						ControlPlaneOutboundLB: &LoadBalancerSpec{Name: "cp-lb-new"},
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {