Webhook tests pass now.

Joshua Reed · Joshua Reed · commit cb61164c01e8 · 2022-02-28T22:23:55.000-08:00
diff --git a/api/v1beta1/cloudstackcluster_webhook.go b/api/v1beta1/cloudstackcluster_webhook.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"fmt"
+	"reflect"
 
 	"github.com/aws/cluster-api-provider-cloudstack/pkg/webhookutil"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -63,14 +64,20 @@ func (r *CloudStackCluster) ValidateCreate() error {
 	}
 
 	if (r.Spec.Account != "") && (r.Spec.Domain == "") {
-		errorList = append(errorList, field.Required(field.NewPath("spec", "account"), "specifying account requires additionally specifying domain"))
+		errorList = append(errorList, field.Required(
+			field.NewPath("spec", "account"), "specifying account requires additionally specifying domain"))
 	}
 
-	// 	errorList = webhook_utilities.EnsureFieldExists(r.Spec.Zones, "Zone", errorList)
-
-	// Zone and Network are required fields
+	// Require Zones and their respective Networks.
 	if len(r.Spec.Zones) <= 0 {
-		errorList = append(errorList, field.Required(field.NewPath("spec", "Zones"), "asdfasdfasdf"))
+		errorList = append(errorList, field.Required(field.NewPath("spec", "Zones"), "Zones"))
+	} else {
+		for _, zone := range r.Spec.Zones {
+			if zone.Network.Name == "" && zone.Network.ID == "" {
+				errorList = append(errorList, field.Required(
+					field.NewPath("spec", "Zones", "Network"), "each Zone requires a Network specification"))
+			}
+		}
 	}
 
 	return webhookutil.AggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, errorList)
@@ -81,8 +88,7 @@ func (r *CloudStackCluster) ValidateUpdate(old runtime.Object) error {
 	cloudstackclusterlog.Info("validate update", "name", r.Name)
 
 	var (
-		errorList field.ErrorList
-		spec      = r.Spec
+		spec = r.Spec
 	)
 
 	oldCluster, ok := old.(*CloudStackCluster)
@@ -91,25 +97,29 @@ func (r *CloudStackCluster) ValidateUpdate(old runtime.Object) error {
 	}
 	oldSpec := oldCluster.Spec
 
-	// IdentityRefs must be Secrets.
-	if spec.IdentityRef != nil && spec.IdentityRef.Kind != defaultIdentityRefKind {
-		errorList = append(errorList, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+	// No spec fields may be updated.
+	errorList := field.ErrorList(nil)
+	if !reflect.DeepEqual(oldSpec.Zones, spec.Zones) {
+		errorList = append(errorList, field.Forbidden(
+			field.NewPath("spec", "Zones"), "Zones and sub-attributes may not be modified after creation"))
 	}
-
-	// No spec fields may be changed
-	// errorList = webhook_utilities.EnsureStringFieldsAreEqual(spec.Zone, oldSpec.Zone, "zone", errorList)
-	// errorList = webhook_utilities.EnsureStringFieldsAreEqual(spec.Network, oldSpec.Network, "network", errorList)
 	if oldSpec.ControlPlaneEndpoint.Host != "" { // Need to allow one time endpoint setting via CAPC cluster controller.
 		errorList = webhookutil.EnsureStringFieldsAreEqual(
 			spec.ControlPlaneEndpoint.Host, oldSpec.ControlPlaneEndpoint.Host, "controlplaneendpointhost", errorList)
 		errorList = webhookutil.EnsureStringFieldsAreEqual(
 			string(spec.ControlPlaneEndpoint.Port), string(oldSpec.ControlPlaneEndpoint.Port), "controlplaneendpointport", errorList)
 	}
 	if spec.IdentityRef != nil && oldSpec.IdentityRef != nil {
-		errorList = webhookutil.EnsureStringFieldsAreEqual(spec.IdentityRef.Kind, oldSpec.IdentityRef.Kind, "identityRef.Kind", errorList)
+		errorList = webhookutil.EnsureStringFieldsAreEqual(
+			spec.IdentityRef.Kind, oldSpec.IdentityRef.Kind, "identityRef.Kind", errorList)
 		errorList = webhookutil.EnsureStringFieldsAreEqual(spec.IdentityRef.Name, oldSpec.IdentityRef.Name, "identityRef.Name", errorList)
 	}
 
+	// IdentityRefs must be Secrets.
+	if spec.IdentityRef != nil && spec.IdentityRef.Kind != defaultIdentityRefKind {
+		errorList = append(errorList, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+	}
+
 	return webhookutil.AggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, errorList)
 }
 
diff --git a/api/v1beta1/cloudstackcluster_webhook_test.go b/api/v1beta1/cloudstackcluster_webhook_test.go
@@ -18,85 +18,87 @@ package v1beta1_test
 
 import (
 	"context"
-	"fmt"
 
 	infrav1 "github.com/aws/cluster-api-provider-cloudstack/api/v1beta1"
 	"github.com/aws/cluster-api-provider-cloudstack/test/dummies"
 	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/ginkgo/extensions/table"
 	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/types"
 )
 
-var _ = Describe("CloudStackCluster webhooks", func() {
+var errString = func(err error) string { return err.Error() }
+
+func BeErrorAndMatchRegexp(regexp string, args ...interface{}) types.GomegaMatcher {
+	return SatisfyAll(HaveOccurred(), WithTransform(errString, MatchRegexp(regexp, args)))
+}
 
+var _ = Describe("CloudStackCluster webhooks", func() {
 	var ctx context.Context
+	forbiddenRegex := "admission webhook.*denied the request.*Forbidden\\: %s"
+	requiredRegex := "admission webhook.*denied the request.*Required value\\: %s"
 
 	BeforeEach(func() { // Reset test vars to initial state.
-		dummies.SetDummyVars()
 		ctx = context.Background()
+		dummies.SetDummyVars()                       // Reset cluster var.
+		_ = k8sClient.Delete(ctx, dummies.CSCluster) // Delete any remnants.
+		dummies.SetDummyVars()                       // Reset again since the k8s client can set this on delete.
 	})
 
-	Context("When creating a CloudStackCluster with all validated attributes", func() {
-		It("Should succeed", func() {
+	Context("When creating a CloudStackCluster", func() {
+		It("Should accept a CloudStackCluster with all attributes present", func() {
 			Ω(k8sClient.Create(ctx, dummies.CSCluster)).Should(Succeed())
 		})
-	})
 
-	Context("When creating a CloudStackCluster with missing Network attribute", func() {
-		It("Should be rejected by the validating webhooks", func() {
-			Ω(k8sClient.Create(ctx, dummies.CSCluster).Error()).
-				Should(MatchRegexp("admission webhook.*denied the request.*Required value\\: Network"))
+		It("Should reject a CloudStackCluster with missing Zones.Network attribute", func() {
+			dummies.CSCluster.Spec.Zones = []infrav1.Zone{{Name: "ZoneWNoNetwork"}}
+			Ω(k8sClient.Create(ctx, dummies.CSCluster).Error()).Should(
+				MatchRegexp(requiredRegex, "each Zone requires a Network specification"))
 		})
-	})
 
-	Context("When creating a CloudStackCluster with missing Zone attribute", func() {
-		It("Should be rejected by the validating webhooks", func() {
-			Ω(k8sClient.Create(ctx, dummies.CSCluster).Error()).
-				Should(MatchRegexp("admission webhook.*denied the request.*Required value\\: Zone"))
+		It("Should reject a CloudStackCluster with missing Zones attribute", func() {
+			dummies.CSCluster.Spec.Zones = []infrav1.Zone{}
+			Ω(k8sClient.Create(ctx, dummies.CSCluster).Error()).Should(MatchRegexp(requiredRegex, "Zones"))
 		})
-	})
 
-	Context("When creating a CloudStackCluster with the wrong kind of IdentityReference", func() {
-		It("Should be rejected by the validating webhooks", func() {
-			dummies.CSCluster.Spec.IdentityRef.Kind = "Wrong"
-			Ω(k8sClient.Create(ctx, dummies.CSCluster).Error()).
-				Should(MatchRegexp("admission webhook.*denied the request.*Forbidden\\: must be a Secret"))
+		It("Should reject a CloudStackCluster with IdentityRef not of kind 'Secret'", func() {
+			dummies.CSCluster.Spec.IdentityRef.Kind = "ConfigMap"
+			Ω(k8sClient.Create(ctx, dummies.CSCluster).Error()).Should(MatchRegexp(forbiddenRegex, "must be a Secret"))
 		})
 	})
 
 	Context("When updating a CloudStackCluster", func() {
-		type CSClusterModFunc func(*infrav1.CloudStackCluster)
-		description := func() func(string, CSClusterModFunc) string {
-			return func(field string, mod CSClusterModFunc) string {
-				return fmt.Sprintf(
-					"CloudStackCluster.Spec %s modification should be rejected by the validating webhooks", field)
-			}
-		}
-		DescribeTable("Forbidden field modification",
-			func(field string, mod CSClusterModFunc) {
-				Ω(k8sClient.Create(ctx, dummies.CSCluster)).Should(Succeed())
-				forbiddenRegex := "admission webhook.*denied the request.*Forbidden\\: %s"
-				mod(dummies.CSCluster)
-				Ω(k8sClient.Update(ctx, dummies.CSCluster).Error()).Should(MatchRegexp(forbiddenRegex, field))
-			},
-			Entry(description(), "zone", func(CSC *infrav1.CloudStackCluster) {
-				CSC.Spec.Zones = []infrav1.Zone{dummies.Zone1}
-			}),
-			Entry(description(), "zonenetwork", func(CSC *infrav1.CloudStackCluster) {
-				CSC.Spec.Zones[0].Network.Name = "ArbitraryNetworkName"
-			}),
-			Entry(description(), "controlplaneendpoint\\.host", func(CSC *infrav1.CloudStackCluster) {
-				CSC.Spec.ControlPlaneEndpoint.Host = "1.1.1.1"
-			}),
-			Entry(description(), "identityRef\\.Kind", func(CSC *infrav1.CloudStackCluster) {
-				CSC.Spec.IdentityRef.Kind = "ArbitraryKind"
-			}),
-			Entry(description(), "identityRef\\.Name", func(CSC *infrav1.CloudStackCluster) {
-				CSC.Spec.IdentityRef.Name = "ArbitraryName"
-			}),
-			Entry(description(), "controlplaneendpoint\\.port", func(CSC *infrav1.CloudStackCluster) {
-				CSC.Spec.ControlPlaneEndpoint.Port = int32(1234)
-			}),
-		)
+		BeforeEach(func() {
+			Ω(k8sClient.Create(ctx, dummies.CSCluster)).Should(Succeed())
+		})
+
+		It("Should reject updates to CloudStackCluster Zones", func() {
+			dummies.CSCluster.Spec.Zones = []infrav1.Zone{dummies.Zone1}
+			Ω(k8sClient.Update(ctx, dummies.CSCluster)).Should(BeErrorAndMatchRegexp(forbiddenRegex, "Zones and sub"))
+		})
+		It("Should reject updates to CloudStackCluster Zones", func() {
+			dummies.CSCluster.Spec.Zones[0].Network.Name = "ArbitraryUpdateNetworkName"
+			Ω(k8sClient.Update(ctx, dummies.CSCluster)).Should(BeErrorAndMatchRegexp(forbiddenRegex, "Zones and sub"))
+		})
+		It("Should reject updates to CloudStackCluster controlplaneendpoint.host", func() {
+			dummies.CSCluster.Spec.ControlPlaneEndpoint.Host = "1.1.1.1"
+			Ω(k8sClient.Update(ctx, dummies.CSCluster)).
+				Should(BeErrorAndMatchRegexp(forbiddenRegex, "controlplaneendpoint\\.host"))
+		})
+
+		It("Should reject updates to CloudStackCluster controlplaneendpoint.port", func() {
+			dummies.CSCluster.Spec.ControlPlaneEndpoint.Port = int32(1234)
+			Ω(k8sClient.Update(ctx, dummies.CSCluster)).
+				Should(BeErrorAndMatchRegexp(forbiddenRegex, "controlplaneendpoint\\.port"))
+		})
+		It("Should reject updates to the CloudStackCluster identity reference kind", func() {
+			dummies.CSCluster.Spec.IdentityRef.Kind = "ConfigMap"
+			Ω(k8sClient.Update(ctx, dummies.CSCluster)).
+				Should(BeErrorAndMatchRegexp(forbiddenRegex, "identityRef\\.Kind"))
+		})
+		It("Should reject updates to the CloudStackCluster identity reference name", func() {
+			dummies.CSCluster.Spec.IdentityRef.Name = "ConfigMap"
+			Ω(k8sClient.Update(ctx, dummies.CSCluster)).
+				Should(BeErrorAndMatchRegexp(forbiddenRegex, "identityRef\\.name"))
+		})
 	})
 })
diff --git a/api/v1beta1/cloudstackmachine_webhook_test.go b/api/v1beta1/cloudstackmachine_webhook_test.go
@@ -26,49 +26,39 @@ import (
 
 var _ = Describe("CloudStackMachine webhook", func() {
 	var ctx context.Context
+	forbiddenRegex := "admission webhook.*denied the request.*Forbidden\\: %s"
+	requiredRegex := "admission webhook.*denied the request.*Required value\\: %s"
 
 	BeforeEach(func() { // Reset test vars to initial state.
 		dummies.SetDummyVars()
 		ctx = context.Background()
-		// Clear out any remaining machines. Ignore errors.
-		_ = k8sClient.Delete(ctx, dummies.CSMachine1)
+		_ = k8sClient.Delete(ctx, dummies.CSMachine1) // Clear out any remaining machines. Ignore errors.
 	})
 
-	Context("When creating a CloudStackMachine with all attributes", func() {
-		It("Should succeed", func() {
+	Context("When creating a CloudStackMachine", func() {
+		It("Should accept CloudStackMachine with all attributes", func() {
 			Expect(k8sClient.Create(ctx, dummies.CSMachine1)).Should(Succeed())
 		})
-	})
 
-	Context("When creating a CloudStackMachine with missing Offering attribute", func() {
-		It("Should be rejected by the validating webhooks", func() {
+		It("Should reject a CloudStackMachine with missing Offering attribute", func() {
 			dummies.CSMachine1.Spec.Offering = ""
-			Expect(k8sClient.Create(ctx, dummies.CSMachine1).Error()).
-				Should(MatchRegexp("admission webhook.*denied the request.*Required value\\: Offering"))
+			Expect(k8sClient.Create(ctx, dummies.CSMachine1).Error()).Should(MatchRegexp(requiredRegex, "Offering"))
 		})
-	})
 
-	Context("When creating a CloudStackMachine with missing Template attribute", func() {
-		It("Should be rejected by the validating webhooks", func() {
+		It("Should be reject a CloudStackMachine with missint Template attribute", func() {
 			dummies.CSMachine1.Spec.Template = ""
-			Expect(k8sClient.Create(ctx, dummies.CSMachine1).Error()).
-				Should(MatchRegexp("admission webhook.*denied the request.*Required value\\: Template"))
+			Expect(k8sClient.Create(ctx, dummies.CSMachine1).Error()).Should(MatchRegexp(requiredRegex, "Template"))
 		})
-	})
 
-	Context("When creating a CloudStackMachine with the wrong kind of IdentityReference", func() {
-		It("Should be rejected by the validating webhooks", func() {
+		It("Should be reject a CloudStackMachine with IdentityRef not of kind 'Secret'", func() {
 			dummies.CSMachine1.Spec.IdentityRef.Kind = "ConfigMap"
 			Expect(k8sClient.Create(ctx, dummies.CSMachine1).Error()).
-				Should(MatchRegexp("admission webhook.*denied the request.*Forbidden\\: must be a Secret"))
+				Should(MatchRegexp(forbiddenRegex, "must be a Secret"))
 		})
 	})
 
-	// Need the `-- not template` here to make the context unique. Apparently ginkgo uses startswith.
 	Context("When updating a CloudStackMachine", func() {
-		forbiddenRegex := "admission webhook.*denied the request.*Forbidden\\: %s"
-
-		BeforeEach(func() { // Reset test vars to initial state.
+		BeforeEach(func() {
 			Ω(k8sClient.Create(ctx, dummies.CSMachine1)).Should(Succeed())
 		})
 
diff --git a/test/dummies/vars.go b/test/dummies/vars.go
@@ -50,14 +50,15 @@ func SetTestTags() {
 func SetDummyVars() {
 	// These need to be in order as they build upon eachother.
 	SetDummyCAPCClusterVars()
+	SetDummyCAPIClusterVars()
 	SetDummyCSMachineTemplateVars()
 	SetDummyCSMachineVars()
-	SetDummyCAPIClusterVars()
 	SetDummyTagVars()
 }
 
 // SetDummyClusterSpecVars resets the values in each of the exported CloudStackMachines related dummy variables.
 func SetDummyCSMachineTemplateVars() {
+	DomainID = "FakeDomainId"
 	CSMachineTemplate1 = &infrav1.CloudStackMachineTemplate{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
@@ -91,6 +92,7 @@ func SetDummyCSMachineTemplateVars() {
 
 // SetDummyClusterSpecVars resets the values in each of the exported CloudStackMachines related dummy variables.
 func SetDummyCSMachineVars() {
+	DomainID = "FakeDomainId"
 	CSMachine1 = &infrav1.CloudStackMachine{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: CSApiVersion,
@@ -127,24 +129,29 @@ func SetDummyCAPCClusterVars() {
 		Name: "FakeAffinityGroup",
 		Type: cloud.AffinityGroupType}
 	Net1 = infrav1.Network{Name: "SharedGuestNet1"}
+	Net2 = infrav1.Network{Name: "SharedGuestNet2"}
 	Zone1 = infrav1.Zone{Name: "Zone1", Network: Net1}
 	Zone2 = infrav1.Zone{Name: "Zone2", Network: Net2}
+
 	CSCluster = &infrav1.CloudStackCluster{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: CSApiVersion,
+			Kind:       CSClusterKind,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      CSClusterName,
+			Namespace: "default",
+			UID:       "0",
+		},
 		Spec: infrav1.CloudStackClusterSpec{
 			IdentityRef: &infrav1.CloudStackIdentityReference{
 				Kind: "Secret",
 				Name: "IdentitySecret",
 			},
-			Zones: []infrav1.Zone{Zone1, Zone2}},
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "cs-cluster-test1-",
-			UID:          "0",
-			Namespace:    "default"},
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
-			Kind:       "CloudStackCluster"}}
-	CAPIMachine = &capiv1.Machine{}
-	DomainID = "FakeDomainId"
+			ControlPlaneEndpoint: clusterv1.APIEndpoint{Host: "EndpointHost", Port: int32(8675309)},
+			Zones:                []infrav1.Zone{Zone1, Zone2},
+		},
+	}
 }
 
 // SetDummyCapiCluster resets the values in each of the exported CAPICluster related dummy variables.
