Allow IdentityRef.Name change and add unit test to OpenStackCluster webhooks

tobiasgiese · tobiasgiese · commit 8e3bbaf3902d · 2021-12-08T09:24:43.000+01:00
Signed-off-by: Tobias Giese &lt;tobias.giese@daimler.com&gt;
diff --git a/api/v1alpha4/openstackcluster_webhook.go b/api/v1alpha4/openstackcluster_webhook.go
@@ -74,7 +74,29 @@ func (r *OpenStackCluster) ValidateUpdate(oldRaw runtime.Object) error {
 	}
 
 	if r.Spec.IdentityRef != nil && r.Spec.IdentityRef.Kind != defaultIdentityRefKind {
-		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "identityRef", "kind"), "must be a Secret"))
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "identityRef", "kind"),
+				r.Spec.IdentityRef, "must be a Secret"),
+		)
+	}
+
+	// Allow changes to Spec.IdentityRef.Name.
+	if old.Spec.IdentityRef != nil && r.Spec.IdentityRef != nil {
+		old.Spec.IdentityRef.Name = ""
+		r.Spec.IdentityRef.Name = ""
+	}
+
+	// Allow changes to Spec.IdentityRef if it was unset.
+	if old.Spec.IdentityRef == nil && r.Spec.IdentityRef != nil {
+		old.Spec.IdentityRef = &OpenStackIdentityReference{}
+		r.Spec.IdentityRef = &OpenStackIdentityReference{}
+	}
+
+	if old.Spec.IdentityRef != nil && r.Spec.IdentityRef == nil {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec", "identityRef"),
+				r.Spec.IdentityRef, "field cannot be set to nil"),
+		)
 	}
 
 	// Allow change only for the first time.
diff --git a/api/v1alpha4/openstackcluster_webhook_test.go b/api/v1alpha4/openstackcluster_webhook_test.go
@@ -0,0 +1,172 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha4
+
+import (
+	"testing"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestOpenStackCluster_ValidateUpdate(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name        string
+		oldTemplate *OpenStackCluster
+		newTemplate *OpenStackCluster
+		wantErr     bool
+	}{
+		{
+			name: "OpenStackCluster.Spec.IdentityRef.Kind must always be Secret",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "Secret",
+						Name: "foobar",
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "foobar",
+						Name: "foobar",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Changing OpenStackCluster.Spec.IdentityRef.Name is allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "Secret",
+						Name: "foobar",
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "Secret",
+						Name: "foobarbaz",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "OpenStackCluster.Spec.IdentityRef can be changed if it was unset",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "Secret",
+						Name: "foobar",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "OpenStackCluster.Spec.IdentityRef must not be removed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "Secret",
+						Name: "foobar",
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.newTemplate.ValidateUpdate(tt.oldTemplate)
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+		})
+	}
+}
+
+func TestOpenStackCluster_ValidateCreate(t *testing.T) {
+	g := NewWithT(t)
+
+	tests := []struct {
+		name     string
+		template *OpenStackCluster
+		wantErr  bool
+	}{
+		{
+			name: "OpenStackCluster.Spec.IdentityRef with correct spec on create",
+			template: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "Secret",
+						Name: "foobar",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "OpenStackCluster.Spec.IdentityRef with faulty spec on create",
+			template: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					IdentityRef: &OpenStackIdentityReference{
+						Kind: "foobar",
+						Name: "foobar",
+					},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.template.ValidateCreate()
+			if tt.wantErr {
+				g.Expect(err).To(HaveOccurred())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+		})
+	}
+}
