Add validation for nested ObjectMeta fields in webhook

LuBingtan · LuBingtan · commit 5e210ca0ccea · 2023-07-10T14:36:20.000+08:00
diff --git a/api/v1beta1/common_validate.go b/api/v1beta1/common_validate.go
@@ -0,0 +1,19 @@
+package v1beta1
+
+import (
+	metavalidation "k8s.io/apimachinery/pkg/api/validation"
+	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func (metadata *ObjectMeta) Validate(parent *field.Path) field.ErrorList {
+	allErrs := metav1validation.ValidateLabels(
+		metadata.Labels,
+		parent.Child("labels"),
+	)
+	allErrs = append(allErrs, metavalidation.ValidateAnnotations(
+		metadata.Annotations,
+		parent.Child("annotations"),
+	)...)
+	return allErrs
+}
diff --git a/api/v1beta1/machinedeployment_webhook.go b/api/v1beta1/machinedeployment_webhook.go
@@ -266,6 +266,9 @@ func (m *MachineDeployment) validate(old *MachineDeployment) error {
 		}
 	}
 
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}
diff --git a/api/v1beta1/machineset_webhook.go b/api/v1beta1/machineset_webhook.go
@@ -152,6 +152,9 @@ func (m *MachineSet) validate(old *MachineSet) error {
 		}
 	}
 
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}
diff --git a/bootstrap/kubeadm/api/v1beta1/kubeadmconfigtemplate_webhook.go b/bootstrap/kubeadm/api/v1beta1/kubeadmconfigtemplate_webhook.go
@@ -63,6 +63,8 @@ func (r *KubeadmConfigTemplateSpec) validate(name string) error {
 	var allErrs field.ErrorList
 
 	allErrs = append(allErrs, r.Template.Spec.Validate(field.NewPath("spec", "template", "spec"))...)
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, r.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
 
 	if len(allErrs) == 0 {
 		return nil
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
@@ -330,6 +330,9 @@ func validateKubeadmControlPlaneSpec(s KubeadmControlPlaneSpec, namespace string
 		)
 	}
 
+	// Validate the metadata of the MachineTemplate
+	allErrs = append(allErrs, s.MachineTemplate.ObjectMeta.Validate(pathPrefix.Child("machineTemplate", "metadata"))...)
+
 	if !version.KubeSemver.MatchString(s.Version) {
 		allErrs = append(allErrs, field.Invalid(pathPrefix.Child("version"), s.Version, "must be a valid semantic version"))
 	}
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadmcontrolplanetemplate_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadmcontrolplanetemplate_webhook.go
@@ -69,6 +69,8 @@ func (r *KubeadmControlPlaneTemplate) ValidateCreate() (admission.Warnings, erro
 	allErrs := validateKubeadmControlPlaneTemplateResourceSpec(spec, field.NewPath("spec", "template", "spec"))
 	allErrs = append(allErrs, validateClusterConfiguration(spec.KubeadmConfigSpec.ClusterConfiguration, nil, field.NewPath("spec", "template", "spec", "kubeadmConfigSpec", "clusterConfiguration"))...)
 	allErrs = append(allErrs, spec.KubeadmConfigSpec.Validate(field.NewPath("spec", "template", "spec", "kubeadmConfigSpec"))...)
+	// Validate the metadata of the KubeadmControlPlaneTemplateResource
+	allErrs = append(allErrs, r.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
 	if len(allErrs) > 0 {
 		return nil, apierrors.NewInvalid(GroupVersion.WithKind("KubeadmControlPlaneTemplate").GroupKind(), r.Name, allErrs)
 	}
@@ -108,5 +110,10 @@ func validateKubeadmControlPlaneTemplateResourceSpec(s KubeadmControlPlaneTempla
 	allErrs = append(allErrs, validateRolloutBefore(s.RolloutBefore, pathPrefix.Child("rolloutBefore"))...)
 	allErrs = append(allErrs, validateRolloutStrategy(s.RolloutStrategy, nil, pathPrefix.Child("rolloutStrategy"))...)
 
+	if s.MachineTemplate != nil {
+		// Validate the metadata of the MachineTemplate
+		allErrs = append(allErrs, s.MachineTemplate.ObjectMeta.Validate(pathPrefix.Child("machineTemplate", "metadata"))...)
+	}
+
 	return allErrs
 }
diff --git a/exp/api/v1beta1/machinepool_webhook.go b/exp/api/v1beta1/machinepool_webhook.go
@@ -152,6 +152,9 @@ func (m *MachinePool) validate(old *MachinePool) error {
 		}
 	}
 
+	// Validate the metadata of the MachinePool template.
+	allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}
diff --git a/test/infrastructure/docker/api/v1beta1/dockerclustertemplate_webhook.go b/test/infrastructure/docker/api/v1beta1/dockerclustertemplate_webhook.go
@@ -63,6 +63,10 @@ func (r *DockerClusterTemplate) ValidateCreate() (admission.Warnings, error) {
 	}
 
 	allErrs := validateDockerClusterSpec(r.Spec.Template.Spec)
+
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, r.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
+
 	if len(allErrs) > 0 {
 		return nil, apierrors.NewInvalid(GroupVersion.WithKind("DockerClusterTemplate").GroupKind(), r.Name, allErrs)
 	}
diff --git a/test/infrastructure/docker/api/v1beta1/dockermachinetemplate_webhook.go b/test/infrastructure/docker/api/v1beta1/dockermachinetemplate_webhook.go
@@ -49,7 +49,16 @@ type DockerMachineTemplateWebhook struct{}
 var _ webhook.CustomValidator = &DockerMachineTemplateWebhook{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
-func (*DockerMachineTemplateWebhook) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+func (*DockerMachineTemplateWebhook) ValidateCreate(_ context.Context, raw runtime.Object) (admission.Warnings, error) {
+	obj, ok := raw.(*DockerMachineTemplate)
+	if !ok {
+		return nil, apierrors.NewBadRequest(fmt.Sprintf("expected a DockerMachineTemplate but got a %T", raw))
+	}
+	// Validate the metadata of the template.
+	allErrs := obj.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))
+	if len(allErrs) > 0 {
+		return nil, apierrors.NewInvalid(GroupVersion.WithKind("DockerClusterTemplate").GroupKind(), obj.Name, allErrs)
+	}
 	return nil, nil
 }
 
@@ -74,6 +83,9 @@ func (*DockerMachineTemplateWebhook) ValidateUpdate(ctx context.Context, oldRaw
 		!reflect.DeepEqual(newObj.Spec.Template.Spec, oldObj.Spec.Template.Spec) {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "template", "spec"), newObj, dockerMachineTemplateImmutableMsg))
 	}
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, newObj.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil, nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -266,6 +266,9 @@ func (m MachineDeployment) validate(old MachineDeployment) error {`
`266`	`266`	`}`
`267`	`267`	`}`
`268`	`268`
	`269`	`+ // Validate the metadata of the template.`
	`270`	`+ allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)`
	`271`	`+`
`269`	`272`	`if len(allErrs) == 0 {`
`270`	`273`	`return nil`
`271`	`274`	`}`
Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,9 @@ func (m MachineSet) validate(old MachineSet) error {`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`
	`155`	`+ // Validate the metadata of the template.`
	`156`	`+ allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)`
	`157`	`+`
`155`	`158`	`if len(allErrs) == 0 {`
`156`	`159`	`return nil`
`157`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -330,6 +330,9 @@ func validateKubeadmControlPlaneSpec(s KubeadmControlPlaneSpec, namespace string`
`330`	`330`	`)`
`331`	`331`	`}`
`332`	`332`
	`333`	`+ // Validate the metadata of the MachineTemplate`
	`334`	`+ allErrs = append(allErrs, s.MachineTemplate.ObjectMeta.Validate(pathPrefix.Child("machineTemplate", "metadata"))...)`
	`335`	`+`
`333`	`336`	`if !version.KubeSemver.MatchString(s.Version) {`
`334`	`337`	`allErrs = append(allErrs, field.Invalid(pathPrefix.Child("version"), s.Version, "must be a valid semantic version"))`
`335`	`338`	`}`
Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,9 @@ func (m MachinePool) validate(old MachinePool) error {`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`
	`155`	`+ // Validate the metadata of the MachinePool template.`
	`156`	`+ allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)`
	`157`	`+`
`155`	`158`	`if len(allErrs) == 0 {`
`156`	`159`	`return nil`
`157`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,10 @@ func (r *DockerClusterTemplate) ValidateCreate() (admission.Warnings, error) {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`allErrs := validateDockerClusterSpec(r.Spec.Template.Spec)`
	`66`	`+`
	`67`	`+ // Validate the metadata of the template.`
	`68`	`+ allErrs = append(allErrs, r.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)`
	`69`	`+`
`66`	`70`	`if len(allErrs) > 0 {`
`67`	`71`	`return nil, apierrors.NewInvalid(GroupVersion.WithKind("DockerClusterTemplate").GroupKind(), r.Name, allErrs)`
`68`	`72`	`}`