Merge pull request #7242 from sbueringer/pr-improve-patch-selector-validation

🌱 ClusterClass: make patch selector validation more robust

Author: k8s-ci-robot

internal/webhooks/patch_validation.go

@@ -166,44 +166,58 @@ func validateSelectors(selector clusterv1.PatchSelector, class *clusterv1.Cluste
 				"no selector enabled",
 			))
 	}
+
 	if selector.MatchResources.InfrastructureCluster {
-		if selectorMatchTemplate(selector, class.Spec.Infrastructure.Ref) {
-			return nil
+		if !selectorMatchTemplate(selector, class.Spec.Infrastructure.Ref) {
+			allErrs = append(allErrs, field.Invalid(
+				path.Child("matchResources", "infrastructureCluster"),
+				selector.MatchResources.InfrastructureCluster,
+				"selector is enabled but does not match the infrastructure ref",
+			))
 		}
 	}
+
 	if selector.MatchResources.ControlPlane {
+		match := false
 		if selectorMatchTemplate(selector, class.Spec.ControlPlane.Ref) {
-			return nil
+			match = true
 		}
-	}
-
-	if selector.MatchResources.ControlPlane && class.Spec.ControlPlane.MachineInfrastructure != nil {
-		if selectorMatchTemplate(selector, class.Spec.ControlPlane.MachineInfrastructure.Ref) {
-			return nil
+		if class.Spec.ControlPlane.MachineInfrastructure != nil &&
+			selectorMatchTemplate(selector, class.Spec.ControlPlane.MachineInfrastructure.Ref) {
+			match = true
+		}
+		if !match {
+			allErrs = append(allErrs, field.Invalid(
+				path.Child("matchResources", "controlPlane"),
+				selector.MatchResources.ControlPlane,
+				"selector is enabled but matches neither the controlPlane ref nor the controlPlane machineInfrastructure ref",
+			))
 		}
 	}
 
 	if selector.MatchResources.MachineDeploymentClass != nil && len(selector.MatchResources.MachineDeploymentClass.Names) > 0 {
-		for _, name := range selector.MatchResources.MachineDeploymentClass.Names {
+		for i, name := range selector.MatchResources.MachineDeploymentClass.Names {
+			match := false
 			for _, md := range class.Spec.Workers.MachineDeployments {
 				if md.Class == name {
-					if selectorMatchTemplate(selector, md.Template.Infrastructure.Ref) {
-						return nil
-					}
-					if selectorMatchTemplate(selector, md.Template.Bootstrap.Ref) {
-						return nil
+					if selectorMatchTemplate(selector, md.Template.Infrastructure.Ref) ||
+						selectorMatchTemplate(selector, md.Template.Bootstrap.Ref) {
+						match = true
+						break
 					}
 				}
 			}
+			if !match {
+				allErrs = append(allErrs, field.Invalid(
+					path.Child("matchResources", "machineDeploymentClass", "names").Index(i),
+					name,
+					"selector is enabled but matches neither the bootstrap ref nor the infrastructure ref of a MachineDeployment class",
+				))
+			}
 		}
 	}
-	// if the code has not returned at this point there is no matching template in the ClusterClass. Return an error.
-	return append(allErrs,
-		field.Invalid(
-			path,
-			prettyPrint(selector),
-			"selector did not match any template in the ClusterClass",
-		))
+
+	return allErrs
 }
 
 // selectorMatchTemplate returns true if APIVersion and Kind for the given selector match the reference.

internal/webhooks/patch_validation_test.go

@@ -1538,7 +1538,7 @@ func Test_validateSelectors(t *testing.T) {
 		wantErr      bool
 	}{
 		{
-			name: "error if no selectors are all set to false or empty",
+			name: "error if selectors are all set to false or empty",
 			selector: clusterv1.PatchSelector{
 				APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
 				Kind:       "InfrastructureClusterTemplate",
@@ -1787,6 +1787,65 @@ func Test_validateSelectors(t *testing.T) {
 				Build(),
 			wantErr: true,
 		},
+		{
+			name: "fail if selector targets ControlPlane Machine Infrastructure but does not have MatchResources.ControlPlane enabled",
+			selector: clusterv1.PatchSelector{
+				APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+				Kind:       "InfrastructureMachineTemplate",
+				MatchResources: clusterv1.PatchSelectorMatch{
+					MachineDeploymentClass: &clusterv1.PatchSelectorMatchMachineDeploymentClass{
+						Names: []string{"bb"},
+					},
+					ControlPlane: false,
+				},
+			},
+			clusterClass: builder.ClusterClass(metav1.NamespaceDefault, "class1").
+				WithControlPlaneInfrastructureMachineTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+							Kind:       "InfrastructureMachineTemplate",
+						}),
+				).
+				Build(),
+			wantErr: true,
+		},
+		// The following tests have selectors which match multiple resources at the same time.
+		{
+			name: "fail if selector targets a matching infrastructureCluster reference and a not matching control plane",
+			selector: clusterv1.PatchSelector{
+				APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+				Kind:       "InfrastructureClusterTemplate",
+				MatchResources: clusterv1.PatchSelectorMatch{
+					InfrastructureCluster: true,
+					ControlPlane:          true,
+				},
+			},
+			clusterClass: builder.ClusterClass(metav1.NamespaceDefault, "class1").
+				WithInfrastructureClusterTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+							Kind:       "InfrastructureClusterTemplate",
+						}),
+				).
+				WithControlPlaneTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "controlplane.cluster.x-k8s.io/v1beta1",
+							Kind:       "NonMatchingControlPlaneTemplate",
+						}),
+				).
+				WithControlPlaneInfrastructureMachineTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+							Kind:       "NonMatchingInfrastructureMachineTemplate",
+						}),
+				).
+				Build(),
+			wantErr: true,
+		},
 		{
 			name: "pass if selector targets BOTH an existing ControlPlane MachineInfrastructureTemplate and an existing MachineDeploymentClass InfrastructureTemplate",
 			selector: clusterv1.PatchSelector{
@@ -1837,25 +1896,154 @@ func Test_validateSelectors(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "fail if selector targets ControlPlane Machine Infrastructure but does not have MatchResources.ControlPlane enabled",
+			name: "fail if selector targets BOTH an existing ControlPlane MachineInfrastructureTemplate and an existing MachineDeploymentClass InfrastructureTemplate but does not match all MachineDeployment classes",
+			selector: clusterv1.PatchSelector{
+				APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+				Kind:       "InfrastructureMachineTemplate",
+				MatchResources: clusterv1.PatchSelectorMatch{
+					MachineDeploymentClass: &clusterv1.PatchSelectorMatchMachineDeploymentClass{
+						Names: []string{"aa", "bb"},
+					},
+					ControlPlane: true,
+				},
+			},
+			clusterClass: builder.ClusterClass(metav1.NamespaceDefault, "class1").
+				WithControlPlaneTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "controlplane.cluster.x-k8s.io/v1beta1",
+							Kind:       "NonMatchingControlPlaneTemplate",
+						}),
+				).
+				WithControlPlaneInfrastructureMachineTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+							Kind:       "InfrastructureMachineTemplate",
+						}),
+				).
+				WithWorkerMachineDeploymentClasses(
+					*builder.MachineDeploymentClass("aa").
+						WithInfrastructureTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+								Kind:       "NonMatchingInfrastructureMachineTemplate",
+							})).
+						WithBootstrapTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "bootstrap.cluster.x-k8s.io/v1beta1",
+								Kind:       "BootstrapTemplate",
+							})).
+						Build(),
+					*builder.MachineDeploymentClass("bb").
+						WithInfrastructureTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+								Kind:       "InfrastructureMachineTemplate",
+							})).
+						WithBootstrapTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "bootstrap.cluster.x-k8s.io/v1beta1",
+								Kind:       "BootstrapTemplate",
+							})).
+						Build(),
+				).
+				Build(),
+			wantErr: true,
+		},
+		{
+			name: "fail if selector targets BOTH an existing ControlPlane MachineInfrastructureTemplate and an existing MachineDeploymentClass InfrastructureTemplate but matches only one",
 			selector: clusterv1.PatchSelector{
 				APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
 				Kind:       "InfrastructureMachineTemplate",
 				MatchResources: clusterv1.PatchSelectorMatch{
 					MachineDeploymentClass: &clusterv1.PatchSelectorMatchMachineDeploymentClass{
 						Names: []string{"bb"},
 					},
-					ControlPlane: false,
+					ControlPlane: true,
+				},
+			},
+			clusterClass: builder.ClusterClass(metav1.NamespaceDefault, "class1").
+				WithControlPlaneTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "controlplane.cluster.x-k8s.io/v1beta1",
+							Kind:       "NonMatchingControlPlaneTemplate",
+						}),
+				).
+				WithControlPlaneInfrastructureMachineTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+							Kind:       "InfrastructureMachineTemplate",
+						}),
+				).
+				WithWorkerMachineDeploymentClasses(
+					*builder.MachineDeploymentClass("bb").
+						WithInfrastructureTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+								Kind:       "OtherInfrastructureMachineTemplate",
+							})).
+						WithBootstrapTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "bootstrap.cluster.x-k8s.io/v1beta1",
+								Kind:       "BootstrapTemplate",
+							})).
+						Build(),
+				).
+				Build(),
+			wantErr: true,
+		},
+		{
+			name: "fail if selector targets everything but nothing matches",
+			selector: clusterv1.PatchSelector{
+				APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+				Kind:       "NotMatchingInfrastructureMachineTemplate",
+				MatchResources: clusterv1.PatchSelectorMatch{
+					ControlPlane:          true,
+					InfrastructureCluster: true,
+					MachineDeploymentClass: &clusterv1.PatchSelectorMatchMachineDeploymentClass{
+						Names: []string{"bb"},
+					},
 				},
 			},
 			clusterClass: builder.ClusterClass(metav1.NamespaceDefault, "class1").
+				WithInfrastructureClusterTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+							Kind:       "InfrastructureClusterTemplate",
+						}),
+				).
+				WithControlPlaneTemplate(
+					refToUnstructured(
+						&corev1.ObjectReference{
+							APIVersion: "controlplane.cluster.x-k8s.io/v1beta1",
+							Kind:       "NonMatchingControlPlaneTemplate",
+						}),
+				).
 				WithControlPlaneInfrastructureMachineTemplate(
 					refToUnstructured(
 						&corev1.ObjectReference{
 							APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
 							Kind:       "InfrastructureMachineTemplate",
 						}),
 				).
+				WithWorkerMachineDeploymentClasses(
+					*builder.MachineDeploymentClass("bb").
+						WithInfrastructureTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+								Kind:       "OtherInfrastructureMachineTemplate",
+							})).
+						WithBootstrapTemplate(
+							refToUnstructured(&corev1.ObjectReference{
+								APIVersion: "bootstrap.cluster.x-k8s.io/v1beta1",
+								Kind:       "BootstrapTemplate",
+							})).
+						Build(),
+				).
 				Build(),
 			wantErr: true,
 		},