add validation admission webhook checks for resource name length

Author: AshleyDumaine

internal/webhook/v1alpha2/linodecluster_webhook.go

@@ -63,7 +63,9 @@ func (r *linodeClusterValidator) ValidateCreate(ctx context.Context, obj runtime
 
 	// TODO: instrument with tracing, might need refactor to preserve readability
 	var errs field.ErrorList
-
+	if err := validateLabelLength(cluster.GetName(), field.NewPath("metadata").Child("name")); err != nil {
+		errs = append(errs, err)
+	}
 	if err := r.validateLinodeClusterSpec(ctx, linodeClient, spec, skipAPIValidation); err != nil {
 		errs = slices.Concat(errs, err)
 	}

internal/webhook/v1alpha2/linodecluster_webhook_test.go

@@ -89,7 +89,7 @@ func TestValidateLinodeCluster(t *testing.T) {
 	)
 }
 
-func TestValidateCreate(t *testing.T) {
+func TestValidateLinodeClusterCreate(t *testing.T) {
 	t.Parallel()
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -109,8 +109,19 @@ func TestValidateCreate(t *testing.T) {
 				},
 			},
 		}
-		expectedErrorSubString = "\"example\" is invalid: spec.region: Not found:"
-		credentialsRefCluster  = infrav1alpha2.LinodeCluster{
+		clusterLongName = infrav1alpha2.LinodeCluster{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      longName,
+				Namespace: "example",
+			},
+			Spec: infrav1alpha2.LinodeClusterSpec{
+				Region: "example",
+				Network: infrav1alpha2.NetworkSpec{
+					LoadBalancerType: "NodeBalancer",
+				},
+			},
+		}
+		credentialsRefCluster = infrav1alpha2.LinodeCluster{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example",
 				Namespace: "example",
@@ -136,7 +147,16 @@ func TestValidateCreate(t *testing.T) {
 				}),
 				Result("error", func(ctx context.Context, mck Mock) {
 					_, err := validator.ValidateCreate(ctx, &cluster)
-					assert.ErrorContains(t, err, expectedErrorSubString)
+					assert.ErrorContains(t, err, "\"example\" is invalid: spec.region: Not found:")
+				}),
+			),
+			Path(
+				Call("name too long", func(ctx context.Context, mck Mock) {
+
+				}),
+				Result("error", func(ctx context.Context, mck Mock) {
+					_, err := validator.ValidateCreate(ctx, &clusterLongName)
+					assert.ErrorContains(t, err, labelLengthDetail)
 				}),
 			),
 		),

internal/webhook/v1alpha2/linodefirewall_webhook.go

@@ -20,7 +20,10 @@ import (
 	"context"
 	"fmt"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
@@ -38,9 +41,6 @@ func SetupLinodeFirewallWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
-// TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-
-// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
 // NOTE: The 'path' attribute must follow a specific pattern and should not be modified directly here.
 // Modifying the path for an invalid path can cause API server errors; failing to locate the webhook.
 // +kubebuilder:webhook:path=/validate-infrastructure-cluster-x-k8s-io-v1alpha2-linodefirewall,mutating=false,failurePolicy=fail,sideEffects=None,groups=infrastructure.cluster.x-k8s.io,resources=linodefirewalls,verbs=create;update,versions=v1alpha2,name=validation.linodefirewall.infrastructure.cluster.x-k8s.io,admissionReviewVersions=v1
@@ -64,8 +64,17 @@ func (v *LinodeFirewallCustomValidator) ValidateCreate(ctx context.Context, obj
 	}
 	linodefirewalllog.Info("Validation for LinodeFirewall upon creation", "name", linodefirewall.GetName())
 
-	// TODO(user): fill in your validation logic upon object creation.
-	return nil, nil
+	var errs field.ErrorList
+	if err := validateLabelLength(linodefirewall.GetName(), field.NewPath("metadata").Child("name")); err != nil {
+		errs = append(errs, err)
+	}
+
+	if len(errs) == 0 {
+		return nil, nil
+	}
+	return nil, apierrors.NewInvalid(
+		schema.GroupKind{Group: "infrastructure.cluster.x-k8s.io", Kind: "LinodeFirewall"},
+		linodefirewall.Name, errs)
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type LinodeFirewall.

internal/webhook/v1alpha2/linodefirewall_webhook_test.go

@@ -17,34 +17,65 @@ limitations under the License.
 package v1alpha2
 
 import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	infrav1alpha2 "github.com/linode/cluster-api-provider-linode/api/v1alpha2"
+	"github.com/linode/cluster-api-provider-linode/mock"
 
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
+	. "github.com/linode/cluster-api-provider-linode/mock/mocktest"
 )
 
-var _ = Describe("LinodeFirewall Webhook", func() {
+func TestValidateLinodeFirewallCreate(t *testing.T) {
+	t.Parallel()
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
 	var (
-		obj       *infrav1alpha2.LinodeFirewall
-		oldObj    *infrav1alpha2.LinodeFirewall
-		validator LinodeFirewallCustomValidator
+		lfw = infrav1alpha2.LinodeFirewall{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "example",
+				Namespace: "example",
+			},
+			Spec: infrav1alpha2.LinodeFirewallSpec{},
+		}
+		lfwLongName = infrav1alpha2.LinodeFirewall{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      longName,
+				Namespace: "example",
+			},
+			Spec: infrav1alpha2.LinodeFirewallSpec{},
+		}
+		validator = &LinodeFirewallCustomValidator{}
 	)
 
-	BeforeEach(func() {
-		obj = &infrav1alpha2.LinodeFirewall{}
-		oldObj = &infrav1alpha2.LinodeFirewall{}
-		validator = LinodeFirewallCustomValidator{}
-		Expect(validator).NotTo(BeNil(), "Expected validator to be initialized")
-		Expect(oldObj).NotTo(BeNil(), "Expected oldObj to be initialized")
-		Expect(obj).NotTo(BeNil(), "Expected obj to be initialized")
-		// TODO (user): Add any setup logic common to all tests
-	})
-
-	AfterEach(func() {
-		// TODO (user): Add any teardown logic common to all tests
-	})
-
-	Context("When creating or updating LinodeFirewall under Validating Webhook", func() {
-		// TODO (user): Add logic for validating webhooks
-	})
-})
+	NewSuite(t, mock.MockLinodeClient{}).Run(
+		OneOf(
+			Path(
+				Call("name too long", func(ctx context.Context, mck Mock) {
+
+				}),
+				Result("error", func(ctx context.Context, mck Mock) {
+					_, err := validator.ValidateCreate(ctx, &lfwLongName)
+					assert.ErrorContains(t, err, labelLengthDetail)
+				}),
+			),
+		),
+		OneOf(
+			Path(
+				Call("valid", func(ctx context.Context, mck Mock) {
+
+				}),
+				Result("success", func(ctx context.Context, mck Mock) {
+					_, err := validator.ValidateCreate(ctx, &lfw)
+					require.NoError(t, err)
+				}),
+			),
+		),
+	)
+}

internal/webhook/v1alpha2/linodemachine_webhook.go

@@ -69,8 +69,6 @@ func SetupLinodeMachineWebhookWithManager(mgr ctrl.Manager) error {
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (r *linodeMachineValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	var errs field.ErrorList
-
 	machine, ok := obj.(*infrav1alpha2.LinodeMachine)
 	if !ok {
 		return nil, apierrors.NewBadRequest("expected a LinodeMachine Resource")
@@ -81,6 +79,10 @@ func (r *linodeMachineValidator) ValidateCreate(ctx context.Context, obj runtime
 	skipAPIValidation, linodeClient := setupClientWithCredentials(ctx, r.Client, spec.CredentialsRef,
 		machine.Name, machine.GetNamespace(), linodemachinelog)
 
+	var errs field.ErrorList
+	if err := validateLabelLength(machine.GetName(), field.NewPath("metadata").Child("name")); err != nil {
+		errs = append(errs, err)
+	}
 	if err := r.validateLinodeMachineSpec(ctx, linodeClient, spec, skipAPIValidation); err != nil {
 		errs = slices.Concat(errs, err)
 	}

internal/webhook/v1alpha2/linodemachine_webhook_test.go

@@ -237,6 +237,16 @@ func TestValidateCreateLinodeMachine(t *testing.T) {
 				Type:   "example",
 			},
 		}
+		machineLongName = infrav1alpha2.LinodeMachine{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      longName,
+				Namespace: "example",
+			},
+			Spec: infrav1alpha2.LinodeMachineSpec{
+				Region: "example",
+				Type:   "example",
+			},
+		}
 		credentialsRefMachine = infrav1alpha2.LinodeMachine{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example",
@@ -250,8 +260,7 @@ func TestValidateCreateLinodeMachine(t *testing.T) {
 				Type:   "example",
 			},
 		}
-		expectedErrorSubString = "\"example\" is invalid: [spec.region: Not found: \"example\", spec.type: Not found: \"example\"]"
-		validator              = &linodeMachineValidator{}
+		validator = &linodeMachineValidator{}
 	)
 
 	NewSuite(t, mock.MockLinodeClient{}).Run(
@@ -261,7 +270,15 @@ func TestValidateCreateLinodeMachine(t *testing.T) {
 				}),
 				Result("error", func(ctx context.Context, mck Mock) {
 					_, err := validator.ValidateCreate(ctx, &machine)
-					assert.ErrorContains(t, err, expectedErrorSubString)
+					assert.ErrorContains(t, err, "\"example\" is invalid: [spec.region: Not found: \"example\", spec.type: Not found: \"example\"]")
+				}),
+			),
+			Path(
+				Call("name too long", func(ctx context.Context, mck Mock) {
+				}),
+				Result("error", func(ctx context.Context, mck Mock) {
+					_, err := validator.ValidateCreate(ctx, &machineLongName)
+					assert.ErrorContains(t, err, labelLengthDetail)
 				}),
 			),
 		),

internal/webhook/v1alpha2/linodeobjectstoragebucket_webhook.go

@@ -64,7 +64,21 @@ func (v *LinodeObjectStorageBucketCustomValidator) ValidateCreate(ctx context.Co
 	linodeobjectstoragebucketlog.Info("validate create", "name", bucket.Name)
 	skipAPIValidation, linodeClient := setupClientWithCredentials(ctx, v.Client, bucket.Spec.CredentialsRef,
 		bucket.Name, bucket.GetNamespace(), linodemachinelog)
-	return nil, v.validateLinodeObjectStorageBucket(ctx, bucket, linodeClient, skipAPIValidation)
+
+	var errs field.ErrorList
+	if err := validateLabelLength(bucket.GetName(), field.NewPath("metadata").Child("name")); err != nil {
+		errs = append(errs, err)
+	}
+	if err := v.validateLinodeObjectStorageBucketSpec(ctx, bucket, linodeClient, skipAPIValidation); err != nil {
+		errs = slices.Concat(errs, err)
+	}
+
+	if len(errs) == 0 {
+		return nil, nil
+	}
+	return nil, apierrors.NewInvalid(
+		schema.GroupKind{Group: "infrastructure.cluster.x-k8s.io", Kind: "LinodeObjectStorageBucket"},
+		bucket.Name, errs)
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type LinodeObjectStorageBucket.
@@ -90,21 +104,6 @@ func (v *LinodeObjectStorageBucketCustomValidator) ValidateDelete(ctx context.Co
 	return nil, nil
 }
 
-func (v *LinodeObjectStorageBucketCustomValidator) validateLinodeObjectStorageBucket(ctx context.Context, bucket *infrav1alpha2.LinodeObjectStorageBucket, linodeClient clients.LinodeClient, skipAPIValidation bool) error {
-	var errs field.ErrorList
-
-	if err := v.validateLinodeObjectStorageBucketSpec(ctx, bucket, linodeClient, skipAPIValidation); err != nil {
-		errs = slices.Concat(errs, err)
-	}
-
-	if len(errs) == 0 {
-		return nil
-	}
-	return apierrors.NewInvalid(
-		schema.GroupKind{Group: "infrastructure.cluster.x-k8s.io", Kind: "LinodeObjectStorageBucket"},
-		bucket.Name, errs)
-}
-
 func (v *LinodeObjectStorageBucketCustomValidator) validateLinodeObjectStorageBucketSpec(ctx context.Context, bucket *infrav1alpha2.LinodeObjectStorageBucket, linodeClient clients.LinodeClient, skipAPIValidation bool) field.ErrorList {
 	var errs field.ErrorList
 	if skipAPIValidation {

internal/webhook/v1alpha2/linodeobjectstoragebucket_webhook_test.go

@@ -33,7 +33,7 @@ import (
 	. "github.com/linode/cluster-api-provider-linode/mock/mocktest"
 )
 
-func TestValidateLinodeObjectStorageBucket(t *testing.T) {
+func TestValidateLinodeObjectStorageBucketSpec(t *testing.T) {
 	t.Parallel()
 
 	var (
@@ -63,7 +63,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 				Result("success", func(ctx context.Context, mck Mock) {
 					bucket := bucket
 					bucket.Spec.Region = "iad"
-					assert.NoError(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, true))
+					assert.Nil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, true))
 				}),
 			),
 			Path(
@@ -75,7 +75,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 				Result("success", func(ctx context.Context, mck Mock) {
 					bucket := bucket
 					bucket.Spec.Region = "us-iad"
-					assert.NoError(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, true))
+					assert.Nil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, true))
 				}),
 			),
 			Path(
@@ -87,7 +87,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 				Result("success", func(ctx context.Context, mck Mock) {
 					bucket := bucket
 					bucket.Spec.Region = "us-iad-1"
-					assert.NoError(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, true))
+					assert.Nil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, true))
 				}),
 			),
 		),
@@ -98,7 +98,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 				Result("error", func(ctx context.Context, mck Mock) {
 					bucket := bucket
 					bucket.Spec.Region = "123invalid"
-					assert.Error(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, false))
+					assert.NotNil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, false))
 				}),
 			),
 			Path(
@@ -107,7 +107,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 				Result("error", func(ctx context.Context, mck Mock) {
 					bucket := bucket
 					bucket.Spec.Region = "invalid-2-2"
-					assert.Error(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, false))
+					assert.NotNil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, false))
 				}),
 			),
 			Path(
@@ -117,7 +117,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 				Result("error", func(ctx context.Context, mck Mock) {
 					bucket := bucket
 					bucket.Spec.Region = "us-1"
-					assert.Error(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, false))
+					assert.NotNil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, false))
 				}),
 			),
 			Path(
@@ -127,7 +127,7 @@ func TestValidateLinodeObjectStorageBucket(t *testing.T) {
 					mck.LinodeClient.EXPECT().GetRegion(gomock.Any(), gomock.Any()).Return(&region, nil).AnyTimes()
 				}),
 				Result("error", func(ctx context.Context, mck Mock) {
-					assert.Error(t, objvalidator.validateLinodeObjectStorageBucket(ctx, &bucket, mck.LinodeClient, false))
+					assert.NotNil(t, objvalidator.validateLinodeObjectStorageBucketSpec(ctx, &bucket, mck.LinodeClient, false))
 				}),
 			),
 		),