feat: adds a generic checker package with registry checks

faiq · faiq · commit 9435dce218de · 2025-06-26T14:47:18.000-07:00
diff --git a/cmd/main.go b/cmd/main.go
@@ -42,6 +42,7 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/options"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/cluster"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+	preflightgeneric "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/generic"
 	preflightnutanix "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/nutanix"
 )
 
@@ -241,6 +242,7 @@ func main() {
 		Handler: preflight.New(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme()),
 			[]preflight.Checker{
 				// Add your preflight checkers here.
+				preflightgeneric.Checker,
 				preflightnutanix.Checker,
 			}...,
 		),
diff --git a/go.mod b/go.mod
@@ -28,6 +28,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
 	github.com/pkg/errors v0.9.1
+	github.com/regclient/regclient v0.8.3
 	github.com/samber/lo v1.51.0
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
diff --git a/go.sum b/go.sum
@@ -270,6 +270,8 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/regclient/regclient v0.8.3 h1:AFAPu/vmOYGyY22AIgzdBUKbzH+83lEpRioRYJ/reCs=
+github.com/regclient/regclient v0.8.3/go.mod h1:gjQh5uBVZoo/CngchghtQh9Hx81HOMKRRDd5WPcPkbk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.2 h1:YwD0ulJSJytLpiaWua0sBDusfsCZohxjxzVTYjwxfV8=
 github.com/rivo/uniseg v0.4.2/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
diff --git a/pkg/webhook/preflight/generic/checker.go b/pkg/webhook/preflight/generic/checker.go
@@ -0,0 +1,47 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package generic
+
+import (
+	"context"
+
+	"github.com/go-logr/logr"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+var Checker = &genericChecker{
+	registryCheckFactory: newRegistryCheck,
+}
+
+type genericChecker struct {
+	registryCheckFactory func(
+		cd *checkDependencies,
+	) []preflight.Check
+}
+
+type checkDependencies struct {
+	kclient                  ctrlclient.Client
+	cluster                  *clusterv1.Cluster
+	genericClusterConfigSpec *carenv1.GenericClusterConfigSpec
+	log                      logr.Logger
+}
+
+func (g *genericChecker) Init(
+	ctx context.Context,
+	kclient ctrlclient.Client,
+	cluster *clusterv1.Cluster,
+) []preflight.Check {
+	cd := &checkDependencies{
+		kclient: kclient,
+		cluster: cluster,
+		log:     ctrl.LoggerFrom(ctx).WithName("preflight/generic"),
+	}
+	checks := []preflight.Check{}
+	checks = append(checks, g.registryCheckFactory(cd)...)
+	return checks
+}
diff --git a/pkg/webhook/preflight/generic/registry.go b/pkg/webhook/preflight/generic/registry.go
@@ -0,0 +1,176 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package generic
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+
+	"github.com/regclient/regclient"
+	"github.com/regclient/regclient/config"
+	"github.com/regclient/regclient/types/ref"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+var (
+	registryMirrorVarPath    = "cluster.spec.topology.variables[.name=clusterConfig].value.globalImageRegistryMirror"
+	mirrorURLValidationRegex = regexp.MustCompile(`^https?://`) // in order to use regclient we need to pass just a hostname
+	// this regex allows us to strip it so we can verify connectivity for this test.
+)
+
+type registyCheck struct {
+	registryMirror *carenv1.GlobalImageRegistryMirror
+	imageRegistry  *carenv1.ImageRegistry
+	field          string
+	kclient        ctrlclient.Client
+	cluster        *clusterv1.Cluster
+}
+
+func (r *registyCheck) Name() string {
+	return "RegistryCredentials"
+}
+
+func (r *registyCheck) Run(ctx context.Context) preflight.CheckResult {
+	if r.registryMirror != nil {
+		return r.checkRegistry(
+			ctx,
+			mirrorURLValidationRegex.ReplaceAllString(r.registryMirror.URL, ""),
+			r.registryMirror.Credentials,
+		)
+	}
+	if r.imageRegistry != nil {
+		return r.checkRegistry(
+			ctx,
+			mirrorURLValidationRegex.ReplaceAllString(r.imageRegistry.URL, ""),
+			r.imageRegistry.Credentials,
+		)
+	}
+	return preflight.CheckResult{
+		Allowed: true,
+	}
+}
+
+func (r *registyCheck) checkRegistry(ctx context.Context, registryURL string, credentials *carenv1.RegistryCredentials) preflight.CheckResult {
+	result := preflight.CheckResult{
+		Allowed: false,
+	}
+	mirrorHost := config.Host{
+		Name: registryURL,
+	}
+	if credentials != nil && credentials.SecretRef != nil {
+		mirrorCredentialsSecret := &corev1.Secret{}
+		err := r.kclient.Get(
+			ctx,
+			types.NamespacedName{
+				Namespace: r.cluster.Namespace,
+				Name:      r.registryMirror.Credentials.SecretRef.Name,
+			},
+			mirrorCredentialsSecret,
+		)
+		if err != nil {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes,
+				preflight.Cause{
+					Message: fmt.Sprintf("failed to get Registry credentials Secret: %s", err),
+					Field:   fmt.Sprintf("%s.credentials.secretRef", registryMirrorVarPath),
+				},
+			)
+			return result
+		}
+		username, ok := mirrorCredentialsSecret.Data["username"]
+		if !ok {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes,
+				preflight.Cause{
+					Message: "failed to get username from Registry credentials Secret. secret must have field username.",
+					Field:   fmt.Sprintf("%s.credentials.secretRef", registryMirrorVarPath),
+				},
+			)
+			return result
+		}
+		password, ok := mirrorCredentialsSecret.Data["password"]
+		if !ok {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes,
+				preflight.Cause{
+					Message: "failed to get username from Registry credentials Secret. secret must have field password.",
+					Field:   fmt.Sprintf("%s.credentials.secretRef", registryMirrorVarPath),
+				},
+			)
+			return result
+		}
+		mirrorHost.User = string(username)
+		mirrorHost.Pass = string(password)
+		if caCert, ok := mirrorCredentialsSecret.Data["ca.crt"]; ok {
+			mirrorHost.RegCert = string(caCert)
+		}
+	}
+	rc := regclient.New(
+		regclient.WithConfigHost(mirrorHost),
+		regclient.WithUserAgent("regclient/example"),
+	)
+	mirrorRef, err := ref.NewHost(mirrorHost.Hostname)
+	if err != nil {
+		result.Allowed = false
+		result.Error = true
+		result.Causes = append(result.Causes,
+			preflight.Cause{
+				Message: "failed to create a client to verify registry configuration",
+				Field:   registryMirrorVarPath,
+			},
+		)
+		return result
+	}
+	_, err = rc.Ping(ctx, mirrorRef) // ping will return an error for anything that's not 200
+	if err != nil {
+		result.Allowed = false
+		result.Error = true
+		result.Causes = append(result.Causes,
+			preflight.Cause{
+				Message: fmt.Sprintf("failed to ping registry %s with err: %s", mirrorHost.Hostname, err.Error()),
+				Field:   registryMirrorVarPath,
+			},
+		)
+		return result
+	}
+	result.Allowed = true
+	result.Error = false
+	return result
+}
+
+func newRegistryCheck(
+	cd *checkDependencies,
+) []preflight.Check {
+	checks := []preflight.Check{}
+	if cd.genericClusterConfigSpec != nil &&
+		cd.genericClusterConfigSpec.GlobalImageRegistryMirror != nil {
+		checks = append(checks, &registyCheck{
+			field:          "cluster.spec.topology.variables[.name=clusterConfig].value.globalImageRegistryMirror",
+			kclient:        cd.kclient,
+			registryMirror: cd.genericClusterConfigSpec.GlobalImageRegistryMirror,
+			cluster:        cd.cluster,
+		})
+	}
+	if cd.genericClusterConfigSpec != nil && len(cd.genericClusterConfigSpec.ImageRegistries) > 0 {
+		for i, registry := range cd.genericClusterConfigSpec.ImageRegistries {
+			checks = append(checks, &registyCheck{
+				field:         fmt.Sprintf("cluster.spec.topology.variables[.name=clusterConfig].value.imageRegistries[%d]", i),
+				kclient:       cd.kclient,
+				imageRegistry: &registry,
+				cluster:       cd.cluster,
+			})
+		}
+	}
+	return checks
+}
