feat: Preflight check opt-out

Author: dlipovetsky

pkg/webhook/preflight/optout/optout.go

@@ -0,0 +1,80 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package optout
+
+import (
+	"strings"
+
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+)
+
+const (
+	// AnnotationKey is the key of the annotation on the Cluster used to opt out preflight checks.
+	AnnotationKey = "preflight.cluster.caren.nutanix.com/opt-out"
+
+	// OptOutAllChecksAnnotationValue is the value used in the cluster's annotations to indicate
+	// that all checks are opted out.
+	OptOutAllChecksAnnotationValue = "all"
+)
+
+type Evaluator struct {
+	normalizedCheckNames map[string]struct{}
+	all                  bool
+}
+
+// New creates a new Evaluator from the cluster's annotations.
+func New(cluster *clusterv1.Cluster) *Evaluator {
+	o := &Evaluator{
+		normalizedCheckNames: make(map[string]struct{}),
+	}
+
+	annotations := cluster.GetAnnotations()
+	if annotations == nil {
+		// If there are no annotations, return an Evaluator with no prefixes.
+		return o
+	}
+
+	value, exists := annotations[AnnotationKey]
+	if !exists {
+		// If the annotation does not exist, return an Evaluator with no prefixes.
+		return o
+	}
+
+	for _, checkName := range strings.Split(value, ",") {
+		if checkName == "" {
+			// Ignore whitespace between commas.
+			continue
+		}
+		normalizedCheckName := strings.TrimSpace(strings.ToLower(checkName))
+		o.normalizedCheckNames[normalizedCheckName] = struct{}{}
+	}
+	if _, exists := o.normalizedCheckNames[OptOutAllChecksAnnotationValue]; exists && len(o.normalizedCheckNames) == 1 {
+		o.all = true
+	}
+	return o
+}
+
+// For checks if the cluster has opted out of a specific check.
+// It returns true if the cluster has opted out of the check with the given name.
+// The check name is case-insensitive, so "CheckName1" and "checkname1" will both match.
+// If the cluster has opted out of all checks, For will return true for any check name.
+//
+// For example, if the cluster has opted out of "CheckName1", then calling
+// For("CheckName1") or For("checkname1") will return true, but For("CheckName2") will
+// return false.
+func (o *Evaluator) For(checkName string) bool {
+	if o.all {
+		// If the cluster has opted out of all checks, return true for any check name.
+		return true
+	}
+	normalizedCheckName := strings.TrimSpace(strings.ToLower(checkName))
+	_, exists := o.normalizedCheckNames[normalizedCheckName]
+	return exists
+}
+
+// ForAll checks if the cluster has opted out of all checks.
+// It returns true if the cluster has a single prefix "all" in its opt-out annotations.
+// The check is case-insensitive, so "all", "ALL", and "All" will all match.
+func (o *Evaluator) ForAll() bool {
+	return o.all
+}

pkg/webhook/preflight/optout/optout_test.go

@@ -0,0 +1,255 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package optout
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+)
+
+func TestNew(t *testing.T) {
+	testCases := []struct {
+		name             string
+		annotations      map[string]string
+		expectCheckNames map[string]struct{}
+	}{
+		{
+			name:             "ignores nil annotations",
+			annotations:      nil,
+			expectCheckNames: map[string]struct{}{},
+		},
+		{
+			name:             "ignores empty annotations",
+			annotations:      map[string]string{},
+			expectCheckNames: map[string]struct{}{},
+		},
+		{
+			name: "ignores missing annotation key",
+			annotations: map[string]string{
+				"some-other-key": "value",
+			},
+			expectCheckNames: map[string]struct{}{},
+		},
+		{
+			name: "ignores empty opt-out value",
+			annotations: map[string]string{
+				AnnotationKey: "",
+			},
+			expectCheckNames: map[string]struct{}{},
+		},
+		{
+			name: "ignores empty check names",
+			annotations: map[string]string{
+				AnnotationKey: "InfraVMImage,,InfraCredentials,",
+			},
+			expectCheckNames: map[string]struct{}{
+				"infravmimage":     {},
+				"infracredentials": {},
+			},
+		},
+		{
+			name: "ignores value of only commas",
+			annotations: map[string]string{
+				AnnotationKey: ",,,",
+			},
+			expectCheckNames: map[string]struct{}{},
+		},
+		{
+			name: "accepts single check name",
+			annotations: map[string]string{
+				AnnotationKey: "InfraVMImage",
+			},
+			expectCheckNames: map[string]struct{}{
+				"infravmimage": {},
+			},
+		},
+		{
+			name: "accepts multiple check names",
+			annotations: map[string]string{
+				AnnotationKey: "InfraVMImage,InfraCredentials",
+			},
+			expectCheckNames: map[string]struct{}{
+				"infravmimage":     {},
+				"infracredentials": {},
+			},
+		},
+		{
+			name: "trims spaces from check names",
+			annotations: map[string]string{
+				AnnotationKey: " InfraVMImage , InfraCredentials ",
+			},
+			expectCheckNames: map[string]struct{}{
+				"infravmimage":     {},
+				"infracredentials": {},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cluster := &clusterv1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tc.annotations,
+				},
+			}
+
+			evaluator := New(cluster)
+			assert.Equal(t, tc.expectCheckNames, evaluator.normalizedCheckNames)
+		})
+	}
+}
+
+func TestEvaluator_For(t *testing.T) {
+	testCases := []struct {
+		name        string
+		annotations map[string]string
+		checkName   string
+		expectMatch bool
+	}{
+		{
+			name:        "no annotations",
+			annotations: nil,
+			checkName:   "InfraVMImage",
+			expectMatch: false,
+		},
+		{
+			name:        "no opt-out annotation",
+			annotations: map[string]string{},
+			checkName:   "InfraVMImage",
+			expectMatch: false,
+		},
+		{
+			name: "empty annotation value",
+			annotations: map[string]string{
+				AnnotationKey: "",
+			},
+			checkName:   "InfraVMImage",
+			expectMatch: false,
+		},
+		{
+			name: "opt out of InfraVMImage check",
+			annotations: map[string]string{
+				AnnotationKey: "InfraVMImage,InfraCredentials",
+			},
+			checkName:   "InfraVMImage",
+			expectMatch: true,
+		},
+		{
+			name: "opt out of credentials, but not image",
+			annotations: map[string]string{
+				AnnotationKey: "InfraCredentials",
+			},
+			checkName:   "InfraVMImage",
+			expectMatch: false,
+		},
+		{
+			name: "opt out with spaces and case mixing",
+			annotations: map[string]string{
+				AnnotationKey: " infraVMImage , InfraCredentials ",
+			},
+			checkName:   "InfraVMImage",
+			expectMatch: true,
+		},
+		{
+			name: "extra commas do not affect matching",
+			annotations: map[string]string{
+				AnnotationKey: "InfraVMImage,,InfraCredentials,",
+			},
+			checkName:   "InfraVMImage",
+			expectMatch: true,
+		},
+		{
+			name: "opt out of all checks",
+			annotations: map[string]string{
+				AnnotationKey: "all",
+			},
+			checkName:   "InfraVMImage",
+			expectMatch: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cluster := &clusterv1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tc.annotations,
+				},
+			}
+
+			evaluator := New(cluster)
+			result := evaluator.For(tc.checkName)
+			assert.Equal(t, tc.expectMatch, result)
+		})
+	}
+}
+
+func TestEvaluator_ForAll(t *testing.T) {
+	testCases := []struct {
+		name        string
+		annotations map[string]string
+		expectMatch bool
+	}{
+		{
+			name:        "no annotations",
+			annotations: nil,
+			expectMatch: false,
+		},
+		{
+			name:        "no opt-out annotation",
+			annotations: map[string]string{},
+			expectMatch: false,
+		},
+		{
+			name: "empty annotation value",
+			annotations: map[string]string{
+				AnnotationKey: "",
+			},
+		},
+		{
+			name: "opt out of all checks with spaces and case mixing",
+			annotations: map[string]string{
+				AnnotationKey: " aLL ",
+			},
+			expectMatch: true,
+		},
+		{
+			name: "opt out of all checks with extra commas",
+			annotations: map[string]string{
+				AnnotationKey: ",all,,",
+			},
+			expectMatch: true,
+		},
+		{
+			name: "opt out of all checks",
+			annotations: map[string]string{
+				AnnotationKey: "all",
+			},
+			expectMatch: true,
+		},
+		{
+			name: "opt out of some checks, but not all",
+			annotations: map[string]string{
+				AnnotationKey: "OneCheck,AnotherCheck",
+			},
+			expectMatch: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			cluster := &clusterv1.Cluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: tc.annotations,
+				},
+			}
+
+			evaluator := New(cluster)
+			result := evaluator.ForAll()
+			assert.Equal(t, tc.expectMatch, result)
+		})
+	}
+}

pkg/webhook/preflight/preflight.go

@@ -15,6 +15,8 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/optout"
 )
 
 type (
@@ -93,6 +95,11 @@ func (h *WebhookHandler) Handle(ctx context.Context, req admission.Request) admi
 		return admission.Allowed("")
 	}
 
+	if optout.New(cluster).ForAll() {
+		// If the cluster has opted out of all checks, return allowed.
+		return admission.Allowed("Cluster has opted out of all preflight checks")
+	}
+
 	resultsOrderedByCheckerAndCheck := run(ctx, h.client, cluster, h.checkers)
 
 	// Summarize the results.