feat(preflight): Add VM Image kubernetes version check

This check ensures images that have the standard NKP naming scheme
have the image with the same kubernetes version as the cluster
version.

Author: thunderboltsid

pkg/webhook/preflight/nutanix/checker.go

@@ -18,9 +18,10 @@ import (
 )
 
 var Checker = &nutanixChecker{
-	configurationCheckFactory: newConfigurationCheck,
-	credentialsCheckFactory:   newCredentialsCheck,
-	vmImageChecksFactory:      newVMImageChecks,
+	configurationCheckFactory:             newConfigurationCheck,
+	credentialsCheckFactory:               newCredentialsCheck,
+	vmImageChecksFactory:                  newVMImageChecks,
+	vmImageKubernetesVersionChecksFactory: newVMImageKubernetesVersionChecks,
 }
 
 type nutanixChecker struct {
@@ -37,6 +38,10 @@ type nutanixChecker struct {
 	vmImageChecksFactory func(
 		cd *checkDependencies,
 	) []preflight.Check
+
+	vmImageKubernetesVersionChecksFactory func(
+		cd *checkDependencies,
+	) []preflight.Check
 }
 
 type checkDependencies struct {
@@ -69,6 +74,7 @@ func (n *nutanixChecker) Init(
 	}
 
 	checks = append(checks, n.vmImageChecksFactory(cd)...)
+	checks = append(checks, n.vmImageKubernetesVersionChecksFactory(cd)...)
 
 	// Add more checks here as needed.
 

pkg/webhook/preflight/nutanix/checker_test.go

@@ -33,22 +33,24 @@ func (m *mockCheck) Run(ctx context.Context) preflight.CheckResult {
 
 func TestNutanixChecker_Init(t *testing.T) {
 	tests := []struct {
-		name                    string
-		nutanixConfig           *carenv1.NutanixClusterConfigSpec
-		workerNodeConfigs       map[string]*carenv1.NutanixWorkerNodeConfigSpec
-		expectedCheckCount      int
-		expectedFirstCheckName  string
-		expectedSecondCheckName string
-		vmImageCheckCount       int
+		name                               string
+		nutanixConfig                      *carenv1.NutanixClusterConfigSpec
+		workerNodeConfigs                  map[string]*carenv1.NutanixWorkerNodeConfigSpec
+		expectedCheckCount                 int
+		expectedFirstCheckName             string
+		expectedSecondCheckName            string
+		vmImageCheckCount                  int
+		vmImageKubernetesVersionCheckCount int
 	}{
 		{
-			name:                    "basic initialization with no configs",
-			nutanixConfig:           nil,
-			workerNodeConfigs:       nil,
-			expectedCheckCount:      2, // config check and credentials check
-			expectedFirstCheckName:  "NutanixConfiguration",
-			expectedSecondCheckName: "NutanixCredentials",
-			vmImageCheckCount:       0,
+			name:                               "basic initialization with no configs",
+			nutanixConfig:                      nil,
+			workerNodeConfigs:                  nil,
+			expectedCheckCount:                 2, // config check and credentials check
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  0,
+			vmImageKubernetesVersionCheckCount: 0,
 		},
 		{
 			name: "initialization with control plane config",
@@ -57,11 +59,12 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			workerNodeConfigs:       nil,
-			expectedCheckCount:      3, // config check, credentials check, 1 VM image check
-			expectedFirstCheckName:  "NutanixConfiguration",
-			expectedSecondCheckName: "NutanixCredentials",
-			vmImageCheckCount:       1,
+			workerNodeConfigs:                  nil,
+			expectedCheckCount:                 4, // config check, credentials check, 1 VM image check
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  1,
+			vmImageKubernetesVersionCheckCount: 1,
 		},
 		{
 			name:          "initialization with worker node configs",
@@ -74,10 +77,11 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			expectedCheckCount:      4, // config check, credentials check, 2 VM image checks
-			expectedFirstCheckName:  "NutanixConfiguration",
-			expectedSecondCheckName: "NutanixCredentials",
-			vmImageCheckCount:       2,
+			expectedCheckCount:                 6, // config check, credentials check, 2 VM image checks
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  2,
+			vmImageKubernetesVersionCheckCount: 2,
 		},
 		{
 			name: "initialization with both control plane and worker node configs",
@@ -91,10 +95,11 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			expectedCheckCount:      4, // config check, credentials check, 2 VM image checks (1 CP + 1 worker)
-			expectedFirstCheckName:  "NutanixConfiguration",
-			expectedSecondCheckName: "NutanixCredentials",
-			vmImageCheckCount:       2,
+			expectedCheckCount:                 6, // config check, credentials check, 2 VM image checks (1 CP + 1 worker)
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  2,
+			vmImageKubernetesVersionCheckCount: 2,
 		},
 	}
 
@@ -107,6 +112,7 @@ func TestNutanixChecker_Init(t *testing.T) {
 			configCheckCalled := false
 			credsCheckCalled := false
 			vmImageCheckCount := 0
+			vmImageKubernetesVersionCheckCount := 0
 
 			checker.configurationCheckFactory = func(cd *checkDependencies) preflight.Check {
 				configCheckCalled = true
@@ -144,6 +150,22 @@ func TestNutanixChecker_Init(t *testing.T) {
 				return checks
 			}
 
+			checker.vmImageKubernetesVersionChecksFactory = func(cd *checkDependencies) []preflight.Check {
+				checks := []preflight.Check{}
+				for i := 0; i < tt.vmImageKubernetesVersionCheckCount; i++ {
+					vmImageKubernetesVersionCheckCount++
+					checks = append(checks,
+						&mockCheck{
+							name: fmt.Sprintf("NutanixVMImageKubernetesVersion-%d", i),
+							result: preflight.CheckResult{
+								Allowed: true,
+							},
+						},
+					)
+				}
+				return checks
+			}
+
 			// Call Init
 			ctx := context.Background()
 			checks := checker.Init(ctx, nil, &clusterv1.Cluster{

pkg/webhook/preflight/nutanix/imagekubernetesversioncheck.go

@@ -0,0 +1,171 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package nutanix
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	vmmv4 "github.com/nutanix/ntnx-api-golang-clients/vmm-go-client/v4/models/vmm/v4/content"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+// Examples: nkp-ubuntu-22.04-vgpu-1.32.3-20250604180644, nkp-rocky-9.5-release-cis-1.32.3-20250430150550.
+var kubernetesVersionRegex = regexp.MustCompile(`-(\d+\.\d+\.\d+)-\d{14}$`)
+
+type imageKubernetesVersionCheck struct {
+	machineDetails    *carenv1.NutanixMachineDetails
+	field             string
+	nclient           client
+	clusterK8sVersion string
+}
+
+func (c *imageKubernetesVersionCheck) Name() string {
+	return "NutanixVMImageKubernetesVersion"
+}
+
+func (c *imageKubernetesVersionCheck) Run(ctx context.Context) preflight.CheckResult {
+	result := preflight.CheckResult{
+		Allowed: false,
+	}
+
+	if c.machineDetails.ImageLookup != nil {
+		result.Allowed = true
+		result.Warnings = append(
+			result.Warnings,
+			fmt.Sprintf("%s uses imageLookup, which is not yet supported by checks", c.field),
+		)
+		return result
+	}
+
+	if c.machineDetails.Image != nil {
+		images, err := getVMImages(c.nclient, c.machineDetails.Image)
+		if err != nil {
+			result.Allowed = false
+			result.Error = true
+			result.Causes = append(result.Causes, preflight.Cause{
+				Message: fmt.Sprintf("failed to get VM Image: %s", err),
+				Field:   c.field,
+			})
+			return result
+		}
+
+		if len(images) != 1 {
+			result.Allowed = false
+			result.Causes = append(result.Causes, preflight.Cause{
+				Message: fmt.Sprintf("expected to find 1 VM Image, found %d", len(images)),
+				Field:   c.field,
+			})
+			return result
+		}
+
+		// Check Kubernetes version if cluster version is provided
+		if c.clusterK8sVersion != "" {
+			if err := c.checkKubernetesVersion(&images[0]); err != nil {
+				result.Allowed = false
+				result.Error = true
+				result.Causes = append(result.Causes, preflight.Cause{
+					Message: err.Error(),
+					Field:   c.field,
+				})
+				return result
+			}
+		}
+
+		result.Allowed = true
+		return result
+	}
+
+	// Neither ImageLookup nor Image is specified.
+	return result
+}
+
+func (c *imageKubernetesVersionCheck) checkKubernetesVersion(image *vmmv4.Image) error {
+	imageName := ""
+	if image.Name != nil {
+		imageName = *image.Name
+	}
+
+	if imageName == "" {
+		return fmt.Errorf("VM image name is empty")
+	}
+
+	imageK8sVersion, err := extractKubernetesVersionFromImageName(imageName)
+	if err != nil {
+		return fmt.Errorf("failed to extract Kubernetes version from image name '%s': %s. "+
+			"This check assumes NKP image naming convention. "+
+			"You can opt out of this check if using custom image naming", imageName, err)
+	}
+
+	if imageK8sVersion != c.clusterK8sVersion {
+		return fmt.Errorf(
+			"kubernetes version mismatch: cluster version '%s' does not match image version '%s' (from image name '%s')",
+			c.clusterK8sVersion,
+			imageK8sVersion,
+			imageName,
+		)
+	}
+
+	return nil
+}
+
+// Examples: nkp-ubuntu-22.04-vgpu-1.32.3-20250604180644 -> 1.32.3.
+func extractKubernetesVersionFromImageName(imageName string) (string, error) {
+	matches := kubernetesVersionRegex.FindStringSubmatch(imageName)
+	if len(matches) < 2 {
+		return "", fmt.Errorf(
+			"image name does not match expected NKP naming convention (expected pattern: *-<k8s-version>-<timestamp>)",
+		)
+	}
+	return matches[1], nil
+}
+
+func newVMImageKubernetesVersionChecks(
+	cd *checkDependencies,
+) []preflight.Check {
+	checks := make([]preflight.Check, 0)
+
+	if cd.nclient == nil {
+		return checks
+	}
+
+	// Get cluster Kubernetes version for version matching
+	clusterK8sVersion := ""
+	if cd.cluster != nil && cd.cluster.Spec.Topology != nil && cd.cluster.Spec.Topology.Version != "" {
+		clusterK8sVersion = strings.TrimPrefix(cd.cluster.Spec.Topology.Version, "v")
+	}
+
+	if cd.nutanixClusterConfigSpec != nil && cd.nutanixClusterConfigSpec.ControlPlane != nil &&
+		cd.nutanixClusterConfigSpec.ControlPlane.Nutanix != nil {
+		checks = append(checks,
+			&imageKubernetesVersionCheck{
+				machineDetails: &cd.nutanixClusterConfigSpec.ControlPlane.Nutanix.MachineDetails,
+				field: "cluster.spec.topology.variables[.name=clusterConfig]" +
+					".value.nutanix.controlPlane.machineDetails",
+				nclient:           cd.nclient,
+				clusterK8sVersion: clusterK8sVersion,
+			},
+		)
+	}
+
+	for mdName, nutanixWorkerNodeConfigSpec := range cd.nutanixWorkerNodeConfigSpecByMachineDeploymentName {
+		if nutanixWorkerNodeConfigSpec.Nutanix != nil {
+			checks = append(checks,
+				&imageKubernetesVersionCheck{
+					machineDetails: &nutanixWorkerNodeConfigSpec.Nutanix.MachineDetails,
+					field: fmt.Sprintf("cluster.spec.topology.workers.machineDeployments[.name=%s]"+
+						".variables[.name=workerConfig].value.nutanix.machineDetails", mdName),
+					nclient:           cd.nclient,
+					clusterK8sVersion: clusterK8sVersion,
+				},
+			)
+		}
+	}
+
+	return checks
+}