feat(preflight): Add VM Image kubernetes version check

thunderboltsid · thunderboltsid · commit e775ae4e1311 · 2025-06-23T23:53:01.000+02:00
This check ensures images that have the standard NKP naming scheme
have the image with the same kubernetes version as the cluster
version.
diff --git a/pkg/webhook/preflight/nutanix/checker.go b/pkg/webhook/preflight/nutanix/checker.go
@@ -18,10 +18,11 @@ import (
 )
 
 var Checker = &nutanixChecker{
-	configurationCheckFactory:     newConfigurationCheck,
-	credentialsCheckFactory:       newCredentialsCheck,
-	vmImageChecksFactory:          newVMImageChecks,
-	storageContainerChecksFactory: newStorageContainerChecks,
+	configurationCheckFactory:             newConfigurationCheck,
+	credentialsCheckFactory:               newCredentialsCheck,
+	vmImageChecksFactory:                  newVMImageChecks,
+	vmImageKubernetesVersionChecksFactory: newVMImageKubernetesVersionChecks,
+	storageContainerChecksFactory:         newStorageContainerChecks,
 }
 
 type nutanixChecker struct {
@@ -39,6 +40,10 @@ type nutanixChecker struct {
 		cd *checkDependencies,
 	) []preflight.Check
 
+	vmImageKubernetesVersionChecksFactory func(
+		cd *checkDependencies,
+	) []preflight.Check
+
 	storageContainerChecksFactory func(
 		cd *checkDependencies,
 	) []preflight.Check
@@ -74,6 +79,7 @@ func (n *nutanixChecker) Init(
 	}
 
 	checks = append(checks, n.vmImageChecksFactory(cd)...)
+	checks = append(checks, n.vmImageKubernetesVersionChecksFactory(cd)...)
 	checks = append(checks, n.storageContainerChecksFactory(cd)...)
 
 	// Add more checks here as needed.
diff --git a/pkg/webhook/preflight/nutanix/checker_test.go b/pkg/webhook/preflight/nutanix/checker_test.go
@@ -33,24 +33,26 @@ func (m *mockCheck) Run(ctx context.Context) preflight.CheckResult {
 
 func TestNutanixChecker_Init(t *testing.T) {
 	tests := []struct {
-		name                       string
-		nutanixConfig              *carenv1.NutanixClusterConfigSpec
-		workerNodeConfigs          map[string]*carenv1.NutanixWorkerNodeConfigSpec
-		expectedCheckCount         int
-		expectedFirstCheckName     string
-		expectedSecondCheckName    string
-		vmImageCheckCount          int
-		storageContainerCheckCount int
+		name                               string
+		nutanixConfig                      *carenv1.NutanixClusterConfigSpec
+		workerNodeConfigs                  map[string]*carenv1.NutanixWorkerNodeConfigSpec
+		expectedCheckCount                 int
+		expectedFirstCheckName             string
+		expectedSecondCheckName            string
+		vmImageCheckCount                  int
+		vmImageKubernetesVersionCheckCount int
+		storageContainerCheckCount         int
 	}{
 		{
-			name:                       "basic initialization with no configs",
-			nutanixConfig:              nil,
-			workerNodeConfigs:          nil,
-			expectedCheckCount:         2, // config check and credentials check
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          0,
-			storageContainerCheckCount: 0,
+			name:                               "basic initialization with no configs",
+			nutanixConfig:                      nil,
+			workerNodeConfigs:                  nil,
+			expectedCheckCount:                 2, // config check and credentials check
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  0,
+			vmImageKubernetesVersionCheckCount: 0,
+			storageContainerCheckCount:         0,
 		},
 		{
 			name: "initialization with control plane config",
@@ -59,12 +61,13 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			workerNodeConfigs:          nil,
-			expectedCheckCount:         4, // config check, credentials check, 1 VM image check, 1 storage container check
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          1,
-			storageContainerCheckCount: 1,
+			workerNodeConfigs:                  nil,
+			expectedCheckCount:                 5, //nolint:lll // config check, credentials check, 1 VM image check, 1 storage container check, 1 VM image Kubernetes version check
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  1,
+			vmImageKubernetesVersionCheckCount: 1,
+			storageContainerCheckCount:         1,
 		},
 		{
 			name:          "initialization with worker node configs",
@@ -77,11 +80,12 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			expectedCheckCount:         6, // config check, credentials check, 2 VM image checks, 2 storage container checks
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          2,
-			storageContainerCheckCount: 2,
+			expectedCheckCount:                 8, //nolint:lll // config check, credentials check, 2 VM image checks, 2 storage container checks, 2 VM image Kubernetes version checks
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  2,
+			vmImageKubernetesVersionCheckCount: 2,
+			storageContainerCheckCount:         2,
 		},
 		{
 			name: "initialization with both control plane and worker node configs",
@@ -95,12 +99,12 @@ func TestNutanixChecker_Init(t *testing.T) {
 					Nutanix: &carenv1.NutanixNodeSpec{},
 				},
 			},
-			// config check, credentials check, 2 VM image checks (1 CP + 1 worker), 2 storage container checks (1 CP + 1 worker)
-			expectedCheckCount:         6,
-			expectedFirstCheckName:     "NutanixConfiguration",
-			expectedSecondCheckName:    "NutanixCredentials",
-			vmImageCheckCount:          2,
-			storageContainerCheckCount: 2,
+			expectedCheckCount:                 8, //nolint:lll // config check, credentials check, 2 VM image checks (1 CP + 1 worker), 2 storage container checks (1 CP + 1 worker), 2 VM image Kubernetes version checks
+			expectedFirstCheckName:             "NutanixConfiguration",
+			expectedSecondCheckName:            "NutanixCredentials",
+			vmImageCheckCount:                  2,
+			vmImageKubernetesVersionCheckCount: 2,
+			storageContainerCheckCount:         2,
 		},
 	}
 
@@ -114,6 +118,7 @@ func TestNutanixChecker_Init(t *testing.T) {
 			credsCheckCalled := false
 			vmImageCheckCount := 0
 			storageContainerCheckCount := 0
+			vmImageKubernetesVersionCheckCount := 0
 
 			checker.configurationCheckFactory = func(cd *checkDependencies) preflight.Check {
 				configCheckCalled = true
@@ -167,6 +172,22 @@ func TestNutanixChecker_Init(t *testing.T) {
 				return checks
 			}
 
+			checker.vmImageKubernetesVersionChecksFactory = func(cd *checkDependencies) []preflight.Check {
+				checks := []preflight.Check{}
+				for i := 0; i < tt.vmImageKubernetesVersionCheckCount; i++ {
+					vmImageKubernetesVersionCheckCount++
+					checks = append(checks,
+						&mockCheck{
+							name: fmt.Sprintf("NutanixVMImageKubernetesVersion-%d", i),
+							result: preflight.CheckResult{
+								Allowed: true,
+							},
+						},
+					)
+				}
+				return checks
+			}
+
 			// Call Init
 			ctx := context.Background()
 			checks := checker.Init(ctx, nil, &clusterv1.Cluster{
diff --git a/pkg/webhook/preflight/nutanix/imagekubernetesversioncheck.go b/pkg/webhook/preflight/nutanix/imagekubernetesversioncheck.go
@@ -0,0 +1,167 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package nutanix
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	vmmv4 "github.com/nutanix/ntnx-api-golang-clients/vmm-go-client/v4/models/vmm/v4/content"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+// Examples: nkp-ubuntu-22.04-vgpu-1.32.3-20250604180644, nkp-rocky-9.5-release-cis-1.32.3-20250430150550.
+var kubernetesVersionRegex = regexp.MustCompile(`-(\d+\.\d+\.\d+)-\d{14}$`)
+
+type imageKubernetesVersionCheck struct {
+	machineDetails    *carenv1.NutanixMachineDetails
+	field             string
+	nclient           client
+	clusterK8sVersion string
+}
+
+func (c *imageKubernetesVersionCheck) Name() string {
+	return "NutanixVMImageKubernetesVersion"
+}
+
+func (c *imageKubernetesVersionCheck) Run(ctx context.Context) preflight.CheckResult {
+	if c.machineDetails.ImageLookup != nil {
+		return preflight.CheckResult{
+			Allowed:  true,
+			Warnings: []string{fmt.Sprintf("%s uses imageLookup, which is not yet supported by checks", c.field)},
+		}
+	}
+
+	if c.machineDetails.Image != nil {
+		images, err := getVMImages(c.nclient, c.machineDetails.Image)
+		if err != nil {
+			return preflight.CheckResult{
+				Allowed: false,
+				Error:   true,
+				Causes: []preflight.Cause{
+					{
+						Message: fmt.Sprintf("failed to get VM Image: %s", err),
+						Field:   c.field,
+					},
+				},
+			}
+		}
+
+		if len(images) == 0 {
+			return preflight.CheckResult{
+				Allowed:  true,
+				Warnings: []string{"expected to find 1 VM Image, found none"},
+			}
+		}
+
+		if err := c.checkKubernetesVersion(&images[0]); err != nil {
+			return preflight.CheckResult{
+				Allowed: false,
+				Error:   true,
+				Causes: []preflight.Cause{
+					{
+						Message: err.Error(),
+						Field:   c.field,
+					},
+				},
+			}
+		}
+	}
+
+	return preflight.CheckResult{Allowed: true}
+}
+
+func (c *imageKubernetesVersionCheck) checkKubernetesVersion(image *vmmv4.Image) error {
+	imageName := ""
+	if image.Name != nil {
+		imageName = *image.Name
+	}
+
+	if imageName == "" {
+		return fmt.Errorf("VM image name is empty")
+	}
+
+	imageK8sVersion, err := extractKubernetesVersionFromImageName(imageName)
+	if err != nil {
+		return fmt.Errorf("failed to extract Kubernetes version from image name '%s': %s. "+
+			"This check assumes NKP image naming convention. "+
+			"You can opt out of this check if using custom image naming", imageName, err)
+	}
+
+	if imageK8sVersion != c.clusterK8sVersion {
+		return fmt.Errorf(
+			"kubernetes version mismatch: cluster version '%s' does not match image version '%s' (from image name '%s')",
+			c.clusterK8sVersion,
+			imageK8sVersion,
+			imageName,
+		)
+	}
+
+	return nil
+}
+
+// Examples: nkp-ubuntu-22.04-vgpu-1.32.3-20250604180644 -> 1.32.3.
+func extractKubernetesVersionFromImageName(imageName string) (string, error) {
+	matches := kubernetesVersionRegex.FindStringSubmatch(imageName)
+	if len(matches) < 2 {
+		return "", fmt.Errorf(
+			"image name does not match expected NKP naming convention (expected pattern: *-<k8s-version>-<timestamp>)",
+		)
+	}
+	return matches[1], nil
+}
+
+func newVMImageKubernetesVersionChecks(
+	cd *checkDependencies,
+) []preflight.Check {
+	checks := make([]preflight.Check, 0)
+
+	if cd.nclient == nil {
+		return checks
+	}
+
+	// Get cluster Kubernetes version for version matching
+	clusterK8sVersion := ""
+	if cd.cluster != nil && cd.cluster.Spec.Topology != nil && cd.cluster.Spec.Topology.Version != "" {
+		clusterK8sVersion = strings.TrimPrefix(cd.cluster.Spec.Topology.Version, "v")
+	}
+
+	// If cluster Kubernetes version is not specified, skip the check.
+	if clusterK8sVersion == "" {
+		return checks
+	}
+
+	if cd.nutanixClusterConfigSpec != nil && cd.nutanixClusterConfigSpec.ControlPlane != nil &&
+		cd.nutanixClusterConfigSpec.ControlPlane.Nutanix != nil {
+		checks = append(checks,
+			&imageKubernetesVersionCheck{
+				machineDetails: &cd.nutanixClusterConfigSpec.ControlPlane.Nutanix.MachineDetails,
+				field: "cluster.spec.topology.variables[.name=clusterConfig]" +
+					".value.nutanix.controlPlane.machineDetails",
+				nclient:           cd.nclient,
+				clusterK8sVersion: clusterK8sVersion,
+			},
+		)
+	}
+
+	for mdName, nutanixWorkerNodeConfigSpec := range cd.nutanixWorkerNodeConfigSpecByMachineDeploymentName {
+		if nutanixWorkerNodeConfigSpec.Nutanix != nil {
+			checks = append(checks,
+				&imageKubernetesVersionCheck{
+					machineDetails: &nutanixWorkerNodeConfigSpec.Nutanix.MachineDetails,
+					field: fmt.Sprintf("cluster.spec.topology.workers.machineDeployments[.name=%s]"+
+						".variables[.name=workerConfig].value.nutanix.machineDetails", mdName),
+					nclient:           cd.nclient,
+					clusterK8sVersion: clusterK8sVersion,
+				},
+			)
+		}
+	}
+
+	return checks
+}
diff --git a/pkg/webhook/preflight/nutanix/imagekubernetesversioncheck_test.go b/pkg/webhook/preflight/nutanix/imagekubernetesversioncheck_test.go
