Merge pull request #309 from rabi/validate_Secrets

Ensure userData and networkData secrets are in bmhNamespace

Author: openshift-merge-bot[bot]

api/v1beta1/openstackbaremetalset_webhook.go

@@ -29,7 +29,9 @@ import (
 	metal3v1 "github.com/metal3-io/baremetal-operator/apis/metal3.io/v1alpha1"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/labels"
 	"k8s.io/apimachinery/pkg/api/equality"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
 	goClient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -72,8 +74,17 @@ func (r *OpenStackBaremetalSet) ValidateCreate() (admission.Warnings, error) {
 			field.NewPath("Name"),
 			r.Name,
 			fmt.Sprintf("Error validating OpenStackBaremetalSet name %s, name must follow RFC1123", r.Name)))
+		return nil, apierrors.NewInvalid(
+			schema.GroupKind{Group: "baremetal.openstack.org", Kind: "OpenStackBaremetalSet"},
+			r.Name,
+			errors)
 	}
 
+	// Validate userData and networkData secrets namespace
+	err := r.ValidateCloudInitSecrets()
+	if err != nil {
+		return nil, err
+	}
 	//
 	// Validate that there are enough available BMHs for the initial requested count
 	//
@@ -94,6 +105,26 @@ func (r *OpenStackBaremetalSet) ValidateCreate() (admission.Warnings, error) {
 	return nil, nil
 }
 
+// ValidateCloudInitSecrets checks if userData and networkData secrets are in the same namespace as bmh
+func (r *OpenStackBaremetalSet) ValidateCloudInitSecrets() error {
+	var secretsWithIssue []string
+
+	for _, host := range r.Spec.BaremetalHosts {
+		if host.NetworkData != nil && host.NetworkData.Namespace != r.Spec.BmhNamespace {
+			secretsWithIssue = append(secretsWithIssue, host.NetworkData.Name)
+		}
+		if host.UserData != nil && host.UserData.Namespace != r.Spec.BmhNamespace {
+			secretsWithIssue = append(secretsWithIssue, host.UserData.Name)
+		}
+	}
+
+	if len(secretsWithIssue) > 0 {
+		return fmt.Errorf("userData and networkData secrets %v should exist in the bmh namespace %s",
+			secretsWithIssue, r.Spec.BmhNamespace)
+	}
+	return nil
+}
+
 // Validate implements OpenStackBaremetalSetTemplateSpec validation
 func (spec OpenStackBaremetalSetTemplateSpec) ValidateTemplate(oldCount int, oldSpec OpenStackBaremetalSetTemplateSpec) error {
 	if oldCount > 0 &&

pkg/openstackbaremetalset/baremetalhost.go

@@ -79,7 +79,7 @@ func BaremetalHostProvision(
 
 		userDataSt := util.Template{
 			Name:               userDataSecretName,
-			Namespace:          instance.Namespace,
+			Namespace:          instance.Spec.BmhNamespace,
 			Type:               util.TemplateTypeConfig,
 			InstanceType:       instance.Kind,
 			AdditionalTemplate: map[string]string{"userData": "/openstackbaremetalset/cloudinit/userdata"},
@@ -89,7 +89,7 @@ func BaremetalHostProvision(
 		sts = append(sts, userDataSt)
 		userDataSecret = &corev1.SecretReference{
 			Name:      userDataSecretName,
-			Namespace: instance.Namespace,
+			Namespace: instance.Spec.BmhNamespace,
 		}
 
 	}
@@ -147,7 +147,7 @@ func BaremetalHostProvision(
 
 		networkDataSt := util.Template{
 			Name:               networkDataSecretName,
-			Namespace:          instance.Namespace,
+			Namespace:          instance.Spec.BmhNamespace,
 			Type:               util.TemplateTypeConfig,
 			InstanceType:       instance.Kind,
 			AdditionalTemplate: map[string]string{"networkData": "/openstackbaremetalset/cloudinit/networkdata"},
@@ -157,7 +157,7 @@ func BaremetalHostProvision(
 		sts = append(sts, networkDataSt)
 		networkDataSecret = &corev1.SecretReference{
 			Name:      networkDataSecretName,
-			Namespace: instance.Namespace,
+			Namespace: instance.Spec.BmhNamespace,
 		}
 	}