Complete webhook validation for topology references

fmount · fmount · commit 1789572140b0 · 2025-03-21T15:04:06.000+01:00
This patch is a follow up of [1] in the validation webhook area. It enhances the validation workflow and it aims to complete the pattern by distributing the ValidateTopology logic across the API instances. It is based on [2] and the key improvements include: - Distributed validation: it provides a ValidateTopology function across all API instances, ensuring consistent validation throughout the system - Optimized validation calls: it refines how validation is triggered and reduce code duplication; it still requires a basic struct refactor to fully de-duplicate the existing functions, but it can be done as part of a follow up This patch leverages the centralized topology validator introduced in infra-operator [3]. Jira: https://issues.redhat.com/browse/OSPRH-14626 [1] openstack-k8s-operators#924 [2] openstack-k8s-operators/nova-operator#936 [3] openstack-k8s-operators/infra-operator#356 Signed-off-by: Francesco Pantano <fpantano@redhat.com>
diff --git a/api/go.mod b/api/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/google/uuid v1.6.0
 	github.com/onsi/gomega v1.34.1
-	github.com/openstack-k8s-operators/infra-operator/apis v0.6.0
+	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250319162810-463dd75a4cc4
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250315090821-34e570d2d5fb
 	k8s.io/api v0.29.15
 	k8s.io/apimachinery v0.29.15
diff --git a/api/go.sum b/api/go.sum
@@ -78,8 +78,8 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6Beb1gQ96Ptej9AE/BvwCBiRj1E=
 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.0 h1:28i9Yc3UAdQK8VNzk0ubwq4n+qLuhD0nk6/7iHgD9us=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.0/go.mod h1:JgcmYJyyMKfArK8ulZnbls0L01qt8Dq6s5LH8TZH63A=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250319162810-463dd75a4cc4 h1:wb2zsr9x9LantNLN/9dmYM42c3yLq3QuzsoOlGpDUxM=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250319162810-463dd75a4cc4/go.mod h1:n5DV/lGE9DHryAJ+JLJSgUXI2QHTj+aN4KoeSNC3PfU=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250315090821-34e570d2d5fb h1:UAFYEHnbyhO0+yymquFmIqxc9QGji9mzreuYrDS1Ev4=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250315090821-34e570d2d5fb/go.mod h1:1CtBP0MQffdjE6buOv5jP2rB3+h7WH0a11lcyrpmxOk=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
diff --git a/api/v1beta1/ovncontroller_types.go b/api/v1beta1/ovncontroller_types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 
@@ -208,3 +209,15 @@ func (instance *OVNController) GetLastAppliedTopology() *topologyv1.TopoRef {
 func (instance *OVNController) SetLastAppliedTopology(topologyRef *topologyv1.TopoRef) {
 	instance.Status.LastAppliedTopology = topologyRef
 }
+
+// ValidateTopology -
+func (instance *OVNControllerSpecCore) ValidateTopology(
+	basePath *field.Path,
+	namespace string,
+) field.ErrorList {
+	var allErrs field.ErrorList
+	allErrs = append(allErrs, topologyv1.ValidateTopologyRef(
+		instance.TopologyRef,
+		*basePath.Child("topologyRef"), namespace)...)
+	return allErrs
+}
diff --git a/api/v1beta1/ovncontroller_webhook.go b/api/v1beta1/ovncontroller_webhook.go
@@ -17,7 +17,6 @@ limitations under the License.
 package v1beta1
 
 import (
-	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -106,11 +105,8 @@ func (r *OVNControllerSpecCore) ValidateCreate(basePath *field.Path, namespace s
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.TopologyRef.Namespace, *basePath, namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
+	errors = append(errors, r.ValidateTopology(basePath, namespace)...)
+
 	return errors
 }
 
@@ -123,11 +119,8 @@ func (r *OVNController) ValidateUpdate(old runtime.Object) (admission.Warnings,
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.Spec.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.Spec.TopologyRef.Namespace, *basePath, r.Namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
+	errors = append(errors, r.Spec.ValidateTopology(basePath, r.Namespace)...)
+
 	if len(errors) != 0 {
 		return nil, apierrors.NewInvalid(
 			schema.GroupKind{Group: "ovn.openstack.org", Kind: "OVNController"},
@@ -141,16 +134,13 @@ func (r OVNControllerSpec) ValidateUpdate(old OVNControllerSpec, basePath *field
 }
 
 func (r *OVNControllerSpecCore) ValidateUpdate(old OVNControllerSpec, basePath *field.Path, namespace string) field.ErrorList {
-	errors := field.ErrorList{}
+	allErrs := field.ErrorList{}
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.TopologyRef.Namespace, *basePath, namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
-	return errors
+	allErrs = append(allErrs, r.ValidateTopology(basePath, namespace)...)
+
+	return allErrs
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
diff --git a/api/v1beta1/ovndbcluster_types.go b/api/v1beta1/ovndbcluster_types.go
@@ -23,6 +23,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -244,3 +245,15 @@ func (instance *OVNDBCluster) GetLastAppliedTopology() *topologyv1.TopoRef {
 func (instance *OVNDBCluster) SetLastAppliedTopology(topologyRef *topologyv1.TopoRef) {
 	instance.Status.LastAppliedTopology = topologyRef
 }
+
+// ValidateTopology -
+func (instance *OVNDBClusterSpecCore) ValidateTopology(
+	basePath *field.Path,
+	namespace string,
+) field.ErrorList {
+	var allErrs field.ErrorList
+	allErrs = append(allErrs, topologyv1.ValidateTopologyRef(
+		instance.TopologyRef,
+		*basePath.Child("topologyRef"), namespace)...)
+	return allErrs
+}
diff --git a/api/v1beta1/ovndbcluster_webhook.go b/api/v1beta1/ovndbcluster_webhook.go
@@ -28,7 +28,6 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -100,11 +99,8 @@ func (r *OVNDBCluster) ValidateCreate() (admission.Warnings, error) {
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.Spec.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.Spec.TopologyRef.Namespace, *basePath, r.Namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
+	errors = append(errors, r.Spec.ValidateTopology(basePath, r.Namespace)...)
+
 	if len(errors) != 0 {
 		return nil, apierrors.NewInvalid(
 			schema.GroupKind{Group: "ovn.openstack.org", Kind: "OVNDBCluster"},
@@ -122,11 +118,8 @@ func (r *OVNDBCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, e
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.Spec.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.Spec.TopologyRef.Namespace, *basePath, r.Namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
+	errors = append(errors, r.Spec.ValidateTopology(basePath, r.Namespace)...)
+
 	if len(errors) != 0 {
 		return nil, apierrors.NewInvalid(
 			schema.GroupKind{Group: "ovn.openstack.org", Kind: "OVNDBCluster"},
diff --git a/api/v1beta1/ovnnorthd_types.go b/api/v1beta1/ovnnorthd_types.go
@@ -20,6 +20,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -163,3 +164,15 @@ func (instance *OVNNorthd) GetLastAppliedTopology() *topologyv1.TopoRef {
 func (instance *OVNNorthd) SetLastAppliedTopology(topologyRef *topologyv1.TopoRef) {
 	instance.Status.LastAppliedTopology = topologyRef
 }
+
+// ValidateTopology -
+func (instance *OVNNorthdSpecCore) ValidateTopology(
+	basePath *field.Path,
+	namespace string,
+) field.ErrorList {
+	var allErrs field.ErrorList
+	allErrs = append(allErrs, topologyv1.ValidateTopologyRef(
+		instance.TopologyRef,
+		*basePath.Child("topologyRef"), namespace)...)
+	return allErrs
+}
diff --git a/api/v1beta1/ovnnorthd_webhook.go b/api/v1beta1/ovnnorthd_webhook.go
@@ -28,7 +28,6 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -95,11 +94,8 @@ func (r *OVNNorthd) ValidateCreate() (admission.Warnings, error) {
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.Spec.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.Spec.TopologyRef.Namespace, *basePath, r.Namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
+	errors = append(errors, r.Spec.ValidateTopology(basePath, r.Namespace)...)
+
 	if len(errors) != 0 {
 		return nil, apierrors.NewInvalid(
 			schema.GroupKind{Group: "ovn.openstack.org", Kind: "OVNNorthd"},
@@ -117,11 +113,8 @@ func (r *OVNNorthd) ValidateUpdate(old runtime.Object) (admission.Warnings, erro
 
 	// When a TopologyRef CR is referenced, fail if a different Namespace is
 	// referenced because is not supported
-	if r.Spec.TopologyRef != nil {
-		if err := topologyv1.ValidateTopologyNamespace(r.Spec.TopologyRef.Namespace, *basePath, r.Namespace); err != nil {
-			errors = append(errors, err)
-		}
-	}
+	errors = append(errors, r.Spec.ValidateTopology(basePath, r.Namespace)...)
+
 	if len(errors) != 0 {
 		return nil, apierrors.NewInvalid(
 			schema.GroupKind{Group: "ovn.openstack.org", Kind: "OVNNorthd"},
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.5
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
-	github.com/openstack-k8s-operators/infra-operator/apis v0.6.0
+	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250319162810-463dd75a4cc4
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250315090821-34e570d2d5fb
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20250315090821-34e570d2d5fb
 	github.com/openstack-k8s-operators/ovn-operator/api v0.0.0-20230418071801-b5843d9e05fb
diff --git a/go.sum b/go.sum
@@ -76,8 +76,8 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6Beb1gQ96Ptej9AE/BvwCBiRj1E=
 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.0 h1:28i9Yc3UAdQK8VNzk0ubwq4n+qLuhD0nk6/7iHgD9us=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.0/go.mod h1:JgcmYJyyMKfArK8ulZnbls0L01qt8Dq6s5LH8TZH63A=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250319162810-463dd75a4cc4 h1:wb2zsr9x9LantNLN/9dmYM42c3yLq3QuzsoOlGpDUxM=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250319162810-463dd75a4cc4/go.mod h1:n5DV/lGE9DHryAJ+JLJSgUXI2QHTj+aN4KoeSNC3PfU=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250315090821-34e570d2d5fb h1:UAFYEHnbyhO0+yymquFmIqxc9QGji9mzreuYrDS1Ev4=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250315090821-34e570d2d5fb/go.mod h1:1CtBP0MQffdjE6buOv5jP2rB3+h7WH0a11lcyrpmxOk=
 github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20250315090821-34e570d2d5fb h1:7ADU3ZLE0l9/3A5l0jzAZt9XywzchosoY/m7VlFWu3I=
diff --git a/tests/functional/ovncontroller_controller_test.go b/tests/functional/ovncontroller_controller_test.go
@@ -33,7 +33,9 @@ import (
 	ovn_common "github.com/openstack-k8s-operators/ovn-operator/pkg/common"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 var _ = Describe("OVNController controller", func() {
@@ -1358,4 +1360,29 @@ var _ = Describe("OVNController controller", func() {
 			}, timeout, interval).Should(Succeed())
 		})
 	})
+	It("rejects a wrong topologyRef on a different namespace", func() {
+		spec := map[string]interface{}{}
+		// Inject a topologyRef that points to a different namespace
+		spec["topologyRef"] = map[string]interface{}{
+			"name":      "foo",
+			"namespace": "bar",
+		}
+		raw := map[string]interface{}{
+			"apiVersion": "ovn.openstack.org/v1beta1",
+			"kind":       "OVNController",
+			"metadata": map[string]interface{}{
+				"name":      "ovncontroller-sample",
+				"namespace": namespace,
+			},
+			"spec": spec,
+		}
+		unstructuredObj := &unstructured.Unstructured{Object: raw}
+		_, err := controllerutil.CreateOrPatch(
+			th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(
+			ContainSubstring(
+				"spec.topologyRef.namespace: Invalid value: \"namespace\": Customizing namespace field is not supported"),
+		)
+	})
 })
diff --git a/tests/functional/ovndbcluster_controller_test.go b/tests/functional/ovndbcluster_controller_test.go
@@ -33,6 +33,7 @@ import (
 	ovnv1 "github.com/openstack-k8s-operators/ovn-operator/api/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
@@ -1307,5 +1308,31 @@ var _ = Describe("OVNDBCluster controller", func() {
 				g.Expect(th.GetStatefulSet(statefulSetName).Spec.Template.Spec.Affinity).ToNot(BeNil())
 			}, timeout, interval).Should(Succeed())
 		})
+
+		It("rejects a wrong topologyRef on a different namespace", func() {
+			spec := map[string]interface{}{}
+			// Inject a topologyRef that points to a different namespace
+			spec["topologyRef"] = map[string]interface{}{
+				"name":      "foo",
+				"namespace": "bar",
+			}
+			raw := map[string]interface{}{
+				"apiVersion": "ovn.openstack.org/v1beta1",
+				"kind":       "OVNDBCluster",
+				"metadata": map[string]interface{}{
+					"name":      "ovndbcluster-sample",
+					"namespace": namespace,
+				},
+				"spec": spec,
+			}
+			unstructuredObj := &unstructured.Unstructured{Object: raw}
+			_, err := controllerutil.CreateOrPatch(
+				th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(
+				ContainSubstring(
+					"spec.topologyRef.namespace: Invalid value: \"namespace\": Customizing namespace field is not supported"),
+			)
+		})
 	})
 })
diff --git a/tests/functional/ovnnorthd_controller_test.go b/tests/functional/ovnnorthd_controller_test.go
@@ -28,7 +28,9 @@ import (
 
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
 
 var _ = Describe("OVNNorthd controller", func() {
@@ -483,6 +485,30 @@ var _ = Describe("OVNNorthd controller", func() {
 				g.Expect(th.GetDeployment(deploymentName).Spec.Template.Spec.Affinity).ToNot(BeNil())
 			}, timeout, interval).Should(Succeed())
 		})
-
+	})
+	It("rejects a wrong topologyRef on a different namespace", func() {
+		spec := map[string]interface{}{}
+		// Inject a topologyRef that points to a different namespace
+		spec["topologyRef"] = map[string]interface{}{
+			"name":      "foo",
+			"namespace": "bar",
+		}
+		raw := map[string]interface{}{
+			"apiVersion": "ovn.openstack.org/v1beta1",
+			"kind":       "OVNNorthd",
+			"metadata": map[string]interface{}{
+				"name":      "ovnnorthd-sample",
+				"namespace": namespace,
+			},
+			"spec": spec,
+		}
+		unstructuredObj := &unstructured.Unstructured{Object: raw}
+		_, err := controllerutil.CreateOrPatch(
+			th.Ctx, th.K8sClient, unstructuredObj, func() error { return nil })
+		Expect(err).To(HaveOccurred())
+		Expect(err.Error()).To(
+			ContainSubstring(
+				"spec.topologyRef.namespace: Invalid value: \"namespace\": Customizing namespace field is not supported"),
+		)
 	})
 })
