Support for passing old resource to validator (#330)

jonesbusy · web-flow · commit 9559e32ef512 · 2025-05-21T09:06:57.000+02:00
* Support for passing old resource to validator

* Pass directly the resource/oldResource for validator
diff --git a/core/src/main/java/io/javaoperatorsdk/webhook/admission/validation/AsyncDefaultAdmissionRequestValidator.java b/core/src/main/java/io/javaoperatorsdk/webhook/admission/validation/AsyncDefaultAdmissionRequestValidator.java
@@ -12,7 +12,6 @@
 import io.javaoperatorsdk.webhook.admission.Operation;
 
 import static io.javaoperatorsdk.webhook.admission.AdmissionUtils.allowedAdmissionResponse;
-import static io.javaoperatorsdk.webhook.admission.AdmissionUtils.getTargetResource;
 import static io.javaoperatorsdk.webhook.admission.AdmissionUtils.notAllowedExceptionToAdmissionResponse;
 
 public class AsyncDefaultAdmissionRequestValidator<T extends KubernetesResource>
@@ -28,9 +27,11 @@ public AsyncDefaultAdmissionRequestValidator(Validator<T> validator) {
   @SuppressWarnings("unchecked")
   public CompletionStage<AdmissionResponse> handle(AdmissionRequest admissionRequest) {
     var operation = Operation.valueOf(admissionRequest.getOperation());
-    var originalResource = (T) getTargetResource(admissionRequest, operation);
+    var originalResource = (T) admissionRequest.getObject();
+    var oldResource = (T) admissionRequest.getOldObject();
     var asyncValidate =
-        CompletableFuture.runAsync(() -> validator.validate(originalResource, operation));
+        CompletableFuture
+            .runAsync(() -> validator.validate(originalResource, oldResource, operation));
     return asyncValidate
         .thenApply(v -> allowedAdmissionResponse())
         .exceptionally(e -> {
diff --git a/core/src/main/java/io/javaoperatorsdk/webhook/admission/validation/DefaultAdmissionRequestValidator.java b/core/src/main/java/io/javaoperatorsdk/webhook/admission/validation/DefaultAdmissionRequestValidator.java
@@ -8,7 +8,6 @@
 import io.javaoperatorsdk.webhook.admission.Operation;
 
 import static io.javaoperatorsdk.webhook.admission.AdmissionUtils.allowedAdmissionResponse;
-import static io.javaoperatorsdk.webhook.admission.AdmissionUtils.getTargetResource;
 import static io.javaoperatorsdk.webhook.admission.AdmissionUtils.notAllowedExceptionToAdmissionResponse;
 
 public class DefaultAdmissionRequestValidator<T extends KubernetesResource>
@@ -24,9 +23,10 @@ public DefaultAdmissionRequestValidator(Validator<T> validator) {
   @SuppressWarnings("unchecked")
   public AdmissionResponse handle(AdmissionRequest admissionRequest) {
     var operation = Operation.valueOf(admissionRequest.getOperation());
-    var originalResource = (T) getTargetResource(admissionRequest, operation);
+    var originalResource = (T) admissionRequest.getObject();
+    var oldResource = (T) admissionRequest.getOldObject();
     try {
-      validator.validate(originalResource, operation);
+      validator.validate(originalResource, oldResource, operation);
       return allowedAdmissionResponse();
     } catch (NotAllowedException e) {
       return notAllowedExceptionToAdmissionResponse(e);
diff --git a/core/src/main/java/io/javaoperatorsdk/webhook/admission/validation/Validator.java b/core/src/main/java/io/javaoperatorsdk/webhook/admission/validation/Validator.java
@@ -6,5 +6,5 @@
 
 public interface Validator<T extends KubernetesResource> {
 
-  void validate(T resource, Operation operation) throws NotAllowedException;
+  void validate(T resource, T oldResource, Operation operation) throws NotAllowedException;
 }
diff --git a/core/src/test/java/io/javaoperatorsdk/webhook/admission/AdmissionControllerTest.java b/core/src/test/java/io/javaoperatorsdk/webhook/admission/AdmissionControllerTest.java
@@ -15,15 +15,16 @@ class AdmissionControllerTest {
 
   @Test
   void validatesResource() {
-    var admissionController = new AdmissionController<HasMetadata>((resource, operation) -> {
-    });
+    var admissionController =
+        new AdmissionController<HasMetadata>((resource, oldResource, operation) -> {
+        });
     admissionTestSupport.validatesResource(admissionController::handle);
   }
 
   @Test
   void validatesResource_whenNotAllowedException() {
     var admissionController =
-        new AdmissionController<>((Validator<HasMetadata>) (resource, operation) -> {
+        new AdmissionController<>((Validator<HasMetadata>) (resource, oldResource, operation) -> {
           throw new NotAllowedException(MISSING_REQUIRED_LABEL);
         });
     admissionTestSupport.notAllowedException(admissionController::handle);
@@ -32,7 +33,7 @@ void validatesResource_whenNotAllowedException() {
   @Test
   void validatesResource_whenOtherException() {
     var admissionController =
-        new AdmissionController<>((Validator<HasMetadata>) (resource, operation) -> {
+        new AdmissionController<>((Validator<HasMetadata>) (resource, oldResource, operation) -> {
           throw new IllegalArgumentException("Invalid resource");
         });
 
diff --git a/core/src/test/java/io/javaoperatorsdk/webhook/admission/AsyncAdmissionControllerTest.java b/core/src/test/java/io/javaoperatorsdk/webhook/admission/AsyncAdmissionControllerTest.java
@@ -20,8 +20,9 @@ class AsyncAdmissionControllerTest {
 
   @Test
   void validatesResource() {
-    var admissionController = new AsyncAdmissionController<HasMetadata>((resource, operation) -> {
-    });
+    var admissionController =
+        new AsyncAdmissionController<HasMetadata>((resource, oldResource, operation) -> {
+        });
 
     admissionTestSupport
         .validatesResource(res -> admissionController.handle(res).toCompletableFuture().join());
@@ -30,9 +31,10 @@ void validatesResource() {
   @Test
   void validatesResource_whenNotAllowedException() {
     var admissionController =
-        new AsyncAdmissionController<>((Validator<HasMetadata>) (resource, operation) -> {
-          throw new NotAllowedException(MISSING_REQUIRED_LABEL);
-        });
+        new AsyncAdmissionController<>(
+            (Validator<HasMetadata>) (resource, oldResource, operation) -> {
+              throw new NotAllowedException(MISSING_REQUIRED_LABEL);
+            });
 
     admissionTestSupport
         .notAllowedException(res -> admissionController.handle(res).toCompletableFuture().join());
@@ -41,9 +43,10 @@ void validatesResource_whenNotAllowedException() {
   @Test
   void validatesResource_whenOtherException() {
     var admissionController =
-        new AsyncAdmissionController<>((Validator<HasMetadata>) (resource, operation) -> {
-          throw new IllegalArgumentException("Invalid resource");
-        });
+        new AsyncAdmissionController<>(
+            (Validator<HasMetadata>) (resource, oldResource, operation) -> {
+              throw new IllegalArgumentException("Invalid resource");
+            });
 
     admissionTestSupport.assertThatThrownBy(
         res -> admissionController.handle(res).toCompletableFuture()
diff --git a/samples/commons/src/main/java/io/javaoperatorsdk/webhook/sample/commons/AdmissionControllers.java b/samples/commons/src/main/java/io/javaoperatorsdk/webhook/sample/commons/AdmissionControllers.java
@@ -36,7 +36,7 @@ public static AsyncAdmissionController<Ingress> asyncValidatingController() {
   }
 
   public static AdmissionController<Ingress> errorMutatingController() {
-    return new AdmissionController<>((Validator<Ingress>) (resource, operation) -> {
+    return new AdmissionController<>((Validator<Ingress>) (resource, oldResource, operation) -> {
       throw new IllegalStateException(ERROR_MESSAGE);
     });
   }
@@ -54,9 +54,10 @@ public static AsyncAdmissionController<Ingress> errorAsyncMutatingController() {
   }
 
   public static AsyncAdmissionController<Ingress> errorAsyncValidatingController() {
-    return new AsyncAdmissionController<>((Validator<Ingress>) (resource, operation) -> {
-      throw new IllegalStateException(ERROR_MESSAGE);
-    });
+    return new AsyncAdmissionController<>(
+        (Validator<Ingress>) (resource, oldResource, operation) -> {
+          throw new IllegalStateException(ERROR_MESSAGE);
+        });
   }
 
   private static class IngressMutator implements Mutator<Ingress> {
@@ -72,11 +73,20 @@ public Ingress mutate(Ingress resource, Operation operation) throws NotAllowedEx
 
   private static class IngressValidator implements Validator<Ingress> {
     @Override
-    public void validate(Ingress resource, Operation operation) throws NotAllowedException {
+    public void validate(Ingress resource, Ingress oldResource, Operation operation)
+        throws NotAllowedException {
+      if (operation.equals(Operation.DELETE)) {
+        return;
+      }
       if (resource.getMetadata().getLabels() == null
           || resource.getMetadata().getLabels().get(VALIDATION_TARGET_LABEL) == null) {
         throw new NotAllowedException("Missing label: " + VALIDATION_TARGET_LABEL);
       }
+      if (operation.equals(Operation.UPDATE)
+          && !resource.getSpec().getIngressClassName()
+              .equals(oldResource.getSpec().getIngressClassName())) {
+        throw new NotAllowedException("IngressClassName cannot be changed");
+      }
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,5 @@`
`6`	`6`
`7`	`7`	`public interface Validator<T extends KubernetesResource> {`
`8`	`8`
`9`		`- void validate(T resource, Operation operation) throws NotAllowedException;`
	`9`	`+ void validate(T resource, T oldResource, Operation operation) throws NotAllowedException;`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public static AsyncAdmissionController<Ingress> asyncValidatingController() {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`public static AdmissionController<Ingress> errorMutatingController() {`
`39`		`- return new AdmissionController<>((Validator<Ingress>) (resource, operation) -> {`
	`39`	`+ return new AdmissionController<>((Validator<Ingress>) (resource, oldResource, operation) -> {`
`40`	`40`	`throw new IllegalStateException(ERROR_MESSAGE);`
`41`	`41`	`});`
`42`	`42`	`}`
`@@ -54,9 +54,10 @@ public static AsyncAdmissionController<Ingress> errorAsyncMutatingController() {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`public static AsyncAdmissionController<Ingress> errorAsyncValidatingController() {`
`57`		`- return new AsyncAdmissionController<>((Validator<Ingress>) (resource, operation) -> {`
`58`		`- throw new IllegalStateException(ERROR_MESSAGE);`
`59`		`- });`
	`57`	`+ return new AsyncAdmissionController<>(`
	`58`	`+ (Validator<Ingress>) (resource, oldResource, operation) -> {`
	`59`	`+ throw new IllegalStateException(ERROR_MESSAGE);`
	`60`	`+ });`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`private static class IngressMutator implements Mutator<Ingress> {`
`@@ -72,11 +73,20 @@ public Ingress mutate(Ingress resource, Operation operation) throws NotAllowedEx`
`72`	`73`
`73`	`74`	`private static class IngressValidator implements Validator<Ingress> {`
`74`	`75`	`@Override`
`75`		`- public void validate(Ingress resource, Operation operation) throws NotAllowedException {`
	`76`	`+ public void validate(Ingress resource, Ingress oldResource, Operation operation)`
	`77`	`+ throws NotAllowedException {`
	`78`	`+ if (operation.equals(Operation.DELETE)) {`
	`79`	`+ return;`
	`80`	`+ }`
`76`	`81`	`if (resource.getMetadata().getLabels() == null`
`77`	`82`	`\|\| resource.getMetadata().getLabels().get(VALIDATION_TARGET_LABEL) == null) {`
`78`	`83`	`throw new NotAllowedException("Missing label: " + VALIDATION_TARGET_LABEL);`
`79`	`84`	`}`
	`85`	`+ if (operation.equals(Operation.UPDATE)`
	`86`	`+ && !resource.getSpec().getIngressClassName()`
	`87`	`+ .equals(oldResource.getSpec().getIngressClassName())) {`
	`88`	`+ throw new NotAllowedException("IngressClassName cannot be changed");`
	`89`	`+ }`
`80`	`90`	`}`
`81`	`91`	`}`
`82`	`92`	`}`