🐛 fix(OscMachine/validation/webhook): loadbalancer disabling fixes

- validate assertion against empty loadbalancer when disabled
- prevent validation of osc loadbalancer attributes when disabled
- prevent setdefault values in osc loadbalancer while reconciling oscmachine vms
- prevent osc loadbalancer webhook validation in update webhook when disabled

Co-Authored-By: Jean-François Bustarret
<jean-francois.bustarret@outscale.com>

Author: ddavid-numspot

api/v1beta1/osccluster_validation.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"net/netip"
 	"regexp"
+	"slices"
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -29,11 +30,14 @@ const (
 // ValidateOscClusterSpec validates a OscClusterSpec.
 func ValidateOscClusterSpec(spec OscClusterSpec) field.ErrorList {
 	var allErrs field.ErrorList
+
+	lbDisabled := slices.Contains(spec.Network.Disable, DisableLB)
+
+	allErrs = append(allErrs, ValidateLoadbalancer(spec.Network.LoadBalancer, lbDisabled)...)
 	allErrs = append(allErrs, ValidateNet(spec.Network.Net, spec.Network.UseExisting)...)
 	allErrs = append(allErrs, ValidateSubnets(spec.Network.Subnets, spec.Network.Net, spec.Network.UseExisting)...)
 	allErrs = append(allErrs, ValidateNatServices(spec.Network.NatServices, spec.Network.Subnets, spec.Network.Net, spec.Network.UseExisting)...)
 	allErrs = append(allErrs, ValidateSecurityGroups(spec.Network.SecurityGroups, spec.Network.Net, spec.Network.UseExisting)...)
-	allErrs = append(allErrs, ValidateLoadbalancer(spec.Network.LoadBalancer)...)
 	allErrs = append(allErrs, ValidateAllowFromIPs(spec.Network.AllowFromIPRanges)...)
 	return allErrs
 }
@@ -143,8 +147,11 @@ func ValidateSecurityGroupRules(specs []OscSecurityGroupRule) field.ErrorList {
 	return erl
 }
 
-func ValidateLoadbalancer(spec OscLoadBalancer) field.ErrorList {
+func ValidateLoadbalancer(spec OscLoadBalancer, lbDisabled bool) field.ErrorList {
 	var erl field.ErrorList
+	if lbDisabled {
+		return AppendValidation(erl, ValidateEmptyLoadBalancer(field.NewPath("network", "loadBalancer"), spec))
+	}
 	erl = AppendValidation(erl,
 		ValidateLoadBalancerName(field.NewPath("network", "loadBalancer", "loadbalancername"), spec.LoadBalancerName),
 		Optional(ValidateLoadBalancerType(field.NewPath("network", "loadBalancer", "loadbalancertype"), spec.LoadBalancerType)),
@@ -274,6 +281,14 @@ func ValidatePortRange(p *field.Path, from, to int32, msg string) *field.Error {
 	}
 }
 
+// ValidateEmptyLoadBalancer checks that the loadBalancerName is a valid name of load balancer
+func ValidateEmptyLoadBalancer(p *field.Path, spec OscLoadBalancer) *field.Error {
+	if spec != (OscLoadBalancer{}) {
+		return field.Forbidden(p, "loadBalancer must be empty when disabled")
+	}
+	return nil
+}
+
 var isValidateLoadBalancerName = regexp.MustCompile(`^[0-9A-Za-z\s\-]{0,32}$`).MatchString
 
 // ValidateLoadBalancerName checks that the loadBalancerName is a valid name of load balancer

api/v1beta1/osccluster_webhook.go

@@ -9,6 +9,7 @@ package v1beta1
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -61,18 +62,19 @@ func (OscClusterWebhook) ValidateUpdate(_ context.Context, obj runtime.Object, o
 	}
 	var allErrs field.ErrorList
 	old := oldRaw.(*OscCluster)
-
-	if r.Spec.Network.LoadBalancer.LoadBalancerName != old.Spec.Network.LoadBalancer.LoadBalancerName {
-		allErrs = append(allErrs,
-			field.Invalid(field.NewPath("network", "loadBalancer", "loadbalancername"),
-				r.Spec.Network.LoadBalancer.LoadBalancerName, "field is immutable"),
-		)
-	}
-	if r.Spec.Network.LoadBalancer.LoadBalancerType != old.Spec.Network.LoadBalancer.LoadBalancerType {
-		allErrs = append(allErrs,
-			field.Invalid(field.NewPath("network", "loadBalancer", "loadbalancertype"),
-				r.Spec.Network.LoadBalancer.LoadBalancerType, "field is immutable"),
-		)
+	if !slices.Contains(r.Spec.Network.Disable, DisableLB) {
+		if r.Spec.Network.LoadBalancer.LoadBalancerName != old.Spec.Network.LoadBalancer.LoadBalancerName {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("network", "loadBalancer", "loadbalancername"),
+					r.Spec.Network.LoadBalancer.LoadBalancerName, "field is immutable"),
+			)
+		}
+		if r.Spec.Network.LoadBalancer.LoadBalancerType != old.Spec.Network.LoadBalancer.LoadBalancerType {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("network", "loadBalancer", "loadbalancertype"),
+					r.Spec.Network.LoadBalancer.LoadBalancerType, "field is immutable"),
+			)
+		}
 	}
 	if len(allErrs) == 0 {
 		return nil, nil

api/v1beta1/osccluster_webhook_test.go

@@ -22,6 +22,30 @@ func TestOscCluster_ValidateCreate(t *testing.T) {
 		clusterSpec          infrastructurev1beta1.OscClusterSpec
 		expValidateCreateErr error
 	}{
+		{
+			name: "disabled and empty loadBalancer",
+			clusterSpec: infrastructurev1beta1.OscClusterSpec{
+				Network: infrastructurev1beta1.OscNetwork{
+					Disable: []infrastructurev1beta1.OscDisable{
+						infrastructurev1beta1.DisableLB,
+					},
+				},
+			},
+		},
+		{
+			name: "disabled and non empty loadBalancer",
+			clusterSpec: infrastructurev1beta1.OscClusterSpec{
+				Network: infrastructurev1beta1.OscNetwork{
+					Disable: []infrastructurev1beta1.OscDisable{
+						infrastructurev1beta1.DisableLB,
+					},
+					LoadBalancer: infrastructurev1beta1.OscLoadBalancer{
+						LoadBalancerName: "test-webhook@test",
+					},
+				},
+			},
+			expValidateCreateErr: errors.New("OscCluster.infrastructure.cluster.x-k8s.io \"webhook-test\" is invalid: network.loadBalancer: Forbidden: loadBalancer must be empty when disabled"),
+		},
 		{
 			name: "bad loadBalancerName",
 			clusterSpec: infrastructurev1beta1.OscClusterSpec{

controllers/oscmachine_vm.go

@@ -145,7 +145,7 @@ func (r *OscMachineReconciler) reconcileVm(ctx context.Context, clusterScope *sc
 
 	machineScope.SetReady()
 
-	if vmSpec.GetRole() == infrastructurev1beta1.RoleControlPlane {
+	if vmSpec.GetRole() == infrastructurev1beta1.RoleControlPlane && !clusterScope.IsLBDisabled() {
 		svc := r.Cloud.LoadBalancer(clusterScope.Tenant)
 		loadBalancerName := clusterScope.GetLoadBalancer().LoadBalancerName
 		loadbalancer, err := svc.GetLoadBalancer(ctx, loadBalancerName)
@@ -220,7 +220,7 @@ func (r *OscMachineReconciler) reconcileDeleteVm(ctx context.Context, clusterSco
 	}
 
 	vmSpec := machineScope.GetVm()
-	if vmSpec.GetRole() == infrastructurev1beta1.RoleControlPlane {
+	if vmSpec.GetRole() == infrastructurev1beta1.RoleControlPlane && !clusterScope.IsLBDisabled() {
 		svc := r.Cloud.LoadBalancer(clusterScope.Tenant)
 		loadBalancerName := clusterScope.GetLoadBalancer().LoadBalancerName
 		loadbalancer, err := svc.GetLoadBalancer(ctx, loadBalancerName)