Validate install config with feature gates

Enable checking install config fields with the feature gate package.
Allows install config fields to be validated with CustomNoUpgrade
feature sets in addition to the TechPreviewNoUpgrade feature set.

Author: patrickdillon

pkg/types/gcp/validation/featuregates.go

@@ -0,0 +1,27 @@
+package validation
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/installer/pkg/types"
+	"github.com/openshift/installer/pkg/types/featuregates"
+)
+
+// GatedFeatures determines all of the install config fields that should
+// be validated to ensure that the proper featuregate is enabled when the field is used.
+func GatedFeatures(c *types.InstallConfig) []featuregates.GatedInstallConfigFeature {
+	g := c.GCP
+	return []featuregates.GatedInstallConfigFeature{
+		{
+			FeatureGateName: configv1.FeatureGateGCPLabelsTags,
+			Condition:       len(g.UserLabels) > 0,
+			Field:           field.NewPath("platform", "gcp", "userLabels"),
+		},
+		{
+			FeatureGateName: configv1.FeatureGateGCPLabelsTags,
+			Condition:       len(g.UserTags) > 0,
+			Field:           field.NewPath("platform", "gcp", "userTags"),
+		},
+	}
+}

pkg/types/installconfig.go

@@ -13,6 +13,7 @@ import (
 	"github.com/openshift/installer/pkg/types/azure"
 	"github.com/openshift/installer/pkg/types/baremetal"
 	"github.com/openshift/installer/pkg/types/external"
+	"github.com/openshift/installer/pkg/types/featuregates"
 	"github.com/openshift/installer/pkg/types/gcp"
 	"github.com/openshift/installer/pkg/types/ibmcloud"
 	"github.com/openshift/installer/pkg/types/libvirt"
@@ -516,3 +517,22 @@ func (c *InstallConfig) WorkerMachinePool() *MachinePool {
 
 	return nil
 }
+
+// EnabledFeatureGates returns a FeatureGate that can be checked (using the Enabled function)
+// to determine if a feature gate is enabled in the current feature sets.
+func (c *InstallConfig) EnabledFeatureGates() (featuregates.FeatureGate, error) {
+	var customFS *configv1.CustomFeatureGates
+	var err error
+	if c.FeatureSet == configv1.CustomNoUpgrade {
+		customFS, err = featuregates.GenerateCustomFeatures(c.FeatureGates)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error generating feature set from custom features: %w", err)
+	}
+
+	fg, err := featuregates.FeatureGateFromFeatureSets(configv1.FeatureSets, c.FeatureSet, customFS)
+	if err != nil {
+		return nil, fmt.Errorf("error generating feature gates from feature sets: %w", err)
+	}
+	return fg, nil
+}

pkg/types/validation/featuregate_test.go

@@ -0,0 +1,115 @@
+package validation
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	v1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/installer/pkg/types"
+	"github.com/openshift/installer/pkg/types/gcp"
+	"github.com/openshift/installer/pkg/types/vsphere"
+)
+
+func TestFeatureGates(t *testing.T) {
+	cases := []struct {
+		name          string
+		installConfig *types.InstallConfig
+		expected      string
+	}{
+		{
+			name: "GCP UserTags is allowed with Feature Gates enabled",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.FeatureSet = v1.TechPreviewNoUpgrade
+				c.GCP = validGCPPlatform()
+				c.GCP.UserTags = []gcp.UserTag{{ParentID: "a", Key: "b", Value: "c"}}
+				return c
+			}(),
+		},
+		{
+			name: "GCP UserTags is not allowed without Feature Gates",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.GCP = validGCPPlatform()
+				c.GCP.UserTags = []gcp.UserTag{{ParentID: "a", Key: "b", Value: "c"}}
+				return c
+			}(),
+			expected: `^platform.gcp.userTags: Forbidden: this field is protected by the GCPLabelsTags feature gate which must be enabled through either the TechPreviewNoUpgrade or CustomNoUpgrade feature set$`,
+		},
+		{
+			name: "GCP UserLabels is allowed with Feature Gates enabled",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.FeatureSet = v1.TechPreviewNoUpgrade
+				c.GCP = validGCPPlatform()
+				c.GCP.UserLabels = []gcp.UserLabel{{Key: "a", Value: "b"}}
+				return c
+			}(),
+		},
+		{
+			name: "GCP UserLabels is not allowed without Feature Gates",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.GCP = validGCPPlatform()
+				c.GCP.UserLabels = []gcp.UserLabel{{Key: "a", Value: "b"}}
+				return c
+			}(),
+			expected: `^platform.gcp.userLabels: Forbidden: this field is protected by the GCPLabelsTags feature gate which must be enabled through either the TechPreviewNoUpgrade or CustomNoUpgrade feature set$`,
+		},
+		{
+			name: "vSphere hosts is allowed with Feature Gates enabled",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.FeatureSet = v1.TechPreviewNoUpgrade
+				c.VSphere = validVSpherePlatform()
+				c.VSphere.Hosts = []*vsphere.Host{{Role: "test"}}
+				return c
+			}(),
+		},
+		{
+			name: "vSphere hosts is not allowed without Feature Gates",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.VSphere = validVSpherePlatform()
+				c.VSphere.Hosts = []*vsphere.Host{{Role: "test"}}
+				return c
+			}(),
+			expected: `^platform.vsphere.hosts: Forbidden: this field is protected by the VSphereStaticIPs feature gate which must be enabled through either the TechPreviewNoUpgrade or CustomNoUpgrade feature set$`,
+		},
+		{
+			name: "vSphere hosts is allowed with custom Feature Gates",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.FeatureSet = v1.CustomNoUpgrade
+				c.FeatureGates = []string{"VSphereStaticIPs=true"}
+				c.VSphere = validVSpherePlatform()
+				c.VSphere.Hosts = []*vsphere.Host{{Role: "test"}}
+				return c
+			}(),
+		},
+		{
+			name: "vSphere hosts is not allowed with custom Feature Gate disabled",
+			installConfig: func() *types.InstallConfig {
+				c := validInstallConfig()
+				c.FeatureSet = v1.CustomNoUpgrade
+				c.FeatureGates = []string{"VSphereStaticIPs=false"}
+				c.VSphere = validVSpherePlatform()
+				c.VSphere.Hosts = []*vsphere.Host{{Role: "test"}}
+				return c
+			}(),
+			expected: `^platform.vsphere.hosts: Forbidden: this field is protected by the VSphereStaticIPs feature gate which must be enabled through either the TechPreviewNoUpgrade or CustomNoUpgrade feature set$`,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			err := ValidateFeatureSet(tc.installConfig).ToAggregate()
+			if tc.expected == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.Regexp(t, tc.expected, err)
+			}
+		})
+	}
+}

pkg/types/validation/installconfig.go

@@ -32,6 +32,7 @@ import (
 	azurevalidation "github.com/openshift/installer/pkg/types/azure/validation"
 	"github.com/openshift/installer/pkg/types/baremetal"
 	baremetalvalidation "github.com/openshift/installer/pkg/types/baremetal/validation"
+	"github.com/openshift/installer/pkg/types/featuregates"
 	"github.com/openshift/installer/pkg/types/gcp"
 	gcpvalidation "github.com/openshift/installer/pkg/types/gcp/validation"
 	"github.com/openshift/installer/pkg/types/ibmcloud"
@@ -169,7 +170,7 @@ func ValidateInstallConfig(c *types.InstallConfig, usingAgentMethod bool) field.
 		}
 	}
 
-	allErrs = append(allErrs, validateFeatureSet(c)...)
+	allErrs = append(allErrs, ValidateFeatureSet(c)...)
 
 	return allErrs
 }
@@ -1047,8 +1048,8 @@ func validateAdditionalCABundlePolicy(c *types.InstallConfig) error {
 	}
 }
 
-// validateFeatureSet returns an error if a gated feature is used without opting into the feature set.
-func validateFeatureSet(c *types.InstallConfig) field.ErrorList {
+// ValidateFeatureSet returns an error if a gated feature is used without opting into the feature set.
+func ValidateFeatureSet(c *types.InstallConfig) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	if _, ok := configv1.FeatureSets[c.FeatureSet]; !ok {
@@ -1070,29 +1071,10 @@ func validateFeatureSet(c *types.InstallConfig) field.ErrorList {
 		allErrs = append(allErrs, validateCustomFeatureGates(c)...)
 	}
 
-	if c.FeatureSet != configv1.TechPreviewNoUpgrade {
-		errMsg := "the TechPreviewNoUpgrade feature set must be enabled to use this field"
-
-		if c.OpenStack != nil {
-			for _, f := range openstackvalidation.FilledInTechPreviewFields(c) {
-				allErrs = append(allErrs, field.Forbidden(f, errMsg))
-			}
-		}
-
-		if c.VSphere != nil {
-			if len(c.VSphere.Hosts) > 0 {
-				allErrs = append(allErrs, field.Forbidden(field.NewPath("platform", "vsphere", "hosts"), errMsg))
-			}
-		}
-
-		if c.GCP != nil {
-			if len(c.GCP.UserTags) > 0 {
-				allErrs = append(allErrs, field.Forbidden(field.NewPath("platform", "gcp", "userTags"), errMsg))
-			}
-			if len(c.GCP.UserLabels) > 0 {
-				allErrs = append(allErrs, field.Forbidden(field.NewPath("platform", "gcp", "userLabels"), errMsg))
-			}
-		}
+	// We can only accurately check gated features
+	// if feature sets are correctly configured.
+	if len(allErrs) == 0 {
+		allErrs = append(allErrs, validateGatedFeatures(c)...)
 	}
 
 	return allErrs
@@ -1117,3 +1099,48 @@ func validateCustomFeatureGates(c *types.InstallConfig) field.ErrorList {
 
 	return allErrs
 }
+
+// validateGatedFeatures ensures that any gated features used in
+// the install config are enabled.
+func validateGatedFeatures(c *types.InstallConfig) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	// legacy feature gating
+	if c.FeatureSet != configv1.TechPreviewNoUpgrade {
+		errMsg := "the TechPreviewNoUpgrade feature set must be enabled to use this field"
+
+		if c.OpenStack != nil {
+			for _, f := range openstackvalidation.FilledInTechPreviewFields(c) {
+				allErrs = append(allErrs, field.Forbidden(f, errMsg))
+			}
+		}
+	}
+
+	gatedFeatures := []featuregates.GatedInstallConfigFeature{}
+	switch {
+	case c.GCP != nil:
+		gatedFeatures = append(gatedFeatures, gcpvalidation.GatedFeatures(c)...)
+	case c.VSphere != nil:
+		gatedFeatures = append(gatedFeatures, vspherevalidation.GatedFeatures(c)...)
+	}
+
+	fg, err := c.EnabledFeatureGates()
+	if err != nil {
+		errMsg := fmt.Errorf("error getting feature gates: %w", err)
+		return append(allErrs, field.InternalError(field.NewPath("featureSets"), errMsg))
+	}
+
+	errMsgTemplate := "this field is protected by the %s feature gate which must be enabled through either the TechPreviewNoUpgrade or CustomNoUpgrade feature set"
+	fgCheck := func(c featuregates.GatedInstallConfigFeature) {
+		if !fg.Enabled(c.FeatureGateName) && c.Condition {
+			errMsg := fmt.Sprintf(errMsgTemplate, c.FeatureGateName)
+			allErrs = append(allErrs, field.Forbidden(c.Field, errMsg))
+		}
+	}
+
+	for _, gf := range gatedFeatures {
+		fgCheck(gf)
+	}
+
+	return allErrs
+}

pkg/types/vsphere/validation/featuregates.go

@@ -0,0 +1,22 @@
+package validation
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/installer/pkg/types"
+	"github.com/openshift/installer/pkg/types/featuregates"
+)
+
+// GatedFeatures determines all of the OpenStack install config fields that should
+// be validated to ensure that the proper featuregate is enabled when the field is used.
+func GatedFeatures(c *types.InstallConfig) []featuregates.GatedInstallConfigFeature {
+	v := c.VSphere
+	return []featuregates.GatedInstallConfigFeature{
+		{
+			FeatureGateName: configv1.FeatureGateVSphereStaticIPs,
+			Condition:       len(v.Hosts) > 0,
+			Field:           field.NewPath("platform", "vsphere", "hosts"),
+		},
+	}
+}