Add tests for xvshnpostgresql webhook

Author: mikeshootzz

pkg/comp-functions/functions/common/postgresql.go

@@ -163,16 +163,15 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() (string, error) {
 	params.Instances = a.comp.GetInstances()
 
 	// Preserve the compositionRef of an already-existing nested PostgreSQL composite.
-	// If we always wrote defaultPGComposition, switching that default (e.g. Stackgres → CNPG)
-	// would silently migrate live instances on the next reconcile, which is destructive.
-	// If the observed composite exists but has no compositionRef we return an error rather than
-	// falling back to the default — an empty ref on an existing instance is unexpected and
-	// silently overwriting it could trigger an unintended backend migration.
 	compositionName := a.svc.Config.Data["defaultPGComposition"]
 	observedPg := &vshnv1.XVSHNPostgreSQL{}
-	if err := a.svc.GetObservedComposedResource(observedPg, a.comp.GetName()+PgInstanceNameSuffix); err == nil {
+	err := a.svc.GetObservedComposedResource(observedPg, a.comp.GetName()+PgInstanceNameSuffix)
+	if err != nil && err != runtime.ErrNotFound {
+		return "", fmt.Errorf("couldn't read observed nested postgresql composite: %w", err)
+	}
+	if err == nil {
 		if observedPg.Spec.CompositionRef.Name == "" {
-			return "", fmt.Errorf("observed nested postgresql composite %q has no compositionRef, refusing to overwrite with default to prevent unintended backend migration", observedPg.GetName())
+			return "", fmt.Errorf("observed nested postgresql composite %q has no compositionRef, refusing to overwrite with default", observedPg.GetName())
 		}
 		compositionName = observedPg.Spec.CompositionRef.Name
 	}
@@ -204,7 +203,7 @@ func (a *PostgreSQLDependencyBuilder) CreateDependency() (string, error) {
 		pg.Labels[runtime.ProviderConfigLabel] = v
 	}
 
-	err := CustomCreateNetworkPolicy([]string{a.comp.GetInstanceNamespace()}, pg.GetInstanceNamespace(), pg.GetName()+"-"+a.comp.GetServiceName(), "", false, a.svc)
+	err = CustomCreateNetworkPolicy([]string{a.comp.GetInstanceNamespace()}, pg.GetInstanceNamespace(), pg.GetName()+"-"+a.comp.GetServiceName(), "", false, a.svc)
 	if err != nil {
 		return "", err
 	}

pkg/comp-functions/functions/vshnpostgrescnpg/connection_details.go

@@ -51,7 +51,8 @@ func AddConnectionSecrets(ctx context.Context, comp *vshnv1.VSHNPostgreSQL, svc
 	port := string(cd[PostgresqlPort])
 	db := string(cd[PostgresqlDb])
 	if user != "" && password != "" && port != "" {
-		svc.SetConnectionDetail(PostgresqlURL, []byte(fmt.Sprintf("postgresql://%s:%s@%s:%s/%s", user, password, host, port, db)))
+		svc.SetConnectionDetail(PostgresqlURL, []byte(fmt.Sprintf("postgresql://%s:%s@%s:%s/%s",
+			user, password, host, port, db)))
 	}
 
 	return nil

pkg/controller/webhooks/postgresql.go

@@ -24,8 +24,7 @@ import (
 // See https://book.kubebuilder.io/reference/markers/webhook for docs
 //+kubebuilder:webhook:verbs=create;update;delete,path=/validate-vshn-appcat-vshn-io-v1-vshnpostgresql,mutating=false,failurePolicy=fail,groups=vshn.appcat.vshn.io,resources=vshnpostgresqls,versions=v1,name=postgresql.vshn.appcat.vshn.io,sideEffects=None,admissionReviewVersions=v1
 
-// Protect the nested XVSHNPostgreSQL composite from having its compositionRef changed once set.
-// This prevents accidental backend migrations (e.g. StackGres → CNPG) on live instances.
+// Protect the XVSHNPostgreSQL composite from having its compositionRef changed once set.
 //+kubebuilder:webhook:verbs=update,path=/validate-vshn-appcat-vshn-io-v1-xvshnpostgresql,mutating=false,failurePolicy=fail,groups=vshn.appcat.vshn.io,resources=xvshnpostgresqls,versions=v1,name=xvshnpostgresql.vshn.appcat.vshn.io,sideEffects=None,admissionReviewVersions=v1
 
 //RBAC
@@ -91,8 +90,6 @@ func SetupPostgreSQLWebhookHandlerWithManager(mgr ctrl.Manager, withQuota bool)
 }
 
 // XVSHNPostgreSQLWebhookHandler validates the nested XVSHNPostgreSQL composite resource.
-// Its sole purpose is to make compositionRef immutable once set, preventing accidental
-// backend migrations on live nested instances (e.g. those created by VSHNKeycloak).
 type XVSHNPostgreSQLWebhookHandler struct{}
 
 // SetupXVSHNPostgreSQLWebhookHandlerWithManager registers the XVSHNPostgreSQL validation webhook.
@@ -122,7 +119,9 @@ func (x *XVSHNPostgreSQLWebhookHandler) ValidateUpdate(_ context.Context, oldObj
 	}
 
 	allErrs := newFielErrors(newPg.Name, xpgGK)
-	allErrs.Add(validateCompositionRefImmutability(oldPg.Spec.CompositionRef.Name, newPg.Spec.CompositionRef.Name))
+	if err := validateCompositionRefImmutability(oldPg.Spec.CompositionRef.Name, newPg.Spec.CompositionRef.Name); err != nil {
+		allErrs.Add(err)
+	}
 	return nil, allErrs.Get()
 }
 
@@ -197,7 +196,9 @@ func (p *PostgreSQLWebhookHandler) validatePostgreSQL(ctx context.Context, newOb
 
 		// Do not allow changing compositionRef if it has been set previously.
 		// When creating a new VSHNPostgresQL, crossplane will automatically set this field if unset.
-		allErrs.Add(validateCompositionRefImmutability(oldPg.Spec.CompositionRef.Name, newPg.Spec.CompositionRef.Name))
+		if err := validateCompositionRefImmutability(oldPg.Spec.CompositionRef.Name, newPg.Spec.CompositionRef.Name); err != nil {
+			allErrs.Add(err)
+		}
 
 		// Check for disk downsizing
 		if diskErr := p.DefaultWebhookHandler.ValidateDiskDownsizing(ctx, oldPg, newPg, p.gk.Kind); diskErr != nil {

pkg/controller/webhooks/postgresql_test.go

@@ -732,6 +732,97 @@ func TestPostgreSQLWebhookHandler_ValidateCreateWithPinImageTag(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestValidateCompositionRefImmutability(t *testing.T) {
+	tests := []struct {
+		name      string
+		oldRef    string
+		newRef    string
+		expectErr bool
+	}{
+		{
+			name:      "GivenBothEmpty_ThenNoError",
+			oldRef:    "",
+			newRef:    "",
+			expectErr: false,
+		},
+		{
+			name:      "GivenOldEmptyNewSet_ThenNoError",
+			oldRef:    "",
+			newRef:    "vshnpostgrescnpg.vshn.appcat.vshn.io",
+			expectErr: false,
+		},
+		{
+			name:      "GivenSameRef_ThenNoError",
+			oldRef:    "vshnpostgres.vshn.appcat.vshn.io",
+			newRef:    "vshnpostgres.vshn.appcat.vshn.io",
+			expectErr: false,
+		},
+		{
+			name:      "GivenOldSetNewDifferent_ThenError",
+			oldRef:    "vshnpostgres.vshn.appcat.vshn.io",
+			newRef:    "vshnpostgrescnpg.vshn.appcat.vshn.io",
+			expectErr: true,
+		},
+		{
+			name:      "GivenOldSetNewEmpty_ThenError",
+			oldRef:    "vshnpostgres.vshn.appcat.vshn.io",
+			newRef:    "",
+			expectErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateCompositionRefImmutability(tt.oldRef, tt.newRef)
+			if tt.expectErr {
+				assert.NotNil(t, err)
+				assert.Contains(t, err.Error(), "compositionRef is immutable")
+			} else {
+				assert.Nil(t, err)
+			}
+		})
+	}
+}
+
+func TestXVSHNPostgreSQLWebhookHandler_ValidateUpdate(t *testing.T) {
+	ctx := context.TODO()
+	handler := XVSHNPostgreSQLWebhookHandler{}
+
+	base := &vshnv1.XVSHNPostgreSQL{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "keycloak-pg",
+			Namespace: "vshn-keycloak-myinstance",
+		},
+	}
+
+	// Allow: compositionRef not yet set on either side
+	_, err := handler.ValidateUpdate(ctx, base, base.DeepCopy())
+	assert.NoError(t, err)
+
+	// Allow: first assignment (old empty, new set)
+	withRef := base.DeepCopy()
+	withRef.Spec.CompositionRef.Name = "vshnpostgrescnpg.vshn.appcat.vshn.io"
+	_, err = handler.ValidateUpdate(ctx, base, withRef)
+	assert.NoError(t, err)
+
+	// Allow: compositionRef unchanged
+	_, err = handler.ValidateUpdate(ctx, withRef, withRef.DeepCopy())
+	assert.NoError(t, err)
+
+	// Reject: compositionRef changed on existing instance
+	changedRef := base.DeepCopy()
+	changedRef.Spec.CompositionRef.Name = "vshnpostgres.vshn.appcat.vshn.io"
+	_, err = handler.ValidateUpdate(ctx, withRef, changedRef)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "compositionRef is immutable")
+
+	// Allow: object is being deleted even if compositionRef would change
+	deletingObj := changedRef.DeepCopy()
+	now := metav1.Now()
+	deletingObj.DeletionTimestamp = &now
+	_, err = handler.ValidateUpdate(ctx, withRef, deletingObj)
+	assert.NoError(t, err)
+}
+
 // disabling this temporarily
 // func TestPostgreSQLWebhookHandler_ValidateMajorVersionUpgrade(t *testing.T) {
 // 	tests := []struct {

test/functions/vshnkeycloak/01_default.yaml

@@ -18,6 +18,14 @@ input:
 observed:
   resources:
     mycloak-pg:
+      resource:
+        apiVersion: vshn.appcat.vshn.io/v1
+        kind: XVSHNPostgreSQL
+        metadata:
+          name: mycloak-pg
+        spec:
+          compositionRef:
+            name: vshnpostgrescnpg.vshn.appcat.vshn.io
       connection_details:
         foo: YmFyCg==
     # necessary for keycloak custom env variables

test/functions/vshnnextcloud/01_default.yaml

@@ -103,70 +103,13 @@ observed:
         admin: czNjcjN0UGFzcwo=
     nextcloud-gc9x4-pg:
       resource:
-        apiVersion: v1
-        kind: Object
+        apiVersion: vshn.appcat.vshn.io/v1
+        kind: XVSHNPostgreSQL
         metadata:
           name: "nextcloud-gc9x4-pg"
         spec:
-          forProvider:
-            manifest:
-              apiVersion: vshn.appcat.vshn.io/v1
-              kind: VSHNNextcloud
-              metadata:
-                name: "nextcloud-gc9x4-pg"
-              spec:
-                parameters:
-                  service:
-                    fqdn:
-                      - nextcloud.example.com
-                    repackEnabled: false
-                    vacuumEnabled: false
-                  backup:
-                    retention: 6
-                    deletionProtection: true
-                    deletionRetention: 7
-                  encryption:
-                    enabled: false
-                  instances: 1
-                  security:
-                    allowAllNamespaces: false
-        status:
-          atProvider:
-            manifest:
-              apiVersion: vshn.appcat.vshn.io/v1
-              kind: VSHNNextcloud
-              metadata:
-                annotations: null
-                creationTimestamp: "2024-07-08T16:30:28Z"
-                generation: 8
-                name: "nextcloud-gc9x4-pg"
-                namespace: vshn-postgresql-nextcloud-gc9x4
-                resourceVersion: "583272583"
-                uid: 44ead047-98de-4e73-9cc0-d99454090a36
-              spec:
-                parameters:
-                  service:
-                    repackEnabled: false
-                    vacuumEnabled: false
-                  backup:
-                    retention: 6
-                    deletionProtection: true
-                    deletionRetention: 7
-                  encryption:
-                    enabled: false
-                  instances: 1
-                  security:
-                    allowAllNamespaces: false
-              status:
-                conditions:
-                - lastTransitionTime: "2024-07-08T14:50:19Z"
-                  reason: Available
-                  status: "True"
-                  type: Ready
-                - lastTransitionTime: "2024-07-08T14:50:18Z"
-                  reason: ReconcileSuccess
-                  status: "True"
-                  type: Synced
+          compositionRef:
+            name: vshnpostgres.vshn.appcat.vshn.io
       connection_details:
         POSTGRESQL_HOST: bmV4dGNsb3VkLWdjOXg0LnZzaG4tcG9zdGdyZXNxbC1uZXh0Y2xvdWQtZ2N4NC5zdmMuY2x1c3Rlci5sb2NhbAo=
         POSTGRESQL_DB: cG9zdGdyZXMK