Implement reconciliation of the VWC for object schema validation

Author: JoelSpeed

pkg/controllers/crdcompatibility/objectvalidation/handle.go

@@ -52,7 +52,7 @@ func compatibilityRequrementFromContext(ctx context.Context) string {
 // of the CompatibilityRequirement from it and adds it to the context so it can later
 // be read inside the Handle functions.
 func compatibilityRequrementIntoContext(ctx context.Context, r *http.Request) context.Context {
-	compatibilityRequirementName := strings.TrimPrefix(r.URL.Path, webhookPrefix)
+	compatibilityRequirementName := strings.TrimPrefix(r.URL.Path, WebhookPrefix)
 	return context.WithValue(ctx, compatibilityRequirementContextKey{}, compatibilityRequirementName)
 }
 

pkg/controllers/crdcompatibility/objectvalidation/handle_test.go

@@ -40,7 +40,7 @@ import (
 
 // createValidatingWebhookConfig creates a ValidatingWebhookConfiguration for end-to-end testing
 func createValidatingWebhookConfig(crd *apiextensionsv1.CustomResourceDefinition, compatibilityRequirement *apiextensionsv1alpha1.CompatibilityRequirement) *admissionv1.ValidatingWebhookConfiguration {
-	webhookPath := fmt.Sprintf("%s%s", webhookPrefix, compatibilityRequirement.Name)
+	webhookPath := fmt.Sprintf("%s%s", WebhookPrefix, compatibilityRequirement.Name)
 
 	// Get webhook server configuration from test environment
 	hostPort := fmt.Sprintf("%s:%d", testEnv.WebhookInstallOptions.LocalServingHost, testEnv.WebhookInstallOptions.LocalServingPort)
@@ -479,7 +479,7 @@ var _ = Describe("End-to-End Admission Webhook Integration", Ordered, ContinueOn
 			// This test verifies the webhook URL path processing works correctly
 			// The webhook is configured with path patterns that include the CompatibilityRequirement name
 
-			testPath := fmt.Sprintf("%s%s", webhookPrefix, compatibilityRequirement.Name)
+			testPath := fmt.Sprintf("%s%s", WebhookPrefix, compatibilityRequirement.Name)
 			req := &http.Request{}
 			req.URL = &url.URL{Path: testPath}
 

pkg/controllers/crdcompatibility/objectvalidation/webhook.go

@@ -44,10 +44,10 @@ import (
 )
 
 const (
-	// webhookPrefix is the static path prefix of our object admission endpoint.
+	// WebhookPrefix is the static path prefix of our object admission endpoint.
 	// Requests will be sent to a sub-path with the next component of the path
 	// as a compatibility requirement name.
-	webhookPrefix = "/compatibility-requirement-object-admission/"
+	WebhookPrefix = "/compatibility-requirement-object-admission/"
 )
 
 var (
@@ -91,7 +91,7 @@ func (v *validator) SetupWithManager(ctx context.Context, mgr ctrl.Manager, opts
 	// Register a webhook on a path with a dynamic component for the compatibility requirement name.
 	// we will extract this component into the context so that the handler can identify which compatibility
 	// requirement the request was intended to validate against.
-	mgr.GetWebhookServer().Register(webhookPrefix+"{CompatibilityRequirement}", &admission.Webhook{
+	mgr.GetWebhookServer().Register(WebhookPrefix+"{CompatibilityRequirement}", &admission.Webhook{
 		Handler:         v,
 		WithContextFunc: compatibilityRequrementIntoContext,
 	})

pkg/controllers/crdcompatibility/reconcile.go

@@ -23,14 +23,18 @@ import (
 	"slices"
 
 	"github.com/go-logr/logr"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/yaml"
 
 	apiextensionsv1alpha1 "github.com/openshift/api/apiextensions/v1alpha1"
+	"github.com/openshift/cluster-capi-operator/pkg/controllers/crdcompatibility/objectvalidation"
 	"github.com/openshift/cluster-capi-operator/pkg/crdchecker"
 	"github.com/openshift/cluster-capi-operator/pkg/util"
 )
@@ -155,6 +159,7 @@ func (r *reconcileState) reconcileCreateOrUpdate(ctx context.Context, obj *apiex
 		r.parseCompatibilityCRD(obj),
 		r.fetchCurrentCRD(ctx, logger),
 		r.checkCompatibilityRequirement(),
+		r.ensureObjectValidationWebhook(ctx, obj),
 	)
 
 	if err != nil {
@@ -169,9 +174,107 @@ func (r *reconcileState) reconcileDelete(ctx context.Context, obj *apiextensions
 
 	logger.Info("Reconciling CompatibilityRequirement deletion")
 
-	if err := clearFinalizer(ctx, r.client, obj); err != nil {
+	err := errors.Join(
+		clearFinalizer(ctx, r.client, obj),
+		r.removeObjectValidationWebhook(ctx, obj),
+	)
+
+	if err != nil {
 		return ctrl.Result{}, err
 	}
 
 	return ctrl.Result{}, nil
 }
+
+func (r *reconcileState) ensureObjectValidationWebhook(ctx context.Context, obj *apiextensionsv1alpha1.CompatibilityRequirement) error {
+	if isObjectValidationWebhookEnabled(obj) {
+		return nil
+	}
+
+	webhookConfig := validatingWebhookConfigurationFor(obj, r.compatibilityCRD)
+	if err := r.client.Get(ctx, types.NamespacedName{Name: webhookConfig.Name}, webhookConfig); err != nil {
+		if apierrors.IsNotFound(err) {
+			return r.client.Create(ctx, webhookConfig)
+		}
+
+		return err
+	}
+
+	return r.client.Update(ctx, webhookConfig)
+}
+
+func (r *reconcileState) removeObjectValidationWebhook(ctx context.Context, obj *apiextensionsv1alpha1.CompatibilityRequirement) error {
+	webhookConfig := &admissionregistrationv1.ValidatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: obj.Name,
+		},
+	}
+
+	if err := r.client.Get(ctx, types.NamespacedName{Name: webhookConfig.Name}, webhookConfig); err != nil {
+		if apierrors.IsNotFound(err) {
+			return nil
+		}
+		return err
+	}
+
+	return r.client.Delete(ctx, webhookConfig)
+}
+
+func isObjectValidationWebhookEnabled(obj *apiextensionsv1alpha1.CompatibilityRequirement) bool {
+	osv := obj.Spec.ObjectSchemaValidation
+	return osv.Action == "" && osv.MatchConditions == nil && labelSelectorIsEmpty(osv.NamespaceSelector) && labelSelectorIsEmpty(osv.ObjectSelector)
+}
+
+func labelSelectorIsEmpty(ls metav1.LabelSelector) bool {
+	return len(ls.MatchLabels) == 0 && len(ls.MatchExpressions) == 0
+}
+
+func validatingWebhookConfigurationFor(obj *apiextensionsv1alpha1.CompatibilityRequirement, crd *apiextensionsv1.CustomResourceDefinition) *admissionregistrationv1.ValidatingWebhookConfiguration {
+	return &admissionregistrationv1.ValidatingWebhookConfiguration{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "ValidatingWebhookConfiguration",
+			APIVersion: "admissionregistration.k8s.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: obj.Name,
+			Annotations: map[string]string{
+				"service.beta.openshift.io/inject-cabundle": "true",
+			},
+		},
+		Webhooks: []admissionregistrationv1.ValidatingWebhook{
+			{
+				AdmissionReviewVersions: []string{"v1"},
+				ClientConfig: admissionregistrationv1.WebhookClientConfig{
+					Service: &admissionregistrationv1.ServiceReference{
+						Name:      "compatibility-requirements-controllers-validation-webhook-service",
+						Namespace: "openshift-compatibility-requirements-operator",
+						Path:      ptr.To(fmt.Sprintf("%s%s", objectvalidation.WebhookPrefix, obj.Name)),
+					},
+				},
+				SideEffects:   ptr.To(admissionregistrationv1.SideEffectClassNone),
+				FailurePolicy: ptr.To(admissionregistrationv1.Fail),
+				MatchPolicy:   ptr.To(admissionregistrationv1.Exact),
+				Name:          "compatibilityrequirement.operator.openshift.io",
+				Rules: []admissionregistrationv1.RuleWithOperations{
+					{
+						Rule: admissionregistrationv1.Rule{
+							APIGroups:   []string{crd.Spec.Group},
+							APIVersions: mapFunc(crd.Spec.Versions, func(version apiextensionsv1.CustomResourceDefinitionVersion) string { return version.Name }),
+							Resources:   []string{crd.Spec.Names.Plural},
+							Scope:       ptr.To(admissionregistrationv1.ScopeType(crd.Spec.Scope)),
+						},
+						Operations: []admissionregistrationv1.OperationType{"CREATE", "UPDATE"},
+					},
+				},
+			},
+		},
+	}
+}
+
+func mapFunc[T any, R any](items []T, transform func(T) R) []R {
+	result := make([]R, len(items))
+	for i, item := range items {
+		result[i] = transform(item)
+	}
+	return result
+}

pkg/controllers/crdcompatibility/reconcile_test.go

@@ -18,16 +18,19 @@ package crdcompatibility
 
 import (
 	"context"
+	"fmt"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	apiextensionsv1alpha1 "github.com/openshift/api/apiextensions/v1alpha1"
 	"github.com/openshift/cluster-capi-operator/pkg/controllers/crdcompatibility/crdvalidation"
+	"github.com/openshift/cluster-capi-operator/pkg/controllers/crdcompatibility/objectvalidation"
 	"github.com/openshift/cluster-capi-operator/pkg/test"
 )
 
@@ -216,6 +219,73 @@ var _ = Describe("CompatibilityRequirement", Ordered, ContinueOnFailure, func()
 
 	})
 
+	Context("When creating a CompatibilityRequirement with configured object schema validation", Ordered, func() {
+		var webhookConfig *admissionregistrationv1.ValidatingWebhookConfiguration
+		var requirement *apiextensionsv1alpha1.CompatibilityRequirement
+
+		BeforeAll(func(ctx context.Context) {
+			requirement = test.GenerateTestCompatibilityRequirement(testCRDClean)
+			requirement.Spec.ObjectSchemaValidation = apiextensionsv1alpha1.ObjectSchemaValidation{
+				Action: apiextensionsv1alpha1.CRDAdmitActionDeny,
+				NamespaceSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"test": "test",
+					},
+				},
+				ObjectSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"test": "test",
+					},
+				},
+				MatchConditions: []admissionregistrationv1.MatchCondition{
+					{
+						Name:       "test",
+						Expression: "true",
+					},
+				},
+			}
+
+			createTestObject(ctx, requirement, "CompatibilityRequirement")
+
+			webhookConfig = &admissionregistrationv1.ValidatingWebhookConfiguration{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: requirement.Name,
+				},
+			}
+		})
+
+		It("Should create a validating webhook configuration to implement the compatiblity requirement", func(ctx context.Context) {
+			Eventually(kWithCtx(ctx).Object(webhookConfig)).Should(SatisfyAll(
+				HaveField("ObjectMeta.Name", BeEquivalentTo(requirement.Name)),
+				HaveField("ObjectMeta.Annotations", HaveKey("service.beta.openshift.io/inject-cabundle")),
+				HaveField("Webhooks", ConsistOf(SatisfyAll(
+					HaveField("Name", BeEquivalentTo("compatibilityrequirement.operator.openshift.io")),
+					HaveField("ClientConfig.Service.Name", BeEquivalentTo("compatibility-requirements-controllers-validation-webhook-service")),
+					HaveField("ClientConfig.Service.Namespace", BeEquivalentTo("openshift-compatibility-requirements-operator")),
+					HaveField("ClientConfig.Service.Path", HaveValue(BeEquivalentTo(fmt.Sprintf("%s%s", objectvalidation.WebhookPrefix, requirement.Name)))),
+					HaveField("SideEffects", HaveValue(BeEquivalentTo(admissionregistrationv1.SideEffectClassNone))),
+					HaveField("FailurePolicy", HaveValue(BeEquivalentTo(admissionregistrationv1.Fail))),
+					HaveField("MatchPolicy", HaveValue(BeEquivalentTo(admissionregistrationv1.Exact))),
+					HaveField("Rules", ConsistOf(SatisfyAll(
+						HaveField("APIGroups", BeEquivalentTo([]string{testCRDClean.Spec.Group})),
+						HaveField("APIVersions", BeEquivalentTo([]string{testCRDClean.Spec.Versions[0].Name})),
+						HaveField("Resources", BeEquivalentTo([]string{testCRDClean.Spec.Names.Plural})),
+						HaveField("Scope", HaveValue(BeEquivalentTo(admissionregistrationv1.ScopeType(testCRDClean.Spec.Scope)))),
+						HaveField("Operations", ConsistOf(
+							BeEquivalentTo("CREATE"),
+							BeEquivalentTo("UPDATE"),
+						)),
+					))),
+				))),
+			))
+		})
+
+		It("Should delete the validating webhook configuration when the CompatibilityRequirement is deleted", func(ctx context.Context) {
+			Expect(cl.Delete(ctx, requirement)).To(Succeed())
+			Eventually(kWithCtx(ctx).Get(webhookConfig)).Should(test.BeK8SNotFound())
+		})
+	})
+
 	Context("When creating or modifying a CRD", func() {
 		testIncompatibleCRD := func(ctx context.Context, testCRD *apiextensionsv1.CustomResourceDefinition, requirement *apiextensionsv1alpha1.CompatibilityRequirement, createOrUpdateCRD func(context.Context, client.Object, func()) func() error) {
 			// Create a working copy of the CRD so we maintain a clean version