webhook: add webhooks for csiaddonsnode

Add webhook for csiaddonsnode object to avoid users from changing the driver name, and NodeID once created. Below is the command to generate webhook for csiaddonsnode object ```bash $ operator-sdk create webhook --group csiaddons --version v1alpha1 --kind csiAddonsNode --programmatic-validation ``` Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
csi-addons · Nov 25, 2022 · e2a80f8 · e2a80f8
1 parent 17fd578
commit e2a80f8
Show file tree

Hide file tree

Showing 6 changed files with 129 additions and 0 deletions.
diff --git a/PROJECT b/PROJECT
@@ -14,6 +14,9 @@ resources:
   kind: CSIAddonsNode
   path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 - api:
     crdVersion: v1
     namespaced: true

diff --git a/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go b/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2022 The Kubernetes-CSI-Addons Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"errors"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// log is for logging in this package.
+var csnLog = logf.Log.WithName("csiaddonsnode-webhook")
+
+func (c *CSIAddonsNode) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(c).
+		Complete()
+}
+
+//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=csiaddonsnodes,verbs=update,versions=v1alpha1,name=vcsiaddonsnode.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &CSIAddonsNode{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (c *CSIAddonsNode) ValidateCreate() error {
+	return nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (c *CSIAddonsNode) ValidateUpdate(old runtime.Object) error {
+	csnLog.Info("validate update", "name", c.Name)
+
+	oldCSIAddonsNode, ok := old.(*CSIAddonsNode)
+	if !ok {
+		return errors.New("error casting CSIAddonsNode object")
+	}
+
+	var allErrs field.ErrorList
+
+	if c.Spec.Driver.NodeID != oldCSIAddonsNode.Spec.Driver.NodeID {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "driver", "nodeID"), c.Spec.Driver.NodeID, "nodeID cannot be updated"))
+	}
+
+	if c.Spec.Driver.Name != oldCSIAddonsNode.Spec.Driver.Name {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "driver", "name"), c.Spec.Driver.Name, "name cannot be updated"))
+	}
+
+	if len(allErrs) != 0 {
+		return apierrors.NewInvalid(
+			schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "CSIAddonsNode"},
+			c.Name, allErrs)
+	}
+
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *CSIAddonsNode) ValidateDelete() error {
+	return nil
+}
diff --git a/apis/csiaddons/v1alpha1/webhook_suite_test.go b/apis/csiaddons/v1alpha1/webhook_suite_test.go
@@ -111,6 +111,9 @@ var _ = BeforeSuite(func() {
 	err = (&NetworkFence{}).SetupWebhookWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 
+	err = (&CSIAddonsNode{}).SetupWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
 	//+kubebuilder:scaffold:webhook
 
 	go func() {

diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -177,6 +177,11 @@ func main() {
 			setupLog.Error(err, "unable to create webhook", "webhook", "NetworkFence")
 			os.Exit(1)
 		}
+
+		if err = (&csiaddonsv1alpha1.CSIAddonsNode{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "CSIAddonsNode")
+			os.Exit(1)
+		}
 	}
 
 	//+kubebuilder:scaffold:builder

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -5,6 +5,25 @@ metadata:
   creationTimestamp: null
   name: validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode
+  failurePolicy: Fail
+  name: vcsiaddonsnode.kb.io
+  rules:
+  - apiGroups:
+    - csiaddons.openshift.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - UPDATE
+    resources:
+    - csiaddonsnodes
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

diff --git a/deploy/controller/install-all-in-one.yaml b/deploy/controller/install-all-in-one.yaml
@@ -1417,6 +1417,25 @@ metadata:
     cert-manager.io/inject-ca-from: csi-addons-system/csi-addons-serving-cert
   name: csi-addons-validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: csi-addons-webhook-service
+      namespace: csi-addons-system
+      path: /validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode
+  failurePolicy: Fail
+  name: vcsiaddonsnode.kb.io
+  rules:
+  - apiGroups:
+    - csiaddons.openshift.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - UPDATE
+    resources:
+    - csiaddonsnodes
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig: