Allow webhook changes to OpenStackCluster.Spec.Bastion

Signed-off-by: Tobias Giese <tobias.giese@daimler.com>
kubernetes-sigs · Dec 7, 2021 · a32fe32 · a32fe32
1 parent 565a051
commit a32fe32
Show file tree

Hide file tree

Showing 5 changed files with 427 additions and 0 deletions.
diff --git a/api/v1alpha4/openstackcluster_webhook.go b/api/v1alpha4/openstackcluster_webhook.go
@@ -105,6 +105,19 @@ func (r *OpenStackCluster) ValidateUpdate(oldRaw runtime.Object) error {
 		r.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{}
 	}
 
+	// Allow changes to the bastion spec only if no bastion host is deployed (i.e. Spec.Bastion.Enabled=false)
+	// or the bastion host is going to be destroyed anyway.
+	if old.Status.Bastion == nil || (r.Spec.Bastion != nil && r.Spec.Bastion.Enabled == false) {
+		old.Spec.Bastion = &Bastion{}
+		r.Spec.Bastion = &Bastion{}
+	}
+
+	// Allow toggling the bastion enabled flag.
+	if old.Spec.Bastion != nil && r.Spec.Bastion != nil {
+		old.Spec.Bastion.Enabled = true
+		r.Spec.Bastion.Enabled = true
+	}
+
 	if !reflect.DeepEqual(old.Spec, r.Spec) {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "cannot be modified"))
 	}

diff --git a/api/v1alpha4/openstackcluster_webhook_test.go b/api/v1alpha4/openstackcluster_webhook_test.go
@@ -111,6 +111,204 @@ func TestOpenStackCluster_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "Toggle OpenStackCluster.Spec.Bastion.Enabled flag is allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "minimal",
+						},
+						Enabled: false,
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobarbaz",
+							Image:     "foobarbaz",
+							Flavor:    "medium",
+						},
+						Enabled: true,
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Changing empty OpenStackCluster.Spec.Bastion is allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "medium",
+						},
+						Enabled: true,
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Changing OpenStackCluster.Spec.Bastion with no deployed bastion host is allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "minimal",
+						},
+						Enabled: false,
+					},
+				},
+				Status: OpenStackClusterStatus{},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobarbaz",
+							Image:     "foobarbaz",
+							Flavor:    "medium",
+						},
+						Enabled: true,
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Changing OpenStackCluster.Spec.Bastion with deployed bastion host is not allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "minimal",
+						},
+						Enabled: true,
+					},
+				},
+				Status: OpenStackClusterStatus{
+					Bastion: &Instance{
+						Name: "foobar",
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobarbaz",
+							Image:     "foobarbaz",
+							Flavor:    "medium",
+						},
+						Enabled: true,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Disabling the OpenStackCluster.Spec.Bastion while it's running is allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "minimal",
+						},
+						Enabled: true,
+					},
+				},
+				Status: OpenStackClusterStatus{
+					Bastion: &Instance{
+						Name: "foobar",
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "minimal",
+						},
+						Enabled: false,
+					},
+				},
+				Status: OpenStackClusterStatus{
+					Bastion: &Instance{
+						Name: "foobar",
+					},
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "Disabling and changing the OpenStackCluster.Spec.Bastion while it's running is allowed",
+			oldTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobar",
+							Image:     "foobar",
+							Flavor:    "minimal",
+						},
+						Enabled: true,
+					},
+				},
+				Status: OpenStackClusterStatus{
+					Bastion: &Instance{
+						Name: "foobar",
+					},
+				},
+			},
+			newTemplate: &OpenStackCluster{
+				Spec: OpenStackClusterSpec{
+					CloudName: "foobar",
+					Bastion: &Bastion{
+						Instance: OpenStackMachineSpec{
+							CloudName: "foobarbaz",
+							Image:     "foobarbaz",
+							Flavor:    "medium",
+						},
+						Enabled: false,
+					},
+				},
+				Status: OpenStackClusterStatus{
+					Bastion: &Instance{
+						Name: "foobar",
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/api/v1beta1/openstackcluster_webhook.go b/api/v1beta1/openstackcluster_webhook.go
@@ -105,6 +105,19 @@ func (r *OpenStackCluster) ValidateUpdate(oldRaw runtime.Object) error {
 		r.Spec.ControlPlaneEndpoint = clusterv1.APIEndpoint{}
 	}
 
+	// Allow changes to the bastion spec only if no bastion host is deployed (i.e. Spec.Bastion.Enabled=false)
+	// or the bastion host is going to be destroyed anyway.
+	if old.Status.Bastion == nil || (r.Spec.Bastion != nil && r.Spec.Bastion.Enabled == false) {
+		old.Spec.Bastion = &Bastion{}
+		r.Spec.Bastion = &Bastion{}
+	}
+
+	// Allow toggling the bastion enabled flag.
+	if old.Spec.Bastion != nil && r.Spec.Bastion != nil {
+		old.Spec.Bastion.Enabled = true
+		r.Spec.Bastion.Enabled = true
+	}
+
 	if !reflect.DeepEqual(old.Spec, r.Spec) {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "cannot be modified"))
 	}