sigs.k8s.io/cluster-api-provider-azure@v1.14.3/api/v1beta1/azuremachinetemplate_webhook.go (about) 1 /* 2 Copyright 2021 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package v1beta1 18 19 import ( 20 "context" 21 "fmt" 22 "reflect" 23 24 apierrors "k8s.io/apimachinery/pkg/api/errors" 25 "k8s.io/apimachinery/pkg/runtime" 26 "k8s.io/apimachinery/pkg/util/validation/field" 27 "sigs.k8s.io/cluster-api/util/topology" 28 ctrl "sigs.k8s.io/controller-runtime" 29 "sigs.k8s.io/controller-runtime/pkg/webhook" 30 "sigs.k8s.io/controller-runtime/pkg/webhook/admission" 31 ) 32 33 // AzureMachineTemplateImmutableMsg ... 34 const ( 35 AzureMachineTemplateImmutableMsg = "AzureMachineTemplate spec.template.spec field is immutable. Please create new resource instead. ref doc: https://cluster-api.sigs.k8s.io/tasks/updating-machine-templates.html" 36 AzureMachineTemplateRoleAssignmentNameMsg = "AzureMachineTemplate spec.template.spec.roleAssignmentName field can't be set" 37 AzureMachineTemplateSystemAssignedIdentityRoleNameMsg = "AzureMachineTemplate spec.template.spec.systemAssignedIdentityRole.name field can't be set" 38 ) 39 40 // SetupWebhookWithManager sets up and registers the webhook with the manager. 41 func (r *AzureMachineTemplate) SetupWebhookWithManager(mgr ctrl.Manager) error { 42 return ctrl.NewWebhookManagedBy(mgr). 43 For(r). 44 WithValidator(r). 45 WithDefaulter(r). 46 Complete() 47 } 48 49 // +kubebuilder:webhook:verbs=create;update,path=/mutate-infrastructure-cluster-x-k8s-io-v1beta1-azuremachinetemplate,mutating=true,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=azuremachinetemplates,versions=v1beta1,name=default.azuremachinetemplate.infrastructure.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1 50 // +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1beta1-azuremachinetemplate,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=azuremachinetemplates,versions=v1beta1,name=validation.azuremachinetemplate.infrastructure.cluster.x-k8s.io,sideEffects=None,admissionReviewVersions=v1;v1beta1 51 52 var _ webhook.CustomDefaulter = &AzureMachineTemplate{} 53 var _ webhook.CustomValidator = &AzureMachineTemplate{} 54 55 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type. 56 func (r *AzureMachineTemplate) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { 57 t := obj.(*AzureMachineTemplate) 58 spec := t.Spec.Template.Spec 59 60 allErrs := ValidateAzureMachineSpec(spec) 61 62 if spec.RoleAssignmentName != "" { 63 allErrs = append(allErrs, 64 field.Invalid(field.NewPath("AzureMachineTemplate", "spec", "template", "spec", "roleAssignmentName"), t, AzureMachineTemplateRoleAssignmentNameMsg), 65 ) 66 } 67 68 if spec.SystemAssignedIdentityRole != nil && spec.SystemAssignedIdentityRole.Name != "" { 69 allErrs = append(allErrs, 70 field.Invalid(field.NewPath("AzureMachineTemplate", "spec", "template", "spec", "systemAssignedIdentityRole", "name"), t, AzureMachineTemplateSystemAssignedIdentityRoleNameMsg), 71 ) 72 } 73 74 if (r.Spec.Template.Spec.NetworkInterfaces != nil) && len(r.Spec.Template.Spec.NetworkInterfaces) > 0 && r.Spec.Template.Spec.SubnetName != "" { 75 allErrs = append(allErrs, field.Invalid(field.NewPath("AzureMachineTemplate", "spec", "template", "spec", "networkInterfaces"), r.Spec.Template.Spec.NetworkInterfaces, "cannot set both NetworkInterfaces and machine SubnetName")) 76 } 77 78 if (r.Spec.Template.Spec.NetworkInterfaces != nil) && len(r.Spec.Template.Spec.NetworkInterfaces) > 0 && r.Spec.Template.Spec.AcceleratedNetworking != nil { 79 allErrs = append(allErrs, field.Invalid(field.NewPath("AzureMachineTemplate", "spec", "template", "spec", "acceleratedNetworking"), r.Spec.Template.Spec.NetworkInterfaces, "cannot set both NetworkInterfaces and machine AcceleratedNetworking")) 80 } 81 82 for i, networkInterface := range r.Spec.Template.Spec.NetworkInterfaces { 83 if networkInterface.PrivateIPConfigs < 1 { 84 allErrs = append(allErrs, field.Invalid(field.NewPath("AzureMachineTemplate", "spec", "template", "spec", "networkInterfaces", "privateIPConfigs"), r.Spec.Template.Spec.NetworkInterfaces[i].PrivateIPConfigs, "networkInterface privateIPConfigs must be set to a minimum value of 1")) 85 } 86 } 87 88 if len(allErrs) == 0 { 89 return nil, nil 90 } 91 92 return nil, apierrors.NewInvalid(GroupVersion.WithKind(AzureMachineTemplateKind).GroupKind(), t.Name, allErrs) 93 } 94 95 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type. 96 func (r *AzureMachineTemplate) ValidateUpdate(ctx context.Context, oldRaw runtime.Object, newRaw runtime.Object) (admission.Warnings, error) { 97 var allErrs field.ErrorList 98 old := oldRaw.(*AzureMachineTemplate) 99 t := newRaw.(*AzureMachineTemplate) 100 101 req, err := admission.RequestFromContext(ctx) 102 if err != nil { 103 return nil, apierrors.NewBadRequest(fmt.Sprintf("expected a admission.Request inside context: %v", err)) 104 } 105 106 if !topology.ShouldSkipImmutabilityChecks(req, t) && 107 !reflect.DeepEqual(t.Spec.Template.Spec, old.Spec.Template.Spec) { 108 // The equality failure could be because of default mismatch between v1alpha3 and v1beta1. This happens because 109 // the new object `r` will have run through the default webhooks but the old object `old` would not have so. 110 // This means if the old object was in v1alpha3, it would not get the new defaults set in v1beta1 resulting 111 // in object inequality. To workaround this, we set the v1beta1 defaults here so that the old object also gets 112 // the new defaults. 113 114 // We need to set ssh key explicitly, otherwise Default() will create a new one. 115 if old.Spec.Template.Spec.SSHPublicKey == "" { 116 old.Spec.Template.Spec.SSHPublicKey = t.Spec.Template.Spec.SSHPublicKey 117 } 118 119 if err := r.Default(ctx, old); err != nil { 120 allErrs = append(allErrs, 121 field.Invalid(field.NewPath("AzureMachineTemplate"), r, fmt.Sprintf("Unable to apply defaults: %v", err)), 122 ) 123 } 124 125 // if it's still not equal, return error. 126 if !reflect.DeepEqual(t.Spec.Template.Spec, old.Spec.Template.Spec) { 127 allErrs = append(allErrs, 128 field.Invalid(field.NewPath("AzureMachineTemplate", "spec", "template", "spec"), t, AzureMachineTemplateImmutableMsg), 129 ) 130 } 131 } 132 133 if len(allErrs) == 0 { 134 return nil, nil 135 } 136 return nil, apierrors.NewInvalid(GroupVersion.WithKind(AzureMachineTemplateKind).GroupKind(), t.Name, allErrs) 137 } 138 139 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type. 140 func (r *AzureMachineTemplate) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { 141 return nil, nil 142 } 143 144 // Default implements webhookutil.defaulter so a webhook will be registered for the type. 145 func (r *AzureMachineTemplate) Default(ctx context.Context, obj runtime.Object) error { 146 t := obj.(*AzureMachineTemplate) 147 if err := t.Spec.Template.Spec.SetDefaultSSHPublicKey(); err != nil { 148 ctrl.Log.WithName("SetDefault").Error(err, "SetDefaultSSHPublicKey failed") 149 } 150 t.Spec.Template.Spec.SetDefaultCachingType() 151 t.Spec.Template.Spec.SetDataDisksDefaults() 152 t.Spec.Template.Spec.SetNetworkInterfacesDefaults() 153 return nil 154 }