Merge pull request #387 from MartinBasti/ITS-name-lenght-validation

fix(STONEINTG-640): limit ITS name length

PROJECT

@@ -34,5 +34,6 @@ resources:
   version: v1beta1
   webhooks:
     conversion: true
+    validation: true
     webhookVersion: v1
 version: "3"

api/v1beta1/integrationtestscenario_suite_test.go

@@ -18,13 +18,19 @@ package v1beta1
 
 import (
 	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
 	"path/filepath"
 	"testing"
 	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/rest"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/envtest"
@@ -37,6 +43,7 @@ var (
 	testEnv   *envtest.Environment
 	ctx       context.Context
 	cancel    context.CancelFunc
+	cfg       *rest.Config
 )
 
 const (
@@ -56,35 +63,66 @@ var _ = BeforeSuite(func() {
 
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths: []string{
-			filepath.Join("..", "..", "config", "crd", "bases"),
+		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
+		ErrorIfCRDPathMissing: false,
+		WebhookInstallOptions: envtest.WebhookInstallOptions{
+			Paths: []string{filepath.Join("..", "..", "config", "webhook")},
 		},
 	}
 
-	cfg, err := testEnv.Start()
+	var err error
+	// cfg is defined in this file globally.
+	cfg, err = testEnv.Start()
 	Expect(err).NotTo(HaveOccurred())
 	Expect(cfg).NotTo(BeNil())
 
 	scheme := runtime.NewScheme()
 	Expect(AddToScheme(scheme)).To(Succeed())
 
+	err = admissionv1beta1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	//+kubebuilder:scaffold:scheme
+
 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme})
 	Expect(err).NotTo(HaveOccurred())
 	Expect(k8sClient).NotTo(BeNil())
 
 	// start webhook server using Manager
-	k8sManager, _ := ctrl.NewManager(cfg, ctrl.Options{
+	webhookInstallOptions := &testEnv.WebhookInstallOptions
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
 		Scheme:             scheme,
+		Host:               webhookInstallOptions.LocalServingHost,
+		Port:               webhookInstallOptions.LocalServingPort,
+		CertDir:            webhookInstallOptions.LocalServingCertDir,
 		LeaderElection:     false,
 		MetricsBindAddress: "0",
 	})
-	k8sClient = k8sManager.GetClient()
+	Expect(err).NotTo(HaveOccurred())
+
+	err = (&IntegrationTestScenario{}).SetupWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
+	//+kubebuilder:scaffold:webhook
 
 	go func() {
 		defer GinkgoRecover()
-		err = k8sManager.Start(ctx)
+		err = mgr.Start(ctx)
 		Expect(err).NotTo(HaveOccurred())
 	}()
+
+	// wait for the webhook server to get ready
+	dialer := &net.Dialer{Timeout: time.Second}
+	addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort)
+	Eventually(func() error {
+		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return err
+		}
+		conn.Close()
+		return nil
+	}).Should(Succeed())
+
 })
 
 var _ = AfterSuite(func() {

api/v1beta1/integrationtestscenario_webhook.go

@@ -17,11 +17,42 @@ limitations under the License.
 package v1beta1
 
 import (
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
 func (r *IntegrationTestScenario) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		Complete()
 }
+
+//+kubebuilder:webhook:path=/validate-appstudio-redhat-com-v1beta1-integrationtestscenario,mutating=false,failurePolicy=fail,sideEffects=None,groups=appstudio.redhat.com,resources=integrationtestscenarios,verbs=create;update;delete,versions=v1beta1,name=vintegrationtestscenario.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &IntegrationTestScenario{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *IntegrationTestScenario) ValidateCreate() error {
+	// We use the DNS-1035 format for application names, so ensure it conforms to that specification
+
+	if len(validation.IsDNS1035Label(r.Name)) != 0 {
+		return field.Invalid(field.NewPath("metadata").Child("name"), r.Name,
+			"an IntegrationTestScenario resource name must start with a lower case "+
+				"alphabetical character, be under 63 characters, and can only consist "+
+				"of lower case alphanumeric characters or ‘-’")
+	}
+	return nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *IntegrationTestScenario) ValidateUpdate(old runtime.Object) error {
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *IntegrationTestScenario) ValidateDelete() error {
+	return nil
+}

api/v1beta1/integrationtestscenario_webhook_test.go

@@ -0,0 +1,98 @@
+/*
+Copyright 2023 Red Hat Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/api/errors"
+
+	applicationapiv1alpha1 "github.com/redhat-appstudio/application-api/api/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var _ = Describe("IntegrationTestScenario webhook", func() {
+
+	var integrationTestScenario *IntegrationTestScenario
+
+	BeforeEach(func() {
+		integrationTestScenario = &IntegrationTestScenario{
+			TypeMeta: metav1.TypeMeta{
+				APIVersion: "appstudio.redhat.com/v1alpha1",
+				Kind:       "IntegrationTestScenario",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "integrationtestscenario",
+				Namespace: "default",
+			},
+			Spec: IntegrationTestScenarioSpec{
+				Application: "application-sample",
+				Params: []PipelineParameter{
+					{
+						Name:  "pipeline-param-name",
+						Value: "pipeline-param-value",
+					},
+				},
+				Environment: TestEnvironment{
+					Name: "environment-name",
+					Type: "POC",
+					Configuration: &applicationapiv1alpha1.EnvironmentConfiguration{
+						Env: []applicationapiv1alpha1.EnvVarPair{
+							{
+								Name:  "env-config-name",
+								Value: "env-config-value",
+							},
+						},
+					},
+				},
+				Contexts: []TestContext{
+					{
+						Name:        "test-ctx",
+						Description: "test-ctx-description",
+					},
+				},
+				ResolverRef: ResolverRef{
+					Resolver: "git",
+					Params: []ResolverParameter{
+						{
+							Name:  "url",
+							Value: "http://url",
+						},
+						{
+							Name:  "revision",
+							Value: "main",
+						},
+						{
+							Name:  "pathInRepo",
+							Value: "pipeline/helloworld.yaml",
+						},
+					},
+				},
+			},
+		}
+	})
+
+	AfterEach(func() {
+		err := k8sClient.Delete(ctx, integrationTestScenario)
+		Expect(err == nil || errors.IsNotFound(err)).To(BeTrue())
+	})
+
+	It("should fail to create scenario with long name", func() {
+		integrationTestScenario.Name = "this-name-is-too-long-it-has-64-characters-and-we-allow-max-63ch"
+		Expect(k8sClient.Create(ctx, integrationTestScenario)).ShouldNot(Succeed())
+	})
+})

config/default/webhookcainjection_patch.yaml

@@ -1,13 +1,6 @@
 # This patch add annotation to admission webhook config and
 # the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
 apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  name: mutating-webhook-configuration
-  annotations:
-    service.beta.openshift.io/inject-cabundle: "true"
----
-apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration

config/webhook/kustomizeconfig.yaml

@@ -4,18 +4,11 @@ nameReference:
 - kind: Service
   version: v1
   fieldSpecs:
-  - kind: MutatingWebhookConfiguration
-    group: admissionregistration.k8s.io
-    path: webhooks/clientConfig/service/name
   - kind: ValidatingWebhookConfiguration
     group: admissionregistration.k8s.io
     path: webhooks/clientConfig/service/name
 
 namespace:
-- kind: MutatingWebhookConfiguration
-  group: admissionregistration.k8s.io
-  path: webhooks/clientConfig/service/namespace
-  create: true
 - kind: ValidatingWebhookConfiguration
   group: admissionregistration.k8s.io
   path: webhooks/clientConfig/service/namespace

config/webhook/manifests.yaml

@@ -1,32 +1,3 @@
-
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
-  creationTimestamp: null
-  name: mutating-webhook-configuration
-webhooks:
-- admissionReviewVersions:
-  - v1alpha1
-  - v1beta1
-  clientConfig:
-    service:
-      name: webhook-service
-      namespace: system
-      path: /mutate-appstudio-redhat-com-v1beta1-integrationtestscenario
-  failurePolicy: Fail
-  name: mintegration.kb.io
-  rules:
-  - apiGroups:
-    - appstudio.redhat.com
-    apiVersions:
-    - v1beta1
-    operations:
-    - CREATE
-    - UPDATE
-    resources:
-    - applications
-  sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -35,15 +6,14 @@ metadata:
   name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
-  - v1alpha1
-  - v1beta1
+  - v1
   clientConfig:
     service:
       name: webhook-service
       namespace: system
       path: /validate-appstudio-redhat-com-v1beta1-integrationtestscenario
   failurePolicy: Fail
-  name: vapplication.kb.io
+  name: vintegrationtestscenario.kb.io
   rules:
   - apiGroups:
     - appstudio.redhat.com
@@ -52,6 +22,7 @@ webhooks:
     operations:
     - CREATE
     - UPDATE
+    - DELETE
     resources:
-    - applications
+    - integrationtestscenarios
   sideEffects: None