forked from Azure/acs-engine
-
Notifications
You must be signed in to change notification settings - Fork 0
/
validate.go
295 lines (270 loc) · 10.4 KB
/
validate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
package v20170701
import (
"errors"
"fmt"
"net"
"regexp"
"github.com/Azure/acs-engine/pkg/api/common"
validator "gopkg.in/go-playground/validator.v9"
)
var (
validate *validator.Validate
keyvaultIDRegex *regexp.Regexp
)
func init() {
validate = validator.New()
keyvaultIDRegex = regexp.MustCompile(`^/subscriptions/\S+/resourceGroups/\S+/providers/Microsoft.KeyVault/vaults/[^/\s]+$`)
}
// Validate implements APIObject
func (o *OrchestratorProfile) Validate(isUpdate bool) error {
// Don't need to call validate.Struct(o)
// It is handled by Properties.Validate()
// On updates we only need to make sure there is a supported patch version for the minor version
if !isUpdate {
switch o.OrchestratorType {
case Swarm:
case DCOS:
switch o.OrchestratorVersion {
case common.DCOSVersion1Dot10Dot0:
case common.DCOSVersion1Dot9Dot0:
case common.DCOSVersion1Dot8Dot8:
case "":
default:
return fmt.Errorf("OrchestratorProfile has unknown orchestrator version: %s", o.OrchestratorVersion)
}
case DockerCE:
case Kubernetes:
if k8sVersion := o.OrchestratorVersion; !common.AllKubernetesSupportedVersions[k8sVersion] && o.OrchestratorVersion != "" {
return fmt.Errorf("OrchestratorProfile has unknown orchestrator version: %s", o.OrchestratorVersion)
}
default:
return fmt.Errorf("OrchestratorProfile has unknown orchestrator: %s", o.OrchestratorType)
}
} else {
switch o.OrchestratorType {
case DCOS, Kubernetes:
patchVersion := common.GetValidPatchVersion(o.OrchestratorType, o.OrchestratorVersion)
// if there isn't a supported patch version for this version fail
if patchVersion == "" {
return fmt.Errorf("OrchestratorProfile has unknown orchestrator version: %s", o.OrchestratorVersion)
}
}
}
return nil
}
// Validate implements APIObject
func (m *MasterProfile) Validate() error {
// Don't need to call validate.Struct(m)
// It is handled by Properties.Validate()
if e := validateDNSName(m.DNSPrefix); e != nil {
return e
}
return nil
}
// Validate implements APIObject
func (a *AgentPoolProfile) Validate(orchestratorType string) error {
// Don't need to call validate.Struct(a)
// It is handled by Properties.Validate()
if e := validatePoolName(a.Name); e != nil {
return e
}
// Kubernetes don't allow agent DNSPrefix and ports
if orchestratorType == Kubernetes {
// The two lines below need to be removed after August 2017
a.DNSPrefix = ""
a.Ports = []int{}
if e := validate.Var(a.DNSPrefix, "len=0"); e != nil {
return fmt.Errorf("AgentPoolProfile.DNSPrefix must be empty for Kubernetes")
}
if e := validate.Var(a.Ports, "len=0"); e != nil {
return fmt.Errorf("AgentPoolProfile.Ports must be empty for Kubernetes")
}
}
if a.DNSPrefix != "" {
if e := validateDNSName(a.DNSPrefix); e != nil {
return e
}
if len(a.Ports) > 0 {
if e := validateUniquePorts(a.Ports, a.Name); e != nil {
return e
}
} else {
a.Ports = []int{80, 443, 8080}
}
} else {
if e := validate.Var(a.Ports, "len=0"); e != nil {
return fmt.Errorf("AgentPoolProfile.Ports must be empty when AgentPoolProfile.DNSPrefix is empty for Orchestrator: %s", string(orchestratorType))
}
}
return nil
}
// Validate implements APIObject
func (l *LinuxProfile) Validate() error {
// Don't need to call validate.Struct(l)
// It is handled by Properties.Validate()
if e := validate.Var(l.SSH.PublicKeys[0].KeyData, "required"); e != nil {
return fmt.Errorf("KeyData in LinuxProfile.SSH.PublicKeys cannot be empty string")
}
return nil
}
func handleValidationErrors(e validator.ValidationErrors) error {
// Override any version specific validation error message
// common.HandleValidationErrors if the validation error message is general
return common.HandleValidationErrors(e)
}
// Validate implements APIObject
func (a *Properties) Validate(isUpdate bool) error {
if e := validate.Struct(a); e != nil {
return handleValidationErrors(e.(validator.ValidationErrors))
}
if e := a.OrchestratorProfile.Validate(isUpdate); e != nil {
return e
}
if e := a.MasterProfile.Validate(); e != nil {
return e
}
if e := validateUniqueProfileNames(a.AgentPoolProfiles); e != nil {
return e
}
if a.OrchestratorProfile.OrchestratorType == Kubernetes {
if a.ServicePrincipalProfile == nil {
return fmt.Errorf("ServicePrincipalProfile must be specified with Orchestrator %s", a.OrchestratorProfile.OrchestratorType)
}
if e := validate.Var(a.ServicePrincipalProfile.ClientID, "required"); e != nil {
return fmt.Errorf("the service principal client ID must be specified with Orchestrator %s", a.OrchestratorProfile.OrchestratorType)
}
if (len(a.ServicePrincipalProfile.Secret) == 0 && a.ServicePrincipalProfile.KeyvaultSecretRef == nil) ||
(len(a.ServicePrincipalProfile.Secret) != 0 && a.ServicePrincipalProfile.KeyvaultSecretRef != nil) {
return fmt.Errorf("either the service principal client secret or keyvault secret reference must be specified with Orchestrator %s", a.OrchestratorProfile.OrchestratorType)
}
if a.ServicePrincipalProfile.KeyvaultSecretRef != nil {
if e := validate.Var(a.ServicePrincipalProfile.KeyvaultSecretRef.VaultID, "required"); e != nil {
return fmt.Errorf("the Keyvault ID must be specified for the Service Principle with Orchestrator %s", a.OrchestratorProfile.OrchestratorType)
}
if e := validate.Var(a.ServicePrincipalProfile.KeyvaultSecretRef.SecretName, "required"); e != nil {
return fmt.Errorf("the Keyvault Secret must be specified for the Service Principle with Orchestrator %s", a.OrchestratorProfile.OrchestratorType)
}
if !keyvaultIDRegex.MatchString(a.ServicePrincipalProfile.KeyvaultSecretRef.VaultID) {
return fmt.Errorf("service principal client keyvault secret reference is of incorrect format")
}
}
}
for _, agentPoolProfile := range a.AgentPoolProfiles {
if e := agentPoolProfile.Validate(a.OrchestratorProfile.OrchestratorType); e != nil {
return e
}
if agentPoolProfile.OSType == Windows {
if a.WindowsProfile == nil {
return fmt.Errorf("missing WindowsProfile")
}
switch a.OrchestratorProfile.OrchestratorType {
case Kubernetes:
default:
return fmt.Errorf("Orchestrator %s does not support Windows", a.OrchestratorProfile.OrchestratorType)
}
if a.WindowsProfile == nil {
return fmt.Errorf("WindowsProfile must not be empty since agent pool '%s' specifies windows", agentPoolProfile.Name)
}
if len(a.WindowsProfile.AdminUsername) == 0 {
return fmt.Errorf("WindowsProfile.AdminUsername must not be empty since agent pool '%s' specifies windows", agentPoolProfile.Name)
}
if len(a.WindowsProfile.AdminPassword) == 0 {
return fmt.Errorf("WindowsProfile.AdminPassword must not be empty since agent pool '%s' specifies windows", agentPoolProfile.Name)
}
}
}
if e := a.LinuxProfile.Validate(); e != nil {
return e
}
if e := validateVNET(a); e != nil {
return e
}
return nil
}
func validatePoolName(poolName string) error {
// we will cap at length of 12 and all lowercase letters since this makes up the VMName
poolNameRegex := `^([a-z][a-z0-9]{0,11})$`
re, err := regexp.Compile(poolNameRegex)
if err != nil {
return err
}
submatches := re.FindStringSubmatch(poolName)
if len(submatches) != 2 {
return fmt.Errorf("pool name '%s' is invalid. A pool name must start with a lowercase letter, have max length of 12, and only have characters a-z0-9", poolName)
}
return nil
}
func validateDNSName(dnsName string) error {
dnsNameRegex := `^([A-Za-z][A-Za-z0-9-]{1,43}[A-Za-z0-9])$`
re, err := regexp.Compile(dnsNameRegex)
if err != nil {
return err
}
if !re.MatchString(dnsName) {
return fmt.Errorf("DNS name '%s' is invalid. The DNS name must contain between 3 and 45 characters. The name can contain only letters, numbers, and hyphens. The name must start with a letter and must end with a letter or a number. (length was %d)", dnsName, len(dnsName))
}
return nil
}
func validateUniqueProfileNames(profiles []*AgentPoolProfile) error {
profileNames := make(map[string]bool)
for _, profile := range profiles {
if _, ok := profileNames[profile.Name]; ok {
return fmt.Errorf("profile name '%s' already exists, profile names must be unique across pools", profile.Name)
}
profileNames[profile.Name] = true
}
return nil
}
func validateUniquePorts(ports []int, name string) error {
portMap := make(map[int]bool)
for _, port := range ports {
if _, ok := portMap[port]; ok {
return fmt.Errorf("agent profile '%s' has duplicate port '%d', ports must be unique", name, port)
}
portMap[port] = true
}
return nil
}
func validateVNET(a *Properties) error {
isCustomVNET := a.MasterProfile.IsCustomVNET()
for _, agentPool := range a.AgentPoolProfiles {
if agentPool.IsCustomVNET() != isCustomVNET {
return fmt.Errorf("Multiple VNET Subnet configurations specified. The master profile and each agent pool profile must all specify a custom VNET Subnet, or none at all")
}
}
if isCustomVNET {
subscription, resourcegroup, vnetname, _, e := GetVNETSubnetIDComponents(a.MasterProfile.VnetSubnetID)
if e != nil {
return e
}
for _, agentPool := range a.AgentPoolProfiles {
agentSubID, agentRG, agentVNET, _, err := GetVNETSubnetIDComponents(agentPool.VnetSubnetID)
if err != nil {
return err
}
if agentSubID != subscription ||
agentRG != resourcegroup ||
agentVNET != vnetname {
return errors.New("Multiple VNETS specified. The master profile and each agent pool must reference the same VNET (but it is ok to reference different subnets on that VNET)")
}
}
masterFirstIP := net.ParseIP(a.MasterProfile.FirstConsecutiveStaticIP)
if masterFirstIP == nil {
return fmt.Errorf("MasterProfile.FirstConsecutiveStaticIP (with VNET Subnet specification) '%s' is an invalid IP address", a.MasterProfile.FirstConsecutiveStaticIP)
}
}
return nil
}
// GetVNETSubnetIDComponents extract subscription, resourcegroup, vnetname, subnetname from the vnetSubnetID
func GetVNETSubnetIDComponents(vnetSubnetID string) (string, string, string, string, error) {
vnetSubnetIDRegex := `^\/subscriptions\/([^\/]*)\/resourceGroups\/([^\/]*)\/providers\/Microsoft.Network\/virtualNetworks\/([^\/]*)\/subnets\/([^\/]*)$`
re, err := regexp.Compile(vnetSubnetIDRegex)
if err != nil {
return "", "", "", "", err
}
submatches := re.FindStringSubmatch(vnetSubnetID)
if len(submatches) != 4 {
return "", "", "", "", err
}
return submatches[1], submatches[2], submatches[3], submatches[4], nil
}