From 9a35478421318f99482d48396c2c41e0b64ee3eb Mon Sep 17 00:00:00 2001 From: Maksim Fedotov Date: Tue, 2 Dec 2025 13:53:03 +0300 Subject: [PATCH] fix(module): remove validationadmissionpolicy module hooks (#1771) Signed-off-by: Maksim Fedotov --- .../virtualization-module-hooks/register.go | 1 - .../hook.go | 131 ---------------- .../hook_test.go | 142 ------------------ 3 files changed, 274 deletions(-) delete mode 100644 images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook.go delete mode 100644 images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook_test.go diff --git a/images/hooks/cmd/virtualization-module-hooks/register.go b/images/hooks/cmd/virtualization-module-hooks/register.go index 37c9adfe49..8f6cebea9e 100644 --- a/images/hooks/cmd/virtualization-module-hooks/register.go +++ b/images/hooks/cmd/virtualization-module-hooks/register.go @@ -25,7 +25,6 @@ import ( _ "hooks/pkg/hooks/dvcr-garbage-collection" _ "hooks/pkg/hooks/generate-secret-for-dvcr" _ "hooks/pkg/hooks/install-vmclass-generic" - _ "hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy" _ "hooks/pkg/hooks/migrate-virthandler-kvm-node-labels" _ "hooks/pkg/hooks/tls-certificates-api" _ "hooks/pkg/hooks/tls-certificates-api-proxy" diff --git a/images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook.go b/images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook.go deleted file mode 100644 index a4d341b434..0000000000 --- a/images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook.go +++ /dev/null @@ -1,131 +0,0 @@ -/* -Copyright 2025 Flant JSC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package migrate_delete_renamed_validation_admission_policy - -import ( - "context" - "fmt" - - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "hooks/pkg/settings" - - "github.com/deckhouse/module-sdk/pkg" - "github.com/deckhouse/module-sdk/pkg/registry" - "github.com/deckhouse/module-sdk/pkg/utils/ptr" -) - -var _ = registry.RegisterFunc(config, reconcile) - -const ( - policySnapshotName = "validating_admission_policy" - bindingSnapshotName = "validating_admission_policy_binding" - managedByLabel = "app.kubernetes.io/managed-by" - managedByLabelValue = "virt-operator-internal-virtualization" - jqFilter = `{ - "apiVersion": .apiVersion, - "kind": .kind, - "metadata": .metadata, - }` -) - -var config = &pkg.HookConfig{ - Kubernetes: []pkg.KubernetesConfig{ - { - Name: policySnapshotName, - APIVersion: "admissionregistration.k8s.io/v1beta1", - Kind: "ValidatingAdmissionPolicy", - NameSelector: &pkg.NameSelector{ - MatchNames: []string{"kubevirt-node-restriction-policy"}, - }, - JqFilter: jqFilter, - ExecuteHookOnSynchronization: ptr.Bool(false), - ExecuteHookOnEvents: ptr.Bool(false), - }, - { - Name: bindingSnapshotName, - APIVersion: "admissionregistration.k8s.io/v1beta1", - Kind: "ValidatingAdmissionPolicyBinding", - NameSelector: &pkg.NameSelector{ - MatchNames: []string{"kubevirt-node-restriction-binding"}, - }, - JqFilter: jqFilter, - ExecuteHookOnSynchronization: ptr.Bool(false), - ExecuteHookOnEvents: ptr.Bool(false), - }, - }, - OnAfterHelm: &pkg.OrderedConfig{Order: 5}, - Queue: fmt.Sprintf("modules/%s", settings.ModuleName), -} - -func reconcile(ctx context.Context, input *pkg.HookInput) error { - input.Logger.Info("Start MigrateDeleteRenamedValidationAadmissionPolicy hook") - - var ( - foundDeprecatedCount int - uts []*unstructured.Unstructured - ) - - policySnapshots := input.Snapshots.Get(policySnapshotName) - bindingSnapshots := input.Snapshots.Get(bindingSnapshotName) - - snapObjs, err := snapsToUnstructured(policySnapshots) - if err != nil { - input.Logger.Error("Error unmarshalling snapshots for ValidatingAdmissionPolicy") - return err - } - uts = append(uts, snapObjs...) - - snapObjs, err = snapsToUnstructured(bindingSnapshots) - if err != nil { - input.Logger.Error("Error unmarshalling snapshots for ValidatingAdmissionPolicyBinding") - return err - } - uts = append(uts, snapObjs...) - - for _, obj := range uts { - if obj.GetLabels()[managedByLabel] == managedByLabelValue { - foundDeprecatedCount++ - name := obj.GetName() - kind := obj.GetObjectKind().GroupVersionKind().Kind - apiVersion := obj.GetAPIVersion() - input.Logger.Info("Delete deprecated %s %s", name, kind) - - input.PatchCollector.Delete(apiVersion, kind, "", name) - } - } - - if foundDeprecatedCount == 0 { - input.Logger.Info("No deprecated resources found, migration not required.") - } - - return nil -} - -func snapsToUnstructured(snaps []pkg.Snapshot) ([]*unstructured.Unstructured, error) { - objs := make([]*unstructured.Unstructured, len(snaps)) - - for i, snap := range snaps { - ut := &unstructured.Unstructured{} - if err := snap.UnmarshalTo(ut); err != nil { - return nil, err - } - objs[i] = ut - } - - return objs, nil -} diff --git a/images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook_test.go b/images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook_test.go deleted file mode 100644 index 696ef3e18a..0000000000 --- a/images/hooks/pkg/hooks/migrate-delete-renamed-validation-admission-policy/hook_test.go +++ /dev/null @@ -1,142 +0,0 @@ -/* -Copyright 2025 Flant JSC - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package migrate_delete_renamed_validation_admission_policy - -import ( - "context" - "testing" - - "github.com/deckhouse/deckhouse/pkg/log" - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "github.com/deckhouse/module-sdk/pkg" - "github.com/deckhouse/module-sdk/testing/mock" -) - -func TestMigrateDeleteRenamedValidationAdmissionPolicy(t *testing.T) { - RegisterFailHandler(Fail) - RunSpecs(t, "MigrateDeleteRenamedValidationAdmissionPolicy Suite") -} - -var _ = Describe("MigrateDeleteRenamedValidationAdmissionPolicy", func() { - var ( - pc *mock.PatchCollectorMock - snapshots *mock.SnapshotsMock - ) - - setSnapshots := func(snapPolicy, snapBinding pkg.Snapshot) { - snapshots.GetMock.When(policySnapshotName).Then([]pkg.Snapshot{snapPolicy}) - snapshots.GetMock.When(bindingSnapshotName).Then([]pkg.Snapshot{snapBinding}) - } - - newSnapshotPolicy := func(labels map[string]string) pkg.Snapshot { - snap := mock.NewSnapshotMock(GinkgoT()) - snap.UnmarshalToMock.Set(func(v any) (err error) { - data, ok := v.(*unstructured.Unstructured) - Expect(ok).To(BeTrue()) - data.SetName(policySnapshotName) - data.SetKind("ValidatingAdmissionPolicy") - data.SetAPIVersion("admissionregistration.k8s.io/v1") - data.SetLabels(labels) - return nil - }) - return snap - } - - newSnapshotBinding := func(labels map[string]string) pkg.Snapshot { - snap := mock.NewSnapshotMock(GinkgoT()) - snap.UnmarshalToMock.Set(func(v any) (err error) { - data, ok := v.(*unstructured.Unstructured) - Expect(ok).To(BeTrue()) - data.SetName(bindingSnapshotName) - data.SetKind("ValidatingAdmissionPolicyBinding") - data.SetAPIVersion("admissionregistration.k8s.io/v1") - data.SetLabels(labels) - return nil - }) - return snap - } - - newInput := func() *pkg.HookInput { - return &pkg.HookInput{ - Snapshots: snapshots, - PatchCollector: pc, - Logger: log.NewNop(), - } - } - - BeforeEach(func() { - pc = mock.NewPatchCollectorMock(GinkgoT()) - snapshots = mock.NewSnapshotsMock(GinkgoT()) - }) - - AfterEach(func() { - pc = nil - snapshots = nil - }) - - DescribeTable("Check obsolete resources state", - func(policyLabels map[string]string, policyShouldDelete bool, bindingLabels map[string]string, - bindingShouldDelete bool, - ) { - setSnapshots(newSnapshotPolicy(policyLabels), newSnapshotBinding(bindingLabels)) - - if policyShouldDelete || bindingShouldDelete { - pc.DeleteMock.Set( - func(apiVersion string, kind string, namespace string, name string) { - labelExist := name == policySnapshotName || name == bindingSnapshotName - - switch kind { - case "ValidatingAdmissionPolicy": - Expect(labelExist).To(Equal(policyShouldDelete)) - case "ValidatingAdmissionPolicyBinding": - Expect(labelExist).To(Equal(bindingShouldDelete)) - default: - Fail("unexpected kind") - } - }) - } - - Expect(reconcile(context.Background(), newInput())).To(Succeed()) - }, - Entry("should not delete VPA VPAB from original kubevirt installation", - map[string]string{managedByLabel: "virt-operator"}, - false, - map[string]string{managedByLabel: "virt-operator"}, - false), - Entry("should not delete VPAB from original kubevirt installation", - map[string]string{managedByLabel: managedByLabelValue}, - true, - map[string]string{"app.kubernetes.io/managed-by": "virt-operator"}, - false, - ), - Entry("should not delete VPA from original kubevirt installation", - map[string]string{managedByLabel: "virt-operator"}, - false, - map[string]string{managedByLabel: managedByLabelValue}, - true, - ), - Entry("should delete non renamed VPA VPAB", - map[string]string{managedByLabel: managedByLabelValue}, - true, - map[string]string{managedByLabel: managedByLabelValue}, - true, - ), - ) -})