fix vmi-create-admitter

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
kubevirt · Aug 4, 2023 · db250c6 · db250c6
1 parent 25249d9
commit db250c6
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter.go
@@ -1896,6 +1896,13 @@ func validateAccessCredentials(field *k8sfield.Path, accessCredentials []v1.Acce
 		return causes
 	}
 
+	hasNoCloudVolume := false
+	for _, volume := range volumes {
+		if volume.CloudInitConfigDrive != nil {
+			hasNoCloudVolume = true
+			break
+		}
+	}
 	hasConfigDriveVolume := false
 	for _, volume := range volumes {
 		if volume.CloudInitConfigDrive != nil {
@@ -1917,6 +1924,18 @@ func validateAccessCredentials(field *k8sfield.Path, accessCredentials []v1.Acce
 				sourceCount++
 			}
 
+			if accessCred.SSHPublicKey.PropagationMethod.NoCloud != nil {
+				methodCount++
+				if !hasNoCloudVolume {
+					causes = append(causes, metav1.StatusCause{
+						Type:    metav1.CauseTypeFieldValueInvalid,
+						Message: fmt.Sprintf("%s requires a noCloud volume to exist when the noCloud propagationMethod is in use.", field.Index(idx).String()),
+						Field:   field.Index(idx).Child("sshPublicKey", "propagationMethod").String(),
+					})
+
+				}
+			}
+
 			if accessCred.SSHPublicKey.PropagationMethod.ConfigDrive != nil {
 				methodCount++
 				if !hasConfigDriveVolume {
@@ -1928,6 +1947,7 @@ func validateAccessCredentials(field *k8sfield.Path, accessCredentials []v1.Acce
 
 				}
 			}
+
 			if accessCred.SSHPublicKey.PropagationMethod.QemuGuestAgent != nil {
 
 				if len(accessCred.SSHPublicKey.PropagationMethod.QemuGuestAgent.Users) == 0 {

diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmi-create-admitter_test.go
@@ -2694,6 +2694,36 @@ var _ = Describe("Validating VMICreate Admitter", func() {
 			Expect(causes).To(BeEmpty())
 		})
 
+		It("should reject a noCloud ssh access credential when no noCloud volume exists", func() {
+			vmi := api.NewMinimalVMI("testvmi")
+			vmi.Spec.Domain.Devices.Disks = append(vmi.Spec.Domain.Devices.Disks, v1.Disk{
+				Name: "testdisk",
+			})
+
+			vmi.Spec.Volumes = append(vmi.Spec.Volumes, v1.Volume{
+				Name: "testdisk",
+				VolumeSource: v1.VolumeSource{
+					CloudInitNoCloud: &v1.CloudInitNoCloudSource{UserData: " "},
+				},
+			})
+
+			vmi.Spec.AccessCredentials = []v1.AccessCredential{
+				{
+					SSHPublicKey: &v1.SSHPublicKeyAccessCredential{
+						Source: v1.SSHPublicKeyAccessCredentialSource{
+							Secret: &v1.AccessCredentialSecretSource{
+								SecretName: "my-pkey",
+							},
+						},
+						PropagationMethod: v1.SSHPublicKeyAccessCredentialPropagationMethod{
+							NoCloud: &v1.NoCloudSSHPublicKeyAccessCredentialPropagation{},
+						},
+					},
+				},
+			}
+			causes := ValidateVirtualMachineInstanceSpec(k8sfield.NewPath("fake"), &vmi.Spec, config)
+			Expect(causes).To(HaveLen(1))
+		})
 		It("should reject a configDrive ssh access credential when no configDrive volume exists", func() {
 			vmi := api.NewMinimalVMI("testvmi")
 			vmi.Spec.Domain.Devices.Disks = append(vmi.Spec.Domain.Devices.Disks, v1.Disk{