added namespace validation for custom resources

metallb · Jul 23, 2022 · c890960 · c890960
1 parent b8a1e46
commit c890960
Show file tree

Hide file tree

Showing 14 changed files with 157 additions and 8 deletions.
diff --git a/api/v1beta1/addresspool_webhook.go b/api/v1beta1/addresspool_webhook.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/go-kit/log/level"
 	"github.com/pkg/errors"
@@ -41,6 +42,10 @@ var _ webhook.Validator = &AddressPool{}
 func (addressPool *AddressPool) ValidateCreate() error {
 	level.Debug(Logger).Log("webhook", "addressPool", "action", "create", "name", addressPool.Name, "namespace", addressPool.Namespace)
 
+	if addressPool.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
+
 	existingAddressPoolList, err := getExistingAddressPools()
 	if err != nil {
 		return err

diff --git a/api/v1beta1/addresspool_webhook_test.go b/api/v1beta1/addresspool_webhook_test.go
@@ -15,6 +15,7 @@ const (
 )
 
 func TestValidateAddressPool(t *testing.T) {
+	MetalLBNamespace = MetalLBTestNameSpace
 	addressPool := AddressPool{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-addresspool",
@@ -115,6 +116,18 @@ func TestValidateAddressPool(t *testing.T) {
 			},
 			failValidate: true,
 		},
+		{
+			desc: "Validation must fail if created in different namespace",
+			addressPool: &AddressPool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-addresspool2",
+					Namespace: "default",
+				},
+			},
+			isNewAddressPool: true,
+			expected:         nil,
+			failValidate:     true,
+		},
 	}
 
 	for _, test := range tests {

diff --git a/api/v1beta1/bfdprofile_webhook.go b/api/v1beta1/bfdprofile_webhook.go
@@ -38,6 +38,12 @@ var _ webhook.Validator = &BFDProfile{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for BFDProfile.
 func (bfdProfile *BFDProfile) ValidateCreate() error {
+	level.Debug(Logger).Log("webhook", "bfdProfile", "action", "create", "name", bfdProfile.Name, "namespace", bfdProfile.Namespace)
+
+	if bfdProfile.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
+
 	return nil
 }
 

diff --git a/api/v1beta1/bfdprofile_webhook_test.go b/api/v1beta1/bfdprofile_webhook_test.go
@@ -5,12 +5,15 @@ package v1beta1
 import (
 	"testing"
 
+	"github.com/go-kit/log"
 	"go.universe.tf/metallb/api/v1beta2"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestValidateBFDProfile(t *testing.T) {
+	MetalLBNamespace = MetalLBTestNameSpace
+	Logger = log.NewNopLogger()
 	toRestoreBGPPeers := v1beta2.GetExistingBGPPeers
 	v1beta2.GetExistingBGPPeers = func() (*v1beta2.BGPPeerList, error) {
 		return &v1beta2.BGPPeerList{
@@ -31,17 +34,51 @@ func TestValidateBFDProfile(t *testing.T) {
 		v1beta2.GetExistingBGPPeers = toRestoreBGPPeers
 	}()
 
-	desc := "Delete bfdprofile used by bgppeer"
-	bfdProfile := &BFDProfile{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "bfdprofile",
-			Namespace: MetalLBTestNameSpace,
+	const (
+		isNew int = iota
+		isDel
+	)
+	tests := []struct {
+		desc         string
+		bfdProfile   *BFDProfile
+		validateType int
+		failValidate bool
+	}{
+		{
+			desc:         "Delete bfdprofile used by bgppeer",
+			validateType: isDel,
+			bfdProfile: &BFDProfile{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "bfdprofile",
+					Namespace: MetalLBTestNameSpace,
+				},
+			},
+			failValidate: true,
+		},
+		{
+			desc:         "Validation must fail if created in different namespace",
+			validateType: isNew,
+			bfdProfile: &BFDProfile{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "bfdprofile1",
+					Namespace: "default",
+				},
+			},
+			failValidate: true,
 		},
 	}
 
-	err := bfdProfile.ValidateDelete()
+	for _, test := range tests {
+		var err error
+		switch test.validateType {
+		case isNew:
+			err = test.bfdProfile.ValidateCreate()
+		case isDel:
+			err = test.bfdProfile.ValidateDelete()
+		}
 
-	if err == nil {
-		t.Fatalf("test %s failed, expecting error", desc)
+		if test.failValidate && err == nil {
+			t.Fatalf("test %s failed, expecting error", test.desc)
+		}
 	}
 }
diff --git a/api/v1beta1/bgpadvertisement_webhook.go b/api/v1beta1/bgpadvertisement_webhook.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/go-kit/log/level"
 	"github.com/pkg/errors"
@@ -41,6 +42,10 @@ var _ webhook.Validator = &BGPAdvertisement{}
 func (bgpAdv *BGPAdvertisement) ValidateCreate() error {
 	level.Debug(Logger).Log("webhook", "bgpadvertisement", "action", "create", "name", bgpAdv.Name, "namespace", bgpAdv.Namespace)
 
+	if bgpAdv.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
+
 	existingBGPAdvList, err := getExistingBGPAdvs()
 	if err != nil {
 		return err

diff --git a/api/v1beta1/bgpadvertisement_webhook_test.go b/api/v1beta1/bgpadvertisement_webhook_test.go
@@ -11,6 +11,7 @@ import (
 )
 
 func TestValidateBGPAdvertisement(t *testing.T) {
+	MetalLBNamespace = MetalLBTestNameSpace
 	bgpAdv := BGPAdvertisement{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-bgpadv",
@@ -117,6 +118,18 @@ func TestValidateBGPAdvertisement(t *testing.T) {
 			},
 			failValidate: true,
 		},
+		{
+			desc: "Validation must fail if created in different namespace",
+			bgpAdv: &BGPAdvertisement{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-bgpadv1",
+					Namespace: "default",
+				},
+			},
+			isNew:        true,
+			expected:     nil,
+			failValidate: true,
+		},
 	}
 	for _, test := range tests {
 		var err error

diff --git a/api/v1beta1/community_webhook.go b/api/v1beta1/community_webhook.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/go-kit/log/level"
 	"github.com/pkg/errors"
@@ -41,6 +42,10 @@ var _ webhook.Validator = &Community{}
 func (community *Community) ValidateCreate() error {
 	level.Debug(Logger).Log("webhook", "community", "action", "create", "name", community.Name, "namespace", community.Namespace)
 
+	if community.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
+
 	existingCommunityList, err := getExistingCommunities()
 	if err != nil {
 		return err

diff --git a/api/v1beta1/community_webhook_test.go b/api/v1beta1/community_webhook_test.go
@@ -11,6 +11,7 @@ import (
 )
 
 func TestValidateCommunity(t *testing.T) {
+	MetalLBNamespace = MetalLBTestNameSpace
 	Logger = log.NewNopLogger()
 
 	toRestoreCommunities := getExistingCommunities
@@ -104,6 +105,18 @@ func TestValidateCommunity(t *testing.T) {
 			},
 			failValidate: true,
 		},
+		{
+			desc: "Validation must fail if created in different namespace",
+			commuinty: &Community{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-commuinty2",
+					Namespace: "default",
+				},
+			},
+			isNewCommunity: true,
+			expected:       nil,
+			failValidate:   true,
+		},
 	}
 	for _, test := range tests {
 		var err error

diff --git a/api/v1beta1/ipaddresspool_webhook.go b/api/v1beta1/ipaddresspool_webhook.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/go-kit/log/level"
 	"github.com/pkg/errors"
@@ -41,6 +42,9 @@ var _ webhook.Validator = &IPAddressPool{}
 func (ipAddress *IPAddressPool) ValidateCreate() error {
 	level.Debug(Logger).Log("webhook", "ipaddresspool", "action", "create", "name", ipAddress.Name, "namespace", ipAddress.Namespace)
 
+	if ipAddress.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
 	existingIPAddressPoolList, err := getExistingIPAddressPools()
 	if err != nil {
 		return err

diff --git a/api/v1beta1/ipaddresspool_webhook_test.go b/api/v1beta1/ipaddresspool_webhook_test.go
@@ -11,6 +11,7 @@ import (
 )
 
 func TestValidateIPAddressPool(t *testing.T) {
+	MetalLBNamespace = MetalLBTestNameSpace
 	ipAddressPool := IPAddressPool{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-ippool",
@@ -111,6 +112,18 @@ func TestValidateIPAddressPool(t *testing.T) {
 			},
 			failValidate: true,
 		},
+		{
+			desc: "Validation must fail if created in different namespace",
+			ipAddressPool: &IPAddressPool{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-ippool2",
+					Namespace: "default",
+				},
+			},
+			isNew:        true,
+			expected:     nil,
+			failValidate: true,
+		},
 	}
 
 	for _, test := range tests {

diff --git a/api/v1beta1/l2advertisement_webhook.go b/api/v1beta1/l2advertisement_webhook.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/go-kit/log/level"
 	"github.com/pkg/errors"
@@ -41,6 +42,10 @@ var _ webhook.Validator = &L2Advertisement{}
 func (l2Adv *L2Advertisement) ValidateCreate() error {
 	level.Debug(Logger).Log("webhook", "l2advertisement", "action", "create", "name", l2Adv.Name, "namespace", l2Adv.Namespace)
 
+	if l2Adv.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
+
 	existingL2AdvList, err := getExistingL2Advs()
 	if err != nil {
 		return err

diff --git a/api/v1beta1/l2advertisement_webhook_test.go b/api/v1beta1/l2advertisement_webhook_test.go
@@ -11,6 +11,7 @@ import (
 )
 
 func TestValidateL2Advertisement(t *testing.T) {
+	MetalLBNamespace = MetalLBTestNameSpace
 	l2Adv := L2Advertisement{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-l2adv",
@@ -117,6 +118,18 @@ func TestValidateL2Advertisement(t *testing.T) {
 			},
 			failValidate: true,
 		},
+		{
+			desc: "Validation must fail if created in different namespace",
+			l2Adv: &L2Advertisement{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-l2adv1",
+					Namespace: "default",
+				},
+			},
+			isNew:        true,
+			expected:     nil,
+			failValidate: true,
+		},
 	}
 	for _, test := range tests {
 		var err error

diff --git a/api/v1beta2/bgppeer_webhook.go b/api/v1beta2/bgppeer_webhook.go
@@ -18,6 +18,7 @@ package v1beta2
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/go-kit/log/level"
 	"github.com/pkg/errors"
@@ -41,6 +42,9 @@ var _ webhook.Validator = &BGPPeer{}
 func (bgpPeer *BGPPeer) ValidateCreate() error {
 	level.Debug(Logger).Log("webhook", "bgppeer", "action", "create", "name", bgpPeer.Name, "namespace", bgpPeer.Namespace)
 
+	if bgpPeer.Namespace != MetalLBNamespace {
+		return fmt.Errorf("resource must be created in %s namespace", MetalLBNamespace)
+	}
 	existingBGPPeers, err := GetExistingBGPPeers()
 	if err != nil {
 		return err

diff --git a/api/v1beta2/bgppeer_webhook_test.go b/api/v1beta2/bgppeer_webhook_test.go
@@ -13,6 +13,7 @@ import (
 const testNamespace = "namespace"
 
 func TestValidateBGPPeer(t *testing.T) {
+	MetalLBNamespace = testNamespace
 	bgpPeer := BGPPeer{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-peer",
@@ -109,6 +110,18 @@ func TestValidateBGPPeer(t *testing.T) {
 			},
 			failValidate: true,
 		},
+		{
+			desc: "Validation must fail if created in different namespace",
+			bgpPeer: &BGPPeer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-peer1",
+					Namespace: "default",
+				},
+			},
+			isNew:        true,
+			expected:     nil,
+			failValidate: true,
+		},
 	}
 	for _, test := range tests {
 		var err error