types/aws: validate Name and kubernetes.io/clustername/* keys are not…

… allowed Allowing these values as user defined tags causes problems defined in https://bugzilla.redhat.com/show_bug.cgi?id=1862209
openshift · Aug 4, 2020 · 3a6259e · 3a6259e
1 parent 0ceffc5
commit 3a6259e
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/pkg/types/aws/validation/platform.go b/pkg/types/aws/validation/platform.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net/url"
 	"regexp"
+	"sort"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
@@ -19,13 +21,35 @@ func ValidatePlatform(p *aws.Platform, fldPath *field.Path) field.ErrorList {
 	}
 
 	allErrs = append(allErrs, validateServiceEndpoints(p.ServiceEndpoints, fldPath.Child("serviceEndpoints"))...)
+	allErrs = append(allErrs, validateUserTags(p.UserTags, fldPath.Child("userTags"))...)
 
 	if p.DefaultMachinePlatform != nil {
 		allErrs = append(allErrs, ValidateMachinePool(p, p.DefaultMachinePlatform, fldPath.Child("defaultMachinePlatform"))...)
 	}
 	return allErrs
 }
 
+func validateUserTags(tags map[string]string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if len(tags) == 0 {
+		return allErrs
+	}
+	keys := make([]string, 0, len(tags))
+	for k := range tags {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	for _, key := range keys {
+		if strings.EqualFold(key, "Name") {
+			allErrs = append(allErrs, field.Invalid(fldPath.Key(key), tags[key], "Name key is not allowed for user defined tags"))
+		}
+		if strings.HasPrefix(key, "kubernetes.io/clustername/") {
+			allErrs = append(allErrs, field.Invalid(fldPath.Key(key), tags[key], "Keys with prefix 'kubernetes.io/clustername/' are not allowed for user defined tags"))
+		}
+	}
+	return allErrs
+}
+
 func validateServiceEndpoints(endpoints []aws.ServiceEndpoint, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	tracker := map[string]int{}

diff --git a/pkg/types/aws/validation/platform_test.go b/pkg/types/aws/validation/platform_test.go
@@ -117,6 +117,35 @@ func TestValidatePlatform(t *testing.T) {
 			},
 			expected: `^test-path\.defaultMachinePlatform\.iops: Invalid value: -10: Storage IOPS must be positive$`,
 		},
+		{
+			name: "invalid userTags, Name key",
+			platform: &aws.Platform{
+				Region: "us-east-1",
+				UserTags: map[string]string{
+					"Name": "test-cluster",
+				},
+			},
+			expected: `^\Qtest-path.userTags[Name]: Invalid value: "test-cluster": Name key is not allowed for user defined tags\E$`,
+		},
+		{
+			name: "invalid userTags, key with kubernetes.io/clustername/",
+			platform: &aws.Platform{
+				Region: "us-east-1",
+				UserTags: map[string]string{
+					"kubernetes.io/clustername/test-cluster": "shared",
+				},
+			},
+			expected: `^\Qtest-path.userTags[kubernetes.io/clustername/test-cluster]: Invalid value: "shared": Keys with prefix 'kubernetes.io/clustername/' are not allowed for user defined tags\E$`,
+		},
+		{
+			name: "valid userTags",
+			platform: &aws.Platform{
+				Region: "us-east-1",
+				UserTags: map[string]string{
+					"app": "production",
+				},
+			},
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {