|
| 1 | +/* |
| 2 | +Copyright 2024 The etcd-operator Authors. |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package v1alpha1 |
| 18 | + |
| 19 | +import ( |
| 20 | + "fmt" |
| 21 | + "path/filepath" |
| 22 | + "strings" |
| 23 | + |
| 24 | + "k8s.io/apimachinery/pkg/api/equality" |
| 25 | + "k8s.io/apimachinery/pkg/api/errors" |
| 26 | + "k8s.io/apimachinery/pkg/runtime" |
| 27 | + "k8s.io/apimachinery/pkg/runtime/schema" |
| 28 | + "k8s.io/apimachinery/pkg/util/validation/field" |
| 29 | + ctrl "sigs.k8s.io/controller-runtime" |
| 30 | + logf "sigs.k8s.io/controller-runtime/pkg/log" |
| 31 | + "sigs.k8s.io/controller-runtime/pkg/webhook" |
| 32 | + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" |
| 33 | +) |
| 34 | + |
| 35 | +var etcdbackuplog = logf.Log.WithName("etcdbackup-resource") |
| 36 | + |
| 37 | +// SetupWebhookWithManager will setup the manager to manage the webhooks |
| 38 | +func (r *EtcdBackup) SetupWebhookWithManager(mgr ctrl.Manager) error { |
| 39 | + return ctrl.NewWebhookManagedBy(mgr). |
| 40 | + For(r). |
| 41 | + Complete() |
| 42 | +} |
| 43 | + |
| 44 | +// +kubebuilder:webhook:path=/validate-etcd-aenix-io-v1alpha1-etcdbackup,mutating=false,failurePolicy=fail,sideEffects=None,groups=etcd.aenix.io,resources=etcdbackups,verbs=create;update,versions=v1alpha1,name=vetcdbackup.kb.io,admissionReviewVersions=v1 |
| 45 | + |
| 46 | +var _ webhook.Validator = &EtcdBackup{} |
| 47 | + |
| 48 | +// ValidateCreate implements webhook.Validator so a webhook will be registered for the type |
| 49 | +func (r *EtcdBackup) ValidateCreate() (admission.Warnings, error) { |
| 50 | + etcdbackuplog.Info("validate create", "name", r.Name) |
| 51 | + |
| 52 | + var allErrors field.ErrorList |
| 53 | + |
| 54 | + if r.Spec.ClusterRef.Name == "" { |
| 55 | + allErrors = append(allErrors, field.Required( |
| 56 | + field.NewPath("spec", "clusterRef", "name"), |
| 57 | + "clusterRef.name is required", |
| 58 | + )) |
| 59 | + } |
| 60 | + |
| 61 | + destErrors := r.validateDestination() |
| 62 | + allErrors = append(allErrors, destErrors...) |
| 63 | + |
| 64 | + if len(allErrors) > 0 { |
| 65 | + return nil, errors.NewInvalid( |
| 66 | + schema.GroupKind{Group: GroupVersion.Group, Kind: "EtcdBackup"}, |
| 67 | + r.Name, allErrors) |
| 68 | + } |
| 69 | + |
| 70 | + return nil, nil |
| 71 | +} |
| 72 | + |
| 73 | +// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type |
| 74 | +func (r *EtcdBackup) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { |
| 75 | + etcdbackuplog.Info("validate update", "name", r.Name) |
| 76 | + |
| 77 | + oldBackup, ok := old.(*EtcdBackup) |
| 78 | + if !ok { |
| 79 | + return nil, fmt.Errorf("expected EtcdBackup but got %T", old) |
| 80 | + } |
| 81 | + |
| 82 | + if !equality.Semantic.DeepEqual(r.Spec, oldBackup.Spec) { |
| 83 | + var allErrors field.ErrorList |
| 84 | + allErrors = append(allErrors, field.Forbidden( |
| 85 | + field.NewPath("spec"), |
| 86 | + "EtcdBackup spec is immutable", |
| 87 | + )) |
| 88 | + return nil, errors.NewInvalid( |
| 89 | + schema.GroupKind{Group: GroupVersion.Group, Kind: "EtcdBackup"}, |
| 90 | + r.Name, allErrors) |
| 91 | + } |
| 92 | + |
| 93 | + return nil, nil |
| 94 | +} |
| 95 | + |
| 96 | +// ValidateDelete implements webhook.Validator so a webhook will be registered for the type |
| 97 | +func (r *EtcdBackup) ValidateDelete() (admission.Warnings, error) { |
| 98 | + etcdbackuplog.Info("validate delete", "name", r.Name) |
| 99 | + return nil, nil |
| 100 | +} |
| 101 | + |
| 102 | +func (r *EtcdBackup) validateDestination() field.ErrorList { |
| 103 | + return validateBackupDestination(r.Spec.Destination, field.NewPath("spec", "destination")) |
| 104 | +} |
| 105 | + |
| 106 | +// validateBackupDestination validates a BackupDestination at the given field path. |
| 107 | +// This is shared between EtcdBackup and EtcdCluster (bootstrap restore source) webhooks. |
| 108 | +func validateBackupDestination(dest BackupDestination, destPath *field.Path) field.ErrorList { |
| 109 | + var allErrors field.ErrorList |
| 110 | + |
| 111 | + if dest.S3 == nil && dest.PVC == nil { |
| 112 | + allErrors = append(allErrors, field.Required( |
| 113 | + destPath, |
| 114 | + "exactly one of s3 or pvc must be specified", |
| 115 | + )) |
| 116 | + return allErrors |
| 117 | + } |
| 118 | + |
| 119 | + if dest.S3 != nil && dest.PVC != nil { |
| 120 | + allErrors = append(allErrors, field.Invalid( |
| 121 | + destPath, |
| 122 | + "both s3 and pvc", |
| 123 | + "exactly one of s3 or pvc must be specified, not both", |
| 124 | + )) |
| 125 | + return allErrors |
| 126 | + } |
| 127 | + |
| 128 | + if s3 := dest.S3; s3 != nil { |
| 129 | + s3Path := destPath.Child("s3") |
| 130 | + if s3.Endpoint == "" { |
| 131 | + allErrors = append(allErrors, field.Required(s3Path.Child("endpoint"), "endpoint is required")) |
| 132 | + } else if !strings.HasPrefix(s3.Endpoint, "http://") && !strings.HasPrefix(s3.Endpoint, "https://") { |
| 133 | + allErrors = append(allErrors, field.Invalid(s3Path.Child("endpoint"), s3.Endpoint, |
| 134 | + "endpoint must start with http:// or https://")) |
| 135 | + } |
| 136 | + if s3.Bucket == "" { |
| 137 | + allErrors = append(allErrors, field.Required(s3Path.Child("bucket"), "bucket is required")) |
| 138 | + } |
| 139 | + if s3.CredentialsSecretRef.Name == "" { |
| 140 | + allErrors = append(allErrors, field.Required(s3Path.Child("credentialsSecretRef", "name"), "credentialsSecretRef.name is required")) |
| 141 | + } |
| 142 | + } |
| 143 | + |
| 144 | + if pvc := dest.PVC; pvc != nil { |
| 145 | + pvcPath := destPath.Child("pvc") |
| 146 | + if pvc.ClaimName == "" { |
| 147 | + allErrors = append(allErrors, field.Required(pvcPath.Child("claimName"), "claimName is required")) |
| 148 | + } |
| 149 | + if pvc.SubPath != "" { |
| 150 | + cleaned := filepath.Clean(pvc.SubPath) |
| 151 | + if strings.HasPrefix(cleaned, "..") || filepath.IsAbs(cleaned) { |
| 152 | + allErrors = append(allErrors, field.Invalid( |
| 153 | + pvcPath.Child("subPath"), pvc.SubPath, |
| 154 | + "subPath must be a relative path and must not contain '..' components", |
| 155 | + )) |
| 156 | + } |
| 157 | + } |
| 158 | + } |
| 159 | + |
| 160 | + return allErrors |
| 161 | +} |
0 commit comments