feat(webhook): add vmrestore validation

Signed-off-by: Frank Yang <poan.yang@suse.com>

pkg/controller/master/backup/backup.go

@@ -30,9 +30,9 @@ const (
 	backupControllerName = "harvester-vm-backup-controller"
 	vmBackupKindName     = "VirtualMachineBackup"
 
-	backupTargetAnnotation       = "backup.harvesterhci.io/backup-target"
-	backupBucketNameAnnotation   = "backup.harvesterhci.io/bucket-name"
-	backupBucketRegionAnnotation = "backup.harvesterhci.io/bucket-region"
+	BackupTargetAnnotation       = "backup.harvesterhci.io/backup-target"
+	BackupBucketNameAnnotation   = "backup.harvesterhci.io/bucket-name"
+	BackupBucketRegionAnnotation = "backup.harvesterhci.io/bucket-region"
 
 	volumeSnapshotMissingEvent = "VolumeSnapshotMissing"
 	volumeSnapshotCreateEvent  = "VolumeSnapshotCreated"
@@ -258,15 +258,15 @@ func (h *Handler) updateStatus(vmBackup *harvesterv1.VirtualMachineBackup, sourc
 		vmBackupCpy.Annotations = make(map[string]string)
 	}
 
-	if vmBackupCpy.Annotations[backupTargetAnnotation] == "" {
+	if vmBackupCpy.Annotations[BackupTargetAnnotation] == "" {
 		target, err := decodeTarget(settings.BackupTargetSet.Get())
 		if err != nil {
 			return err
 		}
-		vmBackupCpy.Annotations[backupTargetAnnotation] = target.Endpoint
+		vmBackupCpy.Annotations[BackupTargetAnnotation] = target.Endpoint
 		if target.Type == settings.S3BackupType {
-			vmBackupCpy.Annotations[backupBucketNameAnnotation] = target.BucketName
-			vmBackupCpy.Annotations[backupBucketRegionAnnotation] = target.BucketRegion
+			vmBackupCpy.Annotations[BackupBucketNameAnnotation] = target.BucketName
+			vmBackupCpy.Annotations[BackupBucketRegionAnnotation] = target.BucketRegion
 		}
 	}
 

pkg/webhook/resources/restore/validator.go

@@ -1,14 +1,19 @@
 package restore
 
 import (
+	"encoding/json"
+	"errors"
 	"fmt"
 
 	admissionregv1 "k8s.io/api/admissionregistration/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/harvester/harvester/pkg/apis/harvesterhci.io/v1beta1"
+	"github.com/harvester/harvester/pkg/controller/master/backup"
+	ctlharvesterv1 "github.com/harvester/harvester/pkg/generated/controllers/harvesterhci.io/v1beta1"
 	ctlkubevirtv1 "github.com/harvester/harvester/pkg/generated/controllers/kubevirt.io/v1"
+	"github.com/harvester/harvester/pkg/settings"
 	werror "github.com/harvester/harvester/pkg/webhook/error"
 	"github.com/harvester/harvester/pkg/webhook/types"
 )
@@ -19,16 +24,24 @@ const (
 	fieldNewVM                    = "spec.newVM"
 )
 
-func NewValidator(vms ctlkubevirtv1.VirtualMachineCache) types.Validator {
+func NewValidator(
+	vms ctlkubevirtv1.VirtualMachineCache,
+	setting ctlharvesterv1.SettingCache,
+	vmBackup ctlharvesterv1.VirtualMachineBackupCache,
+) types.Validator {
 	return &restoreValidator{
-		vms: vms,
+		vms:      vms,
+		setting:  setting,
+		vmBackup: vmBackup,
 	}
 }
 
 type restoreValidator struct {
 	types.DefaultValidator
 
-	vms ctlkubevirtv1.VirtualMachineCache
+	vms      ctlkubevirtv1.VirtualMachineCache
+	setting  ctlharvesterv1.SettingCache
+	vmBackup ctlharvesterv1.VirtualMachineBackupCache
 }
 
 func (v *restoreValidator) Resource() types.Resource {
@@ -58,6 +71,10 @@ func (v *restoreValidator) Create(request *types.Request, newObj runtime.Object)
 		return werror.NewInvalidError("backup name is empty", fieldVirtualMachineBackupName)
 	}
 
+	if err := v.checkBackupTarget(newRestore); err != nil {
+		return werror.NewInvalidError(err.Error(), fieldVirtualMachineBackupName)
+	}
+
 	vm, err := v.vms.Get(newRestore.Namespace, targetVM)
 	if err != nil {
 		if newVM && apierrors.IsNotFound(err) {
@@ -78,3 +95,30 @@ func (v *restoreValidator) Create(request *types.Request, newObj runtime.Object)
 
 	return nil
 }
+
+func (v *restoreValidator) checkBackupTarget(vmRestore *v1beta1.VirtualMachineRestore) error {
+	// get backup target
+	backupTargetSetting, err := v.setting.Get(settings.BackupTargetSettingName)
+	if err != nil {
+		return fmt.Errorf("can't get backup target setting, err: %w", err)
+	}
+	backupTarget := &settings.BackupTarget{}
+	if err := json.Unmarshal([]byte(backupTargetSetting.Value), backupTarget); err != nil {
+		return fmt.Errorf("unmarshal backup target failed, value: %s, err: %w", backupTargetSetting.Value, err)
+	}
+
+	// get vmbackup
+	vmBackup, err := v.vmBackup.Get(vmRestore.Spec.VirtualMachineBackupNamespace, vmRestore.Spec.VirtualMachineBackupName)
+	if err != nil {
+		return fmt.Errorf("can't get vmbackup %s/%s, err: %w", vmRestore.Spec.VirtualMachineBackupNamespace, vmRestore.Spec.VirtualMachineBackupName, err)
+	}
+
+	endpoint := vmBackup.Annotations[backup.BackupTargetAnnotation]
+	bucketName := vmBackup.Annotations[backup.BackupBucketNameAnnotation]
+	bucketRegion := vmBackup.Annotations[backup.BackupBucketRegionAnnotation]
+	if backupTarget.Endpoint != endpoint || backupTarget.BucketName != bucketName || backupTarget.BucketRegion != bucketRegion {
+		return errors.New("VM Backup is not matched with Backup Target")
+	}
+
+	return nil
+}

pkg/webhook/server/validation.go

@@ -30,7 +30,11 @@ func Validation(clients *clients.Clients, options *config.Options) (http.Handler
 			clients.Core.PersistentVolumeClaim().Cache(),
 			clients.K8s.AuthorizationV1().SelfSubjectAccessReviews()),
 		upgrade.NewValidator(clients.HarvesterFactory.Harvesterhci().V1beta1().Upgrade().Cache()),
-		restore.NewValidator(clients.KubevirtFactory.Kubevirt().V1().VirtualMachine().Cache()),
+		restore.NewValidator(
+			clients.KubevirtFactory.Kubevirt().V1().VirtualMachine().Cache(),
+			clients.HarvesterFactory.Harvesterhci().V1beta1().Setting().Cache(),
+			clients.HarvesterFactory.Harvesterhci().V1beta1().VirtualMachineBackup().Cache(),
+		),
 		templateversion.NewValidator(
 			clients.HarvesterFactory.Harvesterhci().V1beta1().VirtualMachineTemplate().Cache(),
 			clients.HarvesterFactory.Harvesterhci().V1beta1().VirtualMachineTemplateVersion().Cache(),