feat: webhooks

arturshadnik · arturshadnik · commit fd8bc62ce1e6 · 2025-09-12T15:32:24.000-07:00
Signed-off-by: Artur Shad Nik &lt;arturshadnik@gmail.com&gt;
diff --git a/fleetconfig-controller/api/v1beta1/groupversion_info.go b/fleetconfig-controller/api/v1beta1/groupversion_info.go
@@ -24,9 +24,18 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
+const group = "fleetconfig.open-cluster-management.io"
+
 var (
+
+	// HubGroupKind is the group kind for the Hub API
+	HubGroupKind = schema.GroupKind{Group: group, Kind: "Hub"}
+
+	// SpokeGroupKind is the group kind for the Spoke API
+	SpokeGroupKind = schema.GroupKind{Group: group, Kind: "Spoke"}
+
 	// GroupVersion is group version used to register these objects.
-	GroupVersion = schema.GroupVersion{Group: "fleetconfig.open-cluster-management.io", Version: "v1beta1"}
+	GroupVersion = schema.GroupVersion{Group: group, Version: "v1beta1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
diff --git a/fleetconfig-controller/internal/webhook/v1beta1/hub_webhook.go b/fleetconfig-controller/internal/webhook/v1beta1/hub_webhook.go
@@ -14,22 +14,22 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// TODO - remove once hub webhooks are implemented.
-//
-//nolint:all // Required because of `dupl` between this file and spoke_webhook.go
 package v1beta1
 
 import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	fleetconfigopenclustermanagementiov1beta1 "github.com/open-cluster-management-io/lab/fleetconfig-controller/api/v1beta1"
+	"github.com/open-cluster-management-io/lab/fleetconfig-controller/api/v1beta1"
 )
 
 // nolint:unused
@@ -38,14 +38,12 @@ var hublog = logf.Log.WithName("hub-resource")
 
 // SetupHubWebhookWithManager registers the webhook for Hub in the manager.
 func SetupHubWebhookWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewWebhookManagedBy(mgr).For(&fleetconfigopenclustermanagementiov1beta1.Hub{}).
-		WithValidator(&HubCustomValidator{}).
+	return ctrl.NewWebhookManagedBy(mgr).For(&v1beta1.Hub{}).
+		WithValidator(&HubCustomValidator{client: mgr.GetClient()}).
 		WithDefaulter(&HubCustomDefaulter{}).
 		Complete()
 }
 
-// TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-
 // +kubebuilder:webhook:path=/mutate-fleetconfig-open-cluster-management-io-v1beta1-hub,mutating=true,failurePolicy=fail,sideEffects=None,groups=fleetconfig.open-cluster-management.io,resources=hubs,verbs=create;update,versions=v1beta1,name=mhub-v1beta1.kb.io,admissionReviewVersions=v1
 
 // HubCustomDefaulter struct is responsible for setting default values on the custom resource of the
@@ -61,7 +59,7 @@ var _ webhook.CustomDefaulter = &HubCustomDefaulter{}
 
 // Default implements webhook.CustomDefaulter so a webhook will be registered for the Kind Hub.
 func (d *HubCustomDefaulter) Default(_ context.Context, obj runtime.Object) error {
-	hub, ok := obj.(*fleetconfigopenclustermanagementiov1beta1.Hub)
+	hub, ok := obj.(*v1beta1.Hub)
 
 	if !ok {
 		return fmt.Errorf("expected an Hub object but got %T", obj)
@@ -84,40 +82,68 @@ func (d *HubCustomDefaulter) Default(_ context.Context, obj runtime.Object) erro
 // NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods,
 // as this struct is used only for temporary operations and does not need to be deeply copied.
 type HubCustomValidator struct {
-	// TODO(user): Add more fields as needed for validation
+	client client.Client
 }
 
 var _ webhook.CustomValidator = &HubCustomValidator{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type Hub.
-func (v *HubCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
-	hub, ok := obj.(*fleetconfigopenclustermanagementiov1beta1.Hub)
+func (v *HubCustomValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	hub, ok := obj.(*v1beta1.Hub)
 	if !ok {
 		return nil, fmt.Errorf("expected a Hub object but got %T", obj)
 	}
 	hublog.Info("Validation for Hub upon creation", "name", hub.GetName())
 
-	// TODO(user): fill in your validation logic upon object creation.
+	var allErrs field.ErrorList
+
+	if valid, msg := isKubeconfigValid(hub.Spec.Kubeconfig); !valid {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("hub"), hub.Spec.Kubeconfig, msg),
+		)
+	}
+	if hub.Spec.ClusterManager == nil && hub.Spec.SingletonControlPlane == nil {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("hub"), hub.Spec, "either hub.clusterManager or hub.singletonControlPlane must be specified"),
+		)
+	}
+
+	allErrs = append(allErrs, validateHubAddons(ctx, v.client, nil, hub)...)
 
+	if len(allErrs) > 0 {
+		return nil, errors.NewInvalid(v1beta1.HubGroupKind, hub.Name, allErrs)
+	}
 	return nil, nil
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type Hub.
-func (v *HubCustomValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
-	hub, ok := newObj.(*fleetconfigopenclustermanagementiov1beta1.Hub)
+func (v *HubCustomValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	hub, ok := newObj.(*v1beta1.Hub)
 	if !ok {
 		return nil, fmt.Errorf("expected a Hub object for the newObj but got %T", newObj)
 	}
+	oldHub, ok := oldObj.(*v1beta1.Hub)
+	if !ok {
+		return nil, fmt.Errorf("expected a Hub object for the oldObj but got %T", newObj)
+	}
 	hublog.Info("Validation for Hub upon update", "name", hub.GetName())
 
-	// TODO(user): fill in your validation logic upon object update.
+	err := allowHubUpdate(oldHub, hub)
+	if err != nil {
+		return nil, err
+	}
+
+	allErrs := validateHubAddons(ctx, v.client, nil, hub)
 
+	if len(allErrs) > 0 {
+		return nil, errors.NewInvalid(v1beta1.HubGroupKind, hub.Name, allErrs)
+	}
 	return nil, nil
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type Hub.
 func (v *HubCustomValidator) ValidateDelete(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
-	hub, ok := obj.(*fleetconfigopenclustermanagementiov1beta1.Hub)
+	hub, ok := obj.(*v1beta1.Hub)
 	if !ok {
 		return nil, fmt.Errorf("expected a Hub object but got %T", obj)
 	}
diff --git a/fleetconfig-controller/internal/webhook/v1beta1/spoke_webhook.go b/fleetconfig-controller/internal/webhook/v1beta1/spoke_webhook.go
@@ -14,22 +14,23 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// TODO - remove once spoke webhooks are implemented.
-//
-//nolint:all // Required because of `dupl` between this file and spoke_webhook.go
 package v1beta1
 
 import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	operatorv1 "open-cluster-management.io/api/operator/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	fleetconfigopenclustermanagementiov1beta1 "github.com/open-cluster-management-io/lab/fleetconfig-controller/api/v1beta1"
+	"github.com/open-cluster-management-io/lab/fleetconfig-controller/api/v1beta1"
 )
 
 // nolint:unused
@@ -38,14 +39,12 @@ var spokelog = logf.Log.WithName("spoke-resource")
 
 // SetupSpokeWebhookWithManager registers the webhook for Spoke in the manager.
 func SetupSpokeWebhookWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewWebhookManagedBy(mgr).For(&fleetconfigopenclustermanagementiov1beta1.Spoke{}).
-		WithValidator(&SpokeCustomValidator{}).
+	return ctrl.NewWebhookManagedBy(mgr).For(&v1beta1.Spoke{}).
+		WithValidator(&SpokeCustomValidator{client: mgr.GetClient()}).
 		WithDefaulter(&SpokeCustomDefaulter{}).
 		Complete()
 }
 
-// TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-
 // +kubebuilder:webhook:path=/mutate-fleetconfig-open-cluster-management-io-v1beta1-spoke,mutating=true,failurePolicy=fail,sideEffects=None,groups=fleetconfig.open-cluster-management.io,resources=spokes,verbs=create;update,versions=v1beta1,name=mspoke-v1beta1.kb.io,admissionReviewVersions=v1
 
 // SpokeCustomDefaulter struct is responsible for setting default values on the custom resource of the
@@ -61,15 +60,13 @@ var _ webhook.CustomDefaulter = &SpokeCustomDefaulter{}
 
 // Default implements webhook.CustomDefaulter so a webhook will be registered for the Kind Spoke.
 func (d *SpokeCustomDefaulter) Default(_ context.Context, obj runtime.Object) error {
-	spoke, ok := obj.(*fleetconfigopenclustermanagementiov1beta1.Spoke)
+	spoke, ok := obj.(*v1beta1.Spoke)
 
 	if !ok {
 		return fmt.Errorf("expected an Spoke object but got %T", obj)
 	}
 	spokelog.Info("Defaulting for Spoke", "name", spoke.GetName())
 
-	// TODO(user): fill in your defaulting logic.
-
 	return nil
 }
 
@@ -84,40 +81,79 @@ func (d *SpokeCustomDefaulter) Default(_ context.Context, obj runtime.Object) er
 // NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods,
 // as this struct is used only for temporary operations and does not need to be deeply copied.
 type SpokeCustomValidator struct {
-	// TODO(user): Add more fields as needed for validation
+	client client.Client
 }
 
 var _ webhook.CustomValidator = &SpokeCustomValidator{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type Spoke.
-func (v *SpokeCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
-	spoke, ok := obj.(*fleetconfigopenclustermanagementiov1beta1.Spoke)
+func (v *SpokeCustomValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	spoke, ok := obj.(*v1beta1.Spoke)
 	if !ok {
 		return nil, fmt.Errorf("expected a Spoke object but got %T", obj)
 	}
 	spokelog.Info("Validation for Spoke upon creation", "name", spoke.GetName())
 
-	// TODO(user): fill in your validation logic upon object creation.
+	var allErrs field.ErrorList
+
+	if spoke.Spec.Klusterlet.Mode == string(operatorv1.InstallModeHosted) {
+		if spoke.Spec.Klusterlet.ManagedClusterKubeconfig.SecretReference == nil {
+			allErrs = append(allErrs, field.Invalid(
+				field.NewPath("spec").Child("klusterlet").Child("managedClusterKubeconfig").Child("secretReference"),
+				spoke.Name, "managedClusterKubeconfig.secretReference is required in hosted mode"),
+			)
+		} else {
+			if valid, msg := isKubeconfigValid(spoke.Spec.Klusterlet.ManagedClusterKubeconfig); !valid {
+				allErrs = append(allErrs, field.Invalid(
+					field.NewPath("spec").Child("klusterlet").Child("managedClusterKubeconfig").Child("secretReference"),
+					spoke.Name, msg),
+				)
+			}
+		}
+	}
+	if valid, msg := isKubeconfigValid(spoke.Spec.Kubeconfig); !valid {
+		allErrs = append(allErrs, field.Invalid(
+			field.NewPath("spec").Child("kubeconfig"), spoke, msg),
+		)
+	}
+
+	warn, errs := validateAddons(ctx, v.client, spoke)
+	allErrs = append(allErrs, errs...)
 
-	return nil, nil
+	if len(allErrs) > 0 {
+		return warn, errors.NewInvalid(v1beta1.HubGroupKind, spoke.Name, allErrs)
+	}
+	return warn, nil
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type Spoke.
-func (v *SpokeCustomValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
-	spoke, ok := newObj.(*fleetconfigopenclustermanagementiov1beta1.Spoke)
+func (v *SpokeCustomValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	spoke, ok := newObj.(*v1beta1.Spoke)
+	if !ok {
+		return nil, fmt.Errorf("expected a Spoke object for the newObj but got %T", newObj)
+	}
+	oldSpoke, ok := oldObj.(*v1beta1.Spoke)
 	if !ok {
 		return nil, fmt.Errorf("expected a Spoke object for the newObj but got %T", newObj)
 	}
 	spokelog.Info("Validation for Spoke upon update", "name", spoke.GetName())
 
-	// TODO(user): fill in your validation logic upon object update.
+	err := allowSpokeUpdate(oldSpoke, spoke)
+	if err != nil {
+		return nil, err
+	}
 
-	return nil, nil
+	warn, allErrs := validateAddons(ctx, v.client, spoke)
+
+	if len(allErrs) > 0 {
+		return warn, errors.NewInvalid(v1beta1.SpokeGroupKind, spoke.Name, allErrs)
+	}
+	return warn, nil
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type Spoke.
 func (v *SpokeCustomValidator) ValidateDelete(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
-	spoke, ok := obj.(*fleetconfigopenclustermanagementiov1beta1.Spoke)
+	spoke, ok := obj.(*v1beta1.Spoke)
 	if !ok {
 		return nil, fmt.Errorf("expected a Spoke object but got %T", obj)
 	}
diff --git a/fleetconfig-controller/internal/webhook/v1beta1/validation.go b/fleetconfig-controller/internal/webhook/v1beta1/validation.go
