refactor: use crd validation rules

aiven · May 13, 2024 · 06939ae · 06939ae
1 parent 4b17d24
commit 06939ae
Show file tree

Hide file tree

Showing 50 changed files with 102 additions and 129 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@
 - Change `Kafka` field `userConfig.kafka_version`: enum ~~`[3.4, 3.5, 3.6]`~~ → `[3.4, 3.5, 3.6, 3.7]`
 - Add `ServiceIntegration` `flink_external_postgresql` type
 - Remove `CA_CERT` secret key for `Grafana`, `OpenSearch`, `Redis`, and `Clickhouse`. Can't be used with these service types
+- Move immutable fields validation from webhooks to CRD validation rules
 
 ## v0.19.0 - 2024-04-18
 

diff --git a/api/v1alpha1/cassandra_webhook.go b/api/v1alpha1/cassandra_webhook.go
@@ -35,22 +35,13 @@ var _ webhook.Validator = &Cassandra{}
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
 func (in *Cassandra) ValidateCreate() error {
 	cassandralog.Info("validate create", "name", in.Name)
-
 	return in.Spec.Validate()
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *Cassandra) ValidateUpdate(old runtime.Object) error {
 	cassandralog.Info("validate update", "name", in.Name)
 
-	if in.Spec.Project != old.(*Cassandra).Spec.Project {
-		return errors.New("cannot update a Cassandra service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*Cassandra).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a Cassandra service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/clickhouse_webhook.go b/api/v1alpha1/clickhouse_webhook.go
@@ -43,15 +43,6 @@ func (in *Clickhouse) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *Clickhouse) ValidateUpdate(old runtime.Object) error {
 	clickhouselog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*Clickhouse).Spec.Project {
-		return errors.New("cannot update a Clickhouse service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*Clickhouse).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a Clickhouse service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -24,6 +24,7 @@ type AuthSecretReference struct {
 
 // ConnInfoSecretTarget contains information secret name
 type ConnInfoSecretTarget struct {
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	// Name of the secret resource to be created. By default, it is equal to the resource name
 	Name string `json:"name"`
 	// +kubebuilder:pruning:PreserveUnknownFields

diff --git a/api/v1alpha1/connectionpool_webhook.go b/api/v1alpha1/connectionpool_webhook.go
@@ -3,8 +3,6 @@
 package v1alpha1
 
 import (
-	"errors"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -47,19 +45,6 @@ func (in *ConnectionPool) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *ConnectionPool) ValidateUpdate(old runtime.Object) error {
 	connectionpoollog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*ConnectionPool).Spec.Project {
-		return errors.New("cannot update a ConnectionPool, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ServiceName != old.(*ConnectionPool).Spec.ServiceName {
-		return errors.New("cannot update a ConnectionPool, serviceName field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*ConnectionPool).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a ConnectionPool, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return nil
 }
 

diff --git a/api/v1alpha1/grafana_webhook.go b/api/v1alpha1/grafana_webhook.go
@@ -42,15 +42,6 @@ func (in *Grafana) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *Grafana) ValidateUpdate(old runtime.Object) error {
 	grafanalog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*Grafana).Spec.Project {
-		return errors.New("cannot update a Grafana service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*Grafana).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a Grafana service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/kafka_webhook.go b/api/v1alpha1/kafka_webhook.go
@@ -43,15 +43,6 @@ func (in *Kafka) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *Kafka) ValidateUpdate(old runtime.Object) error {
 	kafkalog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*Kafka).Spec.Project {
-		return errors.New("cannot update a Kafka service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*Kafka).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a Kafka service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/mysql_webhook.go b/api/v1alpha1/mysql_webhook.go
@@ -43,15 +43,6 @@ func (in *MySQL) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *MySQL) ValidateUpdate(old runtime.Object) error {
 	mysqllog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*MySQL).Spec.Project {
-		return errors.New("cannot update a MySQL service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*MySQL).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a MySQL service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/opensearch_webhook.go b/api/v1alpha1/opensearch_webhook.go
@@ -43,15 +43,6 @@ func (in *OpenSearch) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *OpenSearch) ValidateUpdate(old runtime.Object) error {
 	opensearchlog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*OpenSearch).Spec.Project {
-		return errors.New("cannot update a OpenSearch service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*OpenSearch).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a OpenSearch service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/postgresql_webhook.go b/api/v1alpha1/postgresql_webhook.go
@@ -43,15 +43,6 @@ func (in *PostgreSQL) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *PostgreSQL) ValidateUpdate(old runtime.Object) error {
 	pglog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*PostgreSQL).Spec.Project {
-		return errors.New("cannot update a PostgreSQL service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*PostgreSQL).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a PostgreSQL service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/project_types.go b/api/v1alpha1/project_types.go
@@ -37,6 +37,7 @@ type ProjectSpec struct {
 
 	// +kubebuilder:validation:MaxLength=36
 	// +kubebuilder:validation:MinLength=36
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	// BillingGroup ID
 	BillingGroupID string `json:"billingGroupId,omitempty"`
 
@@ -50,6 +51,7 @@ type ProjectSpec struct {
 	Cloud string `json:"cloud,omitempty"`
 
 	// +kubebuilder:validation:MaxLength=63
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 	// Project name from which to copy settings to the new project
 	CopyFromProject string `json:"copyFromProject,omitempty"`
 

diff --git a/api/v1alpha1/project_webhook.go b/api/v1alpha1/project_webhook.go
@@ -45,19 +45,6 @@ func (in *Project) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *Project) ValidateUpdate(old runtime.Object) error {
 	projectlog.Info("validate update", "name", in.Name)
-
-	if in.Spec.CopyFromProject != old.(*Project).Spec.CopyFromProject {
-		return errors.New("'copyFromProject' can only be set during creation of a project")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*Project).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a Project, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
-	if in.Spec.BillingGroupID != old.(*Project).Spec.BillingGroupID {
-		return errors.New("'billingGroupId' can only be set during creation of a project")
-	}
-
 	return nil
 }
 

diff --git a/api/v1alpha1/redis_webhook.go b/api/v1alpha1/redis_webhook.go
@@ -43,15 +43,6 @@ func (in *Redis) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *Redis) ValidateUpdate(old runtime.Object) error {
 	redislog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*Redis).Spec.Project {
-		return errors.New("cannot update a Redis service, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*Redis).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a Redis service, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return in.Spec.Validate()
 }
 

diff --git a/api/v1alpha1/serviceuser_webhook.go b/api/v1alpha1/serviceuser_webhook.go
@@ -3,8 +3,6 @@
 package v1alpha1
 
 import (
-	"errors"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -43,19 +41,6 @@ func (in *ServiceUser) ValidateCreate() error {
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
 func (in *ServiceUser) ValidateUpdate(old runtime.Object) error {
 	serviceuserlog.Info("validate update", "name", in.Name)
-
-	if in.Spec.Project != old.(*ServiceUser).Spec.Project {
-		return errors.New("cannot update a Service User, project field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ServiceName != old.(*ServiceUser).Spec.ServiceName {
-		return errors.New("cannot update a Service User, serviceName field is immutable and cannot be updated")
-	}
-
-	if in.Spec.ConnInfoSecretTarget.Name != old.(*ServiceUser).Spec.ConnInfoSecretTarget.Name {
-		return errors.New("cannot update a ServiceUser, connInfoSecretTarget.name field is immutable and cannot be updated")
-	}
-
 	return nil
 }
 

diff --git a/charts/aiven-operator-crds/templates/aiven.io_cassandras.yaml b/charts/aiven-operator-crds/templates/aiven.io_cassandras.yaml
@@ -90,6 +90,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_clickhouses.yaml b/charts/aiven-operator-crds/templates/aiven.io_clickhouses.yaml
@@ -76,6 +76,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_clickhouseusers.yaml b/charts/aiven-operator-crds/templates/aiven.io_clickhouseusers.yaml
@@ -83,6 +83,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_connectionpools.yaml b/charts/aiven-operator-crds/templates/aiven.io_connectionpools.yaml
@@ -93,6 +93,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_grafanas.yaml b/charts/aiven-operator-crds/templates/aiven.io_grafanas.yaml
@@ -90,6 +90,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_kafkas.yaml b/charts/aiven-operator-crds/templates/aiven.io_kafkas.yaml
@@ -92,6 +92,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_mysqls.yaml b/charts/aiven-operator-crds/templates/aiven.io_mysqls.yaml
@@ -90,6 +90,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_opensearches.yaml b/charts/aiven-operator-crds/templates/aiven.io_opensearches.yaml
@@ -76,6 +76,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_postgresqls.yaml b/charts/aiven-operator-crds/templates/aiven.io_postgresqls.yaml
@@ -91,6 +91,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_projects.yaml b/charts/aiven-operator-crds/templates/aiven.io_projects.yaml
@@ -90,6 +90,9 @@ spec:
                   maxLength: 36
                   minLength: 36
                   type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
                 cardId:
                   description:
                     Credit card ID; The ID may be either last 4 digits of
@@ -120,6 +123,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without
@@ -142,6 +148,9 @@ spec:
                   description: Project name from which to copy settings to the new project
                   maxLength: 63
                   type: string
+                  x-kubernetes-validations:
+                    - message: Value is immutable
+                      rule: self == oldSelf
                 countryCode:
                   description: Billing country code of the project
                   maxLength: 2

diff --git a/charts/aiven-operator-crds/templates/aiven.io_redis.yaml b/charts/aiven-operator-crds/templates/aiven.io_redis.yaml
@@ -76,6 +76,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/charts/aiven-operator-crds/templates/aiven.io_serviceusers.yaml b/charts/aiven-operator-crds/templates/aiven.io_serviceusers.yaml
@@ -90,6 +90,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without

diff --git a/config/crd/bases/aiven.io_cassandras.yaml b/config/crd/bases/aiven.io_cassandras.yaml
@@ -90,6 +90,9 @@ spec:
                         Name of the secret resource to be created. By default,
                         it is equal to the resource name
                       type: string
+                      x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                     prefix:
                       description:
                         Prefix for the secret's keys. Added "as is" without