Skip to content

Commit

Permalink
fix: add additional name validation for custom resources (#219)
Browse files Browse the repository at this point in the history
* fix: remove cluster nodebalancer label suffix

Removes the label suffix from cluster loadbalancers. This allows for
longer cluster names since Linode Nodebalancer labels are constrained
to strings of 3..32 characters in length.

See: https://www.linode.com/docs/api/nodebalancers/#nodebalancer-create

* fix: add name validation for custom resources

This propagates the label constraints of Linode resources to their associated
CustomResourceDefinitions via the Kubernetes Validation Rules feature. When a
custom resource is created, the Kubernetes object name is validated against the
label constraints of its backing Linode resources. This allows CAPL-managed
resources to maintain a human-readable naming scheme between its Kubernetes
representation and the backing Linode implementation.

Validation rules are implemented via Kustomize JSON patches due to limitations
with Kubebuilder and Strategic Merge Patching with CRDs in Kubernetes.

See:
- https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules
- https://www.github.com/kubernetes/kubernetes/issues/74620
- https://www.github.com/kubernetes-sigs/kubebuilder/issues/1074
- https://www.github.com/kubernetes/kubernetes/issues/113223

* fix: add name validation for custom resource templates

This further propagates the label constraints of Linode resources to their
associated CustomResourceDefinition templates via the Kubernetes Validation
Rules feature.

* chore: e2e: clean up cluster name format
  • Loading branch information
cbzzz authored Apr 3, 2024
1 parent 64db075 commit de59fb1
Show file tree
Hide file tree
Showing 10 changed files with 144 additions and 13 deletions.
6 changes: 3 additions & 3 deletions cloud/services/loadbalancers.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ const (
func CreateNodeBalancer(ctx context.Context, clusterScope *scope.ClusterScope, logger logr.Logger) (*linodego.NodeBalancer, error) {
var linodeNB *linodego.NodeBalancer

NBLabel := fmt.Sprintf("%s-api-server", clusterScope.LinodeCluster.Name)
NBLabel := clusterScope.LinodeCluster.Name
clusterUID := string(clusterScope.LinodeCluster.UID)
tags := []string{string(clusterScope.LinodeCluster.UID)}
listFilter := util.Filter{
Expand Down Expand Up @@ -53,9 +53,9 @@ func CreateNodeBalancer(ctx context.Context, clusterScope *scope.ClusterScope, l
return &linodeNBs[0], nil
}

logger.Info(fmt.Sprintf("Creating NodeBalancer %s-api-server", clusterScope.LinodeCluster.Name))
logger.Info(fmt.Sprintf("Creating NodeBalancer %s", clusterScope.LinodeCluster.Name))
createConfig := linodego.NodeBalancerCreateOptions{
Label: util.Pointer(fmt.Sprintf("%s-api-server", clusterScope.LinodeCluster.Name)),
Label: util.Pointer(clusterScope.LinodeCluster.Name),
Region: clusterScope.LinodeCluster.Spec.Region,
Tags: tags,
}
Expand Down
33 changes: 33 additions & 0 deletions config/crd/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,39 @@ patches:
#- path: patches/cainjection_in_linodeobjectstoragebuckets.yaml
#+kubebuilder:scaffold:crdkustomizecainjectionpatch

# [VALIDATION]
# patches here are for additional validation for each CRD
- target:
group: apiextensions.k8s.io
version: v1
kind: CustomResourceDefinition
name: linodeclusters.infrastructure.cluster.x-k8s.io
path: patches/validation_in_linodeclusters.yaml
- target:
group: apiextensions.k8s.io
version: v1
kind: CustomResourceDefinition
name: linodeclustertemplates.infrastructure.cluster.x-k8s.io
path: patches/validation_in_linodeclustertemplates.yaml
- target:
group: apiextensions.k8s.io
version: v1
kind: CustomResourceDefinition
name: linodemachines.infrastructure.cluster.x-k8s.io
path: patches/validation_in_linodemachines.yaml
- target:
group: apiextensions.k8s.io
version: v1
kind: CustomResourceDefinition
name: linodemachinetemplates.infrastructure.cluster.x-k8s.io
path: patches/validation_in_linodemachinetemplates.yaml
- target:
group: apiextensions.k8s.io
version: v1
kind: CustomResourceDefinition
name: linodevpcs.infrastructure.cluster.x-k8s.io
path: patches/validation_in_linodevpcs.yaml

# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
11 changes: 11 additions & 0 deletions config/crd/patches/validation_in_linodeclusters.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# The following patch adds additional constraints after the built-in name validation for the CRD
- op: add
path: /spec/versions/0/schema/openAPIV3Schema/properties/metadata/properties
value:
name:
type: string
x-kubernetes-validations:
- rule: 3 <= size(self) && size(self) <= 32
message: >-
custom validation:
linode nodebalancer: labels must be between 3..32 characters
12 changes: 12 additions & 0 deletions config/crd/patches/validation_in_linodeclustertemplates.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
# The following patch adds additional constraints after the built-in name validation for the CRD
- op: add
path: /spec/versions/0/schema/openAPIV3Schema/properties/metadata/properties
value:
name:
type: string
x-kubernetes-validations:
- rule: 3 <= size(self) && size(self) <= 26
message: >-
custom validation:
template: must be between 3..26 characters,
linode nodebalancer: labels must be between 3..32 characters
26 changes: 26 additions & 0 deletions config/crd/patches/validation_in_linodemachines.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# The following patch adds additional constraints after the built-in name validation for the CRD
- op: add
path: /spec/versions/0/schema/openAPIV3Schema/properties/metadata/properties
value:
name:
type: string
x-kubernetes-validations:
- rule: 3 <= size(self) && size(self) <= 64
message: >-
custom validation:
linode instance: labels must be between 3..64 characters
- rule: self.matches('^[[:alnum:]]([-_.[:alnum:]]+[[:alnum:]])*$')
message: >-
custom validation:
linode instance: labels:
must begin and end with an alphanumeric character,
may only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.),
cannot have two hyphens (--), underscores (__) or periods (..) in a row,
regex used for validation is: '^[[:alnum:]]([-_.[:alnum:]]+[[:alnum:]])*$',
see: https://www.linode.com/docs/api/linode-instances/#linode-create
# TODO: Consider combining this into the regex above to minimize time complexity
# See: https://github.com/google/cel-spec/blob/master/doc/langdef.md#time-complexity
- rule: "!(self.contains('--') || self.contains('__') || self.contains('..'))"
message: >-
custom validation:
linode instance: labels cannot have two hyphens (--), underscores (__) or periods (..) in a row
27 changes: 27 additions & 0 deletions config/crd/patches/validation_in_linodemachinetemplates.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# The following patch adds additional constraints after the built-in name validation for the CRD
- op: add
path: /spec/versions/0/schema/openAPIV3Schema/properties/metadata/properties
value:
name:
type: string
x-kubernetes-validations:
- rule: 3 <= size(self) && size(self) <= 58
message: >-
custom validation:
template: must be between 3..58 characters,
linode instance: labels must be between 3..64 characters
- rule: self.matches('^[[:alnum:]]([-_.[:alnum:]]+[[:alnum:]])*$')
message: >-
custom validation:
linode instance: labels:
must begin and end with an alphanumeric character,
may only consist of alphanumeric characters, hyphens (-), underscores (_) or periods (.),
cannot have two hyphens (--), underscores (__) or periods (..) in a row,
regex used for validation is: '^[[:alnum:]]([-_.[:alnum:]]+[[:alnum:]])*$',
see: https://www.linode.com/docs/api/linode-instances/#linode-create
# TODO: Consider combining this into the regex above to minimize time complexity
# See: https://github.com/google/cel-spec/blob/master/doc/langdef.md#time-complexity
- rule: "!(self.contains('--') || self.contains('__') || self.contains('..'))"
message: >-
custom validation:
linode instance: labels cannot have two hyphens (--), underscores (__) or periods (..) in a row
25 changes: 25 additions & 0 deletions config/crd/patches/validation_in_linodevpcs.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
# The following patch adds additional constraints after the built-in name validation for the CRD
- op: add
path: /spec/versions/0/schema/openAPIV3Schema/properties/metadata/properties
value:
name:
type: string
x-kubernetes-validations:
- rule: 1 <= size(self) && size(self) <= 64
message: >-
custom validation:
linode vpc: labels must be between 1..64 characters
- rule: self.matches('^[-[:alnum:]]*$')
message: >-
custom validation:
linode vpc: labels:
can only contain ASCII letters, numbers, and hyphens (-),
cannot have two consecutive hyphens (--),
regex used for validation is: '^[-[:alnum:]]*$',
see: https://www.linode.com/docs/api/vpcs/#vpc-create
# TODO: Consider combining this into the regex above to minimize time complexity
# See: https://github.com/google/cel-spec/blob/master/doc/langdef.md#time-complexity
- rule: "!self.contains('--')"
message: >-
custom validation:
linode vpc: labels cannot have two consecutive hyphens (--)
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,10 @@ spec:
- name: run
value: (join('-', ['e2e', 'min-cluster', env('GIT_REF')]))
- name: cluster
# Format the cluster name into a valid Linode label
# TODO: This is over-truncated to account for the Linode NodeBalancer label
value: (trim((truncate(($run), `21`)), '-'))
# Format the cluster name
value: (trim((truncate(($run), `32`)), '-'))
- name: nodebalancer
value: (join('-', [($cluster), 'api-server']))
value: ($cluster)
template: true
steps:
- name: step-00
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,8 @@ spec:
- name: run
value: (join('-', ['e2e', 'min-lm', env('GIT_REF')]))
- name: cluster
# Format the cluster name into a valid Linode label
# TODO: This is over-truncated to account for the Linode NodeBalancer label
value: (trim((truncate(($run), `21`)), '-'))
# Format the cluster name
value: (trim((truncate(($run), `32`)), '-'))
template: true
steps:
- name: step-00
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,8 @@ spec:
- name: run
value: (join('-', ['e2e', 'lm-vpc', env('GIT_REF')]))
- name: cluster
# Format the cluster name into a valid Linode label
# TODO: This is over-truncated to account for the Linode NodeBalancer label
value: (trim((truncate(($run), `21`)), '-'))
# Format the cluster name
value: (trim((truncate(($run), `32`)), '-'))
- name: vpc
# Format the VPC name into a valid Kubernetes object name
value: (trim((truncate(($run), `63`)), '-'))
Expand Down

0 comments on commit de59fb1

Please sign in to comment.