Merge pull request #460 from zyiyi11/topic/zyiyi/break-glass-ec-label

🌱 Add ExtraConfig Key, Label, Condition and validation for break glass override

api/v1alpha2/virtualmachine_types.go

@@ -89,6 +89,20 @@ const (
 	VirtualMachineToolsRunningReason = "VirtualMachineToolsRunning"
 )
 
+const (
+	// VirtualMachineReconcileReady exposes the status of VirtualMachine reconciliation.
+	VirtualMachineReconcileReady = "VirtualMachineReconcileReady"
+
+	// VirtualMachineReconcileRunningReason indicates that VirtualMachine
+	// reconciliation is running.
+	VirtualMachineReconcileRunningReason = "VirtualMachineReconcileRunning"
+
+	// VirtualMachineReconcilePausedReason indicates that VirtualMachine
+	// reconciliation is being paused.
+	VirtualMachineReconcilePausedReason = "VirtualMachineReconcilePaused"
+
+)
+
 const (
 	// PauseAnnotation is an annotation that prevents a VM from being
 	// reconciled.
@@ -136,6 +150,19 @@ const (
 	PVCDiskDataExtraConfigKey = "vmservice.virtualmachine.pvc.disk.data"
 )
 
+const (
+	// PauseVMExtraConfigKey is the ExtraConfig key to allow override
+	// operations for admins to pause reconciliation of VM Service VM.
+	PauseVMExtraConfigKey = "vmservice.virtualmachine.pause"
+
+	// PausedVMLabelKey is the label key to identify VMs that reconciliation
+	// are paused. Value will specify whose operation is responsible for
+	// the pause. It can be admins or devops or both.
+	//
+	// Only privileged user can edit this label.
+	PausedVMLabelKey = GroupName + "/paused"
+)
+
 // VirtualMachinePowerState defines a VM's desired and observed power states.
 // +kubebuilder:validation:Enum=PoweredOff;PoweredOn;Suspended
 type VirtualMachinePowerState string

webhooks/virtualmachine/v1alpha2/validation/virtualmachine_validator.go

@@ -65,6 +65,7 @@ const (
 	invalidNextRestartTimeOnUpdate           = "must be formatted as RFC3339Nano"
 	invalidNextRestartTimeOnUpdateNow        = "mutation webhooks are required to restart VM"
 	modifyAnnotationNotAllowedForNonAdmin    = "modifying this annotation is not allowed for non-admin users"
+	modifyLabelNotAllowedForNonAdmin         = "modifying this label is not allowed for non-admin users"
 	invalidMinHardwareVersionDowngrade       = "cannot downgrade hardware version"
 	invalidMinHardwareVersionPowerState      = "cannot upgrade hardware version unless powered off"
 )
@@ -123,6 +124,7 @@ func (v validator) ValidateCreate(ctx *context.WebhookRequestContext) admission.
 	fieldErrs = append(fieldErrs, v.validatePowerStateOnCreate(ctx, vm)...)
 	fieldErrs = append(fieldErrs, v.validateNextRestartTimeOnCreate(ctx, vm)...)
 	fieldErrs = append(fieldErrs, v.validateAnnotation(ctx, vm, nil)...)
+	fieldErrs = append(fieldErrs, v.validateLabel(ctx, vm, nil)...)
 
 	validationErrs := make([]string, 0, len(fieldErrs))
 	for _, fieldErr := range fieldErrs {
@@ -178,6 +180,7 @@ func (v validator) ValidateUpdate(ctx *context.WebhookRequestContext) admission.
 	fieldErrs = append(fieldErrs, v.validateNextRestartTimeOnUpdate(ctx, vm, oldVM)...)
 	fieldErrs = append(fieldErrs, v.validateAnnotation(ctx, vm, oldVM)...)
 	fieldErrs = append(fieldErrs, v.validateMinHardwareVersion(ctx, vm, oldVM)...)
+	fieldErrs = append(fieldErrs, v.validateLabel(ctx, vm, oldVM)...)
 
 	validationErrs := make([]string, 0, len(fieldErrs))
 	for _, fieldErr := range fieldErrs {
@@ -1116,3 +1119,24 @@ func (v validator) validateMinHardwareVersion(ctx *context.WebhookRequestContext
 
 	return allErrs
 }
+
+func (v validator) validateLabel(ctx *context.WebhookRequestContext, vm, oldVM *vmopv1.VirtualMachine) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if ctx.IsPrivilegedAccount {
+		return allErrs
+	}
+
+	// Use an empty VM if the oldVM is nil to validate a creation request.
+	if oldVM == nil {
+		oldVM = &vmopv1.VirtualMachine{}
+	}
+
+	labelPath := field.NewPath("metadata", "labels")
+
+	if vm.Labels[vmopv1.PausedVMLabelKey] != oldVM.Labels[vmopv1.PausedVMLabelKey] {
+		allErrs = append(allErrs, field.Forbidden(labelPath.Child(vmopv1.PausedVMLabelKey), modifyLabelNotAllowedForNonAdmin))
+	}
+
+	return allErrs
+}