feat: do not allow kic ControlPlane ref type for types unsupported by KIC

pmalek · pmalek · commit a721d9ec0b9c · 2024-11-18T19:38:32.000+01:00
diff --git a/api/configuration/v1alpha1/kongroute_types.go b/api/configuration/v1alpha1/kongroute_types.go
@@ -56,6 +56,7 @@ type KongRoute struct {
 }
 
 // KongRouteSpec defines specification of a Kong Route.
+// +kubebuilder:validation:XValidation:rule="!has(self.controlPlaneRef) ? true : self.controlPlaneRef.type != 'kic'", message="KongRoute is not supported by kic control plane"
 // +apireference:kgo:include
 type KongRouteSpec struct {
 	// ControlPlaneRef is a reference to a ControlPlane this KongRoute is associated with.
diff --git a/api/configuration/v1alpha1/kongservice_types.go b/api/configuration/v1alpha1/kongservice_types.go
@@ -52,6 +52,7 @@ type KongService struct {
 }
 
 // KongServiceSpec defines specification of a Kong Route.
+// +kubebuilder:validation:XValidation:rule="!has(self.controlPlaneRef) ? true : self.controlPlaneRef.type != 'kic'", message="KongRoute is not supported by kic control plane"
 // +apireference:kgo:include
 type KongServiceSpec struct {
 	// ControlPlaneRef is a reference to a ControlPlane this KongService is associated with.
diff --git a/config/crd/gateway-operator/configuration.konghq.com_kongroutes.yaml b/config/crd/gateway-operator/configuration.konghq.com_kongroutes.yaml
@@ -266,6 +266,10 @@ spec:
                 - message: tags entries must not be longer than 128 characters
                   rule: self.all(tag, size(tag) >= 1 && size(tag) <= 128)
             type: object
+            x-kubernetes-validations:
+            - message: KongRoute is not supported by kic control plane
+              rule: '!has(self.controlPlaneRef) ? true : self.controlPlaneRef.type
+                != ''kic'''
           status:
             default:
               conditions:
diff --git a/config/crd/gateway-operator/configuration.konghq.com_kongservices.yaml b/config/crd/gateway-operator/configuration.konghq.com_kongservices.yaml
@@ -187,6 +187,10 @@ spec:
             required:
             - host
             type: object
+            x-kubernetes-validations:
+            - message: KongRoute is not supported by kic control plane
+              rule: '!has(self.controlPlaneRef) ? true : self.controlPlaneRef.type
+                != ''kic'''
           status:
             default:
               conditions:
diff --git a/test/crdsvalidation/kongcacertificate_test.go b/test/crdsvalidation/kongcacertificate_test.go
@@ -45,6 +45,6 @@ func TestKongCACertificate(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 }
diff --git a/test/crdsvalidation/kongcertificate_test.go b/test/crdsvalidation/kongcertificate_test.go
@@ -26,7 +26,7 @@ func TestKongCertificate(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("required fields", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongconsumer_test.go b/test/crdsvalidation/kongconsumer_test.go
@@ -22,7 +22,7 @@ func TestKongConsumer(t *testing.T) {
 			Username:   "username-1",
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, SupportedByKIC).Run(t)
 	})
 
 	t.Run("required fields", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongconsumergroup_test.go b/test/crdsvalidation/kongconsumergroup_test.go
@@ -25,7 +25,7 @@ func TestKongConsumerGroup(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("cp ref update", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongdataplaneclientcertificate_test.go b/test/crdsvalidation/kongdataplaneclientcertificate_test.go
@@ -24,7 +24,7 @@ func TestKongDataPlaneClientCertificate(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("spec", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongkey_test.go b/test/crdsvalidation/kongkey_test.go
@@ -26,7 +26,7 @@ func TestKongKey(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 	t.Run("pem/cp ref", func(t *testing.T) {
 		obj := &configurationv1alpha1.KongKey{
@@ -46,7 +46,7 @@ func TestKongKey(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("spec", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongkeyset_test.go b/test/crdsvalidation/kongkeyset_test.go
@@ -25,7 +25,7 @@ func TestKongKeySet(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("spec", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongpluginbindings_test.go b/test/crdsvalidation/kongpluginbindings_test.go
@@ -31,7 +31,7 @@ func TestKongPluginBindings(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("plugin ref", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongroute_test.go b/test/crdsvalidation/kongroute_test.go
@@ -13,16 +13,20 @@ import (
 )
 
 func TestKongRoute(t *testing.T) {
+	obj := &configurationv1alpha1.KongRoute{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "KongRoute",
+			APIVersion: configurationv1alpha1.GroupVersion.String(),
+		},
+		ObjectMeta: commonObjectMeta,
+	}
+
 	t.Run("cp ref", func(t *testing.T) {
-		obj := &configurationv1alpha1.KongRoute{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       "KongRoute",
-				APIVersion: configurationv1alpha1.GroupVersion.String(),
-			},
-			ObjectMeta: commonObjectMeta,
-		}
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
+	})
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+	t.Run("cp ref - kic", func(t *testing.T) {
+		NewCRDValidationTestCasesGroupCPRefChangeKICUnsupportedTypes(t, obj).Run(t)
 	})
 
 	t.Run("protocols", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongservice_test.go b/test/crdsvalidation/kongservice_test.go
@@ -11,16 +11,20 @@ import (
 )
 
 func TestKongService(t *testing.T) {
+	obj := &configurationv1alpha1.KongService{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "KongService",
+			APIVersion: configurationv1alpha1.GroupVersion.String(),
+		},
+		ObjectMeta: commonObjectMeta,
+	}
+
 	t.Run("cp ref", func(t *testing.T) {
-		obj := &configurationv1alpha1.KongService{
-			TypeMeta: metav1.TypeMeta{
-				Kind:       "KongService",
-				APIVersion: configurationv1alpha1.GroupVersion.String(),
-			},
-			ObjectMeta: commonObjectMeta,
-		}
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
+	})
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+	t.Run("cp ref - kic", func(t *testing.T) {
+		NewCRDValidationTestCasesGroupCPRefChangeKICUnsupportedTypes(t, obj).Run(t)
 	})
 
 	t.Run("tags validation", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongupstream_test.go b/test/crdsvalidation/kongupstream_test.go
@@ -22,7 +22,7 @@ func TestKongUpstream(t *testing.T) {
 			ObjectMeta: commonObjectMeta,
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)
 	})
 
 	t.Run("required fields", func(t *testing.T) {
diff --git a/test/crdsvalidation/kongvault_test.go b/test/crdsvalidation/kongvault_test.go
@@ -24,7 +24,7 @@ func TestKongVault(t *testing.T) {
 			},
 		}
 
-		NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)
+		NewCRDValidationTestCasesGroupCPRefChange(t, obj, SupportedByKIC).Run(t)
 	})
 
 	t.Run("spec", func(t *testing.T) {
diff --git a/test/crdsvalidation/suite_crd_ref_change_kic_unsupported_test.go b/test/crdsvalidation/suite_crd_ref_change_kic_unsupported_test.go
@@ -0,0 +1,39 @@
+package crdsvalidation_test
+
+import (
+	"testing"
+
+	configurationv1alpha1 "github.com/kong/kubernetes-configuration/api/configuration/v1alpha1"
+	"github.com/samber/lo"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func NewCRDValidationTestCasesGroupCPRefChangeKICUnsupportedTypes[
+	T interface {
+		client.Object
+		DeepCopy() T
+		SetConditions([]metav1.Condition)
+		SetControlPlaneRef(*configurationv1alpha1.ControlPlaneRef)
+		GetControlPlaneRef() *configurationv1alpha1.ControlPlaneRef
+	},
+](
+	t *testing.T,
+	obj T,
+) CRDValidationTestCasesGroup[T] {
+	ret := CRDValidationTestCasesGroup[T]{}
+
+	{
+		obj := obj.DeepCopy()
+		obj.SetControlPlaneRef(&configurationv1alpha1.ControlPlaneRef{
+			Type: configurationv1alpha1.ControlPlaneRefKIC,
+		})
+		ret = append(ret, CRDValidationTestCase[T]{
+			Name:                 "kic control plane ref is not allowed",
+			TestObject:           obj,
+			ExpectedErrorMessage: lo.ToPtr("is not supported by kic control plane"),
+		})
+	}
+
+	return ret
+}
diff --git a/test/crdsvalidation/suite_crd_ref_change_test.go b/test/crdsvalidation/suite_crd_ref_change_test.go

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,7 @@ type KongRoute struct {`
`56`	`56`	`}`
`57`	`57`
`58`	`58`	`// KongRouteSpec defines specification of a Kong Route.`
	`59`	`+// +kubebuilder:validation:XValidation:rule="!has(self.controlPlaneRef) ? true : self.controlPlaneRef.type != 'kic'", message="KongRoute is not supported by kic control plane"`
`59`	`60`	`// +apireference:kgo:include`
`60`	`61`	`type KongRouteSpec struct {`
`61`	`62`	`// ControlPlaneRef is a reference to a ControlPlane this KongRoute is associated with.`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ type KongService struct {`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`// KongServiceSpec defines specification of a Kong Route.`
	`55`	`+// +kubebuilder:validation:XValidation:rule="!has(self.controlPlaneRef) ? true : self.controlPlaneRef.type != 'kic'", message="KongRoute is not supported by kic control plane"`
`55`	`56`	`// +apireference:kgo:include`
`56`	`57`	`type KongServiceSpec struct {`
`57`	`58`	`// ControlPlaneRef is a reference to a ControlPlane this KongService is associated with.`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,6 @@ func TestKongCACertificate(t *testing.T) {`
`45`	`45`	`},`
`46`	`46`	`}`
`47`	`47`
`48`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`48`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`49`	`49`	`})`
`50`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func TestKongCertificate(t *testing.T) {`
`26`	`26`	`},`
`27`	`27`	`}`
`28`	`28`
`29`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`29`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`30`	`30`	`})`
`31`	`31`
`32`	`32`	`t.Run("required fields", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ func TestKongConsumer(t *testing.T) {`
`22`	`22`	`Username: "username-1",`
`23`	`23`	`}`
`24`	`24`
`25`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`25`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, SupportedByKIC).Run(t)`
`26`	`26`	`})`
`27`	`27`
`28`	`28`	`t.Run("required fields", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func TestKongConsumerGroup(t *testing.T) {`
`25`	`25`	`},`
`26`	`26`	`}`
`27`	`27`
`28`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`28`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`29`	`29`	`})`
`30`	`30`
`31`	`31`	`t.Run("cp ref update", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ func TestKongDataPlaneClientCertificate(t *testing.T) {`
`24`	`24`	`},`
`25`	`25`	`}`
`26`	`26`
`27`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`27`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`28`	`28`	`})`
`29`	`29`
`30`	`30`	`t.Run("spec", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func TestKongKey(t *testing.T) {`
`26`	`26`	`},`
`27`	`27`	`}`
`28`	`28`
`29`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`29`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`30`	`30`	`})`
`31`	`31`	`t.Run("pem/cp ref", func(t *testing.T) {`
`32`	`32`	`obj := &configurationv1alpha1.KongKey{`
`@@ -46,7 +46,7 @@ func TestKongKey(t *testing.T) {`
`46`	`46`	`},`
`47`	`47`	`}`
`48`	`48`
`49`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`49`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`50`	`50`	`})`
`51`	`51`
`52`	`52`	`t.Run("spec", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func TestKongKeySet(t *testing.T) {`
`25`	`25`	`},`
`26`	`26`	`}`
`27`	`27`
`28`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`28`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`29`	`29`	`})`
`30`	`30`
`31`	`31`	`t.Run("spec", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func TestKongPluginBindings(t *testing.T) {`
`31`	`31`	`},`
`32`	`32`	`}`
`33`	`33`
`34`		`- NewCRDValidationTestCasesGroupCPRefChange(t, obj).Run(t)`
	`34`	`+ NewCRDValidationTestCasesGroupCPRefChange(t, obj, NotSupportedByKIC).Run(t)`
`35`	`35`	`})`
`36`	`36`
`37`	`37`	`t.Run("plugin ref", func(t *testing.T) {`