feat: webhook: Check if DataImportCronTemplate is correct

[akrejcir]

What this PR does / why we need it:
Added webhook code to check if DataImportCronTemplate is correct.
The code is copied from CDI webhook. They don't export the code, so we cannot import it as a module.

Which issue(s) this PR fixes:
Fixes: https://issues.redhat.com/browse/CNV-48792

Release note:

None

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from akrejcir. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[akrejcir]

/cc @0xFelix @jcanocan @codingben

[codingben]

The code is copied from CDI webhook. They don't export the code, so we cannot import it as a module.

Isn't exportable at all? What would be @akalenyu's opinion about this?

[0xFelix]

nit: Use for i := range s.NumField()

[akrejcir]

Done.
TIL that range can have int argument. I assumed only slices and maps can be there.

[akrejcir]

But golangci-lint complains about it:

golangci/golangci-lint info installed /workspace/bin/golangci-lint
/workspace/bin/golangci-lint run --timeout 5m
webhooks/data-import-cron.go:170:17: cannot range over s.NumField() (value of type int) (typecheck)
	for i := range s.NumField() {
	               ^
make: *** [Makefile:327: lint] Error 1

Even if it compiles and works: https://go.dev/play/p/KbogyWbaifX?v=goprev

Maybe we need to update the linter. For now, I will revert it.

[0xFelix]

IIRC that was introduced with golang 1.22. :)

[jcanocan]

Maybe the problem is that the linter is already a bit old. IIRC, we are using golangci-lint 1.55.2, which is based in golang 1.21.3. Could you please try to update the golangci-lint version up to 1.62.2 and try again?

[akrejcir]

I will do it in a separate PR.

[0xFelix]

Up to you but I'd inline most of these vars

[akrejcir]

I'd keep them this way. It would be too verbose if inlined.

[0xFelix]

This case is missing for Storage?

[0xFelix]

Can the cases not be split e.g. like other ones?

[akrejcir]

It is allowed to have multiple access modes for Storage. At least the CDI webhook allows it.

[akrejcir]

Can the cases not be split e.g. like other ones?

What do you mean?

[sonarqubecloud]

Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[akalenyu]

The code is copied from CDI webhook. They don't export the code, so we cannot import it as a module.

Isn't exportable at all? What would be @akalenyu's opinion about this?

Yeah I don't think there is a good reason to export it. We did export the authorization bits at one point kubevirt/containerized-data-importer#2636 but that is a must for any project that embeds DataVolumes for security reasons.

My general thoughts are, with all the recent focus on webhooks, I am not sure we want to copy the webhook,
when we could instead just propagate the creation error properly to the status. Would that not suffice?
Another option is dry running the creation.

[0xFelix]

I like the idea of using the dry running option.

@akrejcir Can you explain how having these checks in SSP fixes the initial issue? Won't it still fail its reconciliation because the supplied DIC templates are not valid?

[akrejcir]

My general thoughts are, with all the recent focus on webhooks, I am not sure we want to copy the webhook,
when we could instead just propagate the creation error properly to the status. Would that not suffice?
Another option is dry running the creation.

Ok, I will look into propagating the error into status. Rejecting an incorrect SSP in webhook would be faster, but we need a lot of copied code.

I didn't want to call dry-run create API in the webhook, because the webhook should be fast, and there is a set timeout for it. There can be any number of DataImportCronTemplates specified in the SSP, and doing many API calls in the webhook could take too long.

@akrejcir Can you explain how having these checks in SSP fixes the initial issue? Won't it still fail its reconciliation because the supplied DIC templates are not valid?

It will not fail reconciliation, bacuase the invalid SSP object is rejected in webhook.

[akalenyu]

Rejecting an incorrect SSP in webhook would be faster

As a project we kind of decided that this is not enough of an advantage versus all the bad stuff webhooks bring.
I see no issue with solving the bug by reporting the error in the status (users should be checking that)