Add v1alpha2 Hardware validating admission webhook

[chrisdoherty4]

Add a validating admission webhook to perform complex Hardware validation that can't be performed with CEL.

[codecov]

Codecov Report

Merging #675 (85f430d) into main (906da94) will increase coverage by 3.43%.
The diff coverage is 75.78%.

❗ Current head 85f430d differs from pull request most recent head d8517c0. Consider uploading reports for the commit d8517c0 to get more accurate results

@@            Coverage Diff             @@
##             main     #675      +/-   ##
==========================================
+ Coverage   49.30%   52.73%   +3.43%     
==========================================
  Files          18       23       +5     
  Lines         858      986     +128     
==========================================
+ Hits          423      520      +97     
- Misses        427      454      +27     
- Partials        8       12       +4     

Impacted Files	Coverage Δ
internal/hardware/admission.go	37.20% <37.20%> (ø)
internal/hardware/admission_ip.go	92.85% <92.85%> (ø)
internal/hardware/admission_mac.go	93.93% <93.93%> (ø)
internal/hardware/admission_conditional.go	100.00% <100.00%> (ø)
internal/hardware/duplicate.go	100.00% <100.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[jacobweinstock]

Thanks @chrisdoherty4. Question, how is this deployed?

[jacobweinstock]

Could a cel validation be used instead? +kubebuilder:validation:XValidation:rule= https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/

[chrisdoherty4]

I don't think we can run regex using the XValidation rule - I can't find anything in the link or other resources that shows how.

Even if it could, I'm not sure it would work for map keys. We have CEL validation configured on the map key type which I'd hoped would translate to applying the regex, but it seems the open API spec supported by the CustomResourceDefinition kind doesn't support validation of map keys (not that I've found yet anyway).

[chrisdoherty4]

Thanks @chrisdoherty4. Question, how is this deployed?

Great question.

This will be registered with the new controller manager component (we already have a manager under /internal/controllers). The manager is a controller-runtime data structure that handles initialization of controllers, webhooks, clients and has responsibilities such as leader election etc.

The Admission object satisfies the Handler interface that is consumed by the Webhook data structure. The Webhook is registerable, as an http.Handler, with the webhook.Server. You can see this registration happening in the SetupWithManager function. The webhook.Server is 1 of the structures managed by the manager.

An example of how this is plugged together can be seen in the kubebuilder book.