diff --git a/api/v1alpha2/hardware.go b/api/v1alpha2/hardware.go index 51beff7aa..9cd41f0b6 100644 --- a/api/v1alpha2/hardware.go +++ b/api/v1alpha2/hardware.go @@ -41,19 +41,31 @@ type NetworkInterfaces map[MAC]NetworkInterface // NetworkInterface is the desired configuration for a particular network interface. type NetworkInterface struct { - // DHCP is the basic network information for serving DHCP requests. - DHCP DHCP `json:"dhcp,omitempty"` + // DHCP is the basic network information for serving DHCP requests. Required when DisbaleDHCP + // is false. + // +optional + DHCP *DHCP `json:"dhcp,omitempty"` // DisableDHCP disables DHCP for this interface. Implies DisableNetboot. // +kubebuilder:default=false DisableDHCP bool `json:"disableDhcp,omitempty"` // DisableNetboot disables netbooting for this interface. The interface will still receive - // network information speified on by DHCP. + // network information specified by DHCP. // +kubebuilder:default=false DisableNetboot bool `json:"disableNetboot,omitempty"` } +// IsDHCPEnabled checks if DHCP is enabled for ni. +func (ni NetworkInterface) IsDHCPEnabled() bool { + return !ni.DisableDHCP +} + +// IsNetbootEnabled checks if Netboot is enabled for ni. +func (ni NetworkInterface) IsNetbootEnabled() bool { + return !ni.DisableNetboot +} + // DHCP describes basic network configuration to be served in DHCP OFFER responses. It can be // considered a DHCP reservation. type DHCP struct { @@ -165,6 +177,26 @@ type Hardware struct { Spec HardwareSpec `json:"spec,omitempty"` } +// GetMACs retrieves all MACs associated with h. +func (h *Hardware) GetMACs() []string { + var macs []string + for m := range h.Spec.NetworkInterfaces { + macs = append(macs, string(m)) + } + return macs +} + +// GetIPs retrieves all IP addresses. It does not consider the DisableDHCP flag. +func (h *Hardware) GetIPs() []string { + var ips []string + for _, ni := range h.Spec.NetworkInterfaces { + if ni.DHCP != nil { + ips = append(ips, ni.DHCP.IP) + } + } + return ips +} + // +kubebuilder:object:root=true type HardwareList struct { diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go index d461ee15a..ef69c0fc9 100644 --- a/api/v1alpha2/zz_generated.deepcopy.go +++ b/api/v1alpha2/zz_generated.deepcopy.go @@ -346,7 +346,11 @@ func (in *Instance) DeepCopy() *Instance { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *NetworkInterface) DeepCopyInto(out *NetworkInterface) { *out = *in - in.DHCP.DeepCopyInto(&out.DHCP) + if in.DHCP != nil { + in, out := &in.DHCP, &out.DHCP + *out = new(DHCP) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterface. diff --git a/config/crd/bases/tinkerbell.org_hardware.yaml b/config/crd/bases/tinkerbell.org_hardware.yaml index 21ae87c00..b37412525 100644 --- a/config/crd/bases/tinkerbell.org_hardware.yaml +++ b/config/crd/bases/tinkerbell.org_hardware.yaml @@ -421,7 +421,7 @@ spec: description: NetworkInterface is the desired configuration for a particular network interface. properties: dhcp: - description: DHCP is the basic network information for serving DHCP requests. + description: DHCP is the basic network information for serving DHCP requests. Requires when DisbaleDHCP is false. properties: gateway: description: Gateway is the default gateway address to serve. @@ -469,7 +469,7 @@ spec: type: boolean disableNetboot: default: false - description: DisableNetboot disables netbooting for this interface. The interface will still receive network information speified on by DHCP. + description: DisableNetboot disables netbooting for this interface. The interface will still receive network information specified by DHCP. type: boolean type: object description: NetworkInterfaces defines the desired DHCP and netboot configuration for a network interface. diff --git a/go.mod b/go.mod index 5eaa359ee..12dea1941 100644 --- a/go.mod +++ b/go.mod @@ -97,11 +97,11 @@ require ( github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/subosito/gotenv v1.4.2 // indirect go.opentelemetry.io/otel v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.11.2 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.2 // indirect + go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 // indirect go.opentelemetry.io/otel/metric v0.37.0 // indirect - go.opentelemetry.io/otel/sdk v1.11.2 // indirect + go.opentelemetry.io/otel/sdk v1.14.0 // indirect go.opentelemetry.io/otel/trace v1.14.0 // indirect go.opentelemetry.io/proto/otlp v0.19.0 // indirect go.uber.org/atomic v1.10.0 // indirect diff --git a/go.sum b/go.sum index 5f8768f0e..ce9a44496 100644 --- a/go.sum +++ b/go.sum @@ -823,16 +823,16 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.4 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0/go.mod h1:UMklln0+MRhZC4e3PwmN3pCtq4DyIadWw4yikh6bNrw= go.opentelemetry.io/otel v1.14.0 h1:/79Huy8wbf5DnIPhemGB+zEPVwnN6fuQybr/SRXa6hM= go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2 h1:htgM8vZIF8oPSCxa341e3IZ4yr/sKxgu8KZYllByiVY= -go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2/go.mod h1:rqbht/LlhVBgn5+k3M5QK96K5Xb0DvXpMJ5SFQpY6uw= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.11.2 h1:fqR1kli93643au1RKo0Uma3d2aPQKT+WBKfTSBaKbOc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.11.2/go.mod h1:5Qn6qvgkMsLDX+sYK64rHb1FPhpn0UtxF+ouX1uhyJE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.2 h1:ERwKPn9Aer7Gxsc0+ZlutlH1bEEAUXAUhqm3Y45ABbk= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.11.2/go.mod h1:jWZUM2MWhWCJ9J9xVbRx7tzK1mXKpAlze4CeulycwVY= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 h1:/fXHZHGvro6MVqV34fJzDhi7sHGpX3Ej/Qjmfn003ho= +go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0/go.mod h1:UFG7EBMRdXyFstOwH028U0sVf+AvukSGhF0g8+dmNG8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 h1:TKf2uAs2ueguzLaxOCBXNpHxfO/aC7PAdDsSH0IbeRQ= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0/go.mod h1:HrbCVv40OOLTABmOn1ZWty6CHXkU8DK/Urc43tHug70= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 h1:ap+y8RXX3Mu9apKVtOkM6WSFESLM8K3wNQyOU8sWHcc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0/go.mod h1:5w41DY6S9gZrbjuq6Y+753e96WfPha5IcsOSZTtullM= go.opentelemetry.io/otel/metric v0.37.0 h1:pHDQuLQOZwYD+Km0eb657A25NaRzy0a+eLyKfDXedEs= go.opentelemetry.io/otel/metric v0.37.0/go.mod h1:DmdaHfGt54iV6UKxsV9slj2bBRJcKC1B1uvDLIioc1s= -go.opentelemetry.io/otel/sdk v1.11.2 h1:GF4JoaEx7iihdMFu30sOyRx52HDHOkl9xQ8SMqNXUiU= -go.opentelemetry.io/otel/sdk v1.11.2/go.mod h1:wZ1WxImwpq+lVRo4vsmSOxdd+xwoUJ6rqyLc3SyX9aU= +go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY= +go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM= go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M= go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= @@ -847,7 +847,7 @@ go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0 go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11-0.20210813005559-691160354723/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= -go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk= +go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI= diff --git a/internal/hardware/admission.go b/internal/hardware/admission.go new file mode 100644 index 000000000..87d11ad21 --- /dev/null +++ b/internal/hardware/admission.go @@ -0,0 +1,105 @@ +package hardware + +import ( + "context" + "errors" + "fmt" + "net/http" + + "github.com/tinkerbell/tink/api/v1alpha2" + "github.com/tinkerbell/tink/internal/hardware/internal" + ctrl "sigs.k8s.io/controller-runtime" + ctrlclient "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +// admissionWebhookEndpoint is the endpoint serving the Admission handler. +const admissionWebhookEndpoint = "/validate-tinkerbell-org-v1alpha2-hardware" + +// +kubebuilder:webhook:path=/validate-tinkerbell-org-v1alpha2-hardware,mutating=false,failurePolicy=fail,groups="",resources=hardware,verbs=create;update,versions=v1alpha2,name=hardware.tinkerbell.org + +// Admission handles complex validation for admitting a Hardware object to the cluster. +type Admission struct { + client ctrlclient.Client + decoder *admission.Decoder +} + +// Handle satisfies controller-runtime/pkg/webhook/admission#Handler. It is responsible for deciding +// if the given req is valid and should be admitted to the cluster. +func (a *Admission) Handle(ctx context.Context, req admission.Request) admission.Response { + if a.client == nil { + return admission.Errored(http.StatusInternalServerError, errors.New("misconfigured client")) + } + + var hw v1alpha2.Hardware + if err := a.decoder.Decode(req, &hw); err != nil { + return admission.Errored(http.StatusBadRequest, err) + } + + // Ensure conditionally optional fields are valid + if resp := a.validateConditionalFields(&hw); !resp.Allowed { + return resp + } + + // Ensure MACs on the hardware are valid. + if resp := a.validateMACs(&hw); !resp.Allowed { + return resp + } + + // Ensure there's no hardware in the cluster with the same MAC addresses. + if resp := a.validateUniqueMACs(ctx, &hw); !resp.Allowed { + return resp + } + + // Ensure there's no hardware in the cluster with the same IP addresses. + if resp := a.validateUniqueIPs(ctx, &hw); !resp.Allowed { + return resp + } + + return admission.Allowed("") +} + +// InjectDecoder satisfies controller-runtime/pkg/webhook/admission#DecoderInjector. It is used +// when registering the webhook to inject the decoder used by the controller manager. +func (a *Admission) InjectDecoder(d *admission.Decoder) error { + a.decoder = d + return nil +} + +// SetClient sets a's internal Kubernetes client. +func (a *Admission) SetClient(c ctrlclient.Client) { + a.client = c +} + +// SetupWithManager registers a with mgr as a webhook served from AdmissionWebhookEndpoint. +func (a *Admission) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error { + idx := mgr.GetFieldIndexer() + + err := idx.IndexField( + ctx, + &v1alpha2.Hardware{}, + internal.HardwareByMACAddr, + internal.HardwareByMACAddrFunc, + ) + if err != nil { + return fmt.Errorf("register index %s: %w", internal.HardwareByMACAddr, err) + } + + err = idx.IndexField( + ctx, + &v1alpha2.Hardware{}, + internal.HardwareByIPAddr, + internal.HardwareByIPAddrFunc, + ) + if err != nil { + return fmt.Errorf("register index %s: %w", internal.HardwareByIPAddr, err) + } + + mgr.GetWebhookServer().Register( + admissionWebhookEndpoint, + &webhook.Admission{Handler: a}, + ) + + return nil +} diff --git a/internal/hardware/admission_conditional.go b/internal/hardware/admission_conditional.go new file mode 100644 index 000000000..d79c16e27 --- /dev/null +++ b/internal/hardware/admission_conditional.go @@ -0,0 +1,22 @@ +package hardware + +import ( + "fmt" + "net/http" + + "github.com/tinkerbell/tink/api/v1alpha2" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +func (a *Admission) validateConditionalFields(hw *v1alpha2.Hardware) admission.Response { + for mac, ni := range hw.Spec.NetworkInterfaces { + if ni.IsDHCPEnabled() && ni.DHCP == nil { + return admission.Errored(http.StatusBadRequest, fmt.Errorf( + "network interface for %v has DHCP enabled but no DHCP config", + mac, + )) + } + } + + return admission.Allowed("") +} diff --git a/internal/hardware/admission_ip.go b/internal/hardware/admission_ip.go new file mode 100644 index 000000000..faa1ea668 --- /dev/null +++ b/internal/hardware/admission_ip.go @@ -0,0 +1,56 @@ +package hardware + +import ( + "context" + "fmt" + "net/http" + "strings" + + "github.com/tinkerbell/tink/api/v1alpha2" + "github.com/tinkerbell/tink/internal/hardware/internal" + ctrlclient "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +func (a *Admission) validateUniqueIPs(ctx context.Context, hw *v1alpha2.Hardware) admission.Response { + // Determine if there are IP duplicates within the hw object. + seen := map[string]struct{}{} + var dupOnHw []string + for _, ip := range hw.GetIPs() { + if _, ok := seen[ip]; ok { + dupOnHw = append(dupOnHw, ip) + } + seen[ip] = struct{}{} + } + + if len(dupOnHw) > 0 { + return admission.Errored(http.StatusBadRequest, fmt.Errorf( + "duplicate IPs on Hardware: %v", + strings.Join(dupOnHw, ", "), + )) + } + + // Determine if there are IP duplicates with other Hardware objects. + dups := duplicates{} + for _, ip := range hw.GetIPs() { + var hwWithIP v1alpha2.HardwareList + err := a.client.List(ctx, &hwWithIP, ctrlclient.MatchingFields{ + internal.HardwareByIPAddr: ip, + }) + if err != nil { + return admission.Errored(http.StatusInternalServerError, err) + } + if len(hwWithIP.Items) > 0 { + dups.AppendTo(ip, hwWithIP.Items...) + } + } + + if len(dups) > 0 { + return admission.Errored(http.StatusBadRequest, fmt.Errorf( + "IP associated with existing Hardware: %v", + dups.String(), + )) + } + + return admission.Allowed("") +} diff --git a/internal/hardware/admission_mac.go b/internal/hardware/admission_mac.go new file mode 100644 index 000000000..f35e72196 --- /dev/null +++ b/internal/hardware/admission_mac.go @@ -0,0 +1,70 @@ +package hardware + +import ( + "context" + "fmt" + "net/http" + "regexp" + "strings" + + "github.com/tinkerbell/tink/api/v1alpha2" + "github.com/tinkerbell/tink/internal/hardware/internal" + ctrlclient "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +func (a *Admission) validateMACs(hw *v1alpha2.Hardware) admission.Response { + // Validate all MACs on hw are valid before we compare them with Hardware in the cluster. + if invalidMACs := getInvalidMACs(hw); len(invalidMACs) > 0 { + return admission.Errored(http.StatusBadRequest, fmt.Errorf( + "invalid MAC address (%v): %v", + macRegex.String(), + strings.Join(invalidMACs, ", "), + )) + } + + return admission.Allowed("") +} + +// macRegex is taken from the API package documentation. It checks for valid MAC addresses. +// It expects MACs to be lowercase which is necessary for index lookups on API objects. +var macRegex = regexp.MustCompile("^([0-9a-f]{2}:){5}([0-9a-f]{2})$") + +func getInvalidMACs(hw *v1alpha2.Hardware) []string { + var invalidMACs []string + for _, mac := range hw.GetMACs() { + if mac == "" { + mac = "" + } + if !macRegex.MatchString(mac) { + invalidMACs = append(invalidMACs, mac) + } + } + return invalidMACs +} + +func (a *Admission) validateUniqueMACs(ctx context.Context, hw *v1alpha2.Hardware) admission.Response { + dups := duplicates{} + for _, mac := range hw.GetMACs() { + var hwWithMAC v1alpha2.HardwareList + err := a.client.List(ctx, &hwWithMAC, ctrlclient.MatchingFields{ + internal.HardwareByMACAddr: mac, + }) + if err != nil { + return admission.Errored(http.StatusInternalServerError, err) + } + + if len(hwWithMAC.Items) > 0 { + dups.AppendTo(mac, hwWithMAC.Items...) + } + } + + if len(dups) > 0 { + return admission.Errored(http.StatusBadRequest, fmt.Errorf( + "MAC associated with existing Hardware: %s", + dups.String(), + )) + } + + return admission.Allowed("") +} diff --git a/internal/hardware/admission_test.go b/internal/hardware/admission_test.go new file mode 100644 index 000000000..0d1e3d4d3 --- /dev/null +++ b/internal/hardware/admission_test.go @@ -0,0 +1,387 @@ +package hardware_test + +import ( + "context" + "strings" + "testing" + + "github.com/tinkerbell/tink/api/v1alpha2" + "github.com/tinkerbell/tink/internal/hardware" + "github.com/tinkerbell/tink/internal/hardware/internal" + admissionv1 "k8s.io/api/admission/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/json" + "k8s.io/apimachinery/pkg/util/rand" + "sigs.k8s.io/controller-runtime/pkg/client/fake" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +const ( + InvalidMAC = "invalid MAC address" + MACAssociated = "MAC associated with existing Hardware" +) + +const ( + InvalidIP = "invalid IP address" + DuplicateIP = "duplicate IPs on Hardware" + IPAssociated = "IP associated with existing Hardware" +) + +const DHCPEnabled = "DHCP enabled but no DHCP config" + +func TestAdmissionHandler(t *testing.T) { + scheme := runtime.NewScheme() + _ = v1alpha2.AddToScheme(scheme) + + // Configure the decoder for the Admission object. + decoder, err := admission.NewDecoder(scheme) + if err != nil { + t.Fatalf("create decoder: %v", err) + } + + // Build the fake client with indexes so the Admission object can perform its lookups. + // The indexes should be in sync with whatever indexes are registered via + // hardware.Admission#SetupWithManager. + cb := fake.NewClientBuilder(). + WithScheme(scheme). + WithIndex(&v1alpha2.Hardware{}, internal.HardwareByMACAddr, internal.HardwareByMACAddrFunc). + WithIndex(&v1alpha2.Hardware{}, internal.HardwareByIPAddr, internal.HardwareByIPAddrFunc) + clnt := cb.Build() + + // Build the Admission object. + adm := &hardware.Admission{} + adm.SetClient(clnt) + _ = adm.InjectDecoder(decoder) + + tests := []struct { + Name string + Submission *v1alpha2.Hardware + Objects []*v1alpha2.Hardware + DisallowContains []string + }{ + // Allowed + { + Name: "MultiInterfaces", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + "00:00:00:00:00:01": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "1.1.1.1", + }, + }, + "00:00:00:00:00:02": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "2.2.2.2", + }, + }, + }, + }, + }, + }, + { + Name: "ValidMAC1", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + }, + { + Name: "ValidMAC2", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:12:34:56:78:90": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + }, + { + Name: "ValidMAC3", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "aa:bb:cc:dd:ee:ff": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + }, + { + Name: "MultiInterfaces", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + "00:00:00:00:00:01": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "1.1.1.1", + }, + }, + }, + }, + }, + Objects: []*v1alpha2.Hardware{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "hw1", + }, + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:02": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "2.2.2.2", + }, + }, + }, + }, + }, + }, + }, + + // Conditional fields + { + Name: "DHCPDisbaled", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "aa:bb:cc:dd:ee:ff": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + }, + { + Name: "DHCPEnabledWithoutDHCP", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "aa:bb:cc:dd:ee:ff": v1alpha2.NetworkInterface{}, + }, + }, + }, + DisallowContains: []string{DHCPEnabled, "aa:bb:cc:dd:ee:ff"}, + }, + + // Invalid MACs + { + Name: "EmptyMAC", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + DisallowContains: []string{InvalidMAC, "empty"}, + }, + { + Name: "ShortMAC", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:0": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "0.0.0.0", + Netmask: "255.255.255.0", + }, + }, + }, + }, + }, + DisallowContains: []string{InvalidMAC, "00:00:00:00:00:0"}, + }, + { + Name: "UpperMAC", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "AA:BB:CC:DD:EE:FF": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "0.0.0.0", + Netmask: "255.255.255.0", + }, + }, + }, + }, + }, + DisallowContains: []string{InvalidMAC, "AA:BB:CC:DD:EE:FF"}, + }, + { + Name: "MultiInvalidMAC", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "": v1alpha2.NetworkInterface{DisableDHCP: true}, + "00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + "11:00:11:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + "AA:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + DisallowContains: []string{ + InvalidMAC, + "empty", + "00:00:00", + "11:00:11:00", + "AA:00:00:00:00", + }, + }, + + // MAC duplication + { + Name: "DuplicateMAC", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + Objects: []*v1alpha2.Hardware{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "hw1", + }, + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + }, + DisallowContains: []string{MACAssociated, "hw1", "00:00:00:00:00:00"}, + }, + { + Name: "MACAssociated", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + Objects: []*v1alpha2.Hardware{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "hw1", + }, + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{DisableDHCP: true}, + }, + }, + }, + }, + DisallowContains: []string{MACAssociated, "hw1", "00:00:00:00:00:00"}, + }, + + // IP duplication + { + Name: "DuplicateIP", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "1.1.1.1", + }, + }, + "00:00:00:00:00:01": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "1.1.1.1", + }, + }, + }, + }, + }, + DisallowContains: []string{DuplicateIP, "1.1.1.1"}, + }, + { + Name: "IPAssociated", + Submission: &v1alpha2.Hardware{ + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:00": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "1.1.1.1", + }, + }, + }, + }, + }, + Objects: []*v1alpha2.Hardware{ + { + Spec: v1alpha2.HardwareSpec{ + NetworkInterfaces: v1alpha2.NetworkInterfaces{ + "00:00:00:00:00:01": v1alpha2.NetworkInterface{ + DHCP: &v1alpha2.DHCP{ + IP: "1.1.1.1", + }, + }, + }, + }, + }, + }, + DisallowContains: []string{IPAssociated, "1.1.1.1"}, + }, + } + + for _, tc := range tests { + t.Run(tc.Name, func(t *testing.T) { + // Clear out all objects from previous tests and register the new ones. + if err := clnt.DeleteAllOf(context.Background(), &v1alpha2.Hardware{}); err != nil { + t.Fatalf("delete existing objects: %v", err) + } + for _, o := range tc.Objects { + // If the object doesn't have a name fill it in. + if o.Name == "" { + o.Name = rand.String(10) + } + if err := clnt.Create(context.Background(), o); err != nil { + t.Fatalf("registering objects with fake client: %v", err) + } + } + + // We're assuming the json marshaller works with the controller runtime decoder. + buf, err := json.Marshal(tc.Submission) + if err != nil { + t.Fatalf("encoding test object: %v", err) + } + + req := admission.Request{ + AdmissionRequest: admissionv1.AdmissionRequest{ + Object: runtime.RawExtension{ + Raw: buf, + }, + }, + } + + // Run the object through the handler. + resp := adm.Handle(context.Background(), req) + + if len(tc.DisallowContains) == 0 { + if !resp.Allowed { + t.Fatalf("disallowed: %v", resp.Result.Message) + } + } else { + if resp.Allowed { + t.Fatalf("expected object to be disallowed but was allowed") + } + + for _, substr := range tc.DisallowContains { + if !strings.Contains(resp.Result.Message, substr) { + t.Fatalf( + "expected reason to contain '%v' but got '%v'", + substr, + resp.Result.Message, + ) + } + } + } + }) + } +} diff --git a/internal/hardware/duplicate.go b/internal/hardware/duplicate.go new file mode 100644 index 000000000..bd102e1e4 --- /dev/null +++ b/internal/hardware/duplicate.go @@ -0,0 +1,39 @@ +package hardware + +import ( + "fmt" + "strings" + + "github.com/tinkerbell/tink/api/v1alpha2" +) + +type duplicates map[string]*hardwareList + +func (d *duplicates) AppendTo(k string, hw ...v1alpha2.Hardware) { + if _, ok := (*d)[k]; !ok { + (*d)[k] = &hardwareList{} + } + (*d)[k].Append(hw...) +} + +func (d duplicates) String() string { + var buf []string + for mac, dupes := range d { + buf = append(buf, fmt.Sprintf("{%v: %v}", mac, dupes.String())) + } + return strings.Join(buf, "; ") +} + +type hardwareList []v1alpha2.Hardware + +func (d *hardwareList) Append(hw ...v1alpha2.Hardware) { + *d = append(*d, hw...) +} + +func (d hardwareList) String() string { + var names []string + for _, hw := range d { + names = append(names, fmt.Sprintf("[Name: %v; Namespace: %v]", hw.Name, hw.Namespace)) + } + return strings.Join(names, " ") +} diff --git a/internal/hardware/internal/index.go b/internal/hardware/internal/index.go new file mode 100644 index 000000000..05372c4a1 --- /dev/null +++ b/internal/hardware/internal/index.go @@ -0,0 +1,30 @@ +package internal + +import ( + "github.com/tinkerbell/tink/api/v1alpha2" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// HardwareByMACAddr is an index used with a controller-runtime client to lookup hardware by MAC. +const HardwareByMACAddr = ".Spec.NetworkInterfaces.MAC" + +// HardwareByMACAddrFunc returns a list of MAC addresses for a Hardware object. +func HardwareByMACAddrFunc(obj client.Object) []string { + hw, ok := obj.(*v1alpha2.Hardware) + if !ok { + return nil + } + return hw.GetMACs() +} + +// HardwareByIPAddr is an index used with a controller-runtime client to lookup hardware by IP. +const HardwareByIPAddr = ".Spec.NetworkInterfaces.DHCP.IP" + +// HardwareByIPAddrFunc returns a list of IP addresses for a Hardware object. +func HardwareByIPAddrFunc(obj client.Object) []string { + hw, ok := obj.(*v1alpha2.Hardware) + if !ok { + return nil + } + return hw.GetIPs() +}