Add IngressController .spec.domain API validation

grzpiotrowski · grzpiotrowski · commit 9a9eb85e0304 · 2025-05-13T16:14:48.000+01:00
This commit fixes OCPBUGS-55192. https://issues.redhat.com/browse/OCPBUGS-55192 Add ratcheting validation of the .spec.domain field of ingress controller. Domain must consist of lowercase alphanumeric characters '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters. * operator/v1/types_ingress.go (IngressControllerSpec): Add ratcheting validation of the Domain field. * operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml Add test cases for the ingress controller .spec.domain field validation Generated files: * operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml * operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml * operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml * operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml * operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml
diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
@@ -565,3 +565,109 @@ tests:
           tuningOptions:
             connectTimeout: "4 s"
       expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.connectTimeout: Invalid value: \"4 s\": spec.tuningOptions.connectTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should be able to create an IngressController with valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+    - name: Should not be able to create an IngressController with invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
+    - name: Should not be able to create an IngressController with domain label exceeding 63 characters
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.1aaaaaaaaa2bbbbbbbbb3ccccccccc4ddddddddd5eeeeeeeee6fffffffff7gggg.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
+  onUpdate:
+    - name: Should be able to update invalid domain to a valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+    - name: Should be able to retain already invalid domain when it is not modified on update
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+    - name: Should not be able to update already invalid domain to another invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.*.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
diff --git a/operator/v1/types_ingress.go b/operator/v1/types_ingress.go
@@ -68,6 +68,7 @@ type IngressControllerSpec struct {
 	//
 	// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
 	//
+	// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters"
 	// +optional
 	Domain string `json:"domain,omitempty"`
 
diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
@@ -165,6 +165,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character and not exceed 63 characters
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
@@ -166,6 +166,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character and not exceed 63 characters
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml
@@ -166,6 +166,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character and not exceed 63 characters
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml
@@ -167,6 +167,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character and not exceed 63 characters
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml
@@ -166,6 +166,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character and not exceed 63 characters
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
