Add IngressController .spec.domain API validation

This commit fixes OCPBUGS-55192.

https://issues.redhat.com/browse/OCPBUGS-55192

Add ratcheting validation of the .spec.domain field of ingress controller.
Domain must consist of lowercase alphanumeric characters '-' or '.',
and each label must start and end with an alphanumeric character.

* operator/v1/types_ingress.go
(IngressControllerSpec): Add ratcheting validation of the Domain field.

* operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
Add test cases for the ingress controller .spec.domain field validation

Author: grzpiotrowski

openapi/generated_openapi/zz_generated.openapi.go

@@ -29269,7 +29269,6 @@
           "$ref": "#/definitions/io.k8s.api.core.v1.LocalObjectReference"
         },
         "domain": {
-          "description": "domain is a DNS name serviced by the ingress controller and is used to configure multiple features:\n\n* For the LoadBalancerService endpoint publishing strategy, domain is\n  used to configure DNS records. See endpointPublishingStrategy.\n\n* When using a generated default certificate, the certificate will be valid\n  for domain and its subdomains. See defaultCertificate.\n\n* The value is published to individual Route statuses so that end-users\n  know where to target external DNS records.\n\ndomain must be unique among all IngressControllers, and cannot be updated.\n\nIf empty, defaults to ingress.config.openshift.io/cluster .spec.domain.",
           "type": "string"
         },
         "endpointPublishingStrategy": {

openapi/openapi.json

@@ -565,3 +565,99 @@ tests:
           tuningOptions:
             connectTimeout: "4 s"
       expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.connectTimeout: Invalid value: \"4 s\": spec.tuningOptions.connectTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should be able to create an IngressController with valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+    - name: Should not be able to create an IngressController with invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character"
+  onUpdate:
+    - name: Should be able to update invalid domain to a valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+    - name: Should be able to retain already invalid domain when it is not modified on update
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+    - name: Should not be able to update already invalid domain to another invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.*.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character"

operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml

@@ -69,6 +69,9 @@ type IngressControllerSpec struct {
 	// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
 	//
 	// +optional
+	// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]+|[a-z0-9]+[a-z0-9\\-]*[a-z0-9]+)(\\.([a-z0-9]+|[a-z0-9]+[a-z0-9\\-]*[a-z0-9]+))*$')"
+	// message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character"
+
 	Domain string `json:"domain,omitempty"`
 
 	// httpErrorCodePages specifies a configmap with custom error pages.