Add IngressController .spec.domain API validation

This commit fixes OCPBUGS-55192.

https://issues.redhat.com/browse/OCPBUGS-55192

Add ratcheting validation of the .spec.domain field of ingress controller.
Domain must consist of lowercase alphanumeric characters '-' or '.',
and each label must start and end with an alphanumeric character
and not exceed 63 characters.

* operator/v1/types_ingress.go
(IngressControllerSpec): Add ratcheting validation of the Domain field.
* operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
Add test cases for the ingress controller .spec.domain field validation

Generated files:
* operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml

Author: grzpiotrowski

operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml

@@ -565,3 +565,99 @@ tests:
           tuningOptions:
             connectTimeout: "4 s"
       expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.connectTimeout: Invalid value: \"4 s\": spec.tuningOptions.connectTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should be able to create an IngressController with valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+    - name: Should not be able to create an IngressController with invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character"
+  onUpdate:
+    - name: Should be able to update invalid domain to a valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+    - name: Should be able to retain already invalid domain when it is not modified on update
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+    - name: Should not be able to update already invalid domain to another invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.*.com"
+      expectedError: "domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character"

operator/v1/types_ingress.go

@@ -68,6 +68,7 @@ type IngressControllerSpec struct {
 	//
 	// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
 	//
+	// +kubebuilder:validation:XValidation:rule="(has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')",message="domain must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character"
 	// +optional
 	Domain string `json:"domain,omitempty"`
 

operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml

@@ -165,6 +165,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller

operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml

@@ -166,6 +166,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller

operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerLBSubnetsAWS.yaml

@@ -166,6 +166,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller

operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController+IngressControllerLBSubnetsAWS.yaml

@@ -167,6 +167,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller

operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml

@@ -166,6 +166,11 @@ spec:
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lowercase alphanumeric characters,
+                    '-' or '.', and each label must start and end with an alphanumeric
+                    character
+                  rule: (has(oldSelf) && self == oldSelf) || self.matches('^([a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)'+'(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$')
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller