Adding webhook validation and test cases

vishu2498 · vishu2498 · commit 8cc7e3d83251 · 2025-02-27T15:16:38.000+05:30
diff --git a/api/v1beta1/azurecluster_validation.go b/api/v1beta1/azurecluster_validation.go
@@ -203,6 +203,7 @@ func validateNetworkSpec(controlPlaneEnabled bool, networkSpec NetworkSpec, old
 		lbType = networkSpec.APIServerLB.Type
 	}
 	allErrs = append(allErrs, validatePrivateDNSZoneName(networkSpec.PrivateDNSZoneName, controlPlaneEnabled, lbType, fldPath.Child("privateDNSZoneName"))...)
+	allErrs = append(allErrs, validatePrivateDNSZoneResourceGroup(networkSpec.PrivateDNSZoneName, networkSpec.PrivateDNSZoneResourceGroup, fldPath.Child("privateDNSZoneResourceGroup"))...)
 
 	if len(allErrs) == 0 {
 		return nil
@@ -556,6 +557,23 @@ func validatePrivateDNSZoneName(privateDNSZoneName string, controlPlaneEnabled b
 	return allErrs
 }
 
+// validatePrivateDNSZoneName validates the PrivateDNSZoneResourceGroup.
+func validatePrivateDNSZoneResourceGroup(privateDNSZoneName string, privateDNSZoneResourceGroup string, fldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if privateDNSZoneResourceGroup != "" {
+		if valid.IsNull(privateDNSZoneName) {
+			allErrs = append(allErrs, field.Invalid(fldPath, privateDNSZoneName,
+				"PrivateDNSZoneResourceGroup can only be used when PrivateDNSZoneName is provided"))
+		}
+		if err := validateResourceGroup(privateDNSZoneResourceGroup, fldPath); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
+	return allErrs
+}
+
 // validateCloudProviderConfigOverrides validates CloudProviderConfigOverrides.
 func validateCloudProviderConfigOverrides(oldConfig, newConfig *CloudProviderConfigOverrides, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
diff --git a/api/v1beta1/azurecluster_validation_test.go b/api/v1beta1/azurecluster_validation_test.go
@@ -465,6 +465,9 @@ func TestResourceGroupValid(t *testing.T) {
 		err := validateResourceGroup(testCase.resourceGroup,
 			field.NewPath("spec").Child("networkSpec").Child("vnet").Child("resourceGroup"))
 		g.Expect(err).NotTo(HaveOccurred())
+		err = validateResourceGroup(testCase.resourceGroup,
+			field.NewPath("spec").Child("networkSpec").Child("privateDNSZoneResourceGroup"))
+		g.Expect(err).NotTo(HaveOccurred())
 	})
 }
 
@@ -487,6 +490,12 @@ func TestResourceGroupInvalid(t *testing.T) {
 		g.Expect(err.Type).To(Equal(field.ErrorTypeInvalid))
 		g.Expect(err.Field).To(Equal("spec.networkSpec.vnet.resourceGroup"))
 		g.Expect(err.BadValue).To(BeEquivalentTo(testCase.resourceGroup))
+		err = validateResourceGroup(testCase.resourceGroup,
+			field.NewPath("spec").Child("networkSpec").Child("privateDNSZoneResourceGroup"))
+		g.Expect(err).NotTo(BeNil())
+		g.Expect(err.Type).To(Equal(field.ErrorTypeInvalid))
+		g.Expect(err.Field).To(Equal("spec.networkSpec.privateDNSZoneResourceGroup"))
+		g.Expect(err.BadValue).To(BeEquivalentTo(testCase.resourceGroup))
 	})
 }
 
@@ -1371,6 +1380,81 @@ func TestPrivateDNSZoneName(t *testing.T) {
 	}
 }
 
+func TestPrivateDNSZoneResourceGroup(t *testing.T) {
+	testcases := []struct {
+		name        string
+		network     NetworkSpec
+		wantErr     bool
+		expectedErr field.Error
+	}{
+		{
+			name: "testEmptyPrivateDNSZoneNameAndResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "",
+					PrivateDNSZoneResourceGroup: "",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "testValidPrivateDNSZoneNameAndResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "good.dns.io",
+					PrivateDNSZoneResourceGroup: "test-rg",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "testInvalidPrivateDNSZoneResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "good.dns.io",
+					PrivateDNSZoneResourceGroup: "inv@lid-rg",
+				},
+			},
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "spec.networkSpec.privateDNSZoneResourceGroup",
+				BadValue: "inv@lid-rg",
+				Detail:   "resourceGroup doesn't match regex ^[-\\w\\._\\(\\)]+$",
+			},
+			wantErr: true,
+		},
+		{
+			name: "testEmptyPrivateDNSZoneNameWithValidResourceGroup",
+			network: NetworkSpec{
+				NetworkClassSpec: NetworkClassSpec{
+					PrivateDNSZoneName:          "",
+					PrivateDNSZoneResourceGroup: "test-rg",
+				},
+			},
+			expectedErr: field.Error{
+				Type:     "FieldValueInvalid",
+				Field:    "spec.networkSpec.privateDNSZoneResourceGroup",
+				BadValue: "",
+				Detail:   "PrivateDNSZoneResourceGroup can only be used when PrivateDNSZoneName is provided",
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, test := range testcases {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+			err := validatePrivateDNSZoneResourceGroup(test.network.PrivateDNSZoneName, test.network.PrivateDNSZoneResourceGroup, field.NewPath("spec", "networkSpec", "privateDNSZoneResourceGroup"))
+			if test.wantErr {
+				g.Expect(err).To(ContainElement(MatchError(test.expectedErr.Error())))
+			} else {
+				g.Expect(err).To(BeEmpty())
+			}
+		})
+	}
+}
+
 func TestValidateNodeOutboundLB(t *testing.T) {
 	testcases := []struct {
 		name        string
diff --git a/api/v1beta1/azurecluster_webhook.go b/api/v1beta1/azurecluster_webhook.go
@@ -116,6 +116,13 @@ func (c *AzureCluster) ValidateUpdate(oldRaw runtime.Object) (admission.Warnings
 		allErrs = append(allErrs, err)
 	}
 
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("spec", "networkSpec", "privateDNSZoneResourceGroup"),
+		old.Spec.NetworkSpec.PrivateDNSZoneResourceGroup,
+		c.Spec.NetworkSpec.PrivateDNSZoneResourceGroup); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
 	// Allow enabling azure bastion but avoid disabling it.
 	if old.Spec.BastionSpec.AzureBastion != nil && !reflect.DeepEqual(old.Spec.BastionSpec.AzureBastion, c.Spec.BastionSpec.AzureBastion) {
 		allErrs = append(allErrs,
diff --git a/api/v1beta1/azureclustertemplate_validation.go b/api/v1beta1/azureclustertemplate_validation.go
@@ -62,6 +62,8 @@ func (c *AzureClusterTemplate) validateClusterTemplateSpec() field.ErrorList {
 
 	allErrs = append(allErrs, c.validatePrivateDNSZoneName()...)
 
+	allErrs = append(allErrs, c.validatePrivateDNSZoneResourceGroup()...)
+
 	return allErrs
 }
 
@@ -169,3 +171,18 @@ func (c *AzureClusterTemplate) validatePrivateDNSZoneName() field.ErrorList {
 
 	return allErrs
 }
+
+func (c *AzureClusterTemplate) validatePrivateDNSZoneResourceGroup() field.ErrorList {
+	var allErrs field.ErrorList
+
+	fldPath := field.NewPath("spec").Child("template").Child("spec").Child("networkSpec").Child("privateDNSZoneResourceGroup")
+	networkSpec := c.Spec.Template.Spec.NetworkSpec
+
+	allErrs = append(allErrs, validatePrivateDNSZoneResourceGroup(
+		networkSpec.PrivateDNSZoneName,
+		networkSpec.PrivateDNSZoneResourceGroup,
+		fldPath,
+	)...)
+
+	return allErrs
+}
diff --git a/api/v1beta1/azureclustertemplate_validation_test.go b/api/v1beta1/azureclustertemplate_validation_test.go
@@ -822,6 +822,88 @@ func TestValidatePrivateDNSZoneName(t *testing.T) {
 		})
 	}
 }
+
+func TestValidatePrivateDNSZoneResourceGroup(t *testing.T) {
+	cases := []struct {
+		name            string
+		clusterTemplate *AzureClusterTemplate
+		expectValid     bool
+	}{
+		{
+			name: "not set",
+			clusterTemplate: &AzureClusterTemplate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster-template",
+				},
+				Spec: AzureClusterTemplateSpec{
+					Template: AzureClusterTemplateResource{
+						Spec: AzureClusterTemplateResourceSpec{
+							NetworkSpec: NetworkTemplateSpec{},
+						},
+					},
+				},
+			},
+			expectValid: true,
+		},
+		{
+			name: "show be set if PrivateDNSZoneName is given",
+			clusterTemplate: &AzureClusterTemplate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster-template",
+				},
+				Spec: AzureClusterTemplateSpec{
+					Template: AzureClusterTemplateResource{
+						Spec: AzureClusterTemplateResourceSpec{
+							NetworkSpec: NetworkTemplateSpec{
+								NetworkClassSpec: NetworkClassSpec{
+									PrivateDNSZoneName:          "e.f.g",
+									PrivateDNSZoneResourceGroup: "a.b.c",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectValid: true,
+		},
+		{
+			name: "show not be set if PrivateDNSZoneName is not given",
+			clusterTemplate: &AzureClusterTemplate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster-template",
+				},
+				Spec: AzureClusterTemplateSpec{
+					Template: AzureClusterTemplateResource{
+						Spec: AzureClusterTemplateResourceSpec{
+							NetworkSpec: NetworkTemplateSpec{
+								NetworkClassSpec: NetworkClassSpec{
+									PrivateDNSZoneResourceGroup: "a.b.c",
+								},
+							},
+						},
+					},
+				},
+			},
+			expectValid: false,
+		},
+	}
+
+	for _, c := range cases {
+		tc := c
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+			res := tc.clusterTemplate.validatePrivateDNSZoneResourceGroup()
+
+			if tc.expectValid {
+				g.Expect(res).To(BeNil())
+			} else {
+				g.Expect(res).NotTo(BeNil())
+			}
+		})
+	}
+}
+
 func TestValidateNetworkSpec(t *testing.T) {
 	cases := []struct {
 		name            string
