Validations

lucian-tosa · lucian-tosa · commit d2f0323840e7 · 2025-05-21T18:29:49.000+02:00
diff --git a/api/v1/mdb/mongodb_roles_validation.go b/api/v1/mdb/mongodb_roles_validation.go
@@ -163,6 +163,9 @@ func validateAuthenticationRestriction(ar AuthenticationRestriction) v1.Validati
 // and returns true if the first one is greater or equal the second
 // false otherwise
 func isVersionAtLeast(mdbVersion string, expectedVersion string) (bool, error) {
+	if mdbVersion == "" {
+		return true, nil
+	}
 	currentV, err := semver.Make(mdbVersion)
 	if err != nil {
 		return false, xerrors.Errorf("error parsing mdbVersion %s with semver: %w", mdbVersion, err)
@@ -270,7 +273,7 @@ func isValidCIDR(cidr string) bool {
 	return err == nil
 }
 
-func roleIsCorrectlyConfigured(role MongoDbRole, mdbVersion string) v1.ValidationResult {
+func RoleIsCorrectlyConfigured(role MongoDBRole, mdbVersion string) v1.ValidationResult {
 	// Extensive validation of the roles attribute
 
 	if role.Role == "" {
@@ -305,10 +308,10 @@ func roleIsCorrectlyConfigured(role MongoDbRole, mdbVersion string) v1.Validatio
 	return v1.ValidationSuccess()
 }
 
-func rolesAttributeisCorrectlyConfigured(d DbCommonSpec) v1.ValidationResult {
+func rolesAttributeIsCorrectlyConfigured(d DbCommonSpec) v1.ValidationResult {
 	// Validate every single entry and return error on the first one that fails validation
 	for _, role := range d.Security.Roles {
-		if res := roleIsCorrectlyConfigured(role, d.Version); res.Level == v1.ErrorLevel {
+		if res := RoleIsCorrectlyConfigured(role, d.Version); res.Level == v1.ErrorLevel {
 			return v1.ValidationError("Error validating role - %s", res.Msg)
 		}
 	}
diff --git a/api/v1/mdb/mongodb_types.go b/api/v1/mdb/mongodb_types.go
@@ -736,6 +736,7 @@ type SharedConnectionSpec struct {
 	CloudManagerConfig *PrivateCloudConfig `json:"cloudManager,omitempty"`
 }
 
+// +kubebuilder:validation:XValidation:rule="!(has(self.roles) && has(self.roleRefs)) || !(self.roles.size() > 0 && self.roleRefs.size() > 0)",message="At most one of roles or roleRefs can be non-empty"
 type Security struct {
 	TLSConfig      *TLSConfig      `json:"tls,omitempty"`
 	Authentication *Authentication `json:"authentication,omitempty"`
diff --git a/api/v1/mdb/mongodb_validation.go b/api/v1/mdb/mongodb_validation.go
@@ -195,7 +195,7 @@ func CommonValidators() []func(d DbCommonSpec) v1.ValidationResult {
 		deploymentsMustHaveAgentModeInAuthModes,
 		scramSha1AuthValidation,
 		ldapAuthRequiresEnterprise,
-		rolesAttributeisCorrectlyConfigured,
+		rolesAttributeIsCorrectlyConfigured,
 		agentModeIsSetIfMoreThanADeploymentAuthModeIsSet,
 		ldapGroupDnIsSetIfLdapAuthzIsEnabledAndAgentsAreExternal,
 		specWithExactlyOneSchema,
diff --git a/api/v1/role/clustermongodbrole_validation.go b/api/v1/role/clustermongodbrole_validation.go
@@ -0,0 +1,32 @@
+package role
+
+import (
+	"golang.org/x/xerrors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	v1 "github.com/mongodb/mongodb-kubernetes/api/v1"
+	"github.com/mongodb/mongodb-kubernetes/api/v1/mdb"
+)
+
+var _ webhook.Validator = &ClusterMongoDBRole{}
+
+func (r *ClusterMongoDBRole) ValidateCreate() (warnings admission.Warnings, err error) {
+	return nil, r.ProcessValidationsOnReconcile(nil)
+}
+
+func (r *ClusterMongoDBRole) ValidateUpdate(old runtime.Object) (warnings admission.Warnings, err error) {
+	return nil, r.ProcessValidationsOnReconcile(old.(*ClusterMongoDBRole))
+}
+
+func (r *ClusterMongoDBRole) ValidateDelete() (warnings admission.Warnings, err error) {
+	return nil, nil
+}
+
+func (r *ClusterMongoDBRole) ProcessValidationsOnReconcile(_ *ClusterMongoDBRole) error {
+	if res := mdb.RoleIsCorrectlyConfigured(r.Spec.MongoDBRole, ""); res.Level == v1.ErrorLevel {
+		return xerrors.Errorf("Error validating role - %s", res.Msg)
+	}
+	return nil
+}
diff --git a/config/webhooks/webhooks.yaml b/config/webhooks/webhooks.yaml
@@ -73,3 +73,26 @@ webhooks:
     failurePolicy: Ignore
     sideEffects: None
     timeoutSeconds: 5
+
+  - name: validate-clustermongodbroles.mongodb.com
+    admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: Cg==
+      service:
+        name: mongodb-kubernetes-operator
+        namespace: placeholder
+        path: /validate-mongodb-com-v1-clustermongodbrole
+    rules:
+      - apiGroups:
+          - mongodb.com
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clustermongodbroles
+    failurePolicy: Ignore
+    sideEffects: None
+    timeoutSeconds: 5
diff --git a/pkg/webhook/setup.go b/pkg/webhook/setup.go
@@ -76,12 +76,14 @@ func GetWebhookConfig(serviceLocation types.NamespacedName) admissionv1.Validati
 
 	// need to make variables as one can't take the address of a constant
 	scope := admissionv1.NamespacedScope
+	clusterScope := admissionv1.ClusterScope
 	sideEffects := admissionv1.SideEffectClassNone
 	failurePolicy := admissionv1.Ignore
 	var port int32 = 443
 	dbPath := "/validate-mongodb-com-v1-mongodb"
 	dbmultiPath := "/validate-mongodb-com-v1-mongodbmulticluster"
 	omPath := "/validate-mongodb-com-v1-mongodbopsmanager"
+	clusterrolePath := "/validate-mongodb-com-v1-clustermongodbrole"
 	return admissionv1.ValidatingWebhookConfiguration{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "mdbpolicy.mongodb.com",
@@ -178,6 +180,37 @@ func GetWebhookConfig(serviceLocation types.NamespacedName) admissionv1.Validati
 				SideEffects:             &sideEffects,
 				FailurePolicy:           &failurePolicy,
 			},
+			{
+				Name: "clustermdbrolepolicy.mongodb.com",
+				ClientConfig: admissionv1.WebhookClientConfig{
+					Service: &admissionv1.ServiceReference{
+						Name:      serviceLocation.Name,
+						Namespace: serviceLocation.Namespace,
+						Path:      &clusterrolePath,
+						// NOTE: port isn't supported in k8s 1.11 and lower. It works in
+						// 1.15 but I am unsure about the intervening versions.
+						Port: &port,
+					},
+					CABundle: caBytes,
+				},
+				Rules: []admissionv1.RuleWithOperations{
+					{
+						Operations: []admissionv1.OperationType{
+							admissionv1.Create,
+							admissionv1.Update,
+						},
+						Rule: admissionv1.Rule{
+							APIGroups:   []string{"mongodb.com"},
+							APIVersions: []string{"*"},
+							Resources:   []string{"clustermongodbroles"},
+							Scope:       &clusterScope,
+						},
+					},
+				},
+				AdmissionReviewVersions: []string{"v1"},
+				SideEffects:             &sideEffects,
+				FailurePolicy:           &failurePolicy,
+			},
 		},
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -736,6 +736,7 @@ type SharedConnectionSpec struct {`
`736`	`736`	CloudManagerConfig *PrivateCloudConfig `json:"cloudManager,omitempty"`
`737`	`737`	`}`
`738`	`738`
	`739`	`+// +kubebuilder:validation:XValidation:rule="!(has(self.roles) && has(self.roleRefs)) \|\| !(self.roles.size() > 0 && self.roleRefs.size() > 0)",message="At most one of roles or roleRefs can be non-empty"`
`739`	`740`	`type Security struct {`
`740`	`741`	TLSConfig *TLSConfig `json:"tls,omitempty"`
`741`	`742`	Authentication *Authentication `json:"authentication,omitempty"`