From fc6a26f837c74028f7c39b683b2aa2e001ded2da Mon Sep 17 00:00:00 2001
From: Gaurav Jaswal
Date: Mon, 25 Nov 2024 12:53:31 -0500
Subject: [PATCH] Adding cluster-arn validation to klusterlet CRD

Signed-off-by: Erica Jin <132393634+EricaJ6@users.noreply.github.com>
---
 ...n-cluster-management.io_klusterlets.crd.yaml | 2 ++
 ...n-cluster-management.io_klusterlets.crd.yaml | 2 ++
 operator/v1/types_klusterlet.go | 2 ++
 test/integration/api/klusterlet_test.go | 17 +++++++++++++++++
 4 files changed, 23 insertions(+)

diff --git a/crdsv1beta1/0001_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/crdsv1beta1/0001_00_operator.open-cluster-management.io_klusterlets.crd.yaml
index c211a638d..066e6bc99 100644
--- a/crdsv1beta1/0001_00_operator.open-cluster-management.io_klusterlets.crd.yaml
+++ b/crdsv1beta1/0001_00_operator.open-cluster-management.io_klusterlets.crd.yaml
@@ -204,10 +204,12 @@ spec:
 description: 'The arn of the hub cluster (ie: an EKS cluster). This will be required to pass information to hub, which hub will use to create IAM identities for this klusterlet. Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.'
 type: string
 minLength: 1
+ pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
 managedClusterArn:
 description: 'The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup. Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.'
 type: string
 minLength: 1
+ pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
 registrationImagePullSpec:
 description: RegistrationImagePullSpec represents the desired image configuration of registration agent. quay.io/open-cluster-management.io/registration:latest will be used if unspecified.
 type: string
diff --git a/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
index d5e0e0ef7..442d03160 100644
--- a/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
+++ b/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
@@ -312,6 +312,7 @@ spec:
 The arn of the hub cluster (ie: an EKS cluster). This will be required to pass information to hub, which hub will use to create IAM identities for this klusterlet.
 Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.
 minLength: 1
+ pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
 type: string
 managedClusterArn:
 description: |-
@@ -319,6 +320,7 @@ spec:
 as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup.
 Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.
 minLength: 1
+ pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
 type: string
 type: object
 type: object
diff --git a/operator/v1/types_klusterlet.go b/operator/v1/types_klusterlet.go
index 81863e53e..dde6ccb14 100644
--- a/operator/v1/types_klusterlet.go
+++ b/operator/v1/types_klusterlet.go
@@ -195,12 +195,14 @@ type AwsIrsa struct {
 // Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.
 // +required
 // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Pattern=`^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$`
 HubClusterArn string `json:"hubClusterArn"`
 
 // The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub
 // as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup.
 // Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.
 // +required
 // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:Pattern=`^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$`
 ManagedClusterArn string `json:"managedClusterArn"`
 }
diff --git a/test/integration/api/klusterlet_test.go b/test/integration/api/klusterlet_test.go
index da4ad1e00..0b85dd3bb 100644
--- a/test/integration/api/klusterlet_test.go
+++ b/test/integration/api/klusterlet_test.go
@@ -37,6 +37,23 @@ var _ = Describe("Create Klusterlet API", func() {
 Expect(err).NotTo(BeNil())
 })
 })
+
+ Context("Create with aws auth and invalid arn", func() {
+ It("should reject the klusterlet creation", func() {
+ klusterlet.Spec.RegistrationConfiguration = &operatorv1.RegistrationConfiguration{
+ RegistrationDriver: operatorv1.RegistrationDriver{
+ AuthType: "awsirsa",
+ AwsIrsa: &operatorv1.AwsIrsa{
+ ManagedClusterArn: "arn:aws:bks:us-west-2:123456789012:cluster/managed-cluster1",
+ HubClusterArn: "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+ },
+ },
+ }
+ _, err := operatorClient.OperatorV1().Klusterlets().Create(context.TODO(), klusterlet, metav1.CreateOptions{})
+ fmt.Println(err)
+ Expect(err).NotTo(BeNil())
+ })
+ })
 })
 
 var _ = Describe("valid HubApiServerHostAlias", func() {
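Review bot: The `// Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.` and `// Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.` comments sitting just above each new Pattern marker no longer satisfy the pattern they document: both lack the `aws` partition segment and carry an 11-digit account ID where the regex demands `\d{12}`, and these comments are what the generated CRD descriptions in the two YAML hunks are copied from. Update them to values the validation accepts, e.g. `// Example - arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1.` and `// Example - arn:aws:eks:us-west-2:123456789012:cluster/managed-cluster1.`. Separately, hard-coding the `aws` partition rejects clusters in the GovCloud and China partitions (`arn:aws-us-gov:...`, `arn:aws-cn:...`), and EKS cluster names may also contain underscores; if those deployments are meant to be supported, `^arn:(aws|aws-us-gov|aws-cn):eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9_-]+)$` keeps the input just as tightly bounded while admitting them. The AwsIrsa struct begins above this hunk.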
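Review bot: `fmt.Println(err)` in the new It block looks like a leftover debugging print; Ginkgo already reports the error on failure, so drop it (and the fmt import if this is its only use). `Expect(err).NotTo(BeNil())` also passes for any error at all, including a transient API-server failure, so the test would not notice if the pattern validation silently stopped applying; asserting the kind of error, e.g. `Expect(apierrors.IsInvalid(err)).To(BeTrue())` via `k8s.io/apimachinery/pkg/api/errors`, or `Expect(err.Error()).To(ContainSubstring("managedClusterArn"))`, would pin the rejection to the CRD pattern. Only managedClusterArn is exercised here; a sibling case with a malformed hubClusterArn would cover the second pattern added in the same commit. The enclosing Describe block starts before this hunk.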