VM sestore webhook

Signed-off-by: Michael Henriksen <[email protected]>
bk201 · Sep 10, 2020 · d265577 · d265577
1 parent 33cd708
commit d265577
Show file tree

Hide file tree

Showing 7 changed files with 694 additions and 11 deletions.
diff --git a/pkg/virt-api/api.go b/pkg/virt-api/api.go
@@ -569,6 +569,9 @@ func (app *virtAPIApp) registerValidatingWebhooks() {
 	http.HandleFunc(components.VMSnapshotValidatePath, func(w http.ResponseWriter, r *http.Request) {
 		validating_webhook.ServeVMSnapshots(w, r, app.clusterConfig, app.virtCli)
 	})
+	http.HandleFunc(components.VMRestoreValidatePath, func(w http.ResponseWriter, r *http.Request) {
+		validating_webhook.ServeVMRestores(w, r, app.clusterConfig, app.virtCli)
+	})
 	http.HandleFunc(components.StatusValidatePath, func(w http.ResponseWriter, r *http.Request) {
 		validating_webhook.ServeStatusValidation(w, r)
 	})

diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel b/pkg/virt-api/webhooks/validating-webhook/admitters/BUILD.bazel
@@ -10,6 +10,7 @@ go_library(
         "vmi-preset-admitter.go",
         "vmi-update-admitter.go",
         "vmirs-admitter.go",
+        "vmrestore-admitter.go",
         "vms-admitter.go",
         "vmsnapshot-admitter.go",
     ],
@@ -50,6 +51,7 @@ go_test(
         "vmi-preset-admitter_test.go",
         "vmi-update-admitter_test.go",
         "vmirs-admitter_test.go",
+        "vmrestore-admitter_test.go",
         "vms-admitter_test.go",
         "vmsnapshot-admitter_test.go",
     ],
@@ -62,6 +64,7 @@ go_test(
         "//pkg/virt-operator/creation/rbac:go_default_library",
         "//staging/src/kubevirt.io/client-go/api/v1:go_default_library",
         "//staging/src/kubevirt.io/client-go/apis/snapshot/v1alpha1:go_default_library",
+        "//staging/src/kubevirt.io/client-go/generated/kubevirt/clientset/versioned/fake:go_default_library",
         "//staging/src/kubevirt.io/client-go/kubecli:go_default_library",
         "//staging/src/kubevirt.io/client-go/log:go_default_library",
         "//vendor/github.com/golang/mock/gomock:go_default_library",

diff --git a/pkg/virt-api/webhooks/validating-webhook/admitters/vmrestore-admitter.go b/pkg/virt-api/webhooks/validating-webhook/admitters/vmrestore-admitter.go
@@ -0,0 +1,220 @@
+/*
+ * This file is part of the KubeVirt project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright 2018 Red Hat, Inc.
+ *
+ */
+
+package admitters
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+
+	"k8s.io/api/admission/v1beta1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8sfield "k8s.io/apimachinery/pkg/util/validation/field"
+
+	v1 "kubevirt.io/client-go/api/v1"
+	snapshotv1 "kubevirt.io/client-go/apis/snapshot/v1alpha1"
+	"kubevirt.io/client-go/kubecli"
+	webhookutils "kubevirt.io/kubevirt/pkg/util/webhooks"
+	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
+)
+
+// VMRestoreAdmitter validates VirtualMachineRestores
+type VMRestoreAdmitter struct {
+	Config *virtconfig.ClusterConfig
+	Client kubecli.KubevirtClient
+}
+
+// NewVMRestoreAdmitter creates a VMRestoreAdmitter
+func NewVMRestoreAdmitter(config *virtconfig.ClusterConfig, client kubecli.KubevirtClient) *VMRestoreAdmitter {
+	return &VMRestoreAdmitter{
+		Config: config,
+		Client: client,
+	}
+}
+
+// Admit validates an AdmissionReview
+func (admitter *VMRestoreAdmitter) Admit(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
+	if ar.Request.Resource.Group != snapshotv1.SchemeGroupVersion.Group ||
+		ar.Request.Resource.Resource != "virtualmachinerestores" {
+		return webhookutils.ToAdmissionResponseError(fmt.Errorf("Unexpected Resource %+v", ar.Request.Resource))
+	}
+
+	if ar.Request.Operation == v1beta1.Create && !admitter.Config.SnapshotEnabled() {
+		return webhookutils.ToAdmissionResponseError(fmt.Errorf("Snapshot/Restore feature gate not enabled"))
+	}
+
+	vmRestore := &snapshotv1.VirtualMachineRestore{}
+	// TODO ideally use UniversalDeserializer here
+	err := json.Unmarshal(ar.Request.Object.Raw, vmRestore)
+	if err != nil {
+		return webhookutils.ToAdmissionResponseError(err)
+	}
+
+	var causes []metav1.StatusCause
+
+	switch ar.Request.Operation {
+	case v1beta1.Create:
+		targetField := k8sfield.NewPath("spec", "target")
+
+		if vmRestore.Spec.Target.APIGroup == nil {
+			causes = []metav1.StatusCause{
+				{
+					Type:    metav1.CauseTypeFieldValueNotFound,
+					Message: "missing apiGroup",
+					Field:   targetField.Child("apiGroup").String(),
+				},
+			}
+			break
+		}
+
+		gv, err := schema.ParseGroupVersion(*vmRestore.Spec.Target.APIGroup)
+		if err != nil {
+			return webhookutils.ToAdmissionResponseError(err)
+		}
+
+		switch gv.Group {
+		case v1.GroupName:
+			switch vmRestore.Spec.Target.Kind {
+			case "VirtualMachine":
+				causes, err = admitter.validateCreateVM(targetField.Child("name"), ar.Request.Namespace, vmRestore.Spec.Target.Name)
+				if err != nil {
+					return webhookutils.ToAdmissionResponseError(err)
+				}
+			default:
+				causes = []metav1.StatusCause{
+					{
+						Type:    metav1.CauseTypeFieldValueInvalid,
+						Message: "invalid kind",
+						Field:   targetField.Child("kind").String(),
+					},
+				}
+			}
+		default:
+			causes = []metav1.StatusCause{
+				{
+					Type:    metav1.CauseTypeFieldValueInvalid,
+					Message: "invalid apiGroup",
+					Field:   targetField.Child("apiGroup").String(),
+				},
+			}
+		}
+
+		snapshotCauses, err := admitter.validateSnapshot(
+			k8sfield.NewPath("spec", "virtualMachineSnapshotName"),
+			ar.Request.Namespace,
+			vmRestore.Spec.VirtualMachineSnapshotName,
+		)
+		if err != nil {
+			return webhookutils.ToAdmissionResponseError(err)
+		}
+
+		causes = append(causes, snapshotCauses...)
+
+	case v1beta1.Update:
+		prevObj := &snapshotv1.VirtualMachineRestore{}
+		err = json.Unmarshal(ar.Request.OldObject.Raw, prevObj)
+		if err != nil {
+			return webhookutils.ToAdmissionResponseError(err)
+		}
+
+		if !reflect.DeepEqual(prevObj.Spec, vmRestore.Spec) {
+			causes = []metav1.StatusCause{
+				{
+					Type:    metav1.CauseTypeFieldValueInvalid,
+					Message: "spec in immutable after creation",
+					Field:   k8sfield.NewPath("spec").String(),
+				},
+			}
+		}
+	default:
+		return webhookutils.ToAdmissionResponseError(fmt.Errorf("unexpected operation %s", ar.Request.Operation))
+	}
+
+	if len(causes) > 0 {
+		return webhookutils.ToAdmissionResponse(causes)
+	}
+
+	reviewResponse := v1beta1.AdmissionResponse{
+		Allowed: true,
+	}
+	return &reviewResponse
+}
+
+func (admitter *VMRestoreAdmitter) validateCreateVM(field *k8sfield.Path, namespace, name string) ([]metav1.StatusCause, error) {
+	vm, err := admitter.Client.VirtualMachine(namespace).Get(name, &metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		return []metav1.StatusCause{
+			{
+				Type:    metav1.CauseTypeFieldValueInvalid,
+				Message: fmt.Sprintf("VirtualMachine %q does not exist", name),
+				Field:   field.String(),
+			},
+		}, nil
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	var causes []metav1.StatusCause
+
+	if vm.Spec.Running != nil && *vm.Spec.Running {
+		cause := metav1.StatusCause{
+			Type:    metav1.CauseTypeFieldValueInvalid,
+			Message: fmt.Sprintf("VirtualMachine %q is running", name),
+			Field:   field.String(),
+		}
+		causes = append(causes, cause)
+	}
+
+	return causes, nil
+}
+
+func (admitter *VMRestoreAdmitter) validateSnapshot(field *k8sfield.Path, namespace, name string) ([]metav1.StatusCause, error) {
+	snapshot, err := admitter.Client.VirtualMachineSnapshot(namespace).Get(name, metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		return []metav1.StatusCause{
+			{
+				Type:    metav1.CauseTypeFieldValueInvalid,
+				Message: fmt.Sprintf("VirtualMachineSnapshot %q does not exist", name),
+				Field:   field.String(),
+			},
+		}, nil
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	var causes []metav1.StatusCause
+
+	if snapshot.Status == nil || snapshot.Status.ReadyToUse == nil || *snapshot.Status.ReadyToUse == false {
+		cause := metav1.StatusCause{
+			Type:    metav1.CauseTypeFieldValueInvalid,
+			Message: fmt.Sprintf("VirtualMachineSnapshot %q is not ready to use", name),
+			Field:   field.String(),
+		}
+		causes = append(causes, cause)
+	}
+
+	return causes, nil
+}