Validate external types with CRD spec

Author: cartermckinnon

nodeadm/Makefile

@@ -41,7 +41,7 @@ clean:
 
 .PHONY: crds
 crds: controller-gen ## Generate CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=crds/
+	$(CONTROLLER_GEN) crd paths="./..." output:crd:artifacts:config=internal/api/bridge/crds
 
 .PHONY: generate
 generate: generate-code generate-doc ## Generate code and documentation.

nodeadm/api/v1alpha1/nodeconfig_types.go

@@ -39,15 +39,19 @@ type NodeConfigSpec struct {
 // These details can be found using the [DescribeCluster API](https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html).
 type ClusterDetails struct {
 	// Name is the name of your EKS cluster
+	// +kubebuilder:validation:Required
 	Name string `json:"name,omitempty"`
 
 	// APIServerEndpoint is the URL of your EKS cluster's kube-apiserver.
+	// +kubebuilder:validation:Required
 	APIServerEndpoint string `json:"apiServerEndpoint,omitempty"`
 
 	// CertificateAuthority is a base64-encoded string of your cluster's certificate authority chain.
+	// +kubebuilder:validation:Required
 	CertificateAuthority []byte `json:"certificateAuthority,omitempty"`
 
 	// CIDR is your cluster's Pod IP CIDR. This value is used to infer your cluster's DNS address.
+	// +kubebuilder:validation:Required
 	CIDR string `json:"cidr,omitempty"`
 
 	// EnableOutpost determines how your node is configured when running on an AWS Outpost.

nodeadm/go.mod

@@ -15,20 +15,35 @@ require (
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.26.0
 	golang.org/x/mod v0.14.0
-	k8s.io/apimachinery v0.29.1
+	k8s.io/apiextensions-apiserver v0.29.2
+	k8s.io/apimachinery v0.29.2
 	k8s.io/cri-api v0.29.1
 	k8s.io/kubelet v0.29.1
 	sigs.k8s.io/controller-runtime v0.17.0
 )
 
 require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
+	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/cel-go v0.17.7 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
+	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
 	golang.org/x/tools v0.16.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20230726155614-23370e0ffb3e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
 	google.golang.org/grpc v1.58.3 // indirect
-	k8s.io/component-base v0.29.1 // indirect
+	k8s.io/apiserver v0.29.2 // indirect
+	k8s.io/component-base v0.29.2 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 )
 
 require dario.cat/mergo v1.0.0 // direct
@@ -74,7 +89,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.29.1
+	k8s.io/api v0.29.2
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e // direct
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

nodeadm/go.sum

@@ -61,6 +61,11 @@ spec:
                   name:
                     description: Name is the name of your EKS cluster
                     type: string
+                required:
+                - apiServerEndpoint
+                - certificateAuthority
+                - cidr
+                - name
                 type: object
               containerd:
                 description: ContainerdOptions are additional parameters passed to

nodeadm/crds/node.eks.aws_nodeconfigs.yaml renamed to nodeadm/internal/api/bridge/crds/node.eks.aws_nodeconfigs.yaml

@@ -28,6 +28,9 @@ func DecodeNodeConfig(data []byte) (*internalapi.NodeConfig, error) {
 	if gvk.Group != api.GroupName {
 		return nil, fmt.Errorf("failed to decode %q, unexpected group: %s", gvk.Kind, gvk.Group)
 	}
+	if err := ValidateExternalType(obj, *gvk); err != nil {
+		return nil, err
+	}
 	if internalConfig, ok := obj.(*internalapi.NodeConfig); ok {
 		return internalConfig, nil
 	}

nodeadm/internal/api/bridge/decode.go

@@ -0,0 +1,66 @@
+package bridge
+
+import (
+	_ "embed"
+	"errors"
+	"fmt"
+	"log"
+
+	"k8s.io/apiextensions-apiserver/pkg/apihelpers"
+	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+//go:embed crds/node.eks.aws_nodeconfigs.yaml
+var customResourceDefinitionYAML []byte
+
+var customResourceDefinition *apiextensionsv1.CustomResourceDefinition
+
+func init() {
+	scheme := runtime.NewScheme()
+	if err := apiextensions.AddToScheme(scheme); err != nil {
+		panic("Failed to register apiextensions on validation scheme")
+	}
+	if err := apiextensionsv1.AddToScheme(scheme); err != nil {
+		panic("Failed to register apiextensionsv1 on validation scheme")
+	}
+	codecs := serializer.NewCodecFactory(scheme)
+	obj, gvk, err := codecs.UniversalDeserializer().Decode(customResourceDefinitionYAML, nil, nil)
+	if err != nil {
+		log.Fatalf("failed to decode CRD: %v", err)
+	}
+	if crd, ok := obj.(*apiextensionsv1.CustomResourceDefinition); !ok {
+		log.Fatalf("CRD YAML is not a valid apiextensionsv1.CustomResourceDefinition: %v", gvk)
+	} else {
+		customResourceDefinition = crd
+	}
+}
+
+func ValidateExternalType(obj runtime.Object, gvk schema.GroupVersionKind) error {
+	validationSchema, err := apihelpers.GetSchemaForVersion(customResourceDefinition, gvk.Version)
+	if err != nil {
+		return err
+	}
+	var internalSchemaProps *apiextensions.JSONSchemaProps
+	var internalValidationSchema *apiextensions.CustomResourceValidation
+	if validationSchema != nil {
+		internalValidationSchema = &apiextensions.CustomResourceValidation{}
+		if err := apiextensionsv1.Convert_v1_CustomResourceValidation_To_apiextensions_CustomResourceValidation(validationSchema, internalValidationSchema, nil); err != nil {
+			return fmt.Errorf("failed to convert CRD validation to internal version: %v", err)
+		}
+		internalSchemaProps = internalValidationSchema.OpenAPIV3Schema
+	}
+	validator, _, err := apiservervalidation.NewSchemaValidator(internalSchemaProps)
+	if err != nil {
+		return err
+	}
+	res := validator.Validate(obj)
+	if len(res.Errors) > 0 {
+		return errors.Join(res.Errors...)
+	}
+	return nil
+}

nodeadm/internal/api/bridge/validation.go

@@ -3,21 +3,9 @@ package api
 import "fmt"
 
 func ValidateNodeConfig(cfg *NodeConfig) error {
-	if cfg.Spec.Cluster.Name == "" {
-		return fmt.Errorf("Name is missing in cluster configuration")
-	}
-	if cfg.Spec.Cluster.APIServerEndpoint == "" {
-		return fmt.Errorf("Apiserver endpoint is missing in cluster configuration")
-	}
-	if cfg.Spec.Cluster.CertificateAuthority == nil {
-		return fmt.Errorf("Certificate authority is missing in cluster configuration")
-	}
-	if cfg.Spec.Cluster.CIDR == "" {
-		return fmt.Errorf("CIDR is missing in cluster configuration")
-	}
 	if enabled := cfg.Spec.Cluster.EnableOutpost; enabled != nil && *enabled {
 		if cfg.Spec.Cluster.ID == "" {
-			return fmt.Errorf("CIDR is missing in cluster configuration")
+			return fmt.Errorf("cidr is missing in cluster configuration")
 		}
 	}
 	return nil