r

Author: aryangorwade

cmd/main.go

@@ -260,7 +260,7 @@ func main() {
 
 	// nolint:goconst
 	// Parse ENABLE_WEBHOOKS environment variable once as a boolean.
-	enableWebhooks := true
+	var enableWebhooks bool
 	if val, ok := os.LookupEnv("ENABLE_WEBHOOKS"); ok {
 		var err error
 		enableWebhooks, err = strconv.ParseBool(val)

config/manager/kustomization.yaml

@@ -4,5 +4,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
-  newName: nvcr.io/nvidia/cloud-native/nim-operator
-  newTag: v1.0.0
+  newName: localhost:5000/k8s-nim-operator
+  newTag: dev

deployments/helm/k8s-nim-operator/values.yaml

@@ -1,9 +1,10 @@
 operator:
   replicas: 1
   upgradeCRD: true
-  image:
-    repository: ghcr.io/nvidia/k8s-nim-operator
-    tag: main
+  image: 
+    repository: localhost:5000/k8s-nim-operator
+    tag: dev
+
     pullSecrets: []
     pullPolicy: Always
   args:
@@ -46,7 +47,7 @@ operator:
         - ALL
   admissionController:
     # -- Deploy with admission controller.
-    enabled: true
+    enabled: false
     # -- Use cert-manager for generating self-signed certificate.
     useCertManager: true
     # certificate:

internal/webhook/apps/v1alpha1/nimcache_webhook.go

@@ -68,12 +68,9 @@ func (v *NIMCacheCustomValidator) ValidateCreate(_ context.Context, obj runtime.
 	}
 	nimcachelog.V(4).Info("Validation for NIMCache upon creation", "name", nimcache.GetName())
 
-	errList := field.ErrorList{}
-
 	fldPath := field.NewPath("nimcache").Child("spec")
-	errList = append(errList, validateNIMSourceConfiguration(&nimcache.Spec.Source, fldPath.Child("source"))...)
-	errList = append(errList, validateNIMCacheStorageConfiguration(&nimcache.Spec.Storage, fldPath.Child("storage"))...)
-	errList = append(errList, validateProxyConfiguration(nimcache.Spec.Proxy, fldPath.Child("proxy"))...)
+	// Perform structural validation via helper.
+	errList := validateNIMCacheSpec(&nimcache.Spec, fldPath)
 
 	if len(errList) > 0 {
 		return nil, errList.ToAggregate()
@@ -91,6 +88,11 @@ func (v *NIMCacheCustomValidator) ValidateUpdate(_ context.Context, oldObj, newO
 	}
 	nimcachelog.V(4).Info("Validation for NIMCache upon update", "name", nimcache.GetName())
 
+	fldPath := field.NewPath("nimcache").Child("spec")
+	
+	// Begin by validating the new spec structurally.
+	errList := validateNIMCacheSpec(&nimcache.Spec, fldPath)
+
 	oldNIMCache, ok := oldObj.(*appsv1alpha1.NIMCache)
 	if !ok {
 		return nil, fmt.Errorf("expected a NIMCache object for oldObj but got %T", oldObj)
@@ -100,8 +102,7 @@ func (v *NIMCacheCustomValidator) ValidateUpdate(_ context.Context, oldObj, newO
 		return nil, fmt.Errorf("expected a NIMCache object for newObj but got %T", newObj)
 	}
 
-	errList := field.ErrorList{}
-
+	// Append immutability errors after structural checks.
 	errList = append(errList, validateImmutableNIMCacheSpec(oldNIMCache, newNIMCache, field.NewPath("nimcache"))...)
 
 	if len(errList) > 0 {

internal/webhook/apps/v1alpha1/nimcache_webhook_validation_helper.go

@@ -18,6 +18,7 @@ package v1alpha1
 
 import (
 	"fmt"
+	"reflect"
 	"regexp"
 	"strings"
 
@@ -78,7 +79,7 @@ func validateModel(model *appsv1alpha1.ModelSpec, fldPath *field.Path) field.Err
 
 		for _, profile := range model.Profiles {
 			if profile == "all" && len(model.Profiles) != 1 {
-				errList = append(errList, field.Invalid(fldPath.Child("profiles"), model.Profiles, "%s must only have a single entry when it contains 'all'"))
+				errList = append(errList, field.Invalid(fldPath.Child("profiles"), model.Profiles, "must only have a single entry when it contains 'all'"))
 				break
 			}
 		}
@@ -127,31 +128,35 @@ func validateNIMCacheStorageConfiguration(storage *appsv1alpha1.NIMCacheStorage,
 	errList := field.ErrorList{}
 
 	// Spec.Storage must not be empty
-	if storage.PVC.Create == nil && storage.PVC.Name == "" && storage.PVC.StorageClass == "" &&
-		storage.PVC.Size == "" && storage.PVC.VolumeAccessMode == "" && storage.PVC.SubPath == "" &&
-		len(storage.PVC.Annotations) == 0 {
+	if reflect.DeepEqual(storage.PVC, appsv1alpha1.PersistentVolumeClaim{}) {
 		errList = append(errList, field.Required(fldPath, "must not be empty"))
 	}
+	
+	errList = append(errList, validatePVCConfiguration(&storage.PVC, fldPath.Child("pvc"))...)
 
-	// Removed invalid comparison of a struct containing maps.
+	return errList
+}
+
+func validatePVCConfiguration(pvc *appsv1alpha1.PersistentVolumeClaim, fldPath *field.Path) field.ErrorList {
+	errList := field.ErrorList{}
 
 	// If PVC.Create is False, PVC.Name cannot be empty
-	if storage.PVC.Create != nil && !*storage.PVC.Create && storage.PVC.Name == "" {
-		errList = append(errList, field.Required(fldPath.Child("pvc").Child("name"), fmt.Sprintf("must be provided when %s is false", fldPath.Child("pvc").Child("create"))))
+	if (pvc.Create == nil || !*pvc.Create) && pvc.Name == "" {
+		errList = append(errList, field.Required(fldPath.Child("name"), fmt.Sprintf("must be provided when %s is false", fldPath.Child("create"))))
 	}
 
 	// If PVC.VolumeAccessMode is defined, it must be one of the valid modes
-	if storage.PVC.VolumeAccessMode != "" {
+	if pvc.VolumeAccessMode != "" {
 		found := false
 		for _, vm := range validPVCAccessModeStrs {
-			if storage.PVC.VolumeAccessMode == vm {
+			if pvc.VolumeAccessMode == vm {
 				found = true
 				break
 			}
 		}
 
 		if !found {
-			errList = append(errList, field.Invalid(fldPath.Child("pvc").Child("volumeAccessMode"), storage.PVC.VolumeAccessMode, "unrecognized volumeAccessMode"))
+			errList = append(errList, field.Invalid(fldPath.Child("volumeAccessMode"), pvc.VolumeAccessMode, "unrecognized volumeAccessMode"))
 		}
 	}
 
@@ -190,6 +195,28 @@ func validateProxyConfiguration(proxy *appsv1alpha1.ProxySpec, fldPath *field.Pa
 	return errList
 }
 
+// validateNIMCacheSpec aggregates all structural validation rules for a NIMCache
+// resource. This central function is intended for use by both webhook
+// ValidateCreate and ValidateUpdate methods so that they share identical
+// well-formedness checks.
+//
+// Parameters:
+//   – spec:  pointer to the NIMCacheSpec being validated.
+//   – fldPath: field path pointing at the root of the spec (typically
+//     field.NewPath("nimcache").Child("spec")).
+//
+// Returns a field.ErrorList with any validation errors encountered.
+func validateNIMCacheSpec(spec *appsv1alpha1.NIMCacheSpec, fldPath *field.Path) field.ErrorList {
+    errList := field.ErrorList{}
+
+    // Delegate to existing granular validators.
+    errList = append(errList, validateNIMSourceConfiguration(&spec.Source, fldPath.Child("source"))...)
+    errList = append(errList, validateNIMCacheStorageConfiguration(&spec.Storage, fldPath.Child("storage"))...)
+    errList = append(errList, validateProxyConfiguration(spec.Proxy, fldPath.Child("proxy"))...)
+
+    return errList
+}
+
 func validateImmutableNIMCacheSpec(oldNIMCache, newNIMCache *appsv1alpha1.NIMCache, fldPath *field.Path) field.ErrorList {
 	errList := field.ErrorList{}
 

internal/webhook/apps/v1alpha1/nimservice_webhook.go

@@ -92,18 +92,10 @@ func (v *NIMServiceCustomValidator) ValidateCreate(_ context.Context, obj runtim
 	}
 	nimservicelog.V(4).Info("Validation for NIMService upon creation", "name", nimservice.GetName())
 
-	errList := field.ErrorList{}
-
 	fldPath := field.NewPath("nimservice").Child("spec")
-	errList = append(errList, validateImageConfiguration(&nimservice.Spec.Image, fldPath.Child("image"))...)
-	errList = append(errList, validateAuthSecret(&nimservice.Spec.AuthSecret, fldPath.Child("authSecret"))...)
-	errList = append(errList, validateServiceStorageConfiguration(&nimservice.Spec.Storage, fldPath.Child("storage"))...)
-	errList = append(errList, validateExposeConfiguration(&nimservice.Spec.Expose, fldPath.Child("expose").Child("ingress"))...)
-	errList = append(errList, validateMetricsConfiguration(&nimservice.Spec.Metrics, fldPath.Child("metrics"))...)
-	errList = append(errList, validateScaleConfiguration(&nimservice.Spec.Scale, fldPath.Child("scale"))...)
-	errList = append(errList, validateDRAResourcesVersionCompatibility(v.k8sVersion, fldPath.Child("draResources"))...)
-	errList = append(errList, validateResourcesConfiguration(nimservice.Spec.Resources, fldPath.Child("resources"))...)
-	errList = append(errList, validateDRAResourcesConfiguration(&nimservice.Spec, fldPath)...)
+	
+	// Perform comprehensive spec validation via helper.
+	errList := validateNIMServiceSpec(v.k8sVersion, &nimservice.Spec, fldPath)
 
 	if len(errList) > 0 {
 		return nil, errList.ToAggregate()
@@ -120,11 +112,13 @@ func (v *NIMServiceCustomValidator) ValidateUpdate(_ context.Context, oldObj, ne
 	}
 	nimservicelog.V(4).Info("Validation for NIMService upon update", "name", nimservice.GetName())
 
+	fldPath := field.NewPath("nimservice").Child("spec")
+	// Start with structural validation to ensure the updated object is well formed.
+	errList := validateNIMServiceSpec(v.k8sVersion, &nimservice.Spec, fldPath)
+
 	// All fields of NIMService.Spec are mutable, except for:
 	// - Spec.MultiNode
 	// - If PVC has been created with PVC.Create = true, reject any updates to any fields of PVC object
-	errList := field.ErrorList{}
-
 	oldNIMService, ok := oldObj.(*appsv1alpha1.NIMService)
 	if !ok {
 		return nil, fmt.Errorf("expected a NIMService object for oldObj but got %T", oldObj)

internal/webhook/apps/v1alpha1/nimservice_webhook_validation_helper.go

@@ -18,11 +18,14 @@ package v1alpha1
 
 import (
 	"fmt"
+	"reflect"
 
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
+	"github.com/NVIDIA/k8s-nim-operator/api/apps/v1alpha1"
 	appsv1alpha1 "github.com/NVIDIA/k8s-nim-operator/api/apps/v1alpha1"
 	"github.com/NVIDIA/k8s-nim-operator/internal/utils"
 )
@@ -93,25 +96,7 @@ func validateServiceStorageConfiguration(storage *appsv1alpha1.NIMServiceStorage
 
 	// Enforcing PVC rules if defined
 	if pvcDefined {
-
-		// If PVC.Create is False, PVC.Name cannot be empty
-		if storage.PVC.Create != nil && !*storage.PVC.Create && storage.PVC.Name == "" {
-			errList = append(errList, field.Required(fldPath.Child("pvc").Child("name"), fmt.Sprintf("must be provided when %s is false", fldPath.Child("pvc").Child("create"))))
-		}
-
-		if storage.PVC.VolumeAccessMode != "" {
-			found := false
-			for _, vm := range validPVCAccessModeStrs {
-				if storage.PVC.VolumeAccessMode == vm {
-					found = true
-					break
-				}
-			}
-
-			if !found {
-				errList = append(errList, field.Invalid(fldPath.Child("pvc").Child("volumeAccessMode"), storage.PVC.VolumeAccessMode, "unrecognized volumeAccessMode"))
-			}
-		}
+		errList = append(errList, validatePVCConfiguration(&storage.PVC, fldPath.Child("pvc"))...)
 	}
 
 	return errList
@@ -133,20 +118,22 @@ func validateDRAResourcesConfiguration(spec *appsv1alpha1.NIMServiceSpec, fldPat
 			if dra.ResourceClaimName != nil && *dra.ResourceClaimName != "" {
 				errList = append(errList, field.Forbidden(
 					draResourcesPath.Index(i).Child("resourceClaimName"),
-					fmt.Sprintf("must not be set when %s > 1 or %s, only %s is allowed", fldPath.Child("replicas"), fldPath.Child("scale").Child("enabled"), draResourcesPath.Index(i).Child("draResourceClaimTemplateName"))))
+					fmt.Sprintf("must not be set when %s > 1 or %s, only %s is allowed", fldPath.Child("replicas"), fldPath.Child("scale").Child("enabled"), draResourcesPath.Index(i).Child("resourceClaimTemplateName"))))
 			}
 		}
-	} else {
-
-		// If DRAResources is not empty, all DRAResources objects must have a unique DRAResource.ResourceClaimName
-		draResources := spec.DRAResources
-		if len(draResources) > 0 {
-			seen := make(map[string]struct{})
-			for i, dra := range draResources {
-				if dra.ResourceClaimName == nil {
-					errList = append(errList, field.Required(draResourcesPath.Index(i).Child("resourceClaimName"), "must not be empty"))
-					continue
-				}
+	}
+	// If DRAResources has multiple entries with DRAResource.ResourceClaimName, they have to be unique names. Additionally, only one of DRAResource.ResourceClaimName or DRAResource.ResourceClaimTemplateName must be defined.
+	draResources := spec.DRAResources
+	if len(draResources) > 0 {
+		seen := make(map[string]struct{})
+		for i, dra := range draResources {
+			// Must have only one of the two defined
+			if (dra.ResourceClaimName == nil && dra.ResourceClaimTemplateName == nil) || (dra.ResourceClaimName != nil && dra.ResourceClaimTemplateName != nil) {
+				errList = append(errList, field.Invalid(draResourcesPath.Index(i), dra, "must specify exactly one of resourceClaimName or resourceClaimTemplateName"))
+				continue
+			}
+
+			if dra.ResourceClaimName != nil {
 				if _, exists := seen[*dra.ResourceClaimName]; exists {
 					errList = append(errList, field.Duplicate(draResourcesPath.Index(i).Child("resourceClaimName"), *dra.ResourceClaimName))
 				}
@@ -169,9 +156,7 @@ func validateAuthSecret(authSecret *string, fldPath *field.Path) field.ErrorList
 func validateExposeConfiguration(expose *appsv1alpha1.Expose, fldPath *field.Path) field.ErrorList {
 	errList := field.ErrorList{}
 	if expose.Ingress.Enabled != nil && *expose.Ingress.Enabled {
-		spec := expose.Ingress.Spec
-		if spec.IngressClassName == nil && spec.DefaultBackend == nil &&
-			len(spec.TLS) == 0 && len(spec.Rules) == 0 {
+		if reflect.DeepEqual(expose.Ingress.Spec, networkingv1.IngressSpec{}) {
 			errList = append(errList, field.Required(fldPath.Child("spec"), fmt.Sprintf("must be defined if %s is true", fldPath.Child("enabled"))))
 		}
 	}
@@ -182,9 +167,7 @@ func validateExposeConfiguration(expose *appsv1alpha1.Expose, fldPath *field.Pat
 func validateMetricsConfiguration(metrics *appsv1alpha1.Metrics, fldPath *field.Path) field.ErrorList {
 	errList := field.ErrorList{}
 	if metrics.Enabled != nil && *metrics.Enabled {
-		sm := metrics.ServiceMonitor
-		if len(sm.AdditionalLabels) == 0 && len(sm.Annotations) == 0 &&
-			sm.Interval == "" && sm.ScrapeTimeout == "" {
+		if reflect.DeepEqual(metrics.ServiceMonitor, v1alpha1.ServiceMonitor{}) {
 			errList = append(errList, field.Required(fldPath.Child("serviceMonitor"), fmt.Sprintf("must be defined if %s is true", fldPath.Child("enabled"))))
 		}
 	}
@@ -195,8 +178,7 @@ func validateMetricsConfiguration(metrics *appsv1alpha1.Metrics, fldPath *field.
 func validateScaleConfiguration(scale *appsv1alpha1.Autoscaling, fldPath *field.Path) field.ErrorList {
 	errList := field.ErrorList{}
 	if scale.Enabled != nil && *scale.Enabled {
-		hpa := scale.HPA
-		if hpa.MinReplicas == nil && hpa.MaxReplicas == 0 && len(hpa.Metrics) == 0 && hpa.Behavior == nil {
+		if reflect.DeepEqual(scale.HPA, v1alpha1.HorizontalPodAutoscalerSpec{}) {
 			errList = append(errList, field.Required(fldPath.Child("hpa"), fmt.Sprintf("must be defined if %s is true", fldPath.Child("enabled"))))
 		}
 	}
@@ -226,6 +208,37 @@ func validateResourcesConfiguration(resources *corev1.ResourceRequirements, fldP
 	return errList
 }
 
+// validateNIMServiceSpec aggregates all structural validation checks for a NIMService
+// object. It is intended to be invoked by both ValidateCreate and ValidateUpdate to
+// ensure the resource is well-formed before any other validation (e.g. immutability)
+// is performed.
+//
+// Parameters:
+//
+//	– kubeVersion: the Kubernetes version string against which version-specific
+//	  checks (e.g. DRA resources) are evaluated.
+//	– spec: the NIMServiceSpec being validated.
+//	– fldPath: the field path pointing at the root of the spec (typically
+//	  field.NewPath("nimservice").Child("spec")).
+//
+// Returns a field.ErrorList containing any validation errors discovered.
+func validateNIMServiceSpec(kubeVersion string, spec *appsv1alpha1.NIMServiceSpec, fldPath *field.Path) field.ErrorList {
+	errList := field.ErrorList{}
+
+	// Validate individual sections of the spec using existing helper functions.
+	errList = append(errList, validateImageConfiguration(&spec.Image, fldPath.Child("image"))...)
+	errList = append(errList, validateAuthSecret(&spec.AuthSecret, fldPath.Child("authSecret"))...)
+	errList = append(errList, validateServiceStorageConfiguration(&spec.Storage, fldPath.Child("storage"))...)
+	errList = append(errList, validateExposeConfiguration(&spec.Expose, fldPath.Child("expose").Child("ingress"))...)
+	errList = append(errList, validateMetricsConfiguration(&spec.Metrics, fldPath.Child("metrics"))...)
+	errList = append(errList, validateScaleConfiguration(&spec.Scale, fldPath.Child("scale"))...)
+	errList = append(errList, validateDRAResourcesVersionCompatibility(kubeVersion, fldPath.Child("draResources"))...)
+	errList = append(errList, validateResourcesConfiguration(spec.Resources, fldPath.Child("resources"))...)
+	errList = append(errList, validateDRAResourcesConfiguration(spec, fldPath)...)
+
+	return errList
+}
+
 // validateMultiNodeImmutability ensures that the MultiNode field remains unchanged after creation.
 func validateMultiNodeImmutability(oldNs, newNs *appsv1alpha1.NIMService, fldPath *field.Path) field.ErrorList {
 	errList := field.ErrorList{}