Add webhook for BIOSSettings resources (#315)

Author: nagadeesh-nagaraja

cmd/manager/main.go

@@ -49,7 +49,7 @@ func init() {
 	//+kubebuilder:scaffold:scheme
 }
 
-func main() {
+func main() { // nolint: gocyclo
 	var (
 		metricsAddr                        string
 		metricsCertPath                    string

config/webhook/manifests.yaml

@@ -4,6 +4,26 @@ kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
 webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-metal-ironcore-dev-v1alpha1-biossettings
+  failurePolicy: Fail
+  name: vbiossettings-v1alpha1.kb.io
+  rules:
+  - apiGroups:
+    - metal.ironcore.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - biossettings
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   clientConfig:

dist/chart/templates/webhook/webhooks.yaml

@@ -11,6 +11,26 @@ metadata:
   labels:
     {{- include "chart.labels" . | nindent 4 }}
 webhooks:
+  - name: vbiossettings-v1alpha1.kb.io
+    clientConfig:
+      service:
+        name: metal-operator-webhook-service
+        namespace: {{ .Release.Namespace }}
+        path: /validate-metal-ironcore-dev-v1alpha1-biossettings
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - metal.ironcore.dev
+        apiVersions:
+          - v1alpha1
+        resources:
+          - biossettings
   - name: vendpoint-v1alpha1.kb.io
     clientConfig:
       service:

internal/webhook/v1alpha1/biossettings_webhook.go

@@ -0,0 +1,107 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	metalv1alpha1 "github.com/ironcore-dev/metal-operator/api/v1alpha1"
+)
+
+// nolint:unused
+// log is for logging in this package.
+var biossettingslog = logf.Log.WithName("biossettings-resource")
+
+// SetupBIOSSettingsWebhookWithManager registers the webhook for BIOSSettings in the manager.
+func SetupBIOSSettingsWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).For(&metalv1alpha1.BIOSSettings{}).
+		WithValidator(&BIOSSettingsCustomValidator{Client: mgr.GetClient()}).
+		Complete()
+}
+
+// NOTE: The 'path' attribute must follow a specific pattern and should not be modified directly here.
+// Modifying the path for an invalid path can cause API server errors; failing to locate the webhook.
+// +kubebuilder:webhook:path=/validate-metal-ironcore-dev-v1alpha1-biossettings,mutating=false,failurePolicy=fail,sideEffects=None,groups=metal.ironcore.dev,resources=biossettings,verbs=create;update,versions=v1alpha1,name=vbiossettings-v1alpha1.kb.io,admissionReviewVersions=v1
+
+// BIOSSettingsCustomValidator struct is responsible for validating the BIOSSettings resource
+// when it is created, updated, or deleted.
+//
+// NOTE: The +kubebuilder:object:generate=false marker prevents controller-gen from generating DeepCopy methods,
+// as this struct is used only for temporary operations and does not need to be deeply copied.
+type BIOSSettingsCustomValidator struct {
+	Client client.Client
+}
+
+var _ webhook.CustomValidator = &BIOSSettingsCustomValidator{}
+
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type BIOSSettings.
+func (v *BIOSSettingsCustomValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	biossettings, ok := obj.(*metalv1alpha1.BIOSSettings)
+	if !ok {
+		return nil, fmt.Errorf("expected a BIOSSettings object but got %T", obj)
+	}
+	biossettingslog.Info("Validation for BIOSSettings upon creation", "name", biossettings.GetName())
+
+	biosSettingsList := &metalv1alpha1.BIOSSettingsList{}
+	if err := v.Client.List(ctx, biosSettingsList); err != nil {
+		return nil, fmt.Errorf("failed to list BIOSSettingsList: %w", err)
+	}
+
+	for _, bs := range biosSettingsList.Items {
+		if biossettings.Spec.ServerRef.Name == bs.Spec.ServerRef.Name {
+			return nil, apierrors.NewInvalid(
+				schema.GroupKind{Group: biossettings.GroupVersionKind().Group, Kind: biossettings.Kind},
+				biossettings.GetName(), field.ErrorList{field.Duplicate(field.NewPath("spec").Child("ServerRef").Child("Name"), bs.Spec.ServerRef.Name)})
+		}
+	}
+
+	return nil, nil
+}
+
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type BIOSSettings.
+func (v *BIOSSettingsCustomValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	biossettings, ok := newObj.(*metalv1alpha1.BIOSSettings)
+	if !ok {
+		return nil, fmt.Errorf("expected a BIOSSettings object for the newObj but got %T", newObj)
+	}
+	biossettingslog.Info("Validation for BIOSSettings upon update", "name", biossettings.GetName())
+
+	biosSettingsList := &metalv1alpha1.BIOSSettingsList{}
+	if err := v.Client.List(ctx, biosSettingsList); err != nil {
+		return nil, fmt.Errorf("failed to list BIOSSettingsList: %w", err)
+	}
+
+	for _, bs := range biosSettingsList.Items {
+		if biossettings.Spec.ServerRef.Name == bs.Spec.ServerRef.Name && biossettings.Name != bs.Name {
+			return nil, apierrors.NewInvalid(
+				schema.GroupKind{Group: biossettings.GroupVersionKind().Group, Kind: biossettings.Kind},
+				biossettings.GetName(), field.ErrorList{field.Duplicate(field.NewPath("spec").Child("ServerRef").Child("Name"), bs.Spec.ServerRef.Name)})
+		}
+	}
+	return nil, nil
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type BIOSSettings.
+func (v *BIOSSettingsCustomValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	biossettings, ok := obj.(*metalv1alpha1.BIOSSettings)
+	if !ok {
+		return nil, fmt.Errorf("expected a BIOSSettings object but got %T", obj)
+	}
+	biossettingslog.Info("Validation for BIOSSettings upon deletion", "name", biossettings.GetName())
+
+	// TODO(user): fill in your validation logic upon object deletion.
+
+	return nil, nil
+}

internal/webhook/v1alpha1/biossettings_webhook_test.go

@@ -0,0 +1,213 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	metalv1alpha1 "github.com/ironcore-dev/metal-operator/api/v1alpha1"
+	// TODO (user): Add any additional imports if needed
+)
+
+var _ = Describe("BIOSSettings Webhook", func() {
+	var (
+		obj       *metalv1alpha1.BIOSSettings
+		oldObj    *metalv1alpha1.BIOSSettings
+		validator BIOSSettingsCustomValidator
+	)
+
+	BeforeEach(func() {
+		obj = &metalv1alpha1.BIOSSettings{}
+		oldObj = &metalv1alpha1.BIOSSettings{}
+		validator = BIOSSettingsCustomValidator{Client: k8sClient}
+		Expect(validator).NotTo(BeNil(), "Expected validator to be initialized")
+		Expect(oldObj).NotTo(BeNil(), "Expected oldObj to be initialized")
+		Expect(obj).NotTo(BeNil(), "Expected obj to be initialized")
+	})
+
+	AfterEach(func() {
+		// TODO (user): Add any teardown logic common to all tests
+	})
+
+	Context("When creating or updating BIOSSettings under Validating Webhook", func() {
+
+		It("Should deny creation if a Spec.ServerRef field is duplicate", func(ctx SpecContext) {
+			By("Creating an BIOSSetttings")
+			biosSettingsV1 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P70 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "foo"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV1)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV1)
+
+			By("Creating another BIOSSettings with existing ServerRef")
+			biosSettingsV2 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P71 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "foo"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(validator.ValidateCreate(ctx, biosSettingsV2)).Error().To(HaveOccurred())
+		})
+
+		It("Should create if a Spec.ServerRef field is NOT duplicate", func() {
+			By("Creating an BIOSSetttings")
+			biosSettingsV1 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P70 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "foo"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV1)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV1)
+
+			By("Creating another BIOSSetting with different ServerRef")
+			biosSettingsV2 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P71 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "bar"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV2)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV2)
+		})
+
+		It("Should deny update if a Spec.ServerRef field is duplicate", func() {
+			By("Creating an BIOSSetttings")
+			biosSettingsV1 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P70 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "foo"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV1)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV1)
+
+			By("Creating an BIOSSetting with different ServerRef")
+			biosSettingsV2 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P71 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "bar"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV2)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV2)
+
+			By("Updating an biosSettingsV2 to conflicting Spec.ServerRef")
+			biosSettingsV2Updated := biosSettingsV2.DeepCopy()
+			biosSettingsV2Updated.Spec.ServerRef = &v1.LocalObjectReference{Name: "foo"}
+			Expect(validator.ValidateUpdate(ctx, biosSettingsV2, biosSettingsV2Updated)).Error().To(HaveOccurred())
+		})
+
+		It("Should allow update if a different field is duplicate", func() {
+			By("Creating an BIOSSetttings")
+			biosSettingsV1 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P70 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "foo"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV1)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV1)
+
+			By("Creating an BIOSSetting with different ServerRef")
+			biosSettingsV2 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P71 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "bar"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV2)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV2)
+
+			By("Updating an biosSettingsV2 to conflicting Spec.BIOSSettings")
+			biosSettingsV2Updated := biosSettingsV2.DeepCopy()
+			biosSettingsV2Updated.Spec.BIOSSettings = biosSettingsV1.Spec.BIOSSettings
+			Expect(validator.ValidateUpdate(ctx, biosSettingsV2, biosSettingsV2Updated)).Error().ToNot(HaveOccurred())
+		})
+
+		It("Should allow update if a ServerRef field is NOT duplicate", func() {
+			By("Creating an BIOSSetttings")
+			biosSettingsV1 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P70 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "foo"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV1)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV1)
+
+			By("Creating an BIOSSetting with different ServerRef")
+			biosSettingsV2 := &metalv1alpha1.BIOSSettings{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace:    "ns.Name",
+					GenerateName: "test-",
+				},
+				Spec: metalv1alpha1.BIOSSettingsSpec{
+					BIOSSettings:            metalv1alpha1.Settings{Version: "P71 v1.45 (12/06/2017)", SettingsMap: map[string]string{}},
+					ServerRef:               &v1.LocalObjectReference{Name: "bar"},
+					ServerMaintenancePolicy: metalv1alpha1.ServerMaintenancePolicyEnforced,
+				},
+			}
+			Expect(k8sClient.Create(ctx, biosSettingsV2)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, biosSettingsV2)
+
+			By("Updating an biosSettingsV2 to NON conflicting Spec.ServerRef ")
+			biosSettingsV2Updated := biosSettingsV2.DeepCopy()
+			biosSettingsV2Updated.Spec.ServerRef = &v1.LocalObjectReference{Name: "foobar"}
+			Expect(validator.ValidateUpdate(ctx, biosSettingsV2, biosSettingsV2Updated)).Error().ToNot(HaveOccurred())
+		})
+	})
+
+})

internal/webhook/v1alpha1/webhook_suite_test.go

@@ -119,6 +119,9 @@ var _ = BeforeSuite(func() {
 	err = SetupEndpointWebhookWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 
+	err = SetupBIOSSettingsWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
 	// +kubebuilder:scaffold:webhook
 
 	go func() {