fix: validate API server LB private IP is unchanged on update

Author: dee077

internal/webhooks/azurecluster_validation.go

@@ -392,6 +392,18 @@ func validateSecurityRule(rule infrav1.SecurityRule, fldPath *field.Path) (allEr
 	return allErrs
 }
 
+func validateAPIServerLBPrivateIPUnchanged(lb, old *infrav1.LoadBalancerSpec, fldPath *field.Path) *field.Error {
+	if lb == nil || old == nil || len(old.FrontendIPs) == 0 || len(lb.FrontendIPs) == 0 {
+		return nil
+	}
+	if old.FrontendIPs[0].PrivateIPAddress != lb.FrontendIPs[0].PrivateIPAddress {
+		return field.Forbidden(
+			fldPath.Child("frontendIPConfigs").Index(0).Child("privateIP"),
+			"API Server load balancer private IP should not be modified after AzureCluster creation.")
+	}
+	return nil
+}
+
 func validateAPIServerLB(lb *infrav1.LoadBalancerSpec, old *infrav1.LoadBalancerSpec, cidrs []string, fldPath *field.Path) field.ErrorList {
 	var allErrs field.ErrorList
 
@@ -434,12 +446,13 @@ func validateAPIServerLB(lb *infrav1.LoadBalancerSpec, old *infrav1.LoadBalancer
 			if err := validateInternalLBIPAddress(privateIP, cidrs, fldPath.Child("frontendIPConfigs").Index(0).Child("privateIP")); err != nil {
 				allErrs = append(allErrs, err)
 			}
-		} else {
-			// API Server LB should not have a Private IP if APIServerILB feature is disabled.
-			if privateIPCount > 0 {
-				allErrs = append(allErrs, field.Forbidden(fldPath.Child("frontendIPConfigs").Index(0).Child("privateIP"),
-					"Public Load Balancers cannot have a Private IP"))
+			if err := validateAPIServerLBPrivateIPUnchanged(lb, old, fldPath); err != nil {
+				allErrs = append(allErrs, err)
 			}
+		} else if privateIPCount > 0 {
+			// API Server LB should not have a Private IP if APIServerILB feature is disabled.
+			allErrs = append(allErrs, field.Forbidden(fldPath.Child("frontendIPConfigs").Index(0).Child("privateIP"),
+				"Public Load Balancers cannot have a Private IP"))
 		}
 	}
 
@@ -458,8 +471,8 @@ func validateAPIServerLB(lb *infrav1.LoadBalancerSpec, old *infrav1.LoadBalancer
 				allErrs = append(allErrs, err)
 			}
 
-			if old != nil && len(old.FrontendIPs) != 0 && old.FrontendIPs[0].PrivateIPAddress != lb.FrontendIPs[0].PrivateIPAddress {
-				allErrs = append(allErrs, field.Forbidden(fldPath.Child("name"), "API Server load balancer private IP should not be modified after AzureCluster creation."))
+			if err := validateAPIServerLBPrivateIPUnchanged(lb, old, fldPath); err != nil {
+				allErrs = append(allErrs, err)
 			}
 		}
 	}

internal/webhooks/azurecluster_validation_test.go

@@ -1286,6 +1286,187 @@ func TestValidateAPIServerLB(t *testing.T) {
 				Detail:   "Internal LB IP address needs to be in control plane subnet range ([10.0.0.0/24 10.1.0.0/24])",
 			},
 		},
+		{
+			name:        "public LB with APIServerILB enabled changing private IP after creation is forbidden",
+			featureGate: feature.APIServerILB,
+			old: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.0.0.10",
+						},
+					},
+					{
+						Name: "ip-2",
+						PublicIP: &infrav1.PublicIPSpec{
+							Name:    "my-valid-ip",
+							DNSName: "my-valid-ip",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Public,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-public-lb",
+			},
+			lb: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.0.0.11",
+						},
+					},
+					{
+						Name: "ip-2",
+						PublicIP: &infrav1.PublicIPSpec{
+							Name:    "my-valid-ip",
+							DNSName: "my-valid-ip",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Public,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-public-lb",
+			},
+			cpCIDRS: []string{"10.0.0.0/24"},
+			wantErr: true,
+			expectedErr: field.Error{
+				Type:   "FieldValueForbidden",
+				Field:  "apiServerLB.frontendIPConfigs[0].privateIP",
+				Detail: "API Server load balancer private IP should not be modified after AzureCluster creation.",
+			},
+		},
+		{
+			name: "internal LB: changing private IP after creation is forbidden",
+			old: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.1.0.3",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Internal,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-private-lb",
+			},
+			lb: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.1.0.4",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Internal,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-private-lb",
+			},
+			cpCIDRS: []string{"10.1.0.0/24"},
+			wantErr: true,
+			expectedErr: field.Error{
+				Type:   "FieldValueForbidden",
+				Field:  "apiServerLB.frontendIPConfigs[0].privateIP",
+				Detail: "API Server load balancer private IP should not be modified after AzureCluster creation.",
+			},
+		},
+		{
+			name:        "public LB with APIServerILB enabled and unchanged private IP",
+			featureGate: feature.APIServerILB,
+			old: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.0.0.10",
+						},
+					},
+					{
+						Name: "ip-2",
+						PublicIP: &infrav1.PublicIPSpec{
+							Name:    "my-valid-ip",
+							DNSName: "my-valid-ip",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Public,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-public-lb",
+			},
+			lb: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.0.0.10",
+						},
+					},
+					{
+						Name: "ip-2",
+						PublicIP: &infrav1.PublicIPSpec{
+							Name:    "my-valid-ip",
+							DNSName: "my-valid-ip",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Public,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-public-lb",
+			},
+			cpCIDRS: []string{"10.0.0.0/24"},
+			wantErr: false,
+		},
+		{
+			name:        "internal LB with APIServerILB enabled and unchanged private IP",
+			featureGate: feature.APIServerILB,
+			old: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.1.0.3",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Internal,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-private-lb",
+			},
+			lb: &infrav1.LoadBalancerSpec{
+				FrontendIPs: []infrav1.FrontendIP{
+					{
+						Name: "ip-1",
+						FrontendIPClass: infrav1.FrontendIPClass{
+							PrivateIPAddress: "10.1.0.3",
+						},
+					},
+				},
+				LoadBalancerClassSpec: infrav1.LoadBalancerClassSpec{
+					Type: infrav1.Internal,
+					SKU:  infrav1.SKUStandard,
+				},
+				Name: "my-private-lb",
+			},
+			cpCIDRS: []string{"10.1.0.0/24"},
+			wantErr: false,
+		},
 	}
 
 	for _, test := range testcases {