AzureManagedCluster spec.controlPlaneEndpoint is immutable

kubernetes-sigs · Dec 5, 2022 · 582a8b3 · 582a8b3
1 parent c74fa34
commit 582a8b3
Show file tree

Hide file tree

Showing 4 changed files with 177 additions and 0 deletions.
diff --git a/exp/api/v1beta1/azuremanagedcluster_webhook.go b/exp/api/v1beta1/azuremanagedcluster_webhook.go
@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/cluster-api-provider-azure/azure"
 	"sigs.k8s.io/cluster-api-provider-azure/feature"
 	"sigs.k8s.io/cluster-api-provider-azure/util/maps"
+	webhookutils "sigs.k8s.io/cluster-api-provider-azure/util/webhook"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
@@ -70,6 +71,24 @@ func (r *AzureManagedCluster) ValidateUpdate(oldRaw runtime.Object) error {
 				fmt.Sprintf("annotations with '%s' prefix are immutable", azure.CustomHeaderPrefix)))
 	}
 
+	if old.Spec.ControlPlaneEndpoint.Host != "" {
+		if err := webhookutils.ValidateImmutable(
+			field.NewPath("Spec", "ControlPlaneEndpoint", "Host"),
+			old.Spec.ControlPlaneEndpoint.Host,
+			r.Spec.ControlPlaneEndpoint.Host); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
+	if old.Spec.ControlPlaneEndpoint.Port != 0 {
+		if err := webhookutils.ValidateImmutable(
+			field.NewPath("Spec", "ControlPlaneEndpoint", "Port"),
+			old.Spec.ControlPlaneEndpoint.Port,
+			r.Spec.ControlPlaneEndpoint.Port); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
 	if len(allErrs) != 0 {
 		return apierrors.NewInvalid(GroupVersion.WithKind("AzureManagedCluster").GroupKind(), r.Name, allErrs)
 	}

diff --git a/exp/api/v1beta1/azuremanagedcluster_webhook_test.go b/exp/api/v1beta1/azuremanagedcluster_webhook_test.go
@@ -23,6 +23,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilfeature "k8s.io/component-base/featuregate/testing"
 	"sigs.k8s.io/cluster-api-provider-azure/feature"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
 func TestAzureManagedCluster_ValidateUpdate(t *testing.T) {
@@ -119,6 +120,69 @@ func TestAzureManagedCluster_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "ControlPlaneEndpoint.Port is immutable",
+			oldAMC: &AzureManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: AzureManagedClusterSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 443,
+					},
+				},
+			},
+			amc: &AzureManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: AzureManagedClusterSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 444,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "ControlPlaneEndpoint.Host is immutable",
+			oldAMC: &AzureManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: AzureManagedClusterSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 443,
+					},
+				},
+			},
+			amc: &AzureManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: AzureManagedClusterSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "this-is-not-allowed",
+						Port: 443,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "ControlPlaneEndpoint update from zero values are allowed",
+			oldAMC: &AzureManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: AzureManagedClusterSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{},
+				},
+			},
+			amc: &AzureManagedCluster{
+				ObjectMeta: metav1.ObjectMeta{},
+				Spec: AzureManagedClusterSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 443,
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {

diff --git a/exp/api/v1beta1/azuremanagedcontrolplane_webhook.go b/exp/api/v1beta1/azuremanagedcontrolplane_webhook.go
@@ -193,6 +193,24 @@ func (m *AzureManagedControlPlane) ValidateUpdate(oldRaw runtime.Object, client
 		}
 	}
 
+	if old.Spec.ControlPlaneEndpoint.Host != "" {
+		if err := webhookutils.ValidateImmutable(
+			field.NewPath("Spec", "ControlPlaneEndpoint", "Host"),
+			old.Spec.ControlPlaneEndpoint.Host,
+			m.Spec.ControlPlaneEndpoint.Host); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
+	if old.Spec.ControlPlaneEndpoint.Port != 0 {
+		if err := webhookutils.ValidateImmutable(
+			field.NewPath("Spec", "ControlPlaneEndpoint", "Port"),
+			old.Spec.ControlPlaneEndpoint.Port,
+			m.Spec.ControlPlaneEndpoint.Port); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
 	if errs := m.validateVirtualNetworkUpdate(old); len(errs) > 0 {
 		allErrs = append(allErrs, errs...)
 	}

diff --git a/exp/api/v1beta1/azuremanagedcontrolplane_webhook_test.go b/exp/api/v1beta1/azuremanagedcontrolplane_webhook_test.go
@@ -25,6 +25,7 @@ import (
 	utilfeature "k8s.io/component-base/featuregate/testing"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/cluster-api-provider-azure/feature"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 
 func TestDefaultingWebhook(t *testing.T) {
@@ -903,6 +904,81 @@ func TestAzureManagedControlPlane_ValidateUpdate(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "AzureManagedControlPlane ControlPlaneEndpoint.Port is mutable",
+			oldAMCP: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 443,
+					},
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 444,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "AzureManagedControlPlane ControlPlaneEndpoint.Host is mutable",
+			oldAMCP: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 443,
+					},
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "this-is-not-allowed",
+						Port: 443,
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "ControlPlaneEndpoint update from zero values are allowed",
+			oldAMCP: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{},
+				},
+			},
+			amcp: &AzureManagedControlPlane{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-cluster",
+				},
+				Spec: AzureManagedControlPlaneSpec{
+					ControlPlaneEndpoint: clusterv1.APIEndpoint{
+						Host: "aks-8622-h4h26c44.hcp.eastus.azmk8s.io",
+						Port: 443,
+					},
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {