From 0146e81d7c51722de3d74d794cc948c75d959aaf Mon Sep 17 00:00:00 2001
From: Kazuki Suda
Date: Wed, 1 Jun 2022 17:46:55 +0900
Subject: [PATCH 1/2] controlplane/kubeadm/api/v1beta1: validate init/joinConfiguration.patches

Signed-off-by: Kazuki Suda
---
 .../kubeadm_control_plane_webhook_test.go | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
index 99e3e3200a01..ede2d4b11630 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
@@ -608,6 +608,16 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 validIgnitionConfigurationAfter := validIgnitionConfigurationBefore.DeepCopy()
 validIgnitionConfigurationAfter.Spec.KubeadmConfigSpec.Ignition.ContainerLinuxConfig.AdditionalConfig = "foo: bar"
 
+ updateInitConfigurationPatches := before.DeepCopy()
+ updateInitConfigurationPatches.Spec.KubeadmConfigSpec.InitConfiguration.Patches = &bootstrapv1.Patches{
+ Directory: "/tmp/patches",
+ }
+
+ updateJoinConfigurationPatches := before.DeepCopy()
+ updateJoinConfigurationPatches.Spec.KubeadmConfigSpec.InitConfiguration.Patches = &bootstrapv1.Patches{
+ Directory: "/tmp/patches",
+ }
+
 tests := []struct {
 name string
 enableIgnitionFeature bool
@@ -914,6 +924,18 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 before: before,
 kcp: disableNTPServers,
 },
+ {
+ name: "should disallow changes to initConfiguration.patches",
+ expectErr: true,
+ before: before,
+ kcp: updateInitConfigurationPatches,
+ },
+ {
+ name: "should disallow changes to joinConfiguration.patches",
+ expectErr: true,
+ before: before,
+ kcp: updateJoinConfigurationPatches,
+ },
 {
 name: "should return error when Ignition configuration is invalid",
 enableIgnitionFeature: true,
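Review bot: The `updateJoinConfigurationPatches` fixture in the first hunk assigns `Spec.KubeadmConfigSpec.InitConfiguration.Patches`, so the case named "should disallow changes to joinConfiguration.patches" in the second hunk exercises the init path a second time and the join path is never checked. The assignment should read `updateJoinConfigurationPatches.Spec.KubeadmConfigSpec.JoinConfiguration.Patches = &bootstrapv1.Patches{`. The cases renamed to "should allow ..." in patch 2/2 reuse the same fixture, so the `joinConfiguration, patches, directory` entry added to the webhook there could be wrong or missing without this test noticing. If `before` leaves `JoinConfiguration` nil (not visible in the hunk), the fixture also has to initialise it before setting `Patches`. The test function's body starts and ends outside both hunks.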
From 85f7b82326052f500cb985f831984490bbc2381d Mon Sep 17 00:00:00 2001
From: Kazuki Suda
Date: Wed, 1 Jun 2022 17:54:29 +0900
Subject: [PATCH 2/2] Make KCP's patches option mutable

Signed-off-by: Kazuki Suda
---
 .../kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go | 4 ++++
 .../api/v1beta1/kubeadm_control_plane_webhook_test.go | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
index a6d6d82e0516..c20d90e1dbd3 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go
@@ -115,6 +115,8 @@ const (
 initConfiguration = "initConfiguration"
 joinConfiguration = "joinConfiguration"
 nodeRegistration = "nodeRegistration"
+ patches = "patches"
+ directory = "directory"
 preKubeadmCommands = "preKubeadmCommands"
 postKubeadmCommands = "postKubeadmCommands"
 files = "files"
@@ -142,7 +144,9 @@ func (in *KubeadmControlPlane) ValidateUpdate(old runtime.Object) error {
 {spec, kubeadmConfigSpec, clusterConfiguration, controllerManager, "*"},
 {spec, kubeadmConfigSpec, clusterConfiguration, scheduler, "*"},
 {spec, kubeadmConfigSpec, initConfiguration, nodeRegistration, "*"},
+ {spec, kubeadmConfigSpec, initConfiguration, patches, directory},
 {spec, kubeadmConfigSpec, joinConfiguration, nodeRegistration, "*"},
+ {spec, kubeadmConfigSpec, joinConfiguration, patches, directory},
 {spec, kubeadmConfigSpec, preKubeadmCommands},
 {spec, kubeadmConfigSpec, postKubeadmCommands},
 {spec, kubeadmConfigSpec, files},
diff --git a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
index ede2d4b11630..a7452a459ef7 100644
--- a/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
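Review bot: The two rows added to the path list in `ValidateUpdate` end in the `directory` leaf, while the neighbouring `nodeRegistration` rows end in `"*"`, and nothing in the hunk records that the narrower form is deliberate. A comment above them such as `// Only patches.directory is mutable; fields added to Patches later stay immutable until listed here.` would keep a later edit from widening the entry to `"*"` by analogy with its neighbours. The hunk also shows no check on the new directory value at update time; whether it is validated elsewhere cannot be told from here, because the body of `ValidateUpdate` continues outside the hunk.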
+++ b/controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook_test.go
@@ -925,14 +925,14 @@ func TestKubeadmControlPlaneValidateUpdate(t *testing.T) {
 kcp: disableNTPServers,
 },
 {
- name: "should disallow changes to initConfiguration.patches",
- expectErr: true,
+ name: "should allow changes to initConfiguration.patches",
+ expectErr: false,
 before: before,
 kcp: updateInitConfigurationPatches,
 },
 {
- name: "should disallow changes to joinConfiguration.patches",
- expectErr: true,
+ name: "should allow changes to joinConfiguration.patches",
+ expectErr: false,
 before: before,
 kcp: updateJoinConfigurationPatches,
 },