mbergo
diff --git a/‎pkg/apis/networking/validation/validation.go
Lines changed: 37 additions & 14 deletions b/‎pkg/apis/networking/validation/validation.go
Lines changed: 37 additions & 14 deletions
diff --git a/‎pkg/apis/networking/validation/validation_test.go
Lines changed: 206 additions & 26 deletions b/‎pkg/apis/networking/validation/validation_test.go
Lines changed: 206 additions & 26 deletions
@@ -765,39 +765,62 @@ var ValidateServiceCIDRName = apimachineryvalidation.NameIsDNSSubdomain
 
 func ValidateServiceCIDR(cidrConfig *networking.ServiceCIDR) field.ErrorList {
 	allErrs := apivalidation.ValidateObjectMeta(&cidrConfig.ObjectMeta, false, ValidateServiceCIDRName, field.NewPath("metadata"))
-	fieldPath := field.NewPath("spec", "cidrs")
+	allErrs = append(allErrs, validateServiceCIDRSpec(&cidrConfig.Spec, field.NewPath("spec", "cidrs"))...)
+	return allErrs
+}
 
-	if len(cidrConfig.Spec.CIDRs) == 0 {
+func validateServiceCIDRSpec(cidrConfigSpec *networking.ServiceCIDRSpec, fieldPath *field.Path) field.ErrorList {
+	var allErrs field.ErrorList
+	if len(cidrConfigSpec.CIDRs) == 0 {
 		allErrs = append(allErrs, field.Required(fieldPath, "at least one CIDR required"))
 		return allErrs
 	}
 
-	if len(cidrConfig.Spec.CIDRs) > 2 {
-		allErrs = append(allErrs, field.Invalid(fieldPath, cidrConfig.Spec, "may only hold up to 2 values"))
+	if len(cidrConfigSpec.CIDRs) > 2 {
+		allErrs = append(allErrs, field.Invalid(fieldPath, cidrConfigSpec, "may only hold up to 2 values"))
 		return allErrs
 	}
-	// validate cidrs are dual stack, one of each IP family
-	if len(cidrConfig.Spec.CIDRs) == 2 {
-		isDual, err := netutils.IsDualStackCIDRStrings(cidrConfig.Spec.CIDRs)
-		if err != nil || !isDual {
-			allErrs = append(allErrs, field.Invalid(fieldPath, cidrConfig.Spec, "may specify no more than one IP for each IP family, i.e 192.168.0.0/24 and 2001:db8::/64"))
-			return allErrs
-		}
-	}
 
-	for i, cidr := range cidrConfig.Spec.CIDRs {
+	for i, cidr := range cidrConfigSpec.CIDRs {
 		allErrs = append(allErrs, validation.IsValidCIDR(fieldPath.Index(i), cidr)...)
 	}
 
+	// validate cidrs are dual stack, one of each IP family
+	if len(cidrConfigSpec.CIDRs) == 2 &&
+		netutils.IPFamilyOfCIDRString(cidrConfigSpec.CIDRs[0]) == netutils.IPFamilyOfCIDRString(cidrConfigSpec.CIDRs[1]) &&
+		netutils.IPFamilyOfCIDRString(cidrConfigSpec.CIDRs[0]) != netutils.IPFamilyUnknown {
+		allErrs = append(allErrs, field.Invalid(fieldPath, cidrConfigSpec.CIDRs, "may specify no more than one IP for each IP family, i.e 192.168.0.0/24 and 2001:db8::/64"))
+	}
+
 	return allErrs
 }
 
 // ValidateServiceCIDRUpdate tests if an update to a ServiceCIDR is valid.
 func ValidateServiceCIDRUpdate(update, old *networking.ServiceCIDR) field.ErrorList {
 	var allErrs field.ErrorList
 	allErrs = append(allErrs, apivalidation.ValidateObjectMetaUpdate(&update.ObjectMeta, &old.ObjectMeta, field.NewPath("metadata"))...)
-	allErrs = append(allErrs, apivalidation.ValidateImmutableField(update.Spec.CIDRs, old.Spec.CIDRs, field.NewPath("spec").Child("cidrs"))...)
+	switch {
+	// no change in Spec.CIDRs lengths fields must not change
+	case len(old.Spec.CIDRs) == len(update.Spec.CIDRs):
+		for i, ip := range old.Spec.CIDRs {
+			if ip != update.Spec.CIDRs[i] {
+				allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("cidrs").Index(i), update.Spec.CIDRs[i], apimachineryvalidation.FieldImmutableErrorMsg))
+			}
+		}
+		// added a new CIDR is allowed to convert to Dual Stack
+		// ref: https://issues.k8s.io/131261
+	case len(old.Spec.CIDRs) == 1 && len(update.Spec.CIDRs) == 2:
+		// existing CIDR can not change
+		if update.Spec.CIDRs[0] != old.Spec.CIDRs[0] {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("cidrs").Index(0), update.Spec.CIDRs[0], apimachineryvalidation.FieldImmutableErrorMsg))
+		}
+		// validate the new added CIDR
+		allErrs = append(allErrs, validateServiceCIDRSpec(&update.Spec, field.NewPath("spec", "cidrs"))...)
 
+		// no other changes allowed
+	default:
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("cidrs"), update.Spec.CIDRs, apimachineryvalidation.FieldImmutableErrorMsg))
+	}
 	return allErrs
 }
 
 
@@ -2373,6 +2373,17 @@ func TestValidateServiceCIDR(t *testing.T) {
 				},
 			},
 		},
+		"bad-iprange-ipv6-bad-ipv4": {
+			expectedErrors: 2,
+			ipRange: &networking.ServiceCIDR{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-name",
+				},
+				Spec: networking.ServiceCIDRSpec{
+					CIDRs: []string{"192.168.007.0/24", "MN00:1234::/64"},
+				},
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
@@ -2386,55 +2397,224 @@ func TestValidateServiceCIDR(t *testing.T) {
 }
 
 func TestValidateServiceCIDRUpdate(t *testing.T) {
-	oldServiceCIDR := &networking.ServiceCIDR{
+	oldServiceCIDRv4 := &networking.ServiceCIDR{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "mysvc-v4",
+			ResourceVersion: "1",
+		},
+		Spec: networking.ServiceCIDRSpec{
+			CIDRs: []string{"192.168.0.0/24"},
+		},
+	}
+	oldServiceCIDRv6 := &networking.ServiceCIDR{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:            "mysvc",
+			Name:            "mysvc-v6",
+			ResourceVersion: "1",
+		},
+		Spec: networking.ServiceCIDRSpec{
+			CIDRs: []string{"fd00:1234::/64"},
+		},
+	}
+	oldServiceCIDRDual := &networking.ServiceCIDR{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            "mysvc-dual",
 			ResourceVersion: "1",
 		},
 		Spec: networking.ServiceCIDRSpec{
 			CIDRs: []string{"192.168.0.0/24", "fd00:1234::/64"},
 		},
 	}
 
+	// Define expected immutable field error for convenience
+	cidrsPath := field.NewPath("spec").Child("cidrs")
+	cidr0Path := cidrsPath.Index(0)
+	cidr1Path := cidrsPath.Index(1)
+
 	testCases := []struct {
-		name      string
-		svc       func(svc *networking.ServiceCIDR) *networking.ServiceCIDR
-		expectErr bool
+		name         string
+		old          *networking.ServiceCIDR
+		new          *networking.ServiceCIDR
+		expectedErrs field.ErrorList
 	}{
 		{
-			name: "Successful update, no changes",
-			svc: func(svc *networking.ServiceCIDR) *networking.ServiceCIDR {
-				out := svc.DeepCopy()
+			name: "Successful update, no changes (dual)",
+			old:  oldServiceCIDRDual,
+			new:  oldServiceCIDRDual.DeepCopy(),
+		},
+		{
+			name: "Successful update, no changes (v4)",
+			old:  oldServiceCIDRv4,
+			new:  oldServiceCIDRv4.DeepCopy(),
+		},
+		{
+			name: "Successful update, single IPv4 to dual stack upgrade",
+			old:  oldServiceCIDRv4,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv4.DeepCopy()
+				out.Spec.CIDRs = []string{"192.168.0.0/24", "fd00:1234::/64"} // Add IPv6
+				return out
+			}(),
+		},
+		{
+			name: "Successful update, single IPv6 to dual stack upgrade",
+			old:  oldServiceCIDRv6,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv6.DeepCopy()
+				out.Spec.CIDRs = []string{"fd00:1234::/64", "192.168.0.0/24"} // Add IPv4
 				return out
+			}(),
+		},
+		{
+			name: "Failed update, change CIDRs (dual)",
+			old:  oldServiceCIDRDual,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRDual.DeepCopy()
+				out.Spec.CIDRs = []string{"10.0.0.0/16", "fd00:abcd::/64"}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(cidr0Path, "10.0.0.0/16", apimachineryvalidation.FieldImmutableErrorMsg),
+				field.Invalid(cidr1Path, "fd00:abcd::/64", apimachineryvalidation.FieldImmutableErrorMsg),
 			},
-			expectErr: false,
 		},
-
 		{
-			name: "Failed update, update spec.CIDRs single stack",
-			svc: func(svc *networking.ServiceCIDR) *networking.ServiceCIDR {
-				out := svc.DeepCopy()
+			name: "Failed update, change CIDRs (single)",
+			old:  oldServiceCIDRv4,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv4.DeepCopy()
 				out.Spec.CIDRs = []string{"10.0.0.0/16"}
 				return out
-			}, expectErr: true,
+			}(),
+			expectedErrs: field.ErrorList{field.Invalid(cidr0Path, "10.0.0.0/16", apimachineryvalidation.FieldImmutableErrorMsg)},
 		},
 		{
-			name: "Failed update, update spec.CIDRs dual stack",
-			svc: func(svc *networking.ServiceCIDR) *networking.ServiceCIDR {
-				out := svc.DeepCopy()
-				out.Spec.CIDRs = []string{"10.0.0.0/24", "fd00:1234::/64"}
+			name: "Failed update, single IPv4 to dual stack upgrade with primary change",
+			old:  oldServiceCIDRv4,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv4.DeepCopy()
+				// Change primary CIDR during upgrade
+				out.Spec.CIDRs = []string{"10.0.0.0/16", "fd00:1234::/64"}
 				return out
-			}, expectErr: true,
+			}(),
+			expectedErrs: field.ErrorList{field.Invalid(cidr0Path, "10.0.0.0/16", apimachineryvalidation.FieldImmutableErrorMsg)},
+		},
+		{
+			name: "Failed update, single IPv6 to dual stack upgrade with primary change",
+			old:  oldServiceCIDRv6,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv6.DeepCopy()
+				// Change primary CIDR during upgrade
+				out.Spec.CIDRs = []string{"fd00:abcd::/64", "192.168.0.0/24"}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{field.Invalid(cidr0Path, "fd00:abcd::/64", apimachineryvalidation.FieldImmutableErrorMsg)},
+		},
+		{
+			name: "Failed update, dual stack downgrade to single",
+			old:  oldServiceCIDRDual,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRDual.DeepCopy()
+				out.Spec.CIDRs = []string{"192.168.0.0/24"} // Remove IPv6
+				return out
+			}(),
+			expectedErrs: field.ErrorList{field.Invalid(cidrsPath, []string{"192.168.0.0/24"}, apimachineryvalidation.FieldImmutableErrorMsg)},
+		},
+		{
+			name: "Failed update, dual stack reorder",
+			old:  oldServiceCIDRDual,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRDual.DeepCopy()
+				// Swap order
+				out.Spec.CIDRs = []string{"fd00:1234::/64", "192.168.0.0/24"}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(cidr0Path, "fd00:1234::/64", apimachineryvalidation.FieldImmutableErrorMsg),
+				field.Invalid(cidr1Path, "192.168.0.0/24", apimachineryvalidation.FieldImmutableErrorMsg),
+			},
+		},
+		{
+			name: "Failed update, add invalid CIDR during upgrade",
+			old:  oldServiceCIDRv4,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv4.DeepCopy()
+				out.Spec.CIDRs = []string{"192.168.0.0/24", "invalid-cidr"}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{field.Invalid(cidrsPath.Index(1), "invalid-cidr", "must be a valid CIDR value, (e.g. 10.9.8.0/24 or 2001:db8::/64)")},
+		},
+		{
+			name: "Failed update, add duplicate family CIDR during upgrade",
+			old:  oldServiceCIDRv4,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv4.DeepCopy()
+				out.Spec.CIDRs = []string{"192.168.0.0/24", "10.0.0.0/16"}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{field.Invalid(cidrsPath, []string{"192.168.0.0/24", "10.0.0.0/16"}, "may specify no more than one IP for each IP family, i.e 192.168.0.0/24 and 2001:db8::/64")},
+		},
+		{
+			name: "Failed update, dual stack remove one cidr",
+			old:  oldServiceCIDRDual,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRDual.DeepCopy()
+				out.Spec.CIDRs = out.Spec.CIDRs[0:1]
+				return out
+			}(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(cidrsPath, []string{"192.168.0.0/24"}, apimachineryvalidation.FieldImmutableErrorMsg),
+			},
+		},
+		{
+			name: "Failed update, dual stack remove all cidrs",
+			old:  oldServiceCIDRDual,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRDual.DeepCopy()
+				out.Spec.CIDRs = []string{}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(cidrsPath, []string{}, apimachineryvalidation.FieldImmutableErrorMsg),
+			},
+		},
+		{
+			name: "Failed update, single stack remove cidr",
+			old:  oldServiceCIDRv4,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRv4.DeepCopy()
+				out.Spec.CIDRs = []string{}
+				return out
+			}(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(cidrsPath, []string{}, apimachineryvalidation.FieldImmutableErrorMsg),
+			},
+		},
+		{
+			name: "Failed update, add additional cidrs",
+			old:  oldServiceCIDRDual,
+			new: func() *networking.ServiceCIDR {
+				out := oldServiceCIDRDual.DeepCopy()
+				out.Spec.CIDRs = append(out.Spec.CIDRs, "172.16.0.0/24")
+				return out
+			}(),
+			expectedErrs: field.ErrorList{
+				field.Invalid(cidrsPath, []string{"192.168.0.0/24", "fd00:1234::/64", "172.16.0.0/24"}, apimachineryvalidation.FieldImmutableErrorMsg),
+			},
 		},
 	}
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			err := ValidateServiceCIDRUpdate(testCase.svc(oldServiceCIDR), oldServiceCIDR)
-			if !testCase.expectErr && err != nil {
-				t.Errorf("ValidateServiceCIDRUpdate must be successful for test '%s', got %v", testCase.name, err)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Ensure ResourceVersion is set for update validation
+			tc.new.ResourceVersion = tc.old.ResourceVersion
+			errs := ValidateServiceCIDRUpdate(tc.new, tc.old)
+
+			if len(errs) != len(tc.expectedErrs) {
+				t.Fatalf("Expected %d errors, got %d errors: %v", len(tc.expectedErrs), len(errs), errs)
 			}
-			if testCase.expectErr && err == nil {
-				t.Errorf("ValidateServiceCIDRUpdate must return error for test: %s, but got nil", testCase.name)
+			for i, expectedErr := range tc.expectedErrs {
+				if errs[i].Error() != expectedErr.Error() {
+					t.Errorf("Expected error %d: %v, got: %v", i, expectedErr, errs[i])
+				}
 			}
 		})
 	}