fix: validates CONTROL_PLANE_ENDPOINT_IP and NUTANIX_ENDPOINT are distinct

Author: manoj-nutanix

api/v1alpha1/common_types.go

@@ -77,3 +77,15 @@ type LocalObjectReference struct {
 	// +kubebuilder:validation:MinLength=1
 	Name string `json:"name"`
 }
+
+func (s ControlPlaneEndpointSpec) ControlPlaneEndpointIP() string {
+	// If specified, use the virtual IP address and/or port,
+	// otherwise fall back to the control plane endpoint host and port.
+	if s.VirtualIPSpec != nil &&
+		s.VirtualIPSpec.Configuration != nil &&
+		s.VirtualIPSpec.Configuration.Address != "" {
+		return s.VirtualIPSpec.Configuration.Address
+	}
+
+	return s.Host
+}

api/v1alpha1/common_types_test.go

@@ -0,0 +1,67 @@
+// Copyright 2023 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestControlPlaneEndpointIP(t *testing.T) {
+	tests := []struct {
+		name     string
+		spec     ControlPlaneEndpointSpec
+		expected string
+	}{
+		{
+			name: "Virtual IP specified",
+			spec: ControlPlaneEndpointSpec{
+				VirtualIPSpec: &ControlPlaneVirtualIPSpec{
+					Configuration: &ControlPlaneVirtualIPConfiguration{
+						Address: "192.168.1.1",
+					},
+				},
+				Host: "192.168.1.2",
+			},
+			expected: "192.168.1.1",
+		},
+		{
+			name: "VirtualIPSpec struct not specified",
+			spec: ControlPlaneEndpointSpec{
+				VirtualIPSpec: nil,
+				Host:          "192.168.1.2",
+			},
+			expected: "192.168.1.2",
+		},
+		{
+			name: "ControlPlaneVirtualIPConfiguration struct not specified",
+			spec: ControlPlaneEndpointSpec{
+				VirtualIPSpec: &ControlPlaneVirtualIPSpec{
+					Configuration: nil,
+				},
+				Host: "192.168.1.2",
+			},
+			expected: "192.168.1.2",
+		},
+		{
+			name: "Virtual IP specified as empty string",
+			spec: ControlPlaneEndpointSpec{
+				VirtualIPSpec: &ControlPlaneVirtualIPSpec{
+					Configuration: &ControlPlaneVirtualIPConfiguration{
+						Address: "",
+					},
+				},
+				Host: "192.168.1.2",
+			},
+			expected: "192.168.1.2",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.spec.ControlPlaneEndpointIP()
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

pkg/webhook/cluster/nutanix_validator.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 
 	v1 "k8s.io/api/admission/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
@@ -69,15 +70,23 @@ func (a *nutanixValidator) validate(
 		)
 	}
 
-	if clusterConfig.Nutanix != nil &&
-		clusterConfig.Addons != nil {
-		// Check if Prism Central IP is in MetalLB Load Balancer IP range.
-		if err := checkIfPrismCentralIPInLoadBalancerIPRange(
+	if clusterConfig.Nutanix != nil {
+		if err := checkIfPrismCentralAndControlPlaneIPSame(
 			clusterConfig.Nutanix.PrismCentralEndpoint,
-			clusterConfig.Addons.ServiceLoadBalancer,
+			clusterConfig.Nutanix.ControlPlaneEndpoint,
 		); err != nil {
 			return admission.Denied(err.Error())
 		}
+
+		if clusterConfig.Addons != nil {
+			// Check if Prism Central IP is in MetalLB Load Balancer IP range.
+			if err := checkIfPrismCentralIPInLoadBalancerIPRange(
+				clusterConfig.Nutanix.PrismCentralEndpoint,
+				clusterConfig.Addons.ServiceLoadBalancer,
+			); err != nil {
+				return admission.Denied(err.Error())
+			}
+		}
 	}
 
 	return admission.Allowed("")
@@ -125,3 +134,35 @@ func checkIfPrismCentralIPInLoadBalancerIPRange(
 
 	return nil
 }
+
+// checkIfPrismCentralAndControlPlaneIPSame checks if Prism Central and Control Plane IP are same.
+// It compares strictly IP addresses(no FQDN) and doesn't involve any network calls.
+// This is a temporary check until we have a better way to handle this by reserving IPs
+// using IPAM provider.
+func checkIfPrismCentralAndControlPlaneIPSame(
+	pcEndpoint v1alpha1.NutanixPrismCentralEndpointSpec,
+	controlPlaneEndpointSpec v1alpha1.ControlPlaneEndpointSpec,
+) error {
+	controlPlaneEndpointIP, err := netip.ParseAddr(
+		controlPlaneEndpointSpec.ControlPlaneEndpointIP(),
+	)
+	if err != nil {
+		// controlPlaneEndpointIP is strictly accepted as an IP address from user so
+		// if it is not an IP address, it is invalid.
+		return fmt.Errorf("invalid Nutanix control plane endpoint IP: %w", err)
+	}
+
+	pcHostname, _, err := pcEndpoint.ParseURL()
+	if err != nil {
+		return err
+	}
+
+	pcIP, err := netip.ParseAddr(pcHostname)
+	// PC URL can contain IP/FQDN, so compare only if PC is an IP address i.e. error is nil.
+	if err == nil && pcIP.Compare(controlPlaneEndpointIP) == 0 {
+		return fmt.Errorf("prism central and control plane endpoint cannot have the same IP %q",
+			pcIP.String())
+	}
+
+	return nil
+}

pkg/webhook/cluster/nutanix_validator_test.go

@@ -112,3 +112,121 @@ func TestCheckIfPrismCentralIPInLoadBalancerIPRange(t *testing.T) {
 		})
 	}
 }
+
+func TestCheckIfPrismCentralAndControlPlaneIPSame(t *testing.T) {
+	tests := []struct {
+		name                     string
+		pcEndpoint               v1alpha1.NutanixPrismCentralEndpointSpec
+		controlPlaneEndpointSpec v1alpha1.ControlPlaneEndpointSpec
+		expectedErr              error
+	}{
+		{
+			name: "Different IPs",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "https://192.168.1.1:9440",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "192.168.1.2",
+			},
+			expectedErr: nil,
+		},
+		{
+			name: "Same IPs",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "https://192.168.1.1:9440",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "192.168.1.1",
+			},
+			expectedErr: fmt.Errorf(
+				"prism central and control plane endpoint cannot have the same IP %q",
+				"192.168.1.1",
+			),
+		},
+		{
+			name: "Invalid Control Plane IP",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "https://192.168.1.1:9440",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "invalid-ip",
+			},
+			expectedErr: fmt.Errorf(
+				"invalid Nutanix control plane endpoint IP: ParseAddr(%q): unable to parse IP",
+				"invalid-ip",
+			),
+		},
+		{
+			name: "Invalid Prism Central URL",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "invalid-url",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "192.168.1.2",
+			},
+			expectedErr: fmt.Errorf(
+				"error parsing Prism Central URL: parse %q: invalid URI for request",
+				"invalid-url",
+			),
+		},
+		{
+			name: "Prism Central URL is FQDN",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "https://example.com:9440",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "192.168.1.2",
+			},
+			expectedErr: nil,
+		},
+		{
+			name: "With KubeVIP ovveride and same PC and Control Plane IPs",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "https://192.168.1.1:9440",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "192.168.1.2",
+				VirtualIPSpec: &v1alpha1.ControlPlaneVirtualIPSpec{
+					Provider: "KubeVIP",
+					Configuration: &v1alpha1.ControlPlaneVirtualIPConfiguration{
+						Address: "192.168.1.1",
+					},
+				},
+			},
+			expectedErr: fmt.Errorf(
+				"prism central and control plane endpoint cannot have the same IP %q",
+				"192.168.1.1",
+			),
+		},
+		{
+			name: "With KubeVIP ovveride and different PC and Control Plane IPs",
+			pcEndpoint: v1alpha1.NutanixPrismCentralEndpointSpec{
+				URL: "https://192.168.1.2:9440",
+			},
+			controlPlaneEndpointSpec: v1alpha1.ControlPlaneEndpointSpec{
+				Host: "192.168.1.2",
+				VirtualIPSpec: &v1alpha1.ControlPlaneVirtualIPSpec{
+					Provider: "KubeVIP",
+					Configuration: &v1alpha1.ControlPlaneVirtualIPConfiguration{
+						Address: "192.168.1.1",
+					},
+				},
+			},
+			expectedErr: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := checkIfPrismCentralAndControlPlaneIPSame(
+				tt.pcEndpoint,
+				tt.controlPlaneEndpointSpec,
+			)
+			if tt.expectedErr != nil {
+				assert.Equal(t, tt.expectedErr.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}