Add image validation for opestack machine

smoshiur1237 · smoshiur1237 · commit ee2a77b66652 · 2025-08-26T13:06:55.000+03:00
Signed-off-by: smoshiur1237 &lt;moshiur.rahman@est.tech&gt;
diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
 
 	"sigs.k8s.io/cluster-api-provider-openstack/pkg/utils/optional"
@@ -75,6 +76,24 @@ func (f *ImageFilter) IsZero() bool {
 	return f.Name == nil && len(f.Tags) == 0
 }
 
+// Validate performs validation on [ImageParam], returning a list of field errors using the provided base path.
+// It is intended to be used in the validation webhooks of resources containing [ImageParam].
+func (i *ImageParam) Validate(base field.Path) field.ErrorList {
+	var errors field.ErrorList
+	// Not possible to validate the image if it is missing
+	if i == nil {
+		errors = append(errors, field.Required(&base, "image is required"))
+		return errors
+	}
+	if i.Filter.Name == nil || i.Filter.Tags == nil {
+		errors = append(errors, field.Required(base.Child("Image filter"), "either name or tags of image are missing"))
+	}
+	if i.ImageRef.Name == "" {
+		errors = append(errors, field.Required(base.Child("ORC image Referecne"), "Orc image is missing"))
+	}
+	return errors
+}
+
 type ExternalRouterIPParam struct {
 	// The FixedIP in the corresponding subnet
 	FixedIP string `json:"fixedIP,omitempty"`
diff --git a/pkg/webhooks/openstackmachine_webhook.go b/pkg/webhooks/openstackmachine_webhook.go
@@ -48,7 +48,7 @@ type openStackMachineWebhook struct{}
 var _ webhook.CustomValidator = &openStackMachineWebhook{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackMachineWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackMachineWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {
 	var allErrs field.ErrorList
 	newObj, err := castToOpenStackMachine(objRaw)
 	if err != nil {
@@ -67,13 +67,14 @@ func (*openStackMachineWebhook) ValidateCreate(_ context.Context, objRaw runtime
 		if ptr.Deref(port.DisablePortSecurity, false) && len(port.SecurityGroups) > 0 {
 			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "ports"), "cannot have security groups when DisablePortSecurity is set to true"))
 		}
+		//return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
 	}
 
-	return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
+	return nil, webhook.validate(newObj)
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackMachineWebhook) ValidateUpdate(_ context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackMachineWebhook) ValidateUpdate(_ context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {
 	newObj, err := castToOpenStackMachine(newObjRaw)
 	if err != nil {
 		return nil, err
@@ -115,13 +116,14 @@ func (*openStackMachineWebhook) ValidateUpdate(_ context.Context, oldObjRaw, new
 
 	if !reflect.DeepEqual(oldOpenStackMachineSpec, newOpenStackMachineSpec) {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "cannot be modified"))
+		//return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
 	}
 
-	return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
+	return nil, webhook.validate(newObj)
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackMachineWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackMachineWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
@@ -132,3 +134,14 @@ func castToOpenStackMachine(obj runtime.Object) (*infrav1.OpenStackMachine, erro
 	}
 	return cast, nil
 }
+
+func (webhook *openStackMachineWebhook) validate(newObj *infrav1.OpenStackMachine) error {
+	var allErrs field.ErrorList
+
+	allErrs = append(allErrs, newObj.Spec.Image.Validate(*field.NewPath("Spec", "Image"))...)
+
+	if len(allErrs) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(infrav1.SchemeGroupVersion.WithKind("OpenStackMachine").GroupKind(), newObj.Name, allErrs)
+}
diff --git a/pkg/webhooks/openstackmachinetemplate_webhook.go b/pkg/webhooks/openstackmachinetemplate_webhook.go
@@ -48,7 +48,7 @@ type openStackMachineTemplateWebhook struct{}
 var _ webhook.CustomValidator = &openStackMachineTemplateWebhook{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackMachineTemplateWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackMachineTemplateWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {
 	newObj, err := castToOpenStackMachineTemplate(objRaw)
 	if err != nil {
 		return nil, err
@@ -58,13 +58,14 @@ func (*openStackMachineTemplateWebhook) ValidateCreate(_ context.Context, objRaw
 
 	if newObj.Spec.Template.Spec.ProviderID != nil {
 		allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "template", "spec", "providerID"), "cannot be set in templates"))
+		//return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
 	}
 
-	return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
+	return nil, webhook.validate(newObj)
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackMachineTemplateWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackMachineTemplateWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {
 	var allErrs field.ErrorList
 	oldObj, err := castToOpenStackMachineTemplate(oldObjRaw)
 	if err != nil {
@@ -86,13 +87,14 @@ func (*openStackMachineTemplateWebhook) ValidateUpdate(ctx context.Context, oldO
 		allErrs = append(allErrs,
 			field.Invalid(field.NewPath("spec", "template", "spec"), newObj.Spec.Template.Spec, "OpenStackMachineTemplate spec.template.spec field is immutable. Please create a new resource instead. Ref doc: https://cluster-api.sigs.k8s.io/tasks/change-machine-template.html"),
 		)
+		//return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
 	}
 
-	return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
+	return nil, webhook.validate(newObj)
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackMachineTemplateWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackMachineTemplateWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
@@ -103,3 +105,14 @@ func castToOpenStackMachineTemplate(obj runtime.Object) (*infrav1.OpenStackMachi
 	}
 	return cast, nil
 }
+
+func (webhook *openStackMachineTemplateWebhook) validate(newObj *infrav1.OpenStackMachineTemplate) error {
+	var allErrs field.ErrorList
+
+	allErrs = append(allErrs, newObj.Spec.Template.Spec.Image.Validate(*field.NewPath("Spec", "Template", "Spec", "Image"))...)
+
+	if len(allErrs) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(infrav1.SchemeGroupVersion.WithKind("OpenStackMachineTemplate").GroupKind(), newObj.Name, allErrs)
+}
diff --git a/pkg/webhooks/openstackserver_webhook.go b/pkg/webhooks/openstackserver_webhook.go
@@ -50,7 +50,7 @@ type openStackServerWebhook struct{}
 var _ webhook.CustomValidator = &openStackServerWebhook{}
 
 // ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackServerWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackServerWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {
 	var allErrs field.ErrorList
 	newObj, err := castToOpenStackServer(objRaw)
 	if err != nil {
@@ -69,13 +69,14 @@ func (*openStackServerWebhook) ValidateCreate(_ context.Context, objRaw runtime.
 		if ptr.Deref(port.DisablePortSecurity, false) && len(port.SecurityGroups) > 0 {
 			allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "ports"), "cannot have security groups when DisablePortSecurity is set to true"))
 		}
+		//return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
 	}
 
-	return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
+	return nil, webhook.validate(newObj)
 }
 
 // ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackServerWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackServerWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {
 	oldObj, err := castToOpenStackServer(oldObjRaw)
 	if err != nil {
 		return nil, err
@@ -118,13 +119,14 @@ func (*openStackServerWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, ne
 		allErrs = append(allErrs,
 			field.Forbidden(field.NewPath("spec"), "OpenStackServer spec field is immutable. Please create a new resource instead."),
 		)
+		//return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
 	}
 
-	return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)
+	return nil, webhook.validate(newObj)
 }
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.
-func (*openStackServerWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+func (webhook *openStackServerWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
 
@@ -135,3 +137,14 @@ func castToOpenStackServer(obj runtime.Object) (*infrav1alpha1.OpenStackServer,
 	}
 	return cast, nil
 }
+
+func (webhook *openStackServerWebhook) validate(newObj *infrav1alpha1.OpenStackServer) error {
+	var allErrs field.ErrorList
+
+	allErrs = append(allErrs, newObj.Spec.Image.Validate(*field.NewPath("Spec", "Image"))...)
+
+	if len(allErrs) == 0 {
+		return nil
+	}
+	return apierrors.NewInvalid(infrav1.SchemeGroupVersion.WithKind("OpenStackServer").GroupKind(), newObj.Name, allErrs)
+}

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ type openStackServerWebhook struct{}`
`50`	`50`	`var _ webhook.CustomValidator = &openStackServerWebhook{}`
`51`	`51`
`52`	`52`	`// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type.`
`53`		`-func (*openStackServerWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {`
	`53`	`+func (webhook *openStackServerWebhook) ValidateCreate(_ context.Context, objRaw runtime.Object) (admission.Warnings, error) {`
`54`	`54`	`var allErrs field.ErrorList`
`55`	`55`	`newObj, err := castToOpenStackServer(objRaw)`
`56`	`56`	`if err != nil {`
`@@ -69,13 +69,14 @@ func (*openStackServerWebhook) ValidateCreate(_ context.Context, objRaw runtime.`
`69`	`69`	`if ptr.Deref(port.DisablePortSecurity, false) && len(port.SecurityGroups) > 0 {`
`70`	`70`	`allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "ports"), "cannot have security groups when DisablePortSecurity is set to true"))`
`71`	`71`	`}`
	`72`	`+ //return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)`
`72`	`73`	`}`
`73`	`74`
`74`		`- return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)`
	`75`	`+ return nil, webhook.validate(newObj)`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type.`
`78`		`-func (*openStackServerWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {`
	`79`	`+func (webhook *openStackServerWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, newObjRaw runtime.Object) (admission.Warnings, error) {`
`79`	`80`	`oldObj, err := castToOpenStackServer(oldObjRaw)`
`80`	`81`	`if err != nil {`
`81`	`82`	`return nil, err`
`@@ -118,13 +119,14 @@ func (*openStackServerWebhook) ValidateUpdate(ctx context.Context, oldObjRaw, ne`
`118`	`119`	`allErrs = append(allErrs,`
`119`	`120`	`field.Forbidden(field.NewPath("spec"), "OpenStackServer spec field is immutable. Please create a new resource instead."),`
`120`	`121`	`)`
	`122`	`+ //return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)`
`121`	`123`	`}`
`122`	`124`
`123`		`- return aggregateObjErrors(newObj.GroupVersionKind().GroupKind(), newObj.Name, allErrs)`
	`125`	`+ return nil, webhook.validate(newObj)`
`124`	`126`	`}`
`125`	`127`
`126`	`128`	`// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type.`
`127`		`-func (*openStackServerWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {`
	`129`	`+func (webhook *openStackServerWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {`
`128`	`130`	`return nil, nil`
`129`	`131`	`}`
`130`	`132`
`@@ -135,3 +137,14 @@ func castToOpenStackServer(obj runtime.Object) (*infrav1alpha1.OpenStackServer,`
`135`	`137`	`}`
`136`	`138`	`return cast, nil`
`137`	`139`	`}`
	`140`	`+`
	`141`	`+func (webhook openStackServerWebhook) validate(newObj infrav1alpha1.OpenStackServer) error {`
	`142`	`+ var allErrs field.ErrorList`
	`143`	`+`
	`144`	`+ allErrs = append(allErrs, newObj.Spec.Image.Validate(*field.NewPath("Spec", "Image"))...)`
	`145`	`+`
	`146`	`+ if len(allErrs) == 0 {`
	`147`	`+ return nil`
	`148`	`+ }`
	`149`	`+ return apierrors.NewInvalid(infrav1.SchemeGroupVersion.WithKind("OpenStackServer").GroupKind(), newObj.Name, allErrs)`
	`150`	`+}`