Add IngressController .spec.domain API validation

This commit fixes OCPBUGS-55192.

https://issues.redhat.com/browse/OCPBUGS-55192

Add ratcheting validation of the .spec.domain field of ingress controller.

Domain must consist of DNS labels separated by periods, where each label
contains only lowercase alphanumeric characters and hyphens, must start
and end with an alphanumeric character, and must not exceed 63 characters.
The domain must not exceed 253 characters.

As part of the ingressController's implementation, cluster-ingress-operator
always composes the router's canonical hostname from:
`"router-" + ingressController.Name + ingressController.Status.Domain`.
For this reason, the maximum length of the .spec.domain field can vary
based on the ingressController name set by the user (if it is not "default").

Validation of the IC's .spec.domain field introduced by this commit
takes into consideration the actual length of the ingressController.Name,
by adding a CEL validation rule on the IngressController object.

* operator/v1/types_ingress.go
(IngressControllerSpec): Add ratcheting validation of the Domain field.
* operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
Add test cases for the ingress controller .spec.domain field validation

Generated files:
* openapi/openapi.json
* openapi/generated_openapi/zz_generated.openapi.go
* operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml
* operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/SetEIPForNLBIngressController.yaml
* operator/v1/zz_generated.swagger_doc_generated.go

Author: grzpiotrowski

openapi/generated_openapi/zz_generated.openapi.go

@@ -29524,7 +29524,7 @@
           "type": "string"
         },
         "metadata": {
-          "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
+          "description": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata // +kubebuilder:validation:XValidation:rule=\"!has(self.name) || size(self.name) <= 63\",message=\"metadata.name must not exceed 63 characters\"",
           "default": {},
           "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
         },
@@ -29844,7 +29844,7 @@
           "$ref": "#/definitions/io.k8s.api.core.v1.LocalObjectReference"
         },
         "domain": {
-          "description": "domain is a DNS name serviced by the ingress controller and is used to configure multiple features:\n\n* For the LoadBalancerService endpoint publishing strategy, domain is\n  used to configure DNS records. See endpointPublishingStrategy.\n\n* When using a generated default certificate, the certificate will be valid\n  for domain and its subdomains. See defaultCertificate.\n\n* The value is published to individual Route statuses so that end-users\n  know where to target external DNS records.\n\ndomain must be unique among all IngressControllers, and cannot be updated.\n\nIf empty, defaults to ingress.config.openshift.io/cluster .spec.domain.",
+          "description": "domain is a DNS name serviced by the ingress controller and is used to configure multiple features:\n\n* For the LoadBalancerService endpoint publishing strategy, domain is\n  used to configure DNS records. See endpointPublishingStrategy.\n\n* When using a generated default certificate, the certificate will be valid\n  for domain and its subdomains. See defaultCertificate.\n\n* The value is published to individual Route statuses so that end-users\n  know where to target external DNS records.\n\ndomain must be unique among all IngressControllers, and cannot be updated.\n\nIf empty, defaults to ingress.config.openshift.io/cluster .spec.domain.\n\nThe domain value must be a valid DNS name. It must consist of lowercase alphanumeric characters, '-' or '.', and each label must start and end with an alphanumeric character and not exceed 63 characters. Maximum length of a valid DNS domain is 253 characters.\n\nThe implementation may add a prefix such as \"router-default-\" to the domain when constructing the router canonical hostname. To ensure the resulting hostname does not exceed the DNS maximum length of 253 characters, the domain length additionally validated at the IngressController object level.",
           "type": "string"
         },
         "endpointPublishingStrategy": {

openapi/openapi.json

@@ -565,3 +565,152 @@ tests:
           tuningOptions:
             connectTimeout: "4 s"
       expectedError: "IngressController.operator.openshift.io \"default\" is invalid: spec.tuningOptions.connectTimeout: Invalid value: \"4 s\": spec.tuningOptions.connectTimeout in body should match '^(0|([0-9]+(\\.[0-9]+)?(ns|us|µs|μs|ms|s|m|h))+)$'"
+    - name: Should be able to create an IngressController with valid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          domain: "foo.com"
+    - name: Should not be able to create an IngressController with invalid domain
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      expectedError: "domain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+    - name: Should not be able to create an IngressController with domain label exceeding 63 characters
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.this-label-exceeds-63-characters-for-the-purpose-of-testing-the-domain-validation.com"
+      expectedError: "each DNS label must not exceed 63 characters"
+    - name: Should not be able to create the default IngressController with the domain exceeding 253 characters
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: default
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.this-domain.has-exactly-277-characters.for-the-purpose-of-testing.the-domain-length-validation.it-is-an-extraordinarily-long-and-twisted-domain.but-it-would-be-completely-valid.if-not-for-its-gargantuan-length.and-now-there-is-even-more-text.to-go-well-beyond-the-limit.com"
+      expectedError: "Too long: may not be more than 253 bytes"
+    - name: Should not be able to create an IngressController with the canonical domain exceeding 253 characters
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-name-containing-exactly-40-characters
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.this-domain.has-exactly-235-characters.which-on.its-own-would-not-exceed.the-limit-of-253-characters.but-combined-with-the-ingress-controller-name.with-40-characters.and-the-router-dash-prefix.ends-up-as-a-too-long.canonical-domain"
+      expectedError: "The combined 'router-' + IngressController.Name + '.' + .spec.domain cannot exceed 253 characters"
+  onUpdate:
+    - name: Should be able to update invalid domain to a valid domain
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/domain/x-kubernetes-validations
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/domain/maxLength
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "123-foo.com"
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          domain: "123-foo.com"
+    - name: Should not be able to update already invalid domain to another invalid domain
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/domain/x-kubernetes-validations
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/domain/maxLength
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "foo.*.com"
+      expectedError: "domain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+    - name: Should be able to update other fields while retaining invalid domain due to ratcheting
+      initialCRDPatches:
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/domain/x-kubernetes-validations
+        - op: remove
+          path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/domain/maxLength
+      initial: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+      updated: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          domain: "*.foo.com"
+          replicas: 3
+      expected: |
+        apiVersion: operator.openshift.io/v1
+        kind: IngressController
+        metadata:
+          name: ic-spec-domain-test
+          namespace: openshift-ingress-operator
+        spec:
+          httpEmptyRequestsPolicy: Respond
+          idleConnectionTerminationPolicy: Immediate
+          domain: "*.foo.com"
+          replicas: 3

operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml

@@ -35,11 +35,13 @@ import (
 //
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
 // +openshift:compatibility-gen:level=1
+// +kubebuilder:validation:XValidation:rule="!has(self.spec.domain) || size('router-' + self.metadata.name + '.' + self.spec.domain) <= 253",message="The combined 'router-' + IngressController.Name + '.' + .spec.domain cannot exceed 253 characters"
 type IngressController struct {
 	metav1.TypeMeta `json:",inline"`
 
 	// metadata is the standard object's metadata.
 	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	// // +kubebuilder:validation:XValidation:rule="!has(self.name) || size(self.name) <= 63",message="metadata.name must not exceed 63 characters"
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
 	// spec is the specification of the desired behavior of the IngressController.
@@ -68,6 +70,20 @@ type IngressControllerSpec struct {
 	//
 	// If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
 	//
+	// The domain value must be a valid DNS name. It must consist of lowercase
+	// alphanumeric characters, '-' or '.', and each label must start and end
+	// with an alphanumeric character and not exceed 63 characters. Maximum
+	// length of a valid DNS domain is 253 characters.
+	//
+	// The implementation may add a prefix such as "router-default-" to the domain
+	// when constructing the router canonical hostname. To ensure the resulting
+	// hostname does not exceed the DNS maximum length of 253 characters,
+	// the domain length additionally validated at the IngressController object
+	// level.
+	//
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="domain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
+	// +kubebuilder:validation:XValidation:rule="self.split('.').all(label, !format.dns1123Label().validate(label).hasValue())",message="each DNS label must not exceed 63 characters"
 	// +optional
 	Domain string `json:"domain,omitempty"`
 

operator/v1/types_ingress.go

@@ -164,7 +164,25 @@ spec:
                   updated.
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
+
+                  The domain value must be a valid DNS name. It must consist of lowercase
+                  alphanumeric characters, '-' or '.', and each label must start and end
+                  with an alphanumeric character and not exceed 63 characters. Maximum
+                  length of a valid DNS domain is 253 characters.
+
+                  The implementation may add a prefix such as "router-default-" to the domain
+                  when constructing the router canonical hostname. To ensure the resulting
+                  hostname does not exceed the DNS maximum length of 253 characters,
+                  the domain length additionally validated at the IngressController object
+                  level.
+                maxLength: 253
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lower case alphanumeric characters,
+                    '-' or '.', and must start and end with an alphanumeric character
+                  rule: '!format.dns1123Subdomain().validate(self).hasValue()'
+                - message: each DNS label must not exceed 63 characters
+                  rule: self.split('.').all(label, !format.dns1123Label().validate(label).hasValue())
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
@@ -3234,6 +3252,11 @@ spec:
                 type: object
             type: object
         type: object
+        x-kubernetes-validations:
+        - message: The combined 'router-' + IngressController.Name + '.' + .spec.domain
+            cannot exceed 253 characters
+          rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name +
+            ''.'' + self.spec.domain) <= 253'
     served: true
     storage: true
     subresources:

operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers.crd.yaml

@@ -165,7 +165,25 @@ spec:
                   updated.
 
                   If empty, defaults to ingress.config.openshift.io/cluster .spec.domain.
+
+                  The domain value must be a valid DNS name. It must consist of lowercase
+                  alphanumeric characters, '-' or '.', and each label must start and end
+                  with an alphanumeric character and not exceed 63 characters. Maximum
+                  length of a valid DNS domain is 253 characters.
+
+                  The implementation may add a prefix such as "router-default-" to the domain
+                  when constructing the router canonical hostname. To ensure the resulting
+                  hostname does not exceed the DNS maximum length of 253 characters,
+                  the domain length additionally validated at the IngressController object
+                  level.
+                maxLength: 253
                 type: string
+                x-kubernetes-validations:
+                - message: domain must consist of lower case alphanumeric characters,
+                    '-' or '.', and must start and end with an alphanumeric character
+                  rule: '!format.dns1123Subdomain().validate(self).hasValue()'
+                - message: each DNS label must not exceed 63 characters
+                  rule: self.split('.').all(label, !format.dns1123Label().validate(label).hasValue())
               endpointPublishingStrategy:
                 description: |-
                   endpointPublishingStrategy is used to publish the ingress controller
@@ -3101,6 +3119,11 @@ spec:
                 type: object
             type: object
         type: object
+        x-kubernetes-validations:
+        - message: The combined 'router-' + IngressController.Name + '.' + .spec.domain
+            cannot exceed 253 characters
+          rule: '!has(self.spec.domain) || size(''router-'' + self.metadata.name +
+            ''.'' + self.spec.domain) <= 253'
     served: true
     storage: true
     subresources: