Add webhook warning for missing ClusterClass

Signed-off-by: killianmuldoon <[email protected]>

Author: killianmuldoon

internal/webhooks/cluster.go

@@ -139,6 +139,7 @@ func (webhook *Cluster) ValidateDelete(_ context.Context, _ runtime.Object) (adm
 
 func (webhook *Cluster) validate(ctx context.Context, oldCluster, newCluster *clusterv1.Cluster) (admission.Warnings, error) {
 	var allErrs field.ErrorList
+	var allWarnings admission.Warnings
 	// The Cluster name is used as a label value. This check ensures that names which are not valid label values are rejected.
 	if errs := validation.IsValidLabelValue(newCluster.Name); len(errs) != 0 {
 		for _, err := range errs {
@@ -191,7 +192,9 @@ func (webhook *Cluster) validate(ctx context.Context, oldCluster, newCluster *cl
 
 	// Validate the managed topology, if defined.
 	if newCluster.Spec.Topology != nil {
-		allErrs = append(allErrs, webhook.validateTopology(ctx, oldCluster, newCluster, topologyPath)...)
+		topologyWarnings, topologyErrs := webhook.validateTopology(ctx, oldCluster, newCluster, topologyPath)
+		allWarnings = append(allWarnings, topologyWarnings...)
+		allErrs = append(allErrs, topologyErrs...)
 	}
 
 	// On update.
@@ -206,16 +209,18 @@ func (webhook *Cluster) validate(ctx context.Context, oldCluster, newCluster *cl
 	}
 
 	if len(allErrs) > 0 {
-		return nil, apierrors.NewInvalid(clusterv1.GroupVersion.WithKind("Cluster").GroupKind(), newCluster.Name, allErrs)
+		return allWarnings, apierrors.NewInvalid(clusterv1.GroupVersion.WithKind("Cluster").GroupKind(), newCluster.Name, allErrs)
 	}
-	return nil, nil
+	return allWarnings, nil
 }
 
-func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newCluster *clusterv1.Cluster, fldPath *field.Path) field.ErrorList {
+func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newCluster *clusterv1.Cluster, fldPath *field.Path) (admission.Warnings, field.ErrorList) {
+	var allWarnings admission.Warnings
+
 	// NOTE: ClusterClass and managed topologies are behind ClusterTopology feature gate flag; the web hook
 	// must prevent the usage of Cluster.Topology in case the feature flag is disabled.
 	if !feature.Gates.Enabled(feature.ClusterTopology) {
-		return field.ErrorList{
+		return allWarnings, field.ErrorList{
 			field.Forbidden(
 				fldPath,
 				"can be set only if the ClusterTopology feature flag is enabled",
@@ -234,6 +239,8 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 				"class cannot be empty",
 			),
 		)
+		// Return early if there is no defined class to validate.
+		return allWarnings, allErrs
 	}
 
 	// version should be valid.
@@ -268,18 +275,11 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 	}
 
 	// Get the ClusterClass referenced in the Cluster.
-	clusterClass, clusterClassPollErr := webhook.pollClusterClassForCluster(ctx, newCluster)
-	if clusterClassPollErr != nil &&
-		// If the error is anything other than "NotFound" or "NotReconciled" return all errors at this point.
-		!(apierrors.IsNotFound(clusterClassPollErr) || errors.Is(clusterClassPollErr, errClusterClassNotReconciled)) {
-		allErrs = append(
-			allErrs, field.InternalError(
-				fldPath.Child("class"),
-				clusterClassPollErr))
-		return allErrs
-	}
+	clusterClass, warnings, clusterClassPollErr := webhook.validateClusterClassExistsAndIsReconciled(ctx, newCluster)
+	allWarnings = append(allWarnings, warnings...)
+
+	// If there's no error validate the Cluster based on the ClusterClass.
 	if clusterClassPollErr == nil {
-		// If there's no error validate the Cluster based on the ClusterClass.
 		allErrs = append(allErrs, ValidateClusterForClusterClass(newCluster, clusterClass)...)
 	}
 	if oldCluster != nil { // On update
@@ -290,13 +290,13 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 				allErrs, field.InternalError(
 					fldPath.Child("class"),
 					clusterClassPollErr))
-			return allErrs
+			return allWarnings, allErrs
 		}
 
 		// Topology or Class can not be added on update unless ClusterTopologyUnsafeUpdateClassNameAnnotation is set.
 		if oldCluster.Spec.Topology == nil || oldCluster.Spec.Topology.Class == "" {
 			if _, ok := newCluster.Annotations[clusterv1.ClusterTopologyUnsafeUpdateClassNameAnnotation]; ok {
-				return allErrs
+				return allWarnings, allErrs
 			}
 
 			allErrs = append(
@@ -307,7 +307,7 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 				),
 			)
 			// return early here if there is no class to compare.
-			return allErrs
+			return allWarnings, allErrs
 		}
 
 		// Version could only be increased.
@@ -372,14 +372,14 @@ func (webhook *Cluster) validateTopology(ctx context.Context, oldCluster, newClu
 							oldCluster.Spec.Topology.Class, newCluster.Spec.Topology.Class)))
 
 				// Return early with errors if the ClusterClass can't be retrieved.
-				return allErrs
+				return allWarnings, allErrs
 			}
 
 			// Check if the new and old ClusterClasses are compatible with one another.
 			allErrs = append(allErrs, check.ClusterClassesAreCompatible(oldClusterClass, clusterClass)...)
 		}
 	}
-	return allErrs
+	return allWarnings, allErrs
 }
 
 func validateMachineHealthChecks(cluster *clusterv1.Cluster, clusterClass *clusterv1.ClusterClass) field.ErrorList {
@@ -551,11 +551,29 @@ func ValidateClusterForClusterClass(cluster *clusterv1.Cluster, clusterClass *cl
 	return allErrs
 }
 
+// validateClusterClassExistsAndIsReconciled will try to get the ClusterClass referenced in the Cluster. If it does not exist or is not reconciled it will add a warning.
+// In any other case it will return an error.
+func (webhook *Cluster) validateClusterClassExistsAndIsReconciled(ctx context.Context, newCluster *clusterv1.Cluster) (*clusterv1.ClusterClass, admission.Warnings, error) {
+	var allWarnings admission.Warnings
+	clusterClass, clusterClassPollErr := webhook.pollClusterClassForCluster(ctx, newCluster)
+	if clusterClassPollErr != nil {
+		// Add a warning if the Class does not exist or if it has not been successfully reconciled.
+		switch {
+		case apierrors.IsNotFound(clusterClassPollErr):
+			allWarnings = append(allWarnings,
+				fmt.Sprintf("Cluster specifies ClusterClass %s in the topology but it does not exist. Cluster variables have not been fully validated. The ClusterClass must be created to reconcile the Cluster", newCluster.Spec.Topology.Class))
+		case errors.Is(clusterClassPollErr, errClusterClassNotReconciled):
+			allWarnings = append(allWarnings,
+				fmt.Sprintf("Cluster specifies ClusterClass %s in `topology.spec.class` but it has not successfully been reconciled. Cluster variables have not been fully validated.", newCluster.Spec.Topology.Class))
+		}
+	}
+	return clusterClass, allWarnings, clusterClassPollErr
+}
+
 // pollClusterClassForCluster will retry getting the ClusterClass referenced in the Cluster for two seconds.
 func (webhook *Cluster) pollClusterClassForCluster(ctx context.Context, cluster *clusterv1.Cluster) (*clusterv1.ClusterClass, error) {
 	clusterClass := &clusterv1.ClusterClass{}
 	var clusterClassPollErr error
-	// TODO: Add a webhook warning if the ClusterClass is not up to date or not found.
 	_ = wait.PollUntilContextTimeout(ctx, 200*time.Millisecond, 2*time.Second, true, func(ctx context.Context) (bool, error) {
 		if clusterClassPollErr = webhook.Client.Get(ctx, client.ObjectKey{Namespace: cluster.Namespace, Name: cluster.Spec.Topology.Class}, clusterClass); clusterClassPollErr != nil {
 			return false, nil //nolint:nilerr

internal/webhooks/cluster_test.go

@@ -1004,7 +1004,8 @@ func TestClusterValidation(t *testing.T) {
 			// Create the webhook.
 			webhook := &Cluster{}
 
-			_, err := webhook.validate(ctx, tt.old, tt.in)
+			warnings, err := webhook.validate(ctx, tt.old, tt.in)
+			g.Expect(warnings).To(BeNil())
 			if tt.expectErr {
 				g.Expect(err).To(HaveOccurred())
 				return
@@ -1268,7 +1269,8 @@ func TestClusterTopologyValidation(t *testing.T) {
 			// Create the webhook and add the fakeClient as its client. This is required because the test uses a Managed Topology.
 			webhook := &Cluster{Client: fakeClient}
 
-			_, err := webhook.validate(ctx, tt.old, tt.in)
+			warnings, err := webhook.validate(ctx, tt.old, tt.in)
+			g.Expect(warnings).To(BeNil())
 			if tt.expectErr {
 				g.Expect(err).To(HaveOccurred())
 				return
@@ -1284,11 +1286,13 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 	g := NewWithT(t)
 
 	tests := []struct {
-		name    string
-		cluster *clusterv1.Cluster
-		class   *clusterv1.ClusterClass
-		objects []client.Object
-		wantErr bool
+		name            string
+		cluster         *clusterv1.Cluster
+		class           *clusterv1.ClusterClass
+		classReconciled bool
+		objects         []client.Object
+		wantErr         bool
+		wantWarnings    bool
 	}{
 		{
 			name: "Accept a cluster with an existing ClusterClass named in cluster.spec.topology.class",
@@ -1302,10 +1306,11 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 				Build(),
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				Build(),
-			wantErr: false,
+			classReconciled: true,
+			wantErr:         false,
 		},
 		{
-			name: "Accept a cluster with non-existent ClusterClass referenced cluster.spec.topology.class",
+			name: "Warning for a cluster with non-existent ClusterClass referenced cluster.spec.topology.class",
 			cluster: builder.Cluster(metav1.NamespaceDefault, "cluster1").
 				WithTopology(
 					builder.ClusterTopology().
@@ -1316,7 +1321,26 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 				Build(),
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				Build(),
-			wantErr: false,
+			// There should be a warning for a ClusterClass which can not be found.
+			wantWarnings: true,
+			wantErr:      false,
+		},
+		{
+			name: "Warning for a cluster with an unreconciled ClusterClass named in cluster.spec.topology.class",
+			cluster: builder.Cluster(metav1.NamespaceDefault, "cluster1").
+				WithTopology(
+					builder.ClusterTopology().
+						WithClass("clusterclass").
+						WithVersion("v1.22.2").
+						WithControlPlaneReplicas(3).
+						Build()).
+				Build(),
+			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
+				Build(),
+			classReconciled: false,
+			// There should be a warning for a ClusterClass which is not yet reconciled.
+			wantWarnings: true,
+			wantErr:      false,
 		},
 		{
 			name: "Reject a cluster that has MHC enabled for control plane but is missing MHC definition in cluster topology and clusterclass",
@@ -1333,7 +1357,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 				Build(),
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				Build(),
-			wantErr: true,
+			classReconciled: true,
+			wantErr:         true,
 		},
 		{
 			name: "Reject a cluster that MHC override defined for control plane but is missing unhealthy conditions",
@@ -1352,7 +1377,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 				Build(),
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				Build(),
-			wantErr: true,
+			classReconciled: true,
+			wantErr:         true,
 		},
 		{
 			name: "Reject a cluster that MHC override defined for control plane but is set when control plane is missing machineInfrastructure",
@@ -1376,7 +1402,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 				Build(),
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				Build(),
-			wantErr: true,
+			classReconciled: true,
+			wantErr:         true,
 		},
 		{
 			name: "Accept a cluster that has MHC enabled for control plane with control plane MHC defined in ClusterClass",
@@ -1394,7 +1421,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				WithControlPlaneMachineHealthCheck(&clusterv1.MachineHealthCheckClass{}).
 				Build(),
-			wantErr: false,
+			classReconciled: true,
+			wantErr:         false,
 		},
 		{
 			name: "Accept a cluster that has MHC enabled for control plane with control plane MHC defined in cluster topology",
@@ -1420,7 +1448,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 			class: builder.ClusterClass(metav1.NamespaceDefault, "clusterclass").
 				WithControlPlaneInfrastructureMachineTemplate(&unstructured.Unstructured{}).
 				Build(),
-			wantErr: false,
+			classReconciled: true,
+			wantErr:         false,
 		},
 		{
 			name: "Reject a cluster that has MHC enabled for machine deployment but is missing MHC definition in cluster topology and ClusterClass",
@@ -1445,7 +1474,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 					*builder.MachineDeploymentClass("worker-class").Build(),
 				).
 				Build(),
-			wantErr: true,
+			classReconciled: true,
+			wantErr:         true,
 		},
 		{
 			name: "Reject a cluster that has MHC override defined for machine deployment but is missing unhealthy conditions",
@@ -1472,7 +1502,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 					*builder.MachineDeploymentClass("worker-class").Build(),
 				).
 				Build(),
-			wantErr: true,
+			classReconciled: true,
+			wantErr:         true,
 		},
 		{
 			name: "Accept a cluster that has MHC enabled for machine deployment with machine deployment MHC defined in ClusterClass",
@@ -1499,7 +1530,8 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 						Build(),
 				).
 				Build(),
-			wantErr: false,
+			classReconciled: true,
+			wantErr:         false,
 		},
 		{
 			name: "Accept a cluster that has MHC enabled for machine deployment with machine deployment MHC defined in cluster topology",
@@ -1532,13 +1564,16 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 					*builder.MachineDeploymentClass("worker-class").Build(),
 				).
 				Build(),
-			wantErr: false,
+			classReconciled: true,
+			wantErr:         false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Mark this condition to true so the webhook sees the ClusterClass as up to date.
-			conditions.MarkTrue(tt.class, clusterv1.ClusterClassVariablesReconciledCondition)
+			if tt.classReconciled {
+				conditions.MarkTrue(tt.class, clusterv1.ClusterClassVariablesReconciledCondition)
+			}
 			// Sets up the fakeClient for the test case.
 			fakeClient := fake.NewClientBuilder().
 				WithObjects(tt.class).
@@ -1549,12 +1584,17 @@ func TestClusterTopologyValidationWithClient(t *testing.T) {
 			c := &Cluster{Client: fakeClient}
 
 			// Checks the return error.
-			_, err := c.ValidateCreate(ctx, tt.cluster)
+			warnings, err := c.ValidateCreate(ctx, tt.cluster)
 			if tt.wantErr {
 				g.Expect(err).To(HaveOccurred())
 			} else {
 				g.Expect(err).NotTo(HaveOccurred())
 			}
+			if tt.wantWarnings {
+				g.Expect(warnings).ToNot(BeNil())
+			} else {
+				g.Expect(warnings).To(BeNil())
+			}
 		})
 	}
 }