Introduce the Etcd validation (gardener#4821)

* make revendor

* wip

* Remove testing changes

* Revendor rpj, update etcd validation

* Fix make verify

example/seed-admission-controller/10-validatingwebhookconfiguration.yaml

@@ -49,6 +49,15 @@ webhooks:
     caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrakNDQWVLZ0F3SUJBZ0lVVHAzWHZocldPVk04WkdlODZZb1hNVi9VSjdBd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0ZURVRNQkVHQTFVRUF4TUthM1ZpWlhKdVpYUmxjekFlRncweE9UQXlNamN4TlRNME1EQmFGdzB5TkRBeQpNall4TlRNME1EQmFNQlV4RXpBUkJnTlZCQU1UQ210MVltVnlibVYwWlhNd2dnRWlNQTBHQ1NxR1NJYjNEUUVCCkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDeWkwUUdPY3YyYlRmM044T0xOOTdSd3NnSDZRQXI4d1NwQU9ydHRCSmcKRm5mblUyVDFSSGd4bTdxZDE5MFdMOERDaHYwZFpmNzZkNmVTUTRacmpqeUFyVHp1ZmI0RHRQd2crVldxN1h2RgpCTnluKzJoZjRTeVNrd2Q2azdYTGhVVFJ4MDQ4SWJCeUM0ditGRXZtb0xBd3JjMGQwRzE0ZWM2c25EKzdqTzdlCmt5a1EvTmdBT0w3UDZrRHM5ejYrYk9mZ0YwbkdOK2JtZVdRcUplalIwdCtPeVFEQ3g1L0ZNdFVmRVZSNVFYODAKYWVlZmdwM0pGWmI2ZkF3OUtoTHRkUlYzRlAwdHo2aFMrZTRTZzBtd0FBT3FpalpzVjg3a1A1R1l6anRjZkExMgpsRFlsL25iMUd0VnZ2a1FENDlWblY3bURubDZtRzNMQ01OQ05INldsWk52M0FnTUJBQUdqUWpCQU1BNEdBMVVkCkR3RUIvd1FFQXdJQkJqQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCU0ZBM0x2Sk0yMWQ4cXMKWlZWQ2U2UnJUVDl3aVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQW5zL0VKM3lLc2p0SVNvdGVRNzE0cjJVbQpCTVB5VVlUVGRSSEQ4TFpNZDNSeWt2c2FjRjJsMnk4OE56NndKY0F1b1VqMWg4YUJEUDVvWFZ0Tm1GVDlqeWJTClRYclJ2V2krYWVZZGI1NTZuRUE1L2E5NGUrY2IrQ2szcXkvMXhnUW9TNDU3QVpRT0Rpc0RaTkJZV2tBRnMyTGMKdWNwY0F0WEp0SXRoVm03RmpvQUhZY3NyWTA0eUFpWUVKTEQwMlRqVURYZzRpR09HTWtWSGRtaGF3QkRCRjNBagplc2ZjcUZ3amk2SnlBS0ZSQUNQb3d5a1FPTkZ3VVNvbTg5dVlFU1NDSkZ2TkNrOU1KbWpKMlB6RFV0NkN5cFI0CmVwRmRkMWZYTHd1d243ZnZQTW1KcUQzSHRMYWxYMUFabVBrK0JJOGV6ZkFpVmNWcW5USlFNWGxZUHBZZTlBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 - name: validation.extensions.seed.admission.core.gardener.cloud
   rules:
+    - apiGroups:
+      - druid.gardener.cloud
+      apiVersions:
+      - v1alpha1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - etcds
     - apiGroups:
       - extensions.gardener.cloud
       apiVersions:

go.mod

@@ -3,15 +3,17 @@ module github.com/gardener/gardener
 go 1.16
 
 require (
+	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/ahmetb/gen-crd-api-reference-docs v0.2.0
 	github.com/coreos/go-systemd/v22 v22.1.0
+	github.com/dsnet/compress v0.0.1 // indirect
 	github.com/envoyproxy/go-control-plane v0.9.7-0.20200730005029-803dd64f0468
 	github.com/frankban/quicktest v1.13.1 // indirect
 	github.com/gardener/component-spec/bindings-go v0.0.33
 	github.com/gardener/dependency-watchdog v0.6.1-0.20210623112844-96f73d5dc311
-	github.com/gardener/etcd-druid v0.5.0
+	github.com/gardener/etcd-druid/api v0.0.0-00010101000000-000000000000
 	github.com/gardener/external-dns-management v0.7.18
 	github.com/gardener/hvpa-controller v0.3.1
 	github.com/gardener/landscaper/apis v0.7.0
@@ -27,6 +29,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.0
 	github.com/kubernetes-csi/external-snapshotter/v2 v2.1.4
 	github.com/mholt/archiver v3.1.1+incompatible
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/nwaples/rardecode v1.1.2 // indirect
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.13.0
@@ -39,6 +42,7 @@ require (
 	github.com/spf13/viper v1.7.0
 	github.com/texttheater/golang-levenshtein v0.0.0-20191208221605-eb6844b05fc6
 	github.com/ulikunitz/xz v0.5.10 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	go.uber.org/goleak v1.1.10
 	go.uber.org/zap v1.17.0
 	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
@@ -77,6 +81,8 @@ require (
 replace (
 	github.com/emicklei/go-restful => github.com/emicklei/go-restful v2.9.5+incompatible // keep this value in sync with k8s.io/apiserver
 	github.com/envoyproxy/go-control-plane => github.com/envoyproxy/go-control-plane v0.9.4
+	github.com/gardener/etcd-druid => github.com/gardener/etcd-druid v0.6.0
+	github.com/gardener/etcd-druid/api => github.com/gardener/etcd-druid/api v0.6.1-0.20211011084637-5c908089a872
 	github.com/googleapis/gnostic => github.com/googleapis/gnostic v0.4.1
 	github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.11.0 // keep this value in sync with sigs.k8s.io/controller-runtime
 	google.golang.org/grpc => google.golang.org/grpc v1.27.1 // keep this value in sync with k8s.io/apiserver

pkg/operation/botanist/component/etcd/etcd_test.go

@@ -527,7 +527,7 @@ var _ = Describe("Etcd", func() {
 					func(ctx context.Context, _ client.ObjectKey, obj client.Object) error {
 						(&druidv1alpha1.Etcd{
 							Status: druidv1alpha1.EtcdStatus{
-								Etcd: druidv1alpha1.CrossVersionObjectReference{
+								Etcd: &druidv1alpha1.CrossVersionObjectReference{
 									Name: statefulSetName,
 								},
 							},
@@ -657,7 +657,7 @@ var _ = Describe("Etcd", func() {
 								Replicas: int(existingReplicas),
 							},
 							Status: druidv1alpha1.EtcdStatus{
-								Etcd: druidv1alpha1.CrossVersionObjectReference{
+								Etcd: &druidv1alpha1.CrossVersionObjectReference{
 									Name: etcdName,
 								},
 							},
@@ -714,7 +714,7 @@ var _ = Describe("Etcd", func() {
 								},
 							},
 							Status: druidv1alpha1.EtcdStatus{
-								Etcd: druidv1alpha1.CrossVersionObjectReference{
+								Etcd: &druidv1alpha1.CrossVersionObjectReference{
 									Name: etcdName,
 								},
 							},
@@ -946,7 +946,7 @@ var _ = Describe("Etcd", func() {
 									},
 								},
 								Status: druidv1alpha1.EtcdStatus{
-									Etcd: druidv1alpha1.CrossVersionObjectReference{
+									Etcd: &druidv1alpha1.CrossVersionObjectReference{
 										Name: "",
 									},
 								},
@@ -961,15 +961,18 @@ var _ = Describe("Etcd", func() {
 						}),
 						c.EXPECT().Get(ctx, kutil.Key(testNamespace, etcdName), gomock.AssignableToTypeOf(&druidv1alpha1.Etcd{})),
 						c.EXPECT().Patch(ctx, gomock.AssignableToTypeOf(&druidv1alpha1.Etcd{}), gomock.Any()).Do(func(ctx context.Context, obj client.Object, _ client.Patch, _ ...client.PatchOption) {
-							Expect(obj).To(DeepEqual(etcdObjFor(
+							expobj := etcdObjFor(
 								class,
 								1,
 								backupConfig,
 								"",
 								existingBackupSchedule,
 								nil,
 								nil,
-							)))
+							)
+							expobj.Status.Etcd = &druidv1alpha1.CrossVersionObjectReference{}
+
+							Expect(obj).To(DeepEqual(expobj))
 						}),
 						c.EXPECT().Get(ctx, kutil.Key(testNamespace, hvpaName), gomock.AssignableToTypeOf(&hvpav1alpha1.Hvpa{})),
 						c.EXPECT().Patch(ctx, gomock.AssignableToTypeOf(&hvpav1alpha1.Hvpa{}), gomock.Any()).Do(func(ctx context.Context, obj client.Object, _ client.Patch, _ ...client.PatchOption) {

pkg/operation/botanist/component/seedadmissioncontroller/seedadmissioncontroller.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"time"
 
+	druidv1alpha1 "github.com/gardener/etcd-druid/api/v1alpha1"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/gardener/gardener/pkg/client/kubernetes"
@@ -397,26 +398,36 @@ func GetValidatingWebhookConfig(caBundle []byte, webhookClientService *corev1.Se
 			TimeoutSeconds:          pointer.Int32(10),
 		}, {
 			Name: "validation.extensions.seed.admission.core.gardener.cloud",
-			Rules: []admissionregistrationv1.RuleWithOperations{{
-				Rule: admissionregistrationv1.Rule{
-					APIGroups:   []string{extensionsv1alpha1.SchemeGroupVersion.Group},
-					APIVersions: []string{extensionsv1alpha1.SchemeGroupVersion.Version},
-					Resources: []string{
-						"backupbuckets",
-						"backupentries",
-						"bastions",
-						"containerruntimes",
-						"controlplanes",
-						"dnsrecords",
-						"extensions",
-						"infrastructures",
-						"networks",
-						"operatingsystemconfigs",
-						"workers",
+			Rules: []admissionregistrationv1.RuleWithOperations{
+				{
+					Rule: admissionregistrationv1.Rule{
+						APIGroups:   []string{druidv1alpha1.GroupVersion.Group},
+						APIVersions: []string{druidv1alpha1.GroupVersion.Version},
+						Resources:   []string{"etcds"},
 					},
+					Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
 				},
-				Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
-			}},
+				{
+					Rule: admissionregistrationv1.Rule{
+						APIGroups:   []string{extensionsv1alpha1.SchemeGroupVersion.Group},
+						APIVersions: []string{extensionsv1alpha1.SchemeGroupVersion.Version},
+						Resources: []string{
+							"backupbuckets",
+							"backupentries",
+							"bastions",
+							"containerruntimes",
+							"controlplanes",
+							"dnsrecords",
+							"extensions",
+							"infrastructures",
+							"networks",
+							"operatingsystemconfigs",
+							"workers",
+						},
+					},
+					Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create, admissionregistrationv1.Update},
+				},
+			},
 			FailurePolicy:     &failurePolicy,
 			NamespaceSelector: &metav1.LabelSelector{},
 			ClientConfig: admissionregistrationv1.WebhookClientConfig{

pkg/operation/botanist/component/seedadmissioncontroller/seedadmissioncontroller_test.go

@@ -327,6 +327,15 @@ webhooks:
   name: validation.extensions.seed.admission.core.gardener.cloud
   namespaceSelector: {}
   rules:
+  - apiGroups:
+    - druid.gardener.cloud
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - etcds
   - apiGroups:
     - extensions.gardener.cloud
     apiVersions:

pkg/seedadmissioncontroller/webhooks/admission/extensionresources/admission.go

@@ -20,6 +20,8 @@ import (
 	"net/http"
 	"time"
 
+	druidv1alpha1 "github.com/gardener/etcd-druid/api/v1alpha1"
+	druidvalidation "github.com/gardener/etcd-druid/api/validation"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	"github.com/gardener/gardener/pkg/apis/extensions/validation"
 
@@ -105,6 +107,16 @@ func New(logger logr.Logger, allowInvalidExtensionResources bool) *handler {
 			},
 		},
 
+		gvrDruid("etcds"): {
+			newObject: func() client.Object { return new(druidv1alpha1.Etcd) },
+			validateCreateResource: func(n, _ client.Object) field.ErrorList {
+				return druidvalidation.ValidateEtcd(n.(*druidv1alpha1.Etcd))
+			},
+			validateUpdateResource: func(n, o client.Object) field.ErrorList {
+				return druidvalidation.ValidateEtcdUpdate(n.(*druidv1alpha1.Etcd), o.(*druidv1alpha1.Etcd))
+			},
+		},
+
 		gvr("extensions"): {
 			newObject: func() client.Object { return new(extensionsv1alpha1.Extension) },
 			validateCreateResource: func(n, _ client.Object) field.ErrorList {
@@ -240,8 +252,8 @@ func (h handler) handleValidation(request admission.Request, newObject newObject
 			Kind:  request.Kind.Kind,
 		}, kutil.ObjectName(obj), errors)
 
+		h.logger.Info("Invalid extension resource detected", "operation", request.Operation, "error", err.Error())
 		if h.allowInvalidExtensionResources {
-			h.logger.Info("Invalid extension resource detected", "operation", request.Operation, "error", err.Error())
 			return admission.Allowed(err.Error())
 		}
 		return admission.Denied(err.Error())
@@ -257,3 +269,11 @@ func gvr(resource string) metav1.GroupVersionResource {
 		Resource: resource,
 	}
 }
+
+func gvrDruid(resource string) metav1.GroupVersionResource {
+	return metav1.GroupVersionResource{
+		Group:    druidv1alpha1.GroupVersion.Group,
+		Version:  druidv1alpha1.GroupVersion.Version,
+		Resource: resource,
+	}
+}