Add validation for nested ObjectMeta fields in webhook

api/v1beta1/common_validate.go

@@ -0,0 +1,19 @@
+package v1beta1
+
+import (
+	metavalidation "k8s.io/apimachinery/pkg/api/validation"
+	metav1validation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func (metadata *ObjectMeta) Validate(parent *field.Path) field.ErrorList {
+	allErrs := metav1validation.ValidateLabels(
+		metadata.Labels,
+		parent.Child("labels"),
+	)
+	allErrs = append(allErrs, metavalidation.ValidateAnnotations(
+		metadata.Annotations,
+		parent.Child("annotations"),
+	)...)
+	return allErrs
+}

api/v1beta1/machinedeployment_webhook.go

@@ -260,6 +260,9 @@ func (m *MachineDeployment) validate(old *MachineDeployment) error {
 		}
 	}
 
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}

api/v1beta1/machineset_webhook.go

@@ -142,6 +142,9 @@ func (m *MachineSet) validate(old *MachineSet) error {
 		}
 	}
 
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}

bootstrap/kubeadm/api/v1beta1/kubeadmconfigtemplate_webhook.go

@@ -62,6 +62,8 @@ func (r *KubeadmConfigTemplateSpec) validate(name string) error {
 	var allErrs field.ErrorList
 
 	allErrs = append(allErrs, r.Template.Spec.Validate(field.NewPath("spec", "template", "spec"))...)
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, r.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
 
 	if len(allErrs) == 0 {
 		return nil

controlplane/kubeadm/api/v1beta1/kubeadm_control_plane_webhook.go

@@ -329,6 +329,9 @@ func validateKubeadmControlPlaneSpec(s KubeadmControlPlaneSpec, namespace string
 		)
 	}
 
+	// Validate the metadata of the MachineTemplate
+	allErrs = append(allErrs, s.MachineTemplate.ObjectMeta.Validate(pathPrefix.Child("machineTemplate", "metadata"))...)
+
 	if !version.KubeSemver.MatchString(s.Version) {
 		allErrs = append(allErrs, field.Invalid(pathPrefix.Child("version"), s.Version, "must be a valid semantic version"))
 	}

controlplane/kubeadm/api/v1beta1/kubeadmcontrolplanetemplate_webhook.go

@@ -68,6 +68,8 @@ func (r *KubeadmControlPlaneTemplate) ValidateCreate() error {
 	allErrs := validateKubeadmControlPlaneTemplateResourceSpec(spec, field.NewPath("spec", "template", "spec"))
 	allErrs = append(allErrs, validateClusterConfiguration(spec.KubeadmConfigSpec.ClusterConfiguration, nil, field.NewPath("spec", "template", "spec", "kubeadmConfigSpec", "clusterConfiguration"))...)
 	allErrs = append(allErrs, spec.KubeadmConfigSpec.Validate(field.NewPath("spec", "template", "spec", "kubeadmConfigSpec"))...)
+	// Validate the metadata of the KubeadmControlPlaneTemplateResource
+	allErrs = append(allErrs, r.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
 	if len(allErrs) > 0 {
 		return apierrors.NewInvalid(GroupVersion.WithKind("KubeadmControlPlaneTemplate").GroupKind(), r.Name, allErrs)
 	}
@@ -107,5 +109,10 @@ func validateKubeadmControlPlaneTemplateResourceSpec(s KubeadmControlPlaneTempla
 	allErrs = append(allErrs, validateRolloutBefore(s.RolloutBefore, pathPrefix.Child("rolloutBefore"))...)
 	allErrs = append(allErrs, validateRolloutStrategy(s.RolloutStrategy, nil, pathPrefix.Child("rolloutStrategy"))...)
 
+	if s.MachineTemplate != nil {
+		// Validate the metadata of the MachineTemplate
+		allErrs = append(allErrs, s.MachineTemplate.ObjectMeta.Validate(pathPrefix.Child("machineTemplate", "metadata"))...)
+	}
+
 	return allErrs
 }

exp/api/v1beta1/machinepool_webhook.go

@@ -151,6 +151,9 @@ func (m *MachinePool) validate(old *MachinePool) error {
 		}
 	}
 
+	// Validate the metadata of the MachinePool template.
+	allErrs = append(allErrs, m.Spec.Template.ObjectMeta.Validate(specPath.Child("template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}

test/infrastructure/docker/api/v1beta1/dockerclustertemplate_webhook.go

@@ -62,6 +62,10 @@ func (r *DockerClusterTemplate) ValidateCreate() error {
 	}
 
 	allErrs := validateDockerClusterSpec(r.Spec.Template.Spec)
+
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, r.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
+
 	if len(allErrs) > 0 {
 		return apierrors.NewInvalid(GroupVersion.WithKind("DockerClusterTemplate").GroupKind(), r.Name, allErrs)
 	}

test/infrastructure/docker/api/v1beta1/dockermachinetemplate_webhook.go

@@ -49,7 +49,16 @@ type DockerMachineTemplateWebhook struct{}
 var _ webhook.CustomValidator = &DockerMachineTemplateWebhook{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
-func (*DockerMachineTemplateWebhook) ValidateCreate(_ context.Context, _ runtime.Object) error {
+func (*DockerMachineTemplateWebhook) ValidateCreate(_ context.Context, raw runtime.Object) error {
+	obj, ok := raw.(*DockerMachineTemplate)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected a DockerMachineTemplate but got a %T", raw))
+	}
+	// Validate the metadata of the template.
+	allErrs := obj.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))
+	if len(allErrs) > 0 {
+		return apierrors.NewInvalid(GroupVersion.WithKind("DockerClusterTemplate").GroupKind(), obj.Name, allErrs)
+	}
 	return nil
 }
 
@@ -74,6 +83,9 @@ func (*DockerMachineTemplateWebhook) ValidateUpdate(ctx context.Context, oldRaw
 		!reflect.DeepEqual(newObj.Spec.Template.Spec, oldObj.Spec.Template.Spec) {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "template", "spec"), newObj, dockerMachineTemplateImmutableMsg))
 	}
+	// Validate the metadata of the template.
+	allErrs = append(allErrs, newObj.Spec.Template.ObjectMeta.Validate(field.NewPath("spec", "template", "metadata"))...)
+
 	if len(allErrs) == 0 {
 		return nil
 	}