Validate securityGroups field of IngressClassParams

Author: johngmyers

webhooks/elbv2/ingressclassparams_validator.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/webhook"
@@ -34,6 +35,7 @@ func (v *ingressClassParamsValidator) ValidateCreate(ctx context.Context, obj ru
 	icp := obj.(*elbv2api.IngressClassParams)
 	allErrs := field.ErrorList{}
 	allErrs = append(allErrs, v.checkInboundCIDRs(icp)...)
+	allErrs = append(allErrs, v.checkSecurityGroupsSelectors(icp)...)
 	allErrs = append(allErrs, v.checkSubnetSelectors(icp)...)
 
 	return allErrs.ToAggregate()
@@ -43,6 +45,7 @@ func (v *ingressClassParamsValidator) ValidateUpdate(ctx context.Context, obj ru
 	icp := obj.(*elbv2api.IngressClassParams)
 	allErrs := field.ErrorList{}
 	allErrs = append(allErrs, v.checkInboundCIDRs(icp)...)
+	allErrs = append(allErrs, v.checkSecurityGroupsSelectors(icp)...)
 	allErrs = append(allErrs, v.checkSubnetSelectors(icp)...)
 
 	return allErrs.ToAggregate()
@@ -89,6 +92,63 @@ func validateCIDR(cidr string, fieldPath *field.Path) field.ErrorList {
 	return allErrs
 }
 
+// checkSecurityGroupsSelectors will check for valid SubnetSelectors
+func (v *ingressClassParamsValidator) checkSecurityGroupsSelectors(icp *elbv2api.IngressClassParams) (allErrs field.ErrorList) {
+	if icp.Spec.SecurityGroups != nil {
+		securityGroups := icp.Spec.SecurityGroups
+		fieldPath := field.NewPath("spec", "securityGroups")
+		if securityGroups.IDs == nil && !securityGroups.ManagedInbound && securityGroups.Tags == nil {
+			allErrs = append(allErrs, field.Required(fieldPath, "must have `ids`, `managed`, or `tags`"))
+			return allErrs
+		}
+		if securityGroups.IDs != nil {
+			if len(icp.Spec.InboundCIDRs) > 0 {
+				allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "inboundCIDRs"), "May not have both `inboundCIDRs` and `securityGroups.ids`"))
+			}
+			if securityGroups.ManagedInbound {
+				allErrs = append(allErrs, field.Forbidden(fieldPath.Child("managedInbound"), "may not have both `ids` and `managedInbound` set"))
+				return allErrs
+			}
+			if securityGroups.Tags != nil {
+				allErrs = append(allErrs, field.Forbidden(fieldPath.Child("tags"), "may not have both `ids` and `tags` set"))
+				return allErrs
+			}
+			fieldPath := fieldPath.Child("ids")
+			seen := sets.New[elbv2api.SecurityGroupID]()
+			for i, securityGroupID := range securityGroups.IDs {
+				if seen.Has(securityGroupID) {
+					allErrs = append(allErrs, field.Duplicate(fieldPath.Index(i), securityGroupID))
+				}
+				seen.Insert(securityGroupID)
+			}
+		} else if securityGroups.ManagedInbound {
+			if securityGroups.Tags != nil {
+				allErrs = append(allErrs, field.Forbidden(fieldPath.Child("tags"), "may not have both `managedInbound` and `tags` set"))
+			}
+		} else {
+			fieldPath := fieldPath.Child("tags")
+			if len(icp.Spec.InboundCIDRs) > 0 {
+				allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "inboundCIDRs"), "May not have both `inboundCIDRs` and `securityGroups.tags`"))
+			}
+			if len(securityGroups.Tags) == 0 {
+				allErrs = append(allErrs, field.Required(fieldPath, "must have at least one tag key"))
+			}
+			for tagKey, tagValues := range securityGroups.Tags {
+				fieldPath := fieldPath.Key(tagKey)
+				valueSeen := sets.New[string]()
+				for i, value := range tagValues {
+					if valueSeen.Has(value) {
+						allErrs = append(allErrs, field.Duplicate(fieldPath.Index(i), value))
+					}
+					valueSeen.Insert(value)
+				}
+			}
+		}
+	}
+
+	return allErrs
+}
+
 // checkSubnetSelectors will check for valid SubnetSelectors
 func (v *ingressClassParamsValidator) checkSubnetSelectors(icp *elbv2api.IngressClassParams) (allErrs field.ErrorList) {
 	if icp.Spec.Subnets != nil {
@@ -104,12 +164,12 @@ func (v *ingressClassParamsValidator) checkSubnetSelectors(icp *elbv2api.Ingress
 				return allErrs
 			}
 			fieldPath := fieldPath.Child("ids")
-			seen := map[elbv2api.SubnetID]bool{}
+			seen := sets.New[elbv2api.SubnetID]()
 			for i, subnetID := range subnets.IDs {
-				if seen[subnetID] {
+				if seen.Has(subnetID) {
 					allErrs = append(allErrs, field.Duplicate(fieldPath.Index(i), subnetID))
 				}
-				seen[subnetID] = true
+				seen.Insert(subnetID)
 			}
 		} else {
 			fieldPath := fieldPath.Child("tags")
@@ -118,12 +178,12 @@ func (v *ingressClassParamsValidator) checkSubnetSelectors(icp *elbv2api.Ingress
 			}
 			for tagKey, tagValues := range subnets.Tags {
 				fieldPath := fieldPath.Key(tagKey)
-				valueSeen := map[string]bool{}
+				valueSeen := sets.New[string]()
 				for i, value := range tagValues {
-					if valueSeen[value] {
+					if valueSeen.Has(value) {
 						allErrs = append(allErrs, field.Duplicate(fieldPath.Index(i), value))
 					}
-					valueSeen[value] = true
+					valueSeen.Insert(value)
 				}
 			}
 		}

webhooks/elbv2/ingressclassparams_validator_test.go

@@ -84,6 +84,168 @@ func Test_ingressClassParamsValidator_ValidateCreate(t *testing.T) {
 			},
 			wantErr: "spec.inboundCIDRs[0]: Invalid value: \"invalid.example.com\": Could not be parsed as a CIDR",
 		},
+		{
+			name: "securityGroups is valid ID list",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						IDs: []elbv2api.SecurityGroupID{"sg-1", "sg-2"},
+					},
+				},
+			},
+		},
+		{
+			name: "securityGroups is valid managed",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						ManagedInbound: true,
+					},
+				},
+			},
+		},
+		{
+			name: "securityGroups is managedInbound with inboundCIDRs",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					InboundCIDRs: []string{
+						"10.0.0.0/8",
+						"2001:DB8::/32",
+					},
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						ManagedInbound: true,
+					},
+				},
+			},
+		},
+		{
+			name: "securityGroups is valid tag list",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						Tags: map[string][]string{
+							"key": {"value1", "value2"},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "securityGroups selector empty",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{},
+				},
+			},
+			wantErr: "spec.securityGroups: Required value: must have `ids`, `managed`, or `tags`",
+		},
+		{
+			name: "securityGroups selector with both id and managedInbound",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						IDs:            []elbv2api.SecurityGroupID{"sg-1", "sg-2"},
+						ManagedInbound: true,
+					},
+				},
+			},
+			wantErr: "spec.securityGroups.managedInbound: Forbidden: may not have both `ids` and `managedInbound` set",
+		},
+		{
+			name: "securityGroups selector with both id and tag",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						IDs: []elbv2api.SecurityGroupID{"sg-1", "sg-2"},
+						Tags: map[string][]string{
+							"Name": {"named-subnet"},
+						},
+					},
+				},
+			},
+			wantErr: "spec.securityGroups.tags: Forbidden: may not have both `ids` and `tags` set",
+		},
+		{
+			name: "securityGroups selector with both managedInbound and tag",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						ManagedInbound: true,
+						Tags: map[string][]string{
+							"Name": {"named-subnet"},
+						},
+					},
+				},
+			},
+			wantErr: "spec.securityGroups.tags: Forbidden: may not have both `managedInbound` and `tags` set",
+		},
+		{
+			name: "securityGroups id with inboundCIDRs",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					InboundCIDRs: []string{
+						"10.0.0.0/8",
+					},
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						IDs: []elbv2api.SecurityGroupID{"sg-1"},
+					},
+				},
+			},
+			wantErr: "spec.inboundCIDRs: Forbidden: May not have both `inboundCIDRs` and `securityGroups.ids`",
+		},
+		{
+			name: "securityGroups duplicate id",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						IDs: []elbv2api.SecurityGroupID{"sg-1", "sg-2", "sg-1"},
+					},
+				},
+			},
+			wantErr: "spec.securityGroups.ids[2]: Duplicate value: \"sg-1\"",
+		},
+		{
+			name: "securityGroups tag with inboundCIDRs",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					InboundCIDRs: []string{
+						"10.0.0.0/8",
+					},
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						Tags: map[string][]string{
+							"Name":  {"name1"},
+							"Other": {"other1"},
+						},
+					},
+				},
+			},
+			wantErr: "spec.inboundCIDRs: Forbidden: May not have both `inboundCIDRs` and `securityGroups.tags`",
+		},
+		{
+			name: "securityGroups duplicate tag value",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						Tags: map[string][]string{
+							"Name":  {"name1"},
+							"Other": {"other1", "other2", "other1"},
+						},
+					},
+				},
+			},
+			wantErr: "spec.securityGroups.tags[Other][2]: Duplicate value: \"other1\"",
+		},
+		{
+			name: "securityGroups empty tags map",
+			obj: &elbv2api.IngressClassParams{
+				Spec: elbv2api.IngressClassParamsSpec{
+					SecurityGroups: &elbv2api.SecurityGroupSelector{
+						Tags: map[string][]string{},
+					},
+				},
+			},
+			wantErr: "spec.securityGroups.tags: Required value: must have at least one tag key",
+		},
 		{
 			name: "subnet is valid ID list",
 			obj: &elbv2api.IngressClassParams{