feat: add ingressclass webhook

Author: Kamil Przybyl

cmd/application-load-balancer-controller-manager/main.go

@@ -135,12 +135,19 @@ func main() {
 		os.Exit(1)
 	}
 
+	decoder := admission.NewDecoder(mgr.GetScheme())
 	mgr.GetWebhookServer().Register("/validate-ingress", &webhook.Admission{
-        Handler: &ingress.IngressValidator{
-            Client:  mgr.GetClient(),
-            Decoder: admission.NewDecoder(mgr.GetScheme()),
-        },
-    })
+		Handler: &ingress.IngressValidator{
+			Client:  mgr.GetClient(),
+			Decoder: decoder,
+		},
+	})
+	mgr.GetWebhookServer().Register("/validate-ingressclass", &webhook.Admission{
+		Handler: &ingress.IngressClassValidator{
+			Client:  mgr.GetClient(),
+			Decoder: decoder,
+		},
+	})
 
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {

deploy/application-load-balancer-controller-manager/deployment.yaml

@@ -44,7 +44,7 @@ spec:
           name: probe
           protocol: TCP
         - containerPort: 9443
-          name: validating-webhook
+          name: webhook
           protocol: TCP
         resources:
           limits:
@@ -57,13 +57,13 @@ spec:
         - mountPath: /etc/serviceaccount
           name: cloud-secret
         - mountPath: /tmp/k8s-webhook-server/serving-certs
-          name: validating-webhook-cert
+          name: webhook-cert
           readOnly: true
       volumes:
       - name: cloud-secret
         secret:
           secretName: stackit-cloud-secret
-      - name: validating-webhook-cert
+      - name: webhook-cert
         secret:
           secretName: stackit-application-load-balancer-contoller-manager-webhook-cert
 

deploy/application-load-balancer-controller-manager/service.yaml

@@ -17,7 +17,7 @@ spec:
     port: 8080
     targetPort: metrics
     protocol: TCP
-  - name: validating-webhook
+  - name: webhook
     port: 443
     targetPort: 9443
     protocol: TCP

deploy/application-load-balancer-controller-manager/validating-webhook-issuer.yaml

@@ -18,4 +18,5 @@ spec:
   issuerRef:
     kind: Issuer
     name: stackit-application-load-balancer-contoller-manager
-  secretName: stackit-application-load-balancer-contoller-manager-webhook-cert # cert-manager will create this secret
+  secretName: stackit-application-load-balancer-contoller-manager-webhook-cert # cert-manager will create this secret
+  

deploy/application-load-balancer-controller-manager/validating-webhook.yaml

@@ -19,4 +19,19 @@ webhooks:
         path: "/validate-ingress"
     admissionReviewVersions: ["v1"]
     sideEffects: None
+    timeoutSeconds: 5
+  - name: validate-ingressclass.stackit.cloud
+    rules:
+      - apiGroups: ["networking.k8s.io"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["ingressclasses"]
+        scope: "Cluster"
+    clientConfig:
+      service:
+        namespace: kube-system
+        name: stackit-application-load-balancer-contoller-manager
+        path: "/validate-ingressclass"
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
     timeoutSeconds: 5

pkg/alb/ingress/webhook_test.go pkg/alb/ingress/ingress_webhook_test.gopkg/alb/ingress/webhook_test.go renamed to pkg/alb/ingress/ingress_webhook_test.go

@@ -5,13 +5,13 @@ import (
 	"encoding/json"
 	"testing"
 
+	admissionv1 "k8s.io/api/admission/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-	admissionv1 "k8s.io/api/admission/v1"
 )
 
 func TestIngressValidator_Handle(t *testing.T) {
@@ -38,89 +38,76 @@ func TestIngressValidator_Handle(t *testing.T) {
 	decoder := admission.NewDecoder(s)
 
 	validator := &IngressValidator{
-		Client: fakeClient,
+		Client:  fakeClient,
+		Decoder: decoder,
 	}
-	_ = validator.InjectDecoder(decoder)
 
 	tests := []struct {
-		name           string
-		className      *string
-		annotations    map[string]string
-		expectAllowed  bool
+		name          string
+		operation     admissionv1.Operation
+		className     *string
+		annotations   map[string]string
+		expectAllowed bool
 	}{
 		{
-			name:      "Valid Ingress",
+			name:      "Valid Ingress (Create)",
+			operation: admissionv1.Create,
+			className: &managedIngressClassName,
+			annotations: map[string]string{
+				AnnotationHTTPSOnly: "true",
+				AnnotationPriority:  "100",
+			},
+			expectAllowed: true,
+		},
+		{
+			name:      "Valid Ingress (Update)",
+			operation: admissionv1.Update,
 			className: &managedIngressClassName,
 			annotations: map[string]string{
-				AnnotationNetworkMode: "NodePort",
+				AnnotationHTTPSOnly:                   "false",
+				AnnotationCookiePersistenceTTLSeconds: "3600",
 			},
 			expectAllowed: true,
 		},
 		{
 			name:          "No IngressClass - Should Ignore and Allow",
+			operation:     admissionv1.Create,
 			className:     nil,
 			annotations:   map[string]string{},
 			expectAllowed: true,
 		},
 		{
 			name:      "Unmanaged IngressClass - Should Ignore and Allow",
+			operation: admissionv1.Create,
 			className: &unmanagedIngressClassName,
 			annotations: map[string]string{
-				// These are completely invalid for STACKIT ALB,
-				// but the webhook shouldn't check them because it's unmanaged.
-				AnnotationNetworkMode: "LoadBalancer",
-				AnnotationHTTPPort:    "potato",
+				AnnotationHTTPSOnly: "not-a-bool",
 			},
 			expectAllowed: true,
 		},
 		{
-			name:      "Missing Network Mode",
-			className: &managedIngressClassName,
-			annotations: map[string]string{
-				AnnotationHTTPPort: "80",
-			},
-			expectAllowed: false,
-		},
-		{
-			name:      "Invalid Network Mode Value - Must be NodePort",
-			className: &managedIngressClassName,
-			annotations: map[string]string{
-				AnnotationNetworkMode: "LoadBalancer",
-			},
-			expectAllowed: false,
-		},
-		{
-			name:      "Invalid Boolean",
+			name:      "Denied - Invalid Boolean",
+			operation: admissionv1.Create,
 			className: &managedIngressClassName,
 			annotations: map[string]string{
-				AnnotationNetworkMode: "NodePort",
-				AnnotationInternal:    "not-a-bool",
+				AnnotationHTTPSOnly: "not-a-bool",
 			},
 			expectAllowed: false,
 		},
 		{
-			name:      "Invalid Port Number - Out of Range",
+			name:      "Denied - Invalid Integer",
+			operation: admissionv1.Create,
 			className: &managedIngressClassName,
 			annotations: map[string]string{
-				AnnotationNetworkMode: "NodePort",
-				AnnotationHTTPPort:    "99999",
+				AnnotationPriority: "high",
 			},
 			expectAllowed: false,
 		},
 		{
-			name:      "Invalid IP Address",
+			name:      "Denied - Negative TTL",
+			operation: admissionv1.Create,
 			className: &managedIngressClassName,
 			annotations: map[string]string{
-				AnnotationNetworkMode: "NodePort",
-				AnnotationExternalIP:  "300.0.0.1",
-			},
-			expectAllowed: false,
-		},
-		{
-			name:      "Negative TTL",
-			className: &managedIngressClassName,
-			annotations: map[string]string{
-				AnnotationNetworkMode:                 "NodePort",
 				AnnotationCookiePersistenceTTLSeconds: "-50",
 			},
 			expectAllowed: false,
@@ -130,6 +117,10 @@ func TestIngressValidator_Handle(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ingress := &networkingv1.Ingress{
+				TypeMeta: metav1.TypeMeta{
+					APIVersion: "networking.k8s.io/v1",
+					Kind:       "Ingress",
+				},
 				ObjectMeta: metav1.ObjectMeta{
 					Name:        "test-ingress",
 					Namespace:   "default",
@@ -139,24 +130,27 @@ func TestIngressValidator_Handle(t *testing.T) {
 					IngressClassName: tt.className,
 				},
 			}
-
-			// Marshal it into JSON to simulate the API server payload
+			
 			rawIngress, err := json.Marshal(ingress)
 			if err != nil {
 				t.Fatalf("Failed to marshal ingress: %v", err)
 			}
 
 			req := admission.Request{
 				AdmissionRequest: admissionv1.AdmissionRequest{
-					Object: runtime.RawExtension{Raw: rawIngress},
+					Operation: tt.operation,
+					Object:    runtime.RawExtension{Raw: rawIngress},
 				},
 			}
 
-			// Execute the webhook
+			if tt.operation == admissionv1.Update {
+				req.AdmissionRequest.OldObject = runtime.RawExtension{Raw: rawIngress}
+			}
+
 			res := validator.Handle(context.TODO(), req)
 
 			if res.Allowed != tt.expectAllowed {
-				t.Errorf("Expected Allowed=%v, got Allowed=%v. Result Message: %s", 
+				t.Errorf("Expected Allowed=%v, got Allowed=%v. Result Message: %s",
 					tt.expectAllowed, res.Allowed, res.Result.Message)
 			}
 		})

pkg/alb/ingress/webook.go pkg/alb/ingress/ingress_webook.gopkg/alb/ingress/webook.go renamed to pkg/alb/ingress/ingress_webook.go

@@ -3,26 +3,33 @@ package ingress
 import (
 	"fmt"
 	"context"
-	"net"
 	"net/http"
 	"strconv"
 
 	networkingv1 "k8s.io/api/networking/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	admissionv1 "k8s.io/api/admission/v1"
 )
 
 type IngressValidator struct {
     Client  client.Client
     Decoder admission.Decoder
 }
 
-func (v *IngressValidator) InjectDecoder(d admission.Decoder) error {
-	v.Decoder = d
-	return nil
+// Handle routes the request based on the operation type.
+func (v *IngressValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+	switch req.Operation {
+	case admissionv1.Create:
+		return v.handleCreate(ctx, req)
+	case admissionv1.Update:
+		return v.handleUpdate(ctx, req)
+	default:
+		return admission.Allowed("Unhandled operation allowed.")
+	}
 }
 
-func (v *IngressValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+func (v *IngressValidator) handleCreate(ctx context.Context, req admission.Request) admission.Response {
 	ingress := &networkingv1.Ingress{}
 	if err := v.Decoder.Decode(req, ingress); err != nil {
 		return admission.Errored(http.StatusBadRequest, err)
@@ -36,30 +43,45 @@ func (v *IngressValidator) Handle(ctx context.Context, req admission.Request) ad
 	if err := v.Client.Get(ctx, client.ObjectKey{Name: *ingress.Spec.IngressClassName}, ingressClass); err != nil {
 		return admission.Errored(http.StatusInternalServerError, err)
 	}
-
+	
 	if ingressClass.Spec.Controller != controllerName {
 		return admission.Allowed("Ingress managed by a different controller; allowing.")
 	}
 
-	// 1. Network Mode Check.
-	mode, exists := ingress.Annotations[AnnotationNetworkMode]
-	if !exists {
-		return admission.Denied("The annotation '" + AnnotationNetworkMode + "' is mandatory for STACKIT ALB Ingresses.")
+	return v.validateBaseAnnotations(ctx, ingress)
+}
+
+func (v *IngressValidator) handleUpdate(ctx context.Context, req admission.Request) admission.Response {
+	newIngress := &networkingv1.Ingress{}
+	if err := v.Decoder.Decode(req, newIngress); err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
 	}
-	if mode != "NodePort" {
-		return admission.Denied(fmt.Sprintf("The annotation '%s' currently only supports the value 'NodePort'.", AnnotationNetworkMode))
+
+	oldIngress := &networkingv1.Ingress{}
+	if err := v.Decoder.DecodeRaw(req.OldObject, oldIngress); err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
 	}
 
-	// 2. Validate IP Addresses.
-	if val, ok := ingress.Annotations[AnnotationExternalIP]; ok {
-		if net.ParseIP(val) == nil {
-			return admission.Denied(fmt.Sprintf("Annotation '%s' must be a valid IP address.", AnnotationExternalIP))
-		}
+	if newIngress.Spec.IngressClassName == nil {
+		return admission.Allowed("No ingress class specified; ignoring.")
+	}
+
+	ingressClass := &networkingv1.IngressClass{}
+	if err := v.Client.Get(ctx, client.ObjectKey{Name: *newIngress.Spec.IngressClassName}, ingressClass); err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
 	}
 
-	// 3. Validate Booleans.
+	if ingressClass.Spec.Controller != controllerName {
+		return admission.Allowed("Ingress managed by a different controller; allowing.")
+	}
+
+	return v.validateBaseAnnotations(ctx, newIngress)
+}
+
+// validateBaseAnnotations checks simple formatting, allowed values, and basic constraints for all relevant annotations.
+func (v *IngressValidator) validateBaseAnnotations(ctx context.Context, ingress *networkingv1.Ingress) admission.Response {
+	// Validate Booleans
 	boolAnnotations := []string{
-		AnnotationInternal,
 		AnnotationTargetPoolTLSEnabled,
 		AnnotationTargetPoolTLSSkipCertificateValidation,
 		AnnotationHTTPSOnly,
@@ -73,26 +95,14 @@ func (v *IngressValidator) Handle(ctx context.Context, req admission.Request) ad
 		}
 	}
 
-	// 4. Validate Ports (Must be between 1 and 65535).
-	portAnnotations := []string{AnnotationHTTPPort, AnnotationHTTPSPort}
-	for _, ann := range portAnnotations {
-		if val, ok := ingress.Annotations[ann]; ok {
-			port, err := strconv.Atoi(val)
-			if err != nil || port < 1 || port > 65535 {
-				return admission.Denied(fmt.Sprintf("Annotation '%s' must be a valid port number between 1 and 65535.", ann))
-			}
-		}
-	}
-
-	// 5. Validate TTL and Priority (Must be valid integers. TTL must be non-negative).
+	// Validate Integers and TTL limits
 	intAnnotations := []string{AnnotationCookiePersistenceTTLSeconds, AnnotationPriority}
 	for _, ann := range intAnnotations {
 		if val, ok := ingress.Annotations[ann]; ok {
 			num, err := strconv.Atoi(val)
 			if err != nil {
 				return admission.Denied(fmt.Sprintf("Annotation '%s' must be a valid integer.", ann))
 			}
-			// Optional: Enforce TTL to be non-negative
 			if ann == AnnotationCookiePersistenceTTLSeconds && num < 0 {
 				return admission.Denied(fmt.Sprintf("Annotation '%s' must be greater than or equal to 0.", ann))
 			}