Adds CAPI Machine VAP

- Adds CAPI Machine VAP, similar to the MAPI one, but for when MAPI is
  autoritative.
- Adds tests
- Updates machine sync reconciler to requeue after 2s of
  AuthoritativeAPI is empty (rather than the 10m default)

Author: theobarberbany

manifests/0000_30_cluster-api_09_admission-policies.yaml

@@ -115,29 +115,29 @@ data:
         - expression: "variables.specLockedExceptAuthoritativeAPI"
           message:  "You may only modify spec.authoritativeAPI. Any other change inside .spec is not allowed. This is because status.authoritativeAPI is set to Cluster API."
     
-        # Guard machine.openshift.io/* and kubernetes.io/* labels
+        # Guard machine.openshift.io/*, kubernetes.io/* and cluster.x-k8s.io labels
         - expression: >
             !(
               variables.newLabels.exists(k,
-                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io')) &&
+                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) &&
                   (variables.oldLabels[?k].orValue(null) != variables.newLabels[k])
               ) ||
               variables.oldLabels.exists(k,
-                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io')) &&
+                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) &&
                   !(k in variables.newLabels)
               )
             )
           message: "Cannot add, modify or delete any machine.openshift.io/* or kubernetes.io/* label. This is because status.authoritativeAPI is set to Cluster API."
     
-        # Guard machine.openshift.io/* annotations
+        # Guard machine.openshift.io/* and cluster(s).x-k8s.io annotations
         - expression: >
             !(
               variables.newAnn.exists(k,
-                  k.startsWith('machine.openshift.io') &&
+                  (k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) &&
                   (variables.oldAnn[?k].orValue(null) != variables.newAnn[k])
               ) ||
               variables.oldAnn.exists(k,
-                  k.startsWith('machine.openshift.io') &&
+                  (k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) &&
                   !(k in variables.newAnn)
               )
             )
@@ -151,6 +151,121 @@ data:
               variables.newLabels[?k].orValue(null) == variables.paramLabels[k]
             )
           message: "Cannot modify a Cluster API controlled label except to match the Cluster API mirrored machine. This is because status.authoritativeAPI is set to Cluster API."
+        
+        # Don't allow setting the 'machine-template-hash' label. It should only be set by the CAPI controllers.
+        - expression: "!('machine-template-hash' in variables.newLabels)"
+          message: "Setting the 'machine-template-hash' label is forbidden.'"
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicyBinding
+    metadata:
+      name: cluster-api-machine-vap
+    spec:
+      matchResources:
+        namespaceSelector:
+          matchLabels:
+            kubernetes.io/metadata.name: openshift-cluster-api
+      paramRef:
+        namespace: openshift-machine-api
+        # We 'Allow' here as we don't want to block CAPI Machine functionality
+        # when no MAPI machine (param) exists. This might happen when a user
+        # wants to not use MAPI, or is migrating.
+        parameterNotFoundAction: Allow
+        selector: {}
+      policyName: cluster-api-machine-vap
+      validationActions: [Deny]
+    ---
+    apiVersion: admissionregistration.k8s.io/v1
+    kind: ValidatingAdmissionPolicy
+    metadata:
+      name: cluster-api-machine-vap
+    spec:
+      failurePolicy: Fail
+    
+      paramKind:
+        apiVersion: machine.openshift.io/v1beta1
+        kind: Machine
+    
+      matchConstraints:
+        resourceRules:
+        - apiGroups:   ["cluster.x-k8s.io"]
+          apiVersions: ["v1beta1"]
+          operations:  ["UPDATE"]
+          resources:   ["machines"]
+    
+      # Requests must satisfy every matchCondition to reach the validations
+      matchConditions:
+        - name: check-only-non-service-account-requests
+          expression: >-
+            !(request.userInfo.username in [
+                "system:serviceaccount:openshift-machine-api:machine-api-controllers",
+                "system:serviceaccount:openshift-cluster-api:cluster-capi-operator"
+            ])
+        - name: check-param-match
+          expression: 'object.metadata.name == params.metadata.name'
+        - name: check-authoritativeAPI-machineapi
+          expression: "params.?status.?authoritativeAPI.orValue(\"\") == \"MachineAPI\""
+      variables:
+        # label maps
+        - name: newLabels
+          expression: "object.metadata.?labels.orValue({})"
+        - name: oldLabels
+          expression: "oldObject.metadata.?labels.orValue({})"
+        - name: paramLabels
+          expression: "params.metadata.?labels.orValue({})"
+    
+        # annotation maps
+        - name: newAnn
+          expression: "object.metadata.?annotations.orValue({})"
+        - name: oldAnn
+          expression: "oldObject.metadata.?annotations.orValue({})"
+    
+      # All validations must evaluate to TRUE
+      validations:
+        # Only spec.authoritativeAPI may change
+        - expression: "object.spec == oldObject.spec"
+          message:  "Changing .spec is not allowed. This is because status.authoritativeAPI is set to Machine API."
+    
+        # Guard machine.openshift.io/* and kubernetes.io/*  and cluster.x-k8s.io/* labels
+        - expression: >
+            !(
+              variables.newLabels.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) &&
+                  (variables.oldLabels[?k].orValue(null) != variables.newLabels[k])
+              ) ||
+              variables.oldLabels.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.startsWith('kubernetes.io') || k.contains('cluster.x-k8s.io/')) &&
+                  !(k in variables.newLabels)
+              )
+            )
+          message: "Cannot add, modify or delete any machine.openshift.io/*, kubernetes.io/* or cluster.x-k8s.io/* label. This is because status.authoritativeAPI is set to Machine API."
+    
+        # Guard machine.openshift.io/* and cluster.x-k8s.io/* and clusters.x-k8s.io/* annotations
+        - expression: >
+            !(
+              variables.newAnn.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) &&
+                  (variables.oldAnn[?k].orValue(null) != variables.newAnn[k])
+              ) ||
+              variables.oldAnn.exists(k,
+                  (k.startsWith('machine.openshift.io') || k.contains('cluster.x-k8s.io') || k.contains('clusters.x-k8s.io')) &&
+                  !(k in variables.newAnn)
+              )
+            )
+          message: "Cannot add, modify or delete any machine.openshift.io/* or cluster.x-k8s.io or clusters.x-k8s.io annotation. This is because status.authoritativeAPI is set to Machine API."
+    
+        # Param-controlled labels (labels on the MAPI machine) may change only to match the value on the MAPI Machine
+        - expression: >
+            variables.paramLabels.all(
+              k,
+              variables.newLabels[?k].orValue(null) == variables.oldLabels[?k].orValue(null) ||
+              variables.newLabels[?k].orValue(null) == variables.paramLabels[k]
+            )
+          message: "Cannot modify a Machine API controlled label except to match the Machine API mirrored machine. This is because status.authoritativeAPI is set to Machine API."
+        
+        # Don't allow setting the 'machine-template-hash' label. It should only be set by the CAPI controllers.
+        - expression: "!('machine-template-hash' in variables.newLabels)"
+          message: "Setting the 'machine-template-hash' label is forbidden.'"
     ---
     apiVersion: admissionregistration.k8s.io/v1
     kind: ValidatingAdmissionPolicy
@@ -165,15 +280,15 @@ data:
             operations: ["CREATE", "UPDATE"]
             resources: ["machines", "machinesets"]
       variables:
-      - name: machineSpec
-        expression: "object.kind == 'Machine' ? object.spec : object.spec.template.spec"
-      - name: specPath
-        expression: "object.kind == 'Machine' ? 'spec' : 'spec.template.spec'"
+        - name: machineSpec
+          expression: "object.kind == 'Machine' ? object.spec : object.spec.template.spec"
+        - name: specPath
+          expression: "object.kind == 'Machine' ? 'spec' : 'spec.template.spec'"
       validations:
-      - expression: "!has(variables.machineSpec.version)"
-        messageExpression: "variables.specPath + '.version is a forbidden field'"
-      - expression: "!has(variables.machineSpec.readinessGates)"
-        messageExpression: "variables.specPath + '.readinessGates is a forbidden field'"
+        - expression: "!has(variables.machineSpec.version)"
+          messageExpression: "variables.specPath + '.version is a forbidden field'"
+        - expression: "!has(variables.machineSpec.readinessGates)"
+          messageExpression: "variables.specPath + '.readinessGates is a forbidden field'"
     ---
     apiVersion: admissionregistration.k8s.io/v1
     kind: ValidatingAdmissionPolicyBinding

pkg/controllers/machinesync/machine_sync_controller.go

@@ -540,12 +540,12 @@ func (r *MachineSyncReconciler) reconcileMAPIMachinetoCAPIMachine(ctx context.Co
 		BlockOwnerDeletion: ptr.To(true),
 	}})
 
-	result, syncronizationIsProgressing, err := r.createOrUpdateCAPIInfraMachine(ctx, mapiMachine, infraMachine, newCAPIInfraMachine)
+	result, synchronizationIsProgressing, err := r.createOrUpdateCAPIInfraMachine(ctx, mapiMachine, infraMachine, newCAPIInfraMachine)
 	if err != nil {
 		return result, fmt.Errorf("unable to ensure Cluster API infra machine: %w", err)
 	}
 
-	if syncronizationIsProgressing {
+	if synchronizationIsProgressing {
 		return ctrl.Result{RequeueAfter: time.Second * 1}, r.applySynchronizedConditionWithPatch(ctx, mapiMachine, corev1.ConditionUnknown,
 			reasonProgressingToCreateCAPIInfraMachine, progressingToSynchronizeMAPItoCAPI, nil)
 	}
@@ -605,9 +605,9 @@ func (r *MachineSyncReconciler) convertCAPIToMAPIMachine(capiMachine *clusterv1.
 func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Context, mapiMachine *machinev1beta1.Machine, infraMachine client.Object, newCAPIInfraMachine client.Object) (ctrl.Result, bool, error) { //nolint:unparam
 	logger := log.FromContext(ctx)
 	// This variable tracks whether or not we are still progressing
-	// towards syncronizing the MAPI machine with the CAPI infra machine.
+	// towards synchronized the MAPI machine with the CAPI infra machine.
 	// It is then passed up the stack so the syncronized condition can be set accordingly.
-	syncronizationIsProgressing := false
+	synchronizationIsProgressing := false
 
 	alreadyExists := false
 
@@ -618,10 +618,10 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 			createErr := fmt.Errorf("failed to create Cluster API infra machine: %w", err)
 
 			if condErr := r.applySynchronizedConditionWithPatch(ctx, mapiMachine, corev1.ConditionFalse, reasonFailedToCreateCAPIInfraMachine, createErr.Error(), nil); condErr != nil {
-				return ctrl.Result{}, syncronizationIsProgressing, utilerrors.NewAggregate([]error{createErr, condErr})
+				return ctrl.Result{}, synchronizationIsProgressing, utilerrors.NewAggregate([]error{createErr, condErr})
 			}
 
-			return ctrl.Result{}, syncronizationIsProgressing, createErr
+			return ctrl.Result{}, synchronizationIsProgressing, createErr
 		} else if apierrors.IsAlreadyExists(err) {
 			// this handles the case where the CAPI Machine is not present, so we can't resolve the
 			// infraMachine ref from it - but the InfraMachine exists. (e.g a user deletes the CAPI machine manually).
@@ -630,7 +630,7 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 		} else {
 			logger.Info("Successfully created Cluster API infra machine")
 
-			return ctrl.Result{}, syncronizationIsProgressing, nil
+			return ctrl.Result{}, synchronizationIsProgressing, nil
 		}
 	}
 
@@ -640,10 +640,10 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 			getErr := fmt.Errorf("failed to get Cluster API infra machine: %w", err)
 
 			if condErr := r.applySynchronizedConditionWithPatch(ctx, mapiMachine, corev1.ConditionFalse, reasonFailedToGetCAPIInfraResources, getErr.Error(), nil); condErr != nil {
-				return ctrl.Result{}, syncronizationIsProgressing, utilerrors.NewAggregate([]error{getErr, condErr})
+				return ctrl.Result{}, synchronizationIsProgressing, utilerrors.NewAggregate([]error{getErr, condErr})
 			}
 
-			return ctrl.Result{}, syncronizationIsProgressing, getErr
+			return ctrl.Result{}, synchronizationIsProgressing, getErr
 		}
 	}
 
@@ -654,15 +654,15 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 
 		if condErr := r.applySynchronizedConditionWithPatch(
 			ctx, mapiMachine, corev1.ConditionFalse, reasonFailedToUpdateCAPIInfraMachine, updateErr.Error(), nil); condErr != nil {
-			return ctrl.Result{}, syncronizationIsProgressing, utilerrors.NewAggregate([]error{updateErr, condErr})
+			return ctrl.Result{}, synchronizationIsProgressing, utilerrors.NewAggregate([]error{updateErr, condErr})
 		}
 
-		return ctrl.Result{}, syncronizationIsProgressing, updateErr
+		return ctrl.Result{}, synchronizationIsProgressing, updateErr
 	}
 
 	if len(capiInfraMachinesDiff) == 0 {
 		logger.Info("No changes detected in Cluster API infra machine")
-		return ctrl.Result{}, syncronizationIsProgressing, nil
+		return ctrl.Result{}, synchronizationIsProgressing, nil
 	}
 
 	logger.Info("Deleting the corresponding Cluster API infra machine as it is out of date, it will be recreated", "diff", fmt.Sprintf("%+v", capiInfraMachinesDiff))
@@ -674,10 +674,10 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 
 		if condErr := r.applySynchronizedConditionWithPatch(
 			ctx, mapiMachine, corev1.ConditionFalse, reasonFailedToUpdateCAPIInfraMachine, deleteErr.Error(), nil); condErr != nil {
-			return ctrl.Result{}, syncronizationIsProgressing, utilerrors.NewAggregate([]error{deleteErr, condErr})
+			return ctrl.Result{}, synchronizationIsProgressing, utilerrors.NewAggregate([]error{deleteErr, condErr})
 		}
 
-		return ctrl.Result{}, syncronizationIsProgressing, deleteErr
+		return ctrl.Result{}, synchronizationIsProgressing, deleteErr
 	}
 
 	// Remove finalizers from the deleting CAPI infraMachine, it is not authoritative.
@@ -690,10 +690,10 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 
 		if condErr := r.applySynchronizedConditionWithPatch(
 			ctx, mapiMachine, corev1.ConditionFalse, reasonFailedToUpdateCAPIInfraMachine, deleteErr.Error(), nil); condErr != nil {
-			return ctrl.Result{}, syncronizationIsProgressing, utilerrors.NewAggregate([]error{deleteErr, condErr})
+			return ctrl.Result{}, synchronizationIsProgressing, utilerrors.NewAggregate([]error{deleteErr, condErr})
 		}
 
-		return ctrl.Result{}, syncronizationIsProgressing, deleteErr
+		return ctrl.Result{}, synchronizationIsProgressing, deleteErr
 	}
 
 	// The outdated outdated CAPI infra machine has been deleted.
@@ -702,9 +702,9 @@ func (r *MachineSyncReconciler) createOrUpdateCAPIInfraMachine(ctx context.Conte
 
 	// Set the syncronized as progressing to signal the caller
 	// we are still progressing and aren't fully synced yet.
-	syncronizationIsProgressing = true
+	synchronizationIsProgressing = true
 
-	return ctrl.Result{}, syncronizationIsProgressing, nil
+	return ctrl.Result{}, synchronizationIsProgressing, nil
 }
 
 // createOrUpdateCAPIMachine creates a CAPI machine from a MAPI one, or updates if it exists and it is out of date.