Adding cluster-arn validation to klusterlet CRD

jaswalkiranavtar · EricaJ6 · commit fc6a26f837c7 · 2024-11-25T12:53:31.000-05:00
Signed-off-by: Erica Jin &lt;132393634+EricaJ6@users.noreply.github.com&gt;
diff --git a/crdsv1beta1/0001_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/crdsv1beta1/0001_00_operator.open-cluster-management.io_klusterlets.crd.yaml
@@ -204,10 +204,12 @@ spec:
                           description: 'The arn of the hub cluster (ie: an EKS cluster). This will be required to pass information to hub, which hub will use to create IAM identities for this klusterlet. Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.'
                           type: string
                           minLength: 1
+                          pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                         managedClusterArn:
                           description: 'The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup. Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.'
                           type: string
                           minLength: 1
+                          pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
             registrationImagePullSpec:
               description: RegistrationImagePullSpec represents the desired image configuration of registration agent. quay.io/open-cluster-management.io/registration:latest will be used if unspecified.
               type: string
diff --git a/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml b/operator/v1/0000_00_operator.open-cluster-management.io_klusterlets.crd.yaml
@@ -312,13 +312,15 @@ spec:
                               The arn of the hub cluster (ie: an EKS cluster). This will be required to pass information to hub, which hub will use to create IAM identities for this klusterlet.
                               Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.
                             minLength: 1
+                            pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                             type: string
                           managedClusterArn:
                             description: |-
                               The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub
                               as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup.
                               Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.
                             minLength: 1
+                            pattern: ^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$
                             type: string
                         type: object
                     type: object
diff --git a/operator/v1/types_klusterlet.go b/operator/v1/types_klusterlet.go
@@ -195,12 +195,14 @@ type AwsIrsa struct {
 	// Example - arn:eks:us-west-2:12345678910:cluster/hub-cluster1.
 	// +required
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$`
 	HubClusterArn string `json:"hubClusterArn"`
 	// The arn of the managed cluster (ie: an EKS cluster). This will be required to generate the md5hash which will be used as a suffix to create IAM role on hub
 	// as well as used by kluslerlet-agent, to assume role suffixed with the md5hash, on startup.
 	// Example - arn:eks:us-west-2:12345678910:cluster/managed-cluster1.
 	// +required
 	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:Pattern=`^arn:aws:eks:([a-zA-Z0-9-]+):(\d{12}):cluster/([a-zA-Z0-9-]+)$`
 	ManagedClusterArn string `json:"managedClusterArn"`
 }
 
diff --git a/test/integration/api/klusterlet_test.go b/test/integration/api/klusterlet_test.go
@@ -37,6 +37,23 @@ var _ = Describe("Create Klusterlet API", func() {
 			Expect(err).NotTo(BeNil())
 		})
 	})
+
+	Context("Create with aws auth and invalid arn", func() {
+		It("should reject the klusterlet creation", func() {
+			klusterlet.Spec.RegistrationConfiguration = &operatorv1.RegistrationConfiguration{
+				RegistrationDriver: operatorv1.RegistrationDriver{
+					AuthType: "awsirsa",
+					AwsIrsa: &operatorv1.AwsIrsa{
+						ManagedClusterArn: "arn:aws:bks:us-west-2:123456789012:cluster/managed-cluster1",
+						HubClusterArn:     "arn:aws:eks:us-west-2:123456789012:cluster/hub-cluster1",
+					},
+				},
+			}
+			_, err := operatorClient.OperatorV1().Klusterlets().Create(context.TODO(), klusterlet, metav1.CreateOptions{})
+			fmt.Println(err)
+			Expect(err).NotTo(BeNil())
+		})
+	})
 })
 
 var _ = Describe("valid HubApiServerHostAlias", func() {
