feat: plug APIM v4 validation to admission controller

see https://gravitee.atlassian.net/browse/GKO-286

Author: a-cordier

api/model/api/v4/status.go

@@ -14,12 +14,28 @@
 
 package v4
 
-import "github.com/gravitee-io/gravitee-kubernetes-operator/api/model/api/base"
+import (
+	"github.com/gravitee-io/gravitee-kubernetes-operator/api/model/api/base"
+)
 
 type Status struct {
 	base.Status `json:",inline"`
 	// This field is used to store the list of plans that have been created
 	// for the API definition if a management context has been defined
 	// to sync the API with an APIM instance
 	Plans map[string]string `json:"plans,omitempty"`
+	// When API has been created regardless of errors, this field is
+	// used to persist the error message encountered during admission
+	Errors Errors `json:"errors,omitempty"`
+}
+
+type Errors struct {
+	// warning errors do not block object reconciliation,
+	// most of the time because the value is ignored or defaulted
+	// when the API gets synced with APIM
+	Warning []string `json:"warning,omitempty"`
+	// severe errors do not pass admission and will block reconcile
+	// hence, this field should always be during the admission phase
+	// and is very unlikely to be persisted in the status
+	Severe []string `json:"severe,omitempty"`
 }

api/model/api/v4/zz_generated.deepcopy.go

@@ -147,7 +147,7 @@ func createOrUpdateV4(ctx context.Context, apiDefinition *v1alpha1.ApiV4Definiti
 			return err
 		}
 		spec.ID = cp.PickID(apim.Context)
-		status, err := apim.APIs.ImportV4(&spec.Api)
+		status, err := apim.APIs.ImportV4(spec)
 		if err != nil {
 			return err
 		}

controllers/apim/apidefinition/internal/update.go

@@ -7091,6 +7091,14 @@ ApiV4DefinitionStatus defines the observed state of API Definition.
           The environment ID, if a management context has been defined to sync with an APIM instance<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#apiv4definitionstatuserrors">errors</a></b></td>
+        <td>object</td>
+        <td>
+          When API has been created regardless of errors, this field is
+used to persist the error message encountered during admission<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>id</b></td>
         <td>string</td>
@@ -7142,6 +7150,45 @@ to sync the API with an APIM instance<br/>
       </tr></tbody>
 </table>
 
+
+### ApiV4Definition.status.errors
+[Go to parent definition](#apiv4definitionstatus)
+
+
+
+When API has been created regardless of errors, this field is
+used to persist the error message encountered during admission
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>severe</b></td>
+        <td>[]string</td>
+        <td>
+          severe errors do not pass admission and will block reconcile
+hence, this field should always be during the admission phase
+and is very unlikely to be persisted in the status<br/>
+        </td>
+        <td>false</td>
+      </tr><tr>
+        <td><b>warning</b></td>
+        <td>[]string</td>
+        <td>
+          warning errors do not block object reconciliation,
+most of the time because the value is ignored or defaulted
+when the API gets synced with APIM<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
 ## ApiResource
 
 [gravitee.io/v1alpha1](#graviteeiov1alpha1)

docs/api/reference.md

@@ -1278,6 +1278,28 @@ spec:
                 description: The environment ID, if a management context has been
                   defined to sync with an APIM instance
                 type: string
+              errors:
+                description: |-
+                  When API has been created regardless of errors, this field is
+                  used to persist the error message encountered during admission
+                properties:
+                  severe:
+                    description: |-
+                      severe errors do not pass admission and will block reconcile
+                      hence, this field should always be during the admission phase
+                      and is very unlikely to be persisted in the status
+                    items:
+                      type: string
+                    type: array
+                  warning:
+                    description: |-
+                      warning errors do not block object reconciliation,
+                      most of the time because the value is ignored or defaulted
+                      when the API gets synced with APIM
+                    items:
+                      type: string
+                    type: array
+                type: object
               id:
                 description: The ID of the API definition in the Gravitee API Management
                   instance (if an API context has been configured).

helm/gko/crds/gravitee.io_apiv4definitions.yaml

@@ -20,6 +20,7 @@ import (
 
 	v4 "github.com/gravitee-io/gravitee-kubernetes-operator/api/model/api/v4"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/admission/api/base"
+	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/apim"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/env"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/errors"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/k8s/dynamic"
@@ -33,18 +34,23 @@ import (
 
 func validateCreate(ctx context.Context, obj runtime.Object) *errors.AdmissionErrors {
 	errs := errors.NewAdmissionErrors()
-
 	if api, ok := obj.(custom.ApiDefinitionResource); ok {
 		errs = errs.MergeWith(base.ValidateCreate(ctx, obj))
 		if errs.IsSevere() {
 			return errs
 		}
 		errs.Add(validateNoConflictingPath(ctx, api))
+		if errs.IsSevere() {
+			return errs
+		}
+		if api.HasContext() {
+			errs = errs.MergeWith(validateDryRun(ctx, api))
+		}
 	}
-
 	return errs
 }
 
+// TODO this should be move to base once implemented for v2
 func validateNoConflictingPath(ctx context.Context, api custom.ApiDefinitionResource) *errors.AdmissionError {
 	apiPaths, err := api.GetContextPaths()
 	if err != nil {
@@ -65,6 +71,30 @@ func validateNoConflictingPath(ctx context.Context, api custom.ApiDefinitionReso
 	return nil
 }
 
+func validateDryRun(ctx context.Context, api custom.ApiDefinitionResource) *errors.AdmissionErrors {
+	errs := errors.NewAdmissionErrors()
+
+	apim, err := apim.FromContextRef(ctx, api.ContextRef(), api.GetNamespace())
+	if err != nil {
+		errs.AddSevere(err.Error())
+	}
+	status, err := apim.APIs.DryRunImportV4(api.GetSpec())
+	if err != nil {
+		errs.AddSevere(err.Error())
+		return errs
+	}
+	for _, severe := range status.Errors.Severe {
+		errs.AddSevere(severe)
+	}
+	if errs.IsSevere() {
+		return errs
+	}
+	for _, warning := range status.Errors.Warning {
+		errs.AddWarning(warning)
+	}
+	return errs
+}
+
 func getExistingPaths(ctx context.Context, api custom.ApiDefinitionResource) ([]string, error) {
 	existingPaths := make([]string, 0)
 	unstructuredList, err := getListOfExistingApis(ctx, api.GetNamespace())

internal/admission/api/v4/validate.go

@@ -48,7 +48,7 @@ func (a AdmissionCtrl) ValidateCreate(
 	ctx context.Context,
 	obj runtime.Object,
 ) (admission.Warnings, error) {
-	return validate(ctx, obj).Map()
+	return validateCreate(ctx, obj).Map()
 }
 
 // ValidateDelete implements admission.CustomValidator.

internal/admission/mctx/ctrl.go

@@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
-func validate(ctx context.Context, obj runtime.Object) *errors.AdmissionErrors {
+func validateCreate(ctx context.Context, obj runtime.Object) *errors.AdmissionErrors {
 	errs := errors.NewAdmissionErrors()
 
 	if context, ok := obj.(custom.ContextResource); ok {
@@ -54,7 +54,7 @@ func validateContextIsAvailable(ctx context.Context, context custom.ContextResou
 	}
 	_, err = apim.Env.Get()
 
-	if err != nil {
+	if errors.IsNetworkError(err) {
 		return errors.NewWarning(
 			"unable to reach APIM, [%s] is not available",
 			apim.Context.GetURL(),
@@ -68,12 +68,5 @@ func validateContextIsAvailable(ctx context.Context, context custom.ContextResou
 		)
 	}
 
-	if errors.IsNotFound(err) {
-		return errors.NewSevere(
-			"environment [%s/%s] could not be found in APIM",
-			apim.Context.GetOrg(), apim.Context.GetEnv(),
-		)
-	}
-
-	return nil
+	return errors.NewSevere(err.Error())
 }

internal/admission/mctx/validate.go

@@ -16,8 +16,10 @@ package service
 
 import (
 	"net/http"
+	"strconv"
 
 	v4 "github.com/gravitee-io/gravitee-kubernetes-operator/api/model/api/v4"
+	"github.com/gravitee-io/gravitee-kubernetes-operator/pkg/types/k8s/custom"
 
 	v2 "github.com/gravitee-io/gravitee-kubernetes-operator/api/model/api/v2"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/apim/client"
@@ -102,8 +104,16 @@ func (svc *APIs) ImportV2(method string, spec *v2.Api) (*model.ApiEntity, error)
 	return api, nil
 }
 
-func (svc *APIs) ImportV4(spec *v4.Api) (*v4.Status, error) {
-	url := svc.EnvV2Target("apis/_import/crd")
+func (svc *APIs) ImportV4(spec custom.Spec) (*v4.Status, error) {
+	return svc.importV4(spec, false)
+}
+
+func (svc *APIs) DryRunImportV4(spec custom.Spec) (*v4.Status, error) {
+	return svc.importV4(spec, true)
+}
+
+func (svc *APIs) importV4(spec custom.Spec, dryRun bool) (*v4.Status, error) {
+	url := svc.EnvV2Target("apis/_import/crd").WithQueryParam("dryRun", strconv.FormatBool(dryRun))
 
 	status := new(v4.Status)
 	if err := svc.HTTP.Put(url.String(), spec, status); err != nil {

internal/apim/service/apis.go

@@ -33,8 +33,8 @@ type AdmissionError struct {
 }
 
 type AdmissionErrors struct {
-	Warning []*AdmissionError `json:"warning"`
-	Severe  []*AdmissionError `json:"severe"`
+	Warning []*AdmissionError
+	Severe  []*AdmissionError
 }
 
 func NewAdmissionErrors() *AdmissionErrors {
@@ -56,6 +56,9 @@ func (errs *AdmissionErrors) Map() (admission.Warnings, error) {
 }
 
 func (errs *AdmissionErrors) MergeWith(other *AdmissionErrors) *AdmissionErrors {
+	if other == nil {
+		return errs
+	}
 	errs.Warning = append(errs.Warning, other.Warning...)
 	errs.Severe = append(errs.Severe, other.Severe...)
 	return errs

internal/errors/admission.go

@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 
 	kErrors "k8s.io/apimachinery/pkg/util/errors"
@@ -129,6 +130,19 @@ func IsNotFound(err error) bool {
 	return false
 }
 
+func IsBadRequest(err error) bool {
+	serverError := &ServerError{}
+	if errors.As(err, serverError) {
+		return serverError.StatusCode == http.StatusBadRequest
+	}
+	return false
+}
+
+func IsNetworkError(err error) bool {
+	opErr := new(net.OpError)
+	return errors.As(err, &opErr)
+}
+
 func IsUnauthorized(err error) bool {
 	serverError := &ServerError{}
 	if errors.As(err, serverError) {