refactor: look for existing APIs in the same namespace only

kamiiiel · kamiiiel · commit 6c16b00e0616 · 2024-07-24T11:27:06.000+01:00
diff --git a/api/v1alpha1/apiv4definition_webhook.go b/api/v1alpha1/apiv4definition_webhook.go
@@ -22,6 +22,10 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/env"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
 	v4 "github.com/gravitee-io/gravitee-kubernetes-operator/api/model/api/v4"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/internal/k8s"
 	runtime "k8s.io/apimachinery/pkg/runtime"
@@ -55,7 +59,7 @@ func (*ApiV4Definition) ValidateDelete() (admission.Warnings, error) {
 
 func validateApi(api *ApiV4Definition) (admission.Warnings, error) {
 	// make sure Management Context exist before creating the API Definition resource
-	if api.HasContext() {
+	if api.HasContext() { //nolint:nestif // nested if is needed
 		mCtx := new(ManagementContext)
 		if err := k8s.GetClient().Get(context.Background(), api.ContextRef().NamespacedName(), mCtx); err != nil {
 			return admission.Warnings{}, fmt.Errorf("can't create API [%s] because it is using "+
@@ -64,13 +68,22 @@ func validateApi(api *ApiV4Definition) (admission.Warnings, error) {
 	} else {
 		// check for unique context path
 		apis := new(ApiV4DefinitionList)
-		if err := k8s.GetClient().List(context.Background(), apis); err != nil {
+		listOpts := client.ListOptions{}
+		if !env.Config.CheckApiContextPathConflictInCluster {
+			listOpts = client.ListOptions{
+				Namespace: api.Namespace,
+			}
+		}
+
+		if err := k8s.GetClient().List(context.Background(), apis, &listOpts); err != nil {
 			return admission.Warnings{}, err
 		}
 
 		existingListeners := make([]*v4.GenericListener, 0)
 		for _, item := range apis.Items {
-			existingListeners = append(existingListeners, item.Spec.Listeners...)
+			if api.Name != item.Name || api.Namespace != item.Namespace {
+				existingListeners = append(existingListeners, item.Spec.Listeners...)
+			}
 		}
 
 		if err := validateApiContextPath(existingListeners, api.Spec.Listeners); err != nil {
diff --git a/helm/gko/README.md b/helm/gko/README.md
@@ -54,27 +54,28 @@ Kube RBAC Proxy is deployed as a sidecar container and restricts access to the p
 
 This is where you can configure the deployment itself and the way the operator will interact with APIM and Custom Resources in your cluster.
 
-| Name                                        | Description                                                                                                                                     | Value                            |
-| ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
-| `manager.image.repository`                  | Specifies the docker registry and image name to use.                                                                                            | `graviteeio/kubernetes-operator` |
-| `manager.image.tag`                         | Specifies the docker image tag to use. If no value is set, the chart version will be used.                                                      | `""`                             |
-| `manager.image.pullPolicy`                  | Specifies the pullPolicy to use when starting a new container                                                                                   | `IfNotPresent`                   |
-| `manager.logs.json`                         | Whether to output manager logs in JSON format.                                                                                                  | `true`                           |
-| `manager.configMap.name`                    | The name of the config map used to set the manager config from this values.                                                                     | `gko-config`                     |
-| `manager.resources.limits.cpu`              | The CPU resources limits for the GKO Manager container                                                                                          | `500m`                           |
-| `manager.resources.limits.memory`           | The memory resources limits for the GKO Manager container                                                                                       | `128Mi`                          |
-| `manager.resources.requests.cpu`            | The requested CPU for the GKO Manager container                                                                                                 | `5m`                             |
-| `manager.resources.requests.memory`         | The requested memory for the GKO Manager container                                                                                              | `64Mi`                           |
-| `manager.scope.cluster`                     | Use false to listen only in the release namespace.                                                                                              | `true`                           |
-| `manager.applyCRDs`                         | 👎 This feature is deprecated and will be replaced in a future release. If true, the manager will patch Custom Resource Definitions on startup. | `true`                           |
-| `manager.metrics.enabled`                   | If true, a metrics server will be created so that metrics can be scraped using prometheus.                                                      | `true`                           |
-| `manager.httpClient.insecureSkipCertVerify` | If true, the manager HTTP client will not verify the certificate used by the Management API.                                                    | `false`                          |
-| `manager.httpClient.timeoutSeconds`         | he timeout (in seconds) used when issuing request to the Management API.                                                                        | `5`                              |
-| `manager.webhook.enabled`                   | If true, the manager will register a webhook server operating on custom resources.                                                              | `true`                           |
-| `manager.webhook.service.name`              | The service used to expose the webhook server.                                                                                                  | `gko-webhook`                    |
-| `manager.webhook.service.port`              | Which port the webhook server will listen to.                                                                                                   | `9443`                           |
-| `manager.webhook.cert.create`               | If true, a secret will be created to store the webhook server certificate.                                                                      | `true`                           |
-| `manager.webhook.cert.secret.name`          | The name of the secret storing the webhook server certificate.                                                                                  | `gko-webhook-cert`               |
+| Name                                                             | Description                                                                                                                                     | Value                            |
+| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- |
+| `manager.image.repository`                                       | Specifies the docker registry and image name to use.                                                                                            | `graviteeio/kubernetes-operator` |
+| `manager.image.tag`                                              | Specifies the docker image tag to use. If no value is set, the chart version will be used.                                                      | `""`                             |
+| `manager.image.pullPolicy`                                       | Specifies the pullPolicy to use when starting a new container                                                                                   | `IfNotPresent`                   |
+| `manager.logs.json`                                              | Whether to output manager logs in JSON format.                                                                                                  | `true`                           |
+| `manager.configMap.name`                                         | The name of the config map used to set the manager config from this values.                                                                     | `gko-config`                     |
+| `manager.resources.limits.cpu`                                   | The CPU resources limits for the GKO Manager container                                                                                          | `500m`                           |
+| `manager.resources.limits.memory`                                | The memory resources limits for the GKO Manager container                                                                                       | `128Mi`                          |
+| `manager.resources.requests.cpu`                                 | The requested CPU for the GKO Manager container                                                                                                 | `5m`                             |
+| `manager.resources.requests.memory`                              | The requested memory for the GKO Manager container                                                                                              | `64Mi`                           |
+| `manager.scope.cluster`                                          | Use false to listen only in the release namespace.                                                                                              | `true`                           |
+| `manager.applyCRDs`                                              | 👎 This feature is deprecated and will be replaced in a future release. If true, the manager will patch Custom Resource Definitions on startup. | `true`                           |
+| `manager.metrics.enabled`                                        | If true, a metrics server will be created so that metrics can be scraped using prometheus.                                                      | `true`                           |
+| `manager.httpClient.insecureSkipCertVerify`                      | If true, the manager HTTP client will not verify the certificate used by the Management API.                                                    | `false`                          |
+| `manager.httpClient.timeoutSeconds`                              | he timeout (in seconds) used when issuing request to the Management API.                                                                        | `5`                              |
+| `manager.webhook.enabled`                                        | If true, the manager will register a webhook server operating on custom resources.                                                              | `true`                           |
+| `manager.webhook.service.name`                                   | The service used to expose the webhook server.                                                                                                  | `gko-webhook`                    |
+| `manager.webhook.service.port`                                   | Which port the webhook server will listen to.                                                                                                   | `9443`                           |
+| `manager.webhook.cert.create`                                    | If true, a secret will be created to store the webhook server certificate.                                                                      | `true`                           |
+| `manager.webhook.cert.secret.name`                               | The name of the secret storing the webhook server certificate.                                                                                  | `gko-webhook-cert`               |
+| `manager.webhook.admission.checkApiContextPathConflictInCluster` | check if the same API context path exists in the whole cluster.                                                                                 | `false`                          |
 
 ### ingress
 
diff --git a/helm/gko/templates/manager/config.yaml b/helm/gko/templates/manager/config.yaml
@@ -12,8 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-kind: ConfigMap 
-apiVersion: v1 
+kind: ConfigMap
+apiVersion: v1
 metadata:
   name: {{ .Values.manager.configMap.name }}
   namespace: {{ .Release.Namespace }}
@@ -56,4 +56,7 @@ data:
   WEBHOOK_NAMESPACE: {{ .Release.Namespace }}
   WEBHOOK_SERVICE_NAME: {{ .Values.manager.webhook.service.name }}
   WEBHOOK_SERVICE_PORT: {{ quote .Values.manager.webhook.service.port }}
+  {{- if .Values.manager.webhook.admission.checkApiContextPathConflictInCluster }}
+  CHECK_API_CONTEXT_PATH_CONFLICT_IN_CLUSTER: "true"
+  {{- end }}
   {{- end }}
diff --git a/helm/gko/values.yaml b/helm/gko/values.yaml
@@ -107,6 +107,10 @@ manager:
       secret:
         ## @param manager.webhook.cert.secret.name The name of the secret storing the webhook server certificate.
         name: gko-webhook-cert
+    admission:
+      ## @param manager.webhook.admission.checkApiContextPathConflictInCluster check if the same API context path exists in the whole cluster.
+      checkApiContextPathConflictInCluster: false
+
 ## @section ingress
 ## @descriptionStart
 ## Configure the behavior of the ingress controller.
diff --git a/internal/env/env.go b/internal/env/env.go
@@ -23,42 +23,44 @@ import (
 )
 
 const (
-	CMTemplate404Name                = "TEMPLATE_404_CONFIG_MAP_NAME"
-	CMTemplate404NS                  = "TEMPLATE_404_CONFIG_MAP_NAMESPACE"
-	Development                      = "DEV_MODE"
-	NS                               = "NAMESPACE"
-	ApplyCRDs                        = "APPLY_CRDS"
-	EnableMetrics                    = "ENABLE_METRICS"
-	EnableWebhook                    = "ENABLE_WEBHOOK"
-	WebhookNS                        = "WEBHOOK_NAMESPACE"
-	WebhookServiceName               = "WEBHOOK_SERVICE_NAME"
-	WebhookPort                      = "WEBHOOK_SERVICE_PORT"
-	WebhookCertSecret                = "WEBHOOK_CERT_SECRET_NAME" //nolint:gosec // This is not a hardcoded secret
-	HttpCLientInsecureSkipCertVerify = "HTTP_CLIENT_INSECURE_SKIP_CERT_VERIFY"
-	HttpClientTimeoutSeconds         = "HTTP_CLIENT_TIMEOUT_SECONDS"
-	TrueString                       = "true"
-	IngressClasses                   = "INGRESS_CLASSES"
+	CMTemplate404Name                    = "TEMPLATE_404_CONFIG_MAP_NAME"
+	CMTemplate404NS                      = "TEMPLATE_404_CONFIG_MAP_NAMESPACE"
+	Development                          = "DEV_MODE"
+	NS                                   = "NAMESPACE"
+	ApplyCRDs                            = "APPLY_CRDS"
+	EnableMetrics                        = "ENABLE_METRICS"
+	EnableWebhook                        = "ENABLE_WEBHOOK"
+	WebhookNS                            = "WEBHOOK_NAMESPACE"
+	WebhookServiceName                   = "WEBHOOK_SERVICE_NAME"
+	WebhookPort                          = "WEBHOOK_SERVICE_PORT"
+	WebhookCertSecret                    = "WEBHOOK_CERT_SECRET_NAME" //nolint:gosec // This is not a hardcoded secret
+	HttpCLientInsecureSkipCertVerify     = "HTTP_CLIENT_INSECURE_SKIP_CERT_VERIFY"
+	HttpClientTimeoutSeconds             = "HTTP_CLIENT_TIMEOUT_SECONDS"
+	TrueString                           = "true"
+	IngressClasses                       = "INGRESS_CLASSES"
+	CheckApiContextPathConflictInCluster = "CHECK_API_CONTEXT_PATH_CONFLICT_IN_CLUSTER"
 
 	// This default are applied when running the app locally.
 	defaultWebhookPort       = 9443
-	defaultHttpCLientTimeout = 5
+	defaultHttpClientTimeout = 5
 )
 
 var Config = struct {
-	NS                           string
-	ApplyCRDs                    bool
-	EnableMetrics                bool
-	EnableWebhook                bool
-	WebhookNS                    string
-	WebhookService               string
-	WebhookPort                  int
-	WebhookCertSecret            string
-	Development                  bool
-	CMTemplate404Name            string
-	CMTemplate404NS              string
-	HTTPClientInsecureSkipVerify bool
-	HTTPClientTimeoutSeconds     int
-	IngressClasses               []string
+	NS                                   string
+	ApplyCRDs                            bool
+	EnableMetrics                        bool
+	EnableWebhook                        bool
+	WebhookNS                            string
+	WebhookService                       string
+	WebhookPort                          int
+	WebhookCertSecret                    string
+	Development                          bool
+	CMTemplate404Name                    string
+	CMTemplate404NS                      string
+	HTTPClientInsecureSkipVerify         bool
+	HTTPClientTimeoutSeconds             int
+	IngressClasses                       []string
+	CheckApiContextPathConflictInCluster bool
 }{}
 
 func init() {
@@ -68,13 +70,14 @@ func init() {
 	Config.CMTemplate404Name = os.Getenv(CMTemplate404Name)
 	Config.CMTemplate404NS = os.Getenv(CMTemplate404NS)
 	Config.HTTPClientInsecureSkipVerify = os.Getenv(HttpCLientInsecureSkipCertVerify) == TrueString
-	Config.HTTPClientTimeoutSeconds = parseInt(HttpClientTimeoutSeconds, defaultHttpCLientTimeout)
+	Config.HTTPClientTimeoutSeconds = parseInt(HttpClientTimeoutSeconds, defaultHttpClientTimeout)
 	Config.EnableMetrics = os.Getenv(EnableMetrics) == TrueString
 	Config.EnableWebhook = os.Getenv(EnableWebhook) == TrueString
 	Config.WebhookNS = os.Getenv(WebhookNS)
 	Config.WebhookService = os.Getenv(WebhookServiceName)
 	Config.WebhookCertSecret = os.Getenv(WebhookCertSecret)
 	Config.WebhookPort = parseInt(WebhookPort, defaultWebhookPort)
+	Config.CheckApiContextPathConflictInCluster = os.Getenv(CheckApiContextPathConflictInCluster) == TrueString
 	var ingressClass string
 	if ingressClass = keys.IngressClassAnnotationValue; os.Getenv(IngressClasses) != "" {
 		ingressClass = os.Getenv(IngressClasses)
diff --git a/test/integration/admissionwebhook/api_v4_create_withoutContext_invalid_path_webhook_test.go b/test/integration/admissionwebhook/api_v4_create_withoutContext_invalid_path_webhook_test.go
@@ -17,14 +17,15 @@ package admissionwebhook
 import (
 	"context"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/gravitee-io/gravitee-kubernetes-operator/api/v1alpha1"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/test/internal/integration/constants"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/test/internal/integration/fixture"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/test/internal/integration/labels"
 	"github.com/gravitee-io/gravitee-kubernetes-operator/test/internal/integration/manager"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"k8s.io/apimachinery/pkg/types"
 )
 
 var _ = Describe("Webhook", labels.WithContext, func() {
@@ -42,11 +43,16 @@ var _ = Describe("Webhook", labels.WithContext, func() {
 
 		By("Check API creation validation")
 		Eventually(func() error {
-			api := new(v1alpha1.ApiV4Definition)
-			if err := manager.Client().Get(ctx, types.NamespacedName{
-				Name:      fixtures.APIv4.Name,
-				Namespace: fixtures.APIv4.Namespace,
-			}, api); err != nil {
+			api := &v1alpha1.ApiV4Definition{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fixtures.APIv4.Name + "-duplicate",
+					Namespace: fixtures.APIv4.Namespace,
+				},
+			}
+
+			fixtures.APIv4.Spec.DeepCopyInto(&api.Spec)
+
+			if err := manager.Client().Create(ctx, api); err != nil {
 				return err
 			}
 
diff --git a/test/integration/admissionwebhook/api_v4_update_withoutContext_invalid_path_webhook_test.go b/test/integration/admissionwebhook/api_v4_update_withoutContext_invalid_path_webhook_test.go
