feat: Add preflight checks framework

dlipovetsky · dlipovetsky · commit a40fd92643ea · 2025-05-19T17:17:47.000-07:00
diff --git a/charts/cluster-api-runtime-extensions-nutanix/templates/webhooks.yaml b/charts/cluster-api-runtime-extensions-nutanix/templates/webhooks.yaml
@@ -56,3 +56,23 @@ webhooks:
         resources:
           - clusters
     sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: '{{ include "chart.name" . }}-admission'
+        namespace: '{{ .Release.Namespace }}'
+        path: /preflight-v1beta1
+    failurePolicy: Fail
+    name: preflight.caren.nutanix.com
+    rules:
+      - apiGroups:
+          - cluster.x-k8s.io
+        apiVersions:
+          - '*'
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clusters
+    sideEffects: None
diff --git a/cmd/main.go b/cmd/main.go
@@ -41,6 +41,7 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/nutanix"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/options"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/cluster"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
 )
 
 func main() {
@@ -219,6 +220,13 @@ func main() {
 		Handler: cluster.NewValidator(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme())),
 	})
 
+	mgr.GetWebhookServer().Register("/preflight-v1beta1", &webhook.Admission{
+		Handler: preflight.New(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme()),
+			[]preflight.Checker{
+				// Add your preflight checkers here.
+			}...,
+		),
+	})
 	if err := mgr.Start(signalCtx); err != nil {
 		setupLog.Error(err, "unable to start controller manager")
 		os.Exit(1)
diff --git a/pkg/webhook/preflight/doc.go b/pkg/webhook/preflight/doc.go
@@ -0,0 +1,5 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package preflight
+
+// +kubebuilder:webhook:path=/preflight-v1beta1,mutating=false,failurePolicy=fail,groups="cluster.x-k8s.io",resources=clusters,verbs=create;update,versions=*,name=preflight.caren.nutanix.com,admissionReviewVersions=v1,sideEffects=None
diff --git a/pkg/webhook/preflight/preflight.go b/pkg/webhook/preflight/preflight.go
@@ -0,0 +1,133 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+package preflight
+
+import (
+	"context"
+	"net/http"
+
+	admissionv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/common/pkg/capi/utils"
+)
+
+type CheckResult struct {
+	Allowed bool
+	Field   string
+	Message string
+	Warning string
+	Error   bool
+}
+
+type Check = func(ctx context.Context) CheckResult
+
+type Checker interface {
+	Checks(ctx context.Context, client ctrlclient.Client, cluster *clusterv1.Cluster) ([]Check, error)
+	Provider() string
+}
+
+type WebhookHandler struct {
+	client             ctrlclient.Client
+	decoder            admission.Decoder
+	checkersByProvider map[string]Checker
+}
+
+func New(client ctrlclient.Client, decoder admission.Decoder, checkers ...Checker) *WebhookHandler {
+	h := &WebhookHandler{
+		client:             client,
+		decoder:            decoder,
+		checkersByProvider: make(map[string]Checker, len(checkers)),
+	}
+	for _, checker := range checkers {
+		h.checkersByProvider[checker.Provider()] = checker
+	}
+	return h
+}
+
+func (h *WebhookHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
+	if req.Operation == admissionv1.Delete {
+		return admission.Allowed("")
+	}
+
+	cluster := &clusterv1.Cluster{}
+	err := h.decoder.Decode(req, cluster)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	// Checks run only for ClusterClass-based clusters.
+	if cluster.Spec.Topology == nil {
+		return admission.Allowed("")
+	}
+
+	// Checks run only for the known infrastructure providers.
+	checker, ok := h.checkersByProvider[utils.GetProvider(cluster)]
+	if !ok {
+		return admission.Allowed("")
+	}
+
+	resp := admission.Response{
+		AdmissionResponse: admissionv1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Details: &metav1.StatusDetails{},
+			},
+		},
+	}
+
+	checks, err := checker.Checks(ctx, h.client, cluster)
+	if err != nil {
+		resp.Allowed = false
+		resp.Result.Code = http.StatusInternalServerError
+		resp.Result.Message = "failed to initialize preflight checks"
+		resp.Result.Details.Causes = append(resp.Result.Details.Causes, metav1.StatusCause{
+			Type:    metav1.CauseTypeInternal,
+			Message: err.Error(),
+			Field:   "", // This concerns the whole cluster.
+		})
+		return resp
+	}
+
+	if len(checks) == 0 {
+		return admission.Allowed("")
+	}
+
+	// Run all checks and collect results.
+	// TODO Parallelize	checks.
+	for _, check := range checks {
+		result := check(ctx)
+
+		if result.Error {
+			resp.Allowed = false
+			resp.Result.Code = http.StatusForbidden
+			resp.Result.Message = "preflight checks failed"
+			resp.Result.Details.Causes = append(resp.Result.Details.Causes, metav1.StatusCause{
+				Type:    metav1.CauseTypeInternal,
+				Field:   result.Field,
+				Message: result.Message,
+			})
+			continue
+		}
+
+		if !result.Allowed {
+			resp.Allowed = false
+			resp.Result.Code = http.StatusForbidden
+			resp.Result.Message = "preflight checks failed"
+			resp.Result.Details.Causes = append(resp.Result.Details.Causes, metav1.StatusCause{
+				Type:    metav1.CauseTypeFieldValueInvalid,
+				Field:   result.Field,
+				Message: result.Message,
+			})
+		}
+
+		if result.Warning != "" {
+			resp.Warnings = append(resp.Warnings, result.Warning)
+		}
+	}
+
+	return resp
+}
