UPSTREAM: <carry>: Add validation plugin for CRD-based route parity.

Author: benluddy

openshift-kube-apiserver/admission/customresourcevalidation/attributes.go

@@ -10,6 +10,7 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
 	quotav1 "github.com/openshift/api/quota/v1"
+	routev1 "github.com/openshift/api/route/v1"
 	securityv1 "github.com/openshift/api/security/v1"
 )
 
@@ -54,4 +55,5 @@ func init() {
 	utilruntime.Must(securityv1.Install(supportedObjectsScheme))
 	utilruntime.Must(authorizationv1.Install(supportedObjectsScheme))
 	utilruntime.Must(apiv1.Install(supportedObjectsScheme))
+	utilruntime.Must(routev1.Install(supportedObjectsScheme))
 }

openshift-kube-apiserver/admission/customresourcevalidation/customresourcevalidationregistration/cr_validation_registration.go

@@ -18,6 +18,7 @@ import (
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/oauth"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/project"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/rolebindingrestriction"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/route"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/scheduler"
 	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/securitycontextconstraints"
 )
@@ -40,6 +41,7 @@ var AllCustomResourceValidators = []string{
 	network.PluginName,
 	apirequestcount.PluginName,
 	node.PluginName,
+	route.PluginName,
 
 	// the kubecontrollermanager operator resource has to exist in order to run deployments to deploy admission webhooks.
 	kubecontrollermanager.PluginName,
@@ -77,4 +79,9 @@ func RegisterCustomResourceValidation(plugins *admission.Plugins) {
 
 	// this one is special because we don't work without it.
 	securitycontextconstraints.RegisterDefaulting(plugins)
+
+	// Requests to route.openshift.io/v1 should only go through kube-apiserver admission if
+	// served via CRD. Most OpenShift flavors (including vanilla) will continue to do validation
+	// and defaulting inside openshift-apiserver.
+	route.Register(plugins)
 }

openshift-kube-apiserver/admission/customresourcevalidation/route/validate_route.go

@@ -0,0 +1,85 @@
+package route
+
+import (
+	"fmt"
+	"io"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apiserver/pkg/admission"
+
+	routev1 "github.com/openshift/api/route/v1"
+	routevalidation "github.com/openshift/library-go/pkg/route/validation"
+	"k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation"
+)
+
+const PluginName = "route.openshift.io/ValidateRoute"
+
+func Register(plugins *admission.Plugins) {
+	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
+		return customresourcevalidation.NewValidator(
+			map[schema.GroupResource]bool{
+				{Group: routev1.GroupName, Resource: "routes"}: true,
+			},
+			map[schema.GroupVersionKind]customresourcevalidation.ObjectValidator{
+				routev1.GroupVersion.WithKind("Route"): routeV1{},
+			})
+	})
+}
+
+func toRoute(uncastObj runtime.Object) (*routev1.Route, field.ErrorList) {
+	if uncastObj == nil {
+		return nil, nil
+	}
+
+	obj, ok := uncastObj.(*routev1.Route)
+	if !ok {
+		return nil, field.ErrorList{
+			field.NotSupported(field.NewPath("kind"), fmt.Sprintf("%T", uncastObj), []string{"Route"}),
+			field.NotSupported(field.NewPath("apiVersion"), fmt.Sprintf("%T", uncastObj), []string{routev1.GroupVersion.String()}),
+		}
+	}
+
+	return obj, nil
+}
+
+type routeV1 struct {
+}
+
+func (routeV1) ValidateCreate(obj runtime.Object) field.ErrorList {
+	routeObj, errs := toRoute(obj)
+	if len(errs) > 0 {
+		return errs
+	}
+
+	return routevalidation.ValidateRoute(routeObj)
+}
+
+func (routeV1) ValidateUpdate(obj runtime.Object, oldObj runtime.Object) field.ErrorList {
+	routeObj, errs := toRoute(obj)
+	if len(errs) > 0 {
+		return errs
+	}
+
+	routeOldObj, errs := toRoute(oldObj)
+	if len(errs) > 0 {
+		return errs
+	}
+
+	return routevalidation.ValidateRouteUpdate(routeObj, routeOldObj)
+}
+
+func (c routeV1) ValidateStatusUpdate(obj runtime.Object, oldObj runtime.Object) field.ErrorList {
+	routeObj, errs := toRoute(obj)
+	if len(errs) > 0 {
+		return errs
+	}
+
+	routeOldObj, errs := toRoute(oldObj)
+	if len(errs) > 0 {
+		return errs
+	}
+
+	return routevalidation.ValidateRouteStatusUpdate(routeObj, routeOldObj)
+}