diff --git a/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook.go b/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook.go index 5c328cd44d..4c308a43a2 100644 --- a/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook.go +++ b/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook.go @@ -318,7 +318,8 @@ func (a *ClusterDeploymentValidatingAdmissionHook) validateCreate(admissionSpec } } - allErrs = append(allErrs, validateClusterPlatform(specPath.Child("platform"), cd.Spec.Platform)...) + allErrs = append(allErrs, validateClusterPlatform(specPath, cd)...) + allErrs = append(allErrs, validateCanManageDNSForClusterPlatform(specPath, cd.Spec)...) if cd.Spec.Platform.AWS != nil { @@ -470,7 +471,9 @@ func validatefeatureGates(decoder admission.Decoder, admissionSpec *admissionv1b return nil } -func validateClusterPlatform(path *field.Path, platform hivev1.Platform) field.ErrorList { +// validatePlatformConfiguration validates platform-specific fields. +// Shared by ClusterDeployment and ClusterPool validation. +func validatePlatformConfiguration(path *field.Path, platform hivev1.Platform) field.ErrorList { allErrs := field.ErrorList{} numberOfPlatforms := 0 if aws := platform.AWS; aws != nil { @@ -495,9 +498,7 @@ func validateClusterPlatform(path *field.Path, platform hivev1.Platform) field.E if azure.Region == "" { allErrs = append(allErrs, field.Required(azurePath.Child("region"), "must specify Azure region")) } - if azure.BaseDomainResourceGroupName == "" { - allErrs = append(allErrs, field.Required(azurePath.Child("baseDomainResourceGroupName"), "must specify the Azure resource group for the base domain")) - } + // Note: baseDomainResourceGroupName validation is ClusterDeployment-specific, handled in validateClusterPlatform } if gcp := platform.GCP; gcp != nil { numberOfPlatforms++ 
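Review bot: The conditional Azure requirement is only visibly wired into `validateCreate` (the first hunk, where `validateClusterPlatform(specPath, cd)` replaces the old call); no hunk on this page touches the ClusterDeployment update path. The rule now depends on two fields, `spec.manageDNS` and `spec.platform.azure.baseDomainResourceGroupName`, so an update that changes either could leave an object with manageDNS true and an empty resource group, unless both are immutable or the update handler runs the same check. If that is not already guaranteed elsewhere in the file, I would run the equivalent of `allErrs = append(allErrs, validateClusterPlatform(specPath, cd)...)` against the new object on update, or add a comment here naming the immutability check that covers it. The body of `validateCreate` continues outside the hunk.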
@@ -584,6 +585,29 @@ func validateClusterPlatform(path *field.Path, platform hivev1.Platform) field.E return allErrs } +// validateClusterPlatform validates platform configuration for ClusterDeployment. +// Performs common platform validation and adds ClusterDeployment-specific checks +// (e.g., Azure baseDomainResourceGroupName when manageDNS is enabled). +func validateClusterPlatform(specPath *field.Path, cd *hivev1.ClusterDeployment) field.ErrorList { + platformPath := specPath.Child("platform") + allErrs := validatePlatformConfiguration(platformPath, cd.Spec.Platform) + + if cd.Spec.Platform.Azure != nil && cd.Spec.ManageDNS { + if cd.Spec.Platform.Azure.BaseDomainResourceGroupName == "" { + allErrs = append(allErrs, field.Required(platformPath.Child("azure", "baseDomainResourceGroupName"), "must specify the Azure resource group for the base domain when manageDNS is true")) + } + } + + return allErrs +} + +// validateClusterPoolPlatform validates platform configuration for ClusterPool. +// Only performs common platform validation as ClusterPool lacks ClusterDeployment-specific fields. +func validateClusterPoolPlatform(specPath *field.Path, cp *hivev1.ClusterPool) field.ErrorList { + platformPath := specPath.Child("platform") + return validatePlatformConfiguration(platformPath, cp.Spec.Platform) +} + func validateCanManageDNSForClusterPlatform(specPath *field.Path, spec hivev1.ClusterDeploymentSpec) field.ErrorList { allErrs := field.ErrorList{} canManageDNS := false diff --git a/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook_test.go b/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook_test.go index 656e7dcda8..5b14a9b05b 100644 --- a/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook_test.go +++ b/pkg/validating-webhooks/hive/v1/clusterdeployment_validating_admission_hook_test.go 
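Review bot: The doc comment on `validateClusterPoolPlatform` gives a reason that does not match the field being skipped: `baseDomainResourceGroupName` sits under `Platform.Azure`, which a ClusterPool does carry, so "lacks ClusterDeployment-specific fields" hides the fact that an admission check was dropped for pools. Presumably the real reason is that ClusterPool has no manageDNS setting; if so, say that directly, e.g. `// ClusterPool has no manageDNS setting, so the Azure baseDomainResourceGroupName requirement is not enforced at pool admission.` It would also help to state where ClusterDeployments derived from a pool get this check, since the pool webhook no longer fails closed on it. As a style point, the two nested `if`s in `validateClusterPlatform` read more directly as one condition: `if azure := cd.Spec.Platform.Azure; azure != nil && cd.Spec.ManageDNS && azure.BaseDomainResourceGroupName == "" {`.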
@@ -832,10 +832,22 @@ func TestClusterDeploymentValidate(t *testing.T) { expectedAllowed: false, }, { - name: "Azure create missing baseDomainResourceGroupName", + name: "Azure create missing baseDomainResourceGroupName with manageDNS false", newObject: func() *hivev1.ClusterDeployment { cd := validAzureClusterDeployment() cd.Spec.Platform.Azure.BaseDomainResourceGroupName = "" + cd.Spec.ManageDNS = false + return cd + }(), + operation: admissionv1beta1.Create, + expectedAllowed: true, + }, + { + name: "Azure create missing baseDomainResourceGroupName with manageDNS true", + newObject: func() *hivev1.ClusterDeployment { + cd := validAzureClusterDeployment() + cd.Spec.Platform.Azure.BaseDomainResourceGroupName = "" + cd.Spec.ManageDNS = true return cd }(), operation: admissionv1beta1.Create, diff --git a/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook.go b/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook.go index 94a96c9737..147eef4520 100644 --- a/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook.go +++ b/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook.go @@ -177,7 +177,7 @@ func (a *ClusterPoolValidatingAdmissionHook) validateCreate(admissionSpec *admis allErrs := field.ErrorList{} specPath := field.NewPath("spec") - allErrs = append(allErrs, validateClusterPlatform(specPath, newObject.Spec.Platform)...) + allErrs = append(allErrs, validateClusterPoolPlatform(specPath, newObject)...) if len(allErrs) > 0 { status := errors.NewInvalid(schemaGVK(admissionSpec.Kind).GroupKind(), admissionSpec.Name, allErrs).Status() 
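Review bot: The new "manageDNS true" case in `TestClusterDeploymentValidate` only pins allowed/denied, so it cannot distinguish the new `baseDomainResourceGroupName` rule from any other rejection caused by setting `ManageDNS = true` on `validAzureClusterDeployment()`, for example one raised by `validateCanManageDNSForClusterPlatform`. If the fixture is denied for another reason, the case keeps passing even with the new rule deleted. Unless one already exists outside this hunk, I would add a companion case with manageDNS on and the resource group set that expects admission, which shows the empty field is what triggers the denial. The `expectedAllowed` line of the new case falls in the context below the hunk, so I am assuming it is still `false`.

```go
// … unchanged: the two "missing baseDomainResourceGroupName" cases …
{
	name: "Azure create with baseDomainResourceGroupName and manageDNS true",
	newObject: func() *hivev1.ClusterDeployment {
		cd := validAzureClusterDeployment()
		cd.Spec.Platform.Azure.BaseDomainResourceGroupName = "example-rg" // constructed sample value
		cd.Spec.ManageDNS = true
		return cd
	}(),
	operation:       admissionv1beta1.Create,
	expectedAllowed: true,
},
```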
@@ -237,7 +237,7 @@ func (a *ClusterPoolValidatingAdmissionHook) validateUpdate(admissionSpec *admis allErrs := field.ErrorList{} specPath := field.NewPath("spec") - allErrs = append(allErrs, validateClusterPlatform(specPath, newObject.Spec.Platform)...) + allErrs = append(allErrs, validateClusterPoolPlatform(specPath, newObject)...) if len(allErrs) > 0 { contextLogger.WithError(allErrs.ToAggregate()).Info("failed validation") diff --git a/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook_test.go b/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook_test.go index c2fec6430b..829723e81c 100644 --- a/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook_test.go +++ b/pkg/validating-webhooks/hive/v1/clusterpool_validating_admission_hook_test.go @@ -187,7 +187,7 @@ func TestClusterPoolValidate(t *testing.T) { return cd }(), operation: admissionv1beta1.Create, - expectedAllowed: false, + expectedAllowed: true, }, { name: "create with two cloud platforms",