fix(vm): prohibit duplicating networks in the VirtualMachine .spec (#1545)

This update enhances the validation logic for Virtual Machines' network configurations by prohibiting duplicate network names within the specification.

Signed-off-by: Dmitry Lopatin <[email protected]>

Author: LopatinDmitr

docs/USER_GUIDE.md

@@ -2492,26 +2492,12 @@ spec:
       name: user-net # Network name
 ```
 
-It is allowed to connect a VM to the same network multiple times. Example:
-
-```yaml
-spec:
-  networks:
-    - type: Main # Must always be specified first
-    - type: Network
-      name: user-net # Network name
-    - type: Network
-      name: user-net # Network name
-```
-
 Example of connecting to the cluster network `corp-net`:
 
 ```yaml
 spec:
   networks:
     - type: Main # Must always be specified first
-    - type: Network
-      name: user-net
     - type: Network
       name: user-net
     - type: ClusterNetwork
@@ -2527,12 +2513,9 @@ status:
     - type: Network
       name: user-net
       macAddress: aa:bb:cc:dd:ee:01
-    - type: Network
-      name: user-net
-      macAddress: aa:bb:cc:dd:ee:02
     - type: ClusterNetwork
       name: corp-net
-      macAddress: aa:bb:cc:dd:ee:03
+      macAddress: aa:bb:cc:dd:ee:02
 ```
 
 For each additional network interface, a unique MAC address is automatically generated and reserved to avoid collisions. The following resources are used for this: `VirtualMachineMACAddress` (`vmmac`) and `VirtualMachineMACAddressLease` (`vmmacl`).

docs/USER_GUIDE.ru.md

@@ -2524,26 +2524,12 @@ spec:
       name: user-net # Название сети
 ```
 
-Допускается подключать одну ВМ к одной и той же сети несколько раз. Пример:
-
-```yaml
-spec:
-  networks:
-    - type: Main # Обязательно указывать первым
-    - type: Network
-      name: user-net # Название сети
-    - type: Network
-      name: user-net # Название сети
-```
-
 Пример подключения кластерной сети `corp-net`:
 
 ```yaml
 spec:
   networks:
     - type: Main # Обязательно указывать первым
-    - type: Network
-      name: user-net
     - type: Network
       name: user-net
     - type: ClusterNetwork
@@ -2559,12 +2545,9 @@ status:
     - type: Network
       name: user-net
       macAddress: aa:bb:cc:dd:ee:01
-    - type: Network
-      name: user-net
-      macAddress: aa:bb:cc:dd:ee:02
     - type: ClusterNetwork
       name: corp-net
-      macAddress: aa:bb:cc:dd:ee:03
+      macAddress: aa:bb:cc:dd:ee:02
 ```
 
 Для каждого дополнительного сетевого интерфейса автоматически создается и резервируется уникальный MAC-адрес, что обеспечивает отсутствие коллизий MAC-адресов. Для этих целей используются ресурсы: `VirtualMachineMACAddress` (`vmmac`) и `VirtualMachineMACAddressLease` (`vmmacl`).

images/virtualization-artifact/pkg/controller/vm/internal/validators/networks_validator.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 
+	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/component-base/featuregate"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
@@ -38,42 +39,60 @@ func NewNetworksValidator(featureGate featuregate.FeatureGate) *NetworksValidato
 }
 
 func (v *NetworksValidator) ValidateCreate(_ context.Context, vm *v1alpha2.VirtualMachine) (admission.Warnings, error) {
-	return v.Validate(vm)
-}
+	networksSpec := vm.Spec.Networks
+	if len(networksSpec) == 0 {
+		return nil, nil
+	}
 
-func (v *NetworksValidator) ValidateUpdate(_ context.Context, _, newVM *v1alpha2.VirtualMachine) (admission.Warnings, error) {
-	return v.Validate(newVM)
-}
+	if !v.featureGate.Enabled(featuregates.SDN) {
+		return nil, fmt.Errorf("network configuration requires SDN to be enabled")
+	}
 
-func (v *NetworksValidator) Validate(vm *v1alpha2.VirtualMachine) (admission.Warnings, error) {
-	networksSpec := vm.Spec.Networks
+	return v.validateNetworksSpec(networksSpec)
+}
 
-	if len(networksSpec) == 0 {
+func (v *NetworksValidator) ValidateUpdate(_ context.Context, oldVM, newVM *v1alpha2.VirtualMachine) (admission.Warnings, error) {
+	newNetworksSpec := newVM.Spec.Networks
+	if len(newNetworksSpec) == 0 {
 		return nil, nil
 	}
 
 	if !v.featureGate.Enabled(featuregates.SDN) {
 		return nil, fmt.Errorf("network configuration requires SDN to be enabled")
 	}
 
+	isChanged := !equality.Semantic.DeepEqual(newNetworksSpec, oldVM.Spec.Networks)
+	if isChanged {
+		return v.validateNetworksSpec(newNetworksSpec)
+	}
+	return nil, nil
+}
+
+func (v *NetworksValidator) validateNetworksSpec(networksSpec []v1alpha2.NetworksSpec) (admission.Warnings, error) {
 	if networksSpec[0].Type != v1alpha2.NetworksTypeMain {
 		return nil, fmt.Errorf("first network in the list must be of type '%s'", v1alpha2.NetworksTypeMain)
 	}
 	if networksSpec[0].Name != "" {
 		return nil, fmt.Errorf("network with type '%s' should not have a name", v1alpha2.NetworksTypeMain)
 	}
 
+	namesSet := make(map[string]struct{})
+
 	for i, network := range networksSpec {
 		if network.Type == v1alpha2.NetworksTypeMain {
 			if i > 0 {
 				return nil, fmt.Errorf("only one network of type '%s' is allowed", v1alpha2.NetworksTypeMain)
 			}
 			continue
 		}
-
 		if network.Name == "" {
 			return nil, fmt.Errorf("network at index %d with type '%s' must have a non-empty name", i, network.Type)
 		}
+
+		if _, exists := namesSet[network.Name]; exists {
+			return nil, fmt.Errorf("network name '%s' is duplicated", network.Name)
+		}
+		namesSet[network.Name] = struct{}{}
 	}
 
 	return nil, nil

images/virtualization-artifact/pkg/controller/vm/internal/validators/networks_validator_test.go

@@ -24,7 +24,7 @@ import (
 	"github.com/deckhouse/virtualization/api/core/v1alpha2"
 )
 
-func TestNetworksValidate(t *testing.T) {
+func TestNetworksValidateCreate(t *testing.T) {
 	tests := []struct {
 		networks   []v1alpha2.NetworksSpec
 		sdnEnabled bool
@@ -36,12 +36,13 @@ func TestNetworksValidate(t *testing.T) {
 		{[]v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeMain, Name: "main"}}, true, false},
 		{[]v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeNetwork, Name: "test"}, {Type: v1alpha2.NetworksTypeMain}}, true, false},
 		{[]v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeMain}, {Type: v1alpha2.NetworksTypeNetwork, Name: "test"}}, true, true},
+		{[]v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeMain}, {Type: v1alpha2.NetworksTypeNetwork, Name: "test"}, {Type: v1alpha2.NetworksTypeNetwork, Name: "test"}}, true, false},
 		{[]v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeMain}, {Type: v1alpha2.NetworksTypeNetwork}}, true, false},
 		{[]v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeMain}}, false, false},
 	}
 
 	for i, test := range tests {
-		t.Run(fmt.Sprintf("TestCase%d", i), func(t *testing.T) {
+		t.Run(fmt.Sprintf("CreateTestCase%d", i), func(t *testing.T) {
 			vm := &v1alpha2.VirtualMachine{Spec: v1alpha2.VirtualMachineSpec{Networks: test.networks}}
 
 			// Create feature gate with SDN
@@ -51,13 +52,120 @@ func TestNetworksValidate(t *testing.T) {
 			}
 			networkValidator := NewNetworksValidator(featureGate)
 
-			_, err := networkValidator.Validate(vm)
+			_, err := networkValidator.ValidateCreate(t.Context(), vm)
 			if test.valid && err != nil {
-				t.Errorf("For spec %s expected valid, but validation failed", test.networks)
+				t.Errorf("Validation failed for spec %s: expected valid, but got an error: %v", test.networks, err)
 			}
+			if !test.valid && err == nil {
+				t.Errorf("Validation succeeded for spec %s: expected error, but got none", test.networks)
+			}
+		})
+	}
+}
 
+func TestNetworksValidateUpdate(t *testing.T) {
+	tests := []struct {
+		oldNetworksSpec []v1alpha2.NetworksSpec
+		newNetworksSpec []v1alpha2.NetworksSpec
+		sdnEnabled      bool
+		valid           bool
+	}{
+		{
+			oldNetworksSpec: []v1alpha2.NetworksSpec{},
+			newNetworksSpec: []v1alpha2.NetworksSpec{},
+			sdnEnabled:      true,
+			valid:           true,
+		},
+		{
+			oldNetworksSpec: []v1alpha2.NetworksSpec{},
+			newNetworksSpec: []v1alpha2.NetworksSpec{{Type: v1alpha2.NetworksTypeMain}},
+			sdnEnabled:      true,
+			valid:           true,
+		},
+		{
+			oldNetworksSpec: []v1alpha2.NetworksSpec{},
+			newNetworksSpec: []v1alpha2.NetworksSpec{
+				{Type: v1alpha2.NetworksTypeMain},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+			},
+			sdnEnabled: true,
+			valid:      true,
+		},
+		{
+			oldNetworksSpec: []v1alpha2.NetworksSpec{},
+			newNetworksSpec: []v1alpha2.NetworksSpec{
+				{Type: v1alpha2.NetworksTypeMain},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+			},
+			sdnEnabled: true,
+			valid:      false,
+		},
+		{
+			oldNetworksSpec: []v1alpha2.NetworksSpec{
+				{Type: v1alpha2.NetworksTypeMain},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+			},
+			newNetworksSpec: []v1alpha2.NetworksSpec{
+				{Type: v1alpha2.NetworksTypeMain},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+			},
+			sdnEnabled: true,
+			valid:      false,
+		},
+		{
+			oldNetworksSpec: []v1alpha2.NetworksSpec{
+				{Type: v1alpha2.NetworksTypeMain},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+			},
+			newNetworksSpec: []v1alpha2.NetworksSpec{
+				{Type: v1alpha2.NetworksTypeMain},
+				{Type: v1alpha2.NetworksTypeNetwork, Name: "test"},
+			},
+			sdnEnabled: true,
+			valid:      true,
+		},
+	}
+
+	for i, test := range tests {
+		t.Run(fmt.Sprintf("UpdateTestCase%d", i), func(t *testing.T) {
+			oldVM := &v1alpha2.VirtualMachine{
+				Spec: v1alpha2.VirtualMachineSpec{
+					Networks: test.oldNetworksSpec,
+				},
+			}
+			newVM := &v1alpha2.VirtualMachine{
+				Spec: v1alpha2.VirtualMachineSpec{
+					Networks: test.newNetworksSpec,
+				},
+			}
+
+			// Create feature gate with SDN
+			featureGate, _, setFromMap, _ := featuregates.New()
+			if test.sdnEnabled {
+				_ = setFromMap(map[string]bool{
+					string(featuregates.SDN): true,
+				})
+			}
+			networkValidator := NewNetworksValidator(featureGate)
+			_, err := networkValidator.ValidateUpdate(t.Context(), oldVM, newVM)
+
+			if test.valid && err != nil {
+				t.Errorf(
+					"Validation failed for old spec %v and new spec %v: expected valid, but got an error: %v",
+					test.oldNetworksSpec, test.newNetworksSpec, err,
+				)
+			}
 			if !test.valid && err == nil {
-				t.Errorf("For spec %s expected not valid, but validation succeeded", test.networks)
+				t.Errorf(
+					"Validation succeeded for old spec %v and new spec %v: expected error, but got none",
+					test.oldNetworksSpec, test.newNetworksSpec,
+				)
 			}
 		})
 	}