add validation webhook for podtemplate.ports

Signed-off-by: Harshad Reddy Nalla <[email protected]>

Author: harshad16

workspaces/controller/internal/webhook/suite_test.go

@@ -220,6 +220,9 @@ func NewExampleWorkspaceKind(name string) *kubefloworgv1beta1.WorkspaceKind {
 							},
 						},
 					},
+					{
+						PortId: "my_port",
+					},
 				},
 				ExtraEnv: []v1.EnvVar{
 					{
@@ -618,6 +621,38 @@ func NewExampleWorkspaceKindWithDuplicatePorts(name string) *kubefloworgv1beta1.
 	return workspaceKind
 }
 
+// NewExampleWorkspaceKindWithEmptyPortsArrayInPodTemplate returns a WorkspaceKind with an empty ports array in podTemplate.ports.
+func NewExampleWorkspaceKindWithEmptyPortsArrayInPodTemplate(name string) *kubefloworgv1beta1.WorkspaceKind {
+	workspaceKind := NewExampleWorkspaceKind(name)
+	workspaceKind.Spec.PodTemplate.Ports = []kubefloworgv1beta1.WorkspaceKindPort{}
+	return workspaceKind
+}
+
+// NewExampleWorkspaceKindWithDuplicatePortsInPodTemplate returns a WorkspaceKind with duplicate ports in podTemplate.ports.
+func NewExampleWorkspaceKindWithDuplicatePortsInPodTemplate(name string) *kubefloworgv1beta1.WorkspaceKind {
+	workspaceKind := NewExampleWorkspaceKind(name)
+	workspaceKind.Spec.PodTemplate.Ports = []kubefloworgv1beta1.WorkspaceKindPort{
+		{
+			PortId: "jupyterlab",
+		},
+		{
+			PortId: "jupyterlab",
+		},
+	}
+	return workspaceKind
+}
+
+// NewExampleWorkspaceKindWithNonExistentPortIdInImageConfig returns a WorkspaceKind with a non-existent portId in imageConfig.ports.
+func NewExampleWorkspaceKindWithNonExistentPortIdInImageConfig(name string) *kubefloworgv1beta1.WorkspaceKind {
+	workspaceKind := NewExampleWorkspaceKind(name)
+	workspaceKind.Spec.PodTemplate.Ports = []kubefloworgv1beta1.WorkspaceKindPort{
+		{
+			PortId: "non-existent-port-id",
+		},
+	}
+	return workspaceKind
+}
+
 // NewExampleWorkspaceKindWithInvalidExtraEnvValue returns a WorkspaceKind with an invalid extraEnv value.
 func NewExampleWorkspaceKindWithInvalidExtraEnvValue(name string) *kubefloworgv1beta1.WorkspaceKind {
 	workspaceKind := NewExampleWorkspaceKind(name)

workspaces/controller/internal/webhook/workspacekind_webhook.go

@@ -78,6 +78,9 @@ func (v *WorkspaceKindValidator) ValidateCreate(ctx context.Context, obj runtime
 	// validate the extra environment variables
 	allErrs = append(allErrs, validateExtraEnv(workspaceKind)...)
 
+	// validate the ports configuration
+	allErrs = append(allErrs, validatePorts(workspaceKind)...)
+
 	// generate helper maps for imageConfig values
 	imageConfigIdMap := make(map[string]kubefloworgv1beta1.ImageConfigValue)
 	imageConfigRedirectMap := make(map[string]string)
@@ -156,6 +159,11 @@ func (v *WorkspaceKindValidator) ValidateUpdate(ctx context.Context, oldObj, new
 		allErrs = append(allErrs, validateExtraEnv(newWorkspaceKind)...)
 	}
 
+	// validate the ports configuration
+	if !equality.Semantic.DeepEqual(newWorkspaceKind.Spec.PodTemplate.Ports, oldWorkspaceKind.Spec.PodTemplate.Ports) {
+		allErrs = append(allErrs, validatePorts(newWorkspaceKind)...)
+	}
+
 	// calculate changes to imageConfig values
 	var shouldValidateImageConfigRedirects = false
 	toValidateImageConfigIds := make(map[string]bool)
@@ -516,6 +524,61 @@ func (v *WorkspaceKindValidator) validatePodTemplatePodMetadata(workspaceKind *k
 	return errs
 }
 
+// validatePorts validates the ports in podTemplate.ports of WorkspaceKind
+func validatePorts(workspaceKind *kubefloworgv1beta1.WorkspaceKind) []*field.Error {
+	var errs []*field.Error
+
+	ports := workspaceKind.Spec.PodTemplate.Ports
+	portsPath := field.NewPath("spec", "podTemplate", "ports")
+
+	// if no ports are defined, we can skip validation
+	if len(ports) == 0 {
+		return errs
+	}
+
+	// collect all available port IDs from imageConfig values
+	availablePortIds := make(map[string]bool)
+	for _, imageConfigValue := range workspaceKind.Spec.PodTemplate.Options.ImageConfig.Values {
+		for _, imagePort := range imageConfigValue.Spec.Ports {
+			availablePortIds[imagePort.Id] = true
+		}
+	}
+
+	// track seen port IDs to ensure uniqueness
+	seenPortIds := make(map[string]bool)
+
+	// validate each port in the ports array
+	for i, port := range ports {
+		portId := port.PortId
+		portPath := portsPath.Index(i)
+		portIdPath := portPath.Child("portId")
+
+		// validate that portId is not empty (should be caught by CRD validation, but be safe)
+		if portId == "" {
+			errs = append(errs, field.Required(portIdPath, "portId is required"))
+			continue
+		}
+
+		// validate that each port has a unique portId
+		if seenPortIds[portId] {
+			errs = append(errs, field.Duplicate(portIdPath, portId))
+		} else {
+			seenPortIds[portId] = true
+		}
+
+		// validate that the portId references a valid port from imageConfig
+		if !availablePortIds[portId] {
+			errs = append(errs, field.Invalid(portIdPath, portId,
+				fmt.Sprintf("portId %q does not match any port defined in imageConfig values", portId)))
+		}
+
+		// httpProxy is optional, so no validation needed for nil
+		// The structure validation is handled by the CRD schema
+	}
+
+	return errs
+}
+
 // validateExtraEnv validates the extra environment variables in a WorkspaceKind
 func validateExtraEnv(workspaceKind *kubefloworgv1beta1.WorkspaceKind) []*field.Error {
 	var errs []*field.Error

workspaces/controller/internal/webhook/workspacekind_webhook_test.go

@@ -98,6 +98,21 @@ var _ = Describe("WorkspaceKind Webhook", func() {
 				workspaceKind: NewExampleWorkspaceKindWithDuplicatePorts("wsk-webhook-create--image-config-duplicate-ports"),
 				shouldSucceed: false,
 			},
+			{
+				description:   "should reject creation with empty ports array in podTemplate",
+				workspaceKind: NewExampleWorkspaceKindWithEmptyPortsArrayInPodTemplate("wsk-webhook-create--pod-template-empty-ports-array"),
+				shouldSucceed: true,
+			},
+			{
+				description:   "should reject creation with duplicate ports in podTemplate.ports",
+				workspaceKind: NewExampleWorkspaceKindWithDuplicatePortsInPodTemplate("wsk-webhook-create--pod-template-duplicate-portids"),
+				shouldSucceed: false,
+			},
+			{
+				description:   "should reject creation with non-existent portId in imageConfig.ports",
+				workspaceKind: NewExampleWorkspaceKindWithNonExistentPortIdInImageConfig("wsk-webhook-create--image-config-non-existent-portid"),
+				shouldSucceed: false,
+			},
 			{
 				description:   "should reject creation if extraEnv[].value is not a valid Go template",
 				workspaceKind: NewExampleWorkspaceKindWithInvalidExtraEnvValue("wsk-webhook-create--extra-invalid-env-value"),
@@ -508,6 +523,26 @@ var _ = Describe("WorkspaceKind Webhook", func() {
 					return ContainSubstring("port %d is defined more than once", duplicatePortNumber)
 				},
 			},
+			{
+				description:   "should reject updating a portId in podTemplate.ports to a duplicate portId",
+				shouldSucceed: false,
+
+				workspaceKind: NewExampleWorkspaceKind(workspaceKindName),
+				modifyKindFn: func(wsk *kubefloworgv1beta1.WorkspaceKind) gomegaTypes.GomegaMatcher {
+					wsk.Spec.PodTemplate.Ports[1].PortId = "jupyterlab"
+					return ContainSubstring("Duplicate value: %q", "jupyterlab")
+				},
+			},
+			{
+				description:   "should reject updating a portId in podTemplate.ports to a non-existent portId in imageConfig.ports",
+				shouldSucceed: false,
+
+				workspaceKind: NewExampleWorkspaceKind(workspaceKindName),
+				modifyKindFn: func(wsk *kubefloworgv1beta1.WorkspaceKind) gomegaTypes.GomegaMatcher {
+					wsk.Spec.PodTemplate.Ports[0].PortId = "non-existent-port-id"
+					return ContainSubstring("portId %q does not match any port defined in imageConfig values", "non-existent-port-id")
+				},
+			},
 			{
 				description:   "should reject updating a podMetadata.labels key to an invalid value",
 				shouldSucceed: false,