Add rabbitmqClusterReference.connectionSecret

api/v1alpha1/superstream_webhook.go

@@ -28,9 +28,10 @@ func (s *SuperStream) SetupWebhookWithManager(mgr ctrl.Manager) error {
 
 var _ webhook.Validator = &SuperStream{}
 
-// no validation on create
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+// either rabbitmqClusterReference.name or rabbitmqClusterReference.connectionSecret must be provided but not both
 func (s *SuperStream) ValidateCreate() error {
-	return nil
+	return s.Spec.RabbitmqClusterReference.ValidateOnCreate(s.GroupResource(), s.Name)
 }
 
 // returns error type 'forbidden' for updates on superstream name, vhost and rabbitmqClusterReference
@@ -50,7 +51,7 @@ func (s *SuperStream) ValidateUpdate(old runtime.Object) error {
 			field.Forbidden(field.NewPath("spec", "vhost"), detailMsg))
 	}
 
-	if s.Spec.RabbitmqClusterReference != oldSuperStream.Spec.RabbitmqClusterReference {
+	if !oldSuperStream.Spec.RabbitmqClusterReference.Matches(&s.Spec.RabbitmqClusterReference) {
 		return apierrors.NewForbidden(s.GroupResource(), s.Name,
 			field.Forbidden(field.NewPath("spec", "rabbitmqClusterReference"), detailMsg))
 	}

api/v1alpha1/superstream_webhook_test.go

@@ -4,6 +4,7 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 	topologyv1beta1 "github.com/rabbitmq/messaging-topology-operator/api/v1beta1"
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -26,54 +27,77 @@ var _ = Describe("superstream webhook", func() {
 		}
 	})
 
-	It("does not allow updates on superstream name", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.Name = "new-name"
-		Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
-	})
+	Context("ValidateCreate", func() {
+		It("does not allow both spec.rabbitmqClusterReference.name and spec.rabbitmqClusterReference.connectionSecret be configured", func() {
+			notAllowed := superstream.DeepCopy()
+			notAllowed.Spec.RabbitmqClusterReference.ConnectionSecret = &corev1.LocalObjectReference{Name: "some-secret"}
+			Expect(apierrors.IsForbidden(notAllowed.ValidateCreate())).To(BeTrue())
+		})
 
-	It("does not allow updates on superstream vhost", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.Vhost = "new-vhost"
-		Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		It("spec.rabbitmqClusterReference.name and spec.rabbitmqClusterReference.connectionSecret cannot both be empty", func() {
+			notAllowed := superstream.DeepCopy()
+			notAllowed.Spec.RabbitmqClusterReference.Name = ""
+			notAllowed.Spec.RabbitmqClusterReference.ConnectionSecret = nil
+			Expect(apierrors.IsForbidden(notAllowed.ValidateCreate())).To(BeTrue())
+		})
 	})
 
-	It("does not allow updates on RabbitmqClusterReference", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.RabbitmqClusterReference = topologyv1beta1.RabbitmqClusterReference{
-			Name: "new-cluster",
-		}
-		Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
-	})
+	Context("ValidateUpdate", func() {
+		It("does not allow updates on superstream name", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.Name = "new-name"
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
 
-	It("does not allow updates on superstream.spec.routingKeys", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.RoutingKeys = []string{"a1", "d6"}
-		Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
-	})
+		It("does not allow updates on superstream vhost", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.Vhost = "new-vhost"
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
 
-	It("if the superstream previously had routing keys and the update only appends, the update succeeds", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.RoutingKeys = []string{"a1", "b2", "f17", "z66"}
-		Expect(newSuperStream.ValidateUpdate(&superstream)).To(Succeed())
-	})
+		It("does not allow updates on RabbitmqClusterReference", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.RabbitmqClusterReference = topologyv1beta1.RabbitmqClusterReference{
+				Name: "new-cluster",
+			}
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
 
-	It("if the superstream previously had no routing keys but now does, the update fails", func() {
-		superstream.Spec.RoutingKeys = nil
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.RoutingKeys = []string{"a1", "b2", "f17"}
-		Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
-	})
+		It("does not allow updates on rabbitmqClusterReference.connectionSecret", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.RabbitmqClusterReference = topologyv1beta1.RabbitmqClusterReference{ConnectionSecret: &corev1.LocalObjectReference{Name: "a-secret"}}
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
 
-	It("allows superstream.spec.partitions to be increased", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.Partitions = 1000
-		Expect(newSuperStream.ValidateUpdate(&superstream)).To(Succeed())
-	})
-	It("does not allow superstream.spec.partitions to be decreased", func() {
-		newSuperStream := superstream.DeepCopy()
-		newSuperStream.Spec.Partitions = 1
-		Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
-	})
+		It("does not allow updates on superstream.spec.routingKeys", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.RoutingKeys = []string{"a1", "d6"}
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
+
+		It("if the superstream previously had routing keys and the update only appends, the update succeeds", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.RoutingKeys = []string{"a1", "b2", "f17", "z66"}
+			Expect(newSuperStream.ValidateUpdate(&superstream)).To(Succeed())
+		})
 
+		It("if the superstream previously had no routing keys but now does, the update fails", func() {
+			superstream.Spec.RoutingKeys = nil
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.RoutingKeys = []string{"a1", "b2", "f17"}
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
+
+		It("allows superstream.spec.partitions to be increased", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.Partitions = 1000
+			Expect(newSuperStream.ValidateUpdate(&superstream)).To(Succeed())
+		})
+
+		It("does not allow superstream.spec.partitions to be decreased", func() {
+			newSuperStream := superstream.DeepCopy()
+			newSuperStream.Spec.Partitions = 1
+			Expect(apierrors.IsForbidden(newSuperStream.ValidateUpdate(&superstream))).To(BeTrue())
+		})
+	})
 })

api/v1beta1/binding_webhook.go

@@ -20,12 +20,13 @@ func (b *Binding) SetupWebhookWithManager(mgr ctrl.Manager) error {
 
 var _ webhook.Validator = &Binding{}
 
-// no validation logic on create
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+// either rabbitmqClusterReference.name or rabbitmqClusterReference.connectionSecret must be provided but not both
 func (b *Binding) ValidateCreate() error {
-	return nil
+	return b.Spec.RabbitmqClusterReference.ValidateOnCreate(b.GroupResource(), b.Name)
 }
 
-// updates on bindings.rabbitmq.com is forbidden
+// ValidateUpdate updates on vhost and rabbitmqClusterReference are forbidden
 func (b *Binding) ValidateUpdate(old runtime.Object) error {
 	oldBinding, ok := old.(*Binding)
 	if !ok {
@@ -40,7 +41,7 @@ func (b *Binding) ValidateUpdate(old runtime.Object) error {
 			field.Forbidden(field.NewPath("spec", "vhost"), detailMsg))
 	}
 
-	if b.Spec.RabbitmqClusterReference != oldBinding.Spec.RabbitmqClusterReference {
+	if !oldBinding.Spec.RabbitmqClusterReference.Matches(&b.Spec.RabbitmqClusterReference) {
 		return apierrors.NewForbidden(b.GroupResource(), b.Name,
 			field.Forbidden(field.NewPath("spec", "rabbitmqClusterReference"), detailMsg))
 	}

api/v1beta1/binding_webhook_test.go

@@ -3,6 +3,7 @@ package v1beta1
 import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -25,47 +26,83 @@ var _ = Describe("Binding webhook", func() {
 		},
 	}
 
-	It("does not allow updates on vhost", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.Vhost = "/new-vhost"
-		Expect(apierrors.IsForbidden(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
-	})
+	Context("ValidateCreate", func() {
+		It("does not allow both spec.rabbitmqClusterReference.name and spec.rabbitmqClusterReference.connectionSecret be configured", func() {
+			notAllowed := oldBinding.DeepCopy()
+			notAllowed.Spec.RabbitmqClusterReference.ConnectionSecret = &corev1.LocalObjectReference{Name: "some-secret"}
+			Expect(apierrors.IsForbidden(notAllowed.ValidateCreate())).To(BeTrue())
+		})
 
-	It("does not allow updates on RabbitmqClusterReference", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.RabbitmqClusterReference = RabbitmqClusterReference{
-			Name: "new-cluster",
-		}
-		Expect(apierrors.IsForbidden(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		It("spec.rabbitmqClusterReference.name and spec.rabbitmqClusterReference.connectionSecret cannot both be empty", func() {
+			notAllowed := oldBinding.DeepCopy()
+			notAllowed.Spec.RabbitmqClusterReference.Name = ""
+			notAllowed.Spec.RabbitmqClusterReference.ConnectionSecret = nil
+			Expect(apierrors.IsForbidden(notAllowed.ValidateCreate())).To(BeTrue())
+		})
 	})
 
-	It("does not allow updates on source", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.Source = "updated-source"
-		Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
-	})
+	Context("ValidateUpdate", func() {
+		It("does not allow updates on vhost", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.Vhost = "/new-vhost"
+			Expect(apierrors.IsForbidden(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
 
-	It("does not allow updates on destination", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.Destination = "updated-des"
-		Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
-	})
+		It("does not allow updates on RabbitmqClusterReference", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.RabbitmqClusterReference = RabbitmqClusterReference{
+				Name: "new-cluster",
+			}
+			Expect(apierrors.IsForbidden(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
 
-	It("does not allow updates on destination type", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.DestinationType = "exchange"
-		Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
-	})
+		It("does not allow updates on rabbitmqClusterReference.connectionSecret", func() {
+			connectionScr := Binding{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "connect-test-queue",
+				},
+				Spec: BindingSpec{
+					RabbitmqClusterReference: RabbitmqClusterReference{
+						ConnectionSecret: &corev1.LocalObjectReference{
+							Name: "a-secret",
+						},
+					},
+				},
+			}
+			new := connectionScr.DeepCopy()
+			new.Spec.RabbitmqClusterReference.ConnectionSecret.Name = "new-secret"
+			Expect(apierrors.IsForbidden(new.ValidateUpdate(&connectionScr))).To(BeTrue())
+		})
 
-	It("does not allow updates on routing key", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.RoutingKey = "not-allowed"
-		Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
-	})
+		It("does not allow updates on source", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.Source = "updated-source"
+			Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
 
-	It("does not allow updates on binding arguments", func() {
-		newBinding := oldBinding.DeepCopy()
-		newBinding.Spec.Arguments = &runtime.RawExtension{Raw: []byte(`{"new":"new-value"}`)}
-		Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		It("does not allow updates on destination", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.Destination = "updated-des"
+			Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
+
+		It("does not allow updates on destination type", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.DestinationType = "exchange"
+			Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
+
+		It("does not allow updates on routing key", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.RoutingKey = "not-allowed"
+			Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
+
+		It("does not allow updates on binding arguments", func() {
+			newBinding := oldBinding.DeepCopy()
+			newBinding.Spec.Arguments = &runtime.RawExtension{Raw: []byte(`{"new":"new-value"}`)}
+			Expect(apierrors.IsInvalid(newBinding.ValidateUpdate(&oldBinding))).To(BeTrue())
+		})
 	})
+
 })

api/v1beta1/exchange_webhook.go

@@ -19,9 +19,10 @@ func (r *Exchange) SetupWebhookWithManager(mgr ctrl.Manager) error {
 
 var _ webhook.Validator = &Exchange{}
 
-// no validation on create
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+// either rabbitmqClusterReference.name or rabbitmqClusterReference.connectionSecret must be provided but not both
 func (e *Exchange) ValidateCreate() error {
-	return nil
+	return e.Spec.RabbitmqClusterReference.ValidateOnCreate(e.GroupResource(), e.Name)
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
@@ -46,7 +47,7 @@ func (e *Exchange) ValidateUpdate(old runtime.Object) error {
 			field.Forbidden(field.NewPath("spec", "vhost"), detailMsg))
 	}
 
-	if e.Spec.RabbitmqClusterReference != oldExchange.Spec.RabbitmqClusterReference {
+	if !oldExchange.Spec.RabbitmqClusterReference.Matches(&e.Spec.RabbitmqClusterReference) {
 		return apierrors.NewForbidden(e.GroupResource(), e.Name,
 			field.Forbidden(field.NewPath("spec", "rabbitmqClusterReference"), detailMsg))
 	}