Add validation webhook for the IPv4 spec of Interface resource

Author: felix-kaestner

PROJECT

@@ -19,6 +19,9 @@ resources:
   kind: Interface
   path: github.com/ironcore-dev/network-operator/api/core/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 - api:
     crdVersion: v1
     namespaced: true

charts/network-operator/templates/webhook/webhooks.yaml

@@ -11,12 +11,32 @@ metadata:
   labels:
     {{- include "chart.labels" . | nindent 4 }}
 webhooks:
+  - name: interface-v1alpha1.kb.io
+    clientConfig:
+      service:
+        name: network-operator-webhook-service
+        namespace: {{ .Release.Namespace }}
+        path: /validate-networking-metal-ironcore-dev-v1alpha1-interface
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+        apiGroups:
+          - networking.metal.ironcore.dev
+        apiVersions:
+          - v1alpha1
+        resources:
+          - interfaces
   - name: vrf-v1alpha1.kb.io
     clientConfig:
       service:
         name: network-operator-webhook-service
         namespace: {{ .Release.Namespace }}
-        path: /validate-networking.metal.ironcore.dev-v1alpha1-vrf
+        path: /validate-networking-metal-ironcore-dev-v1alpha1-vrf
     failurePolicy: Fail
     sideEffects: None
     admissionReviewVersions:

cmd/main.go

@@ -427,13 +427,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err := webhookv1alpha1.SetupVRFWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "VRF")
-			os.Exit(1)
-		}
-	}
-
 	if err := (&nxcontroller.SystemReconciler{
 		Client:           mgr.GetClient(),
 		Scheme:           mgr.GetScheme(),
@@ -445,6 +438,19 @@ func main() {
 		os.Exit(1)
 	}
 
+	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+		if err := webhookv1alpha1.SetupVRFWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "VRF")
+			os.Exit(1)
+		}
+	}
+
+	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
+		if err := webhookv1alpha1.SetupInterfaceWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "Interface")
+			os.Exit(1)
+		}
+	}
 	// +kubebuilder:scaffold:builder
 
 	if metricsCertWatcher != nil {

config/webhook/manifests.yaml

@@ -10,7 +10,27 @@ webhooks:
     service:
       name: webhook-service
       namespace: system
-      path: /validate-networking.metal.ironcore.dev-v1alpha1-vrf
+      path: /validate-networking-metal-ironcore-dev-v1alpha1-interface
+  failurePolicy: Fail
+  name: interface-v1alpha1.kb.io
+  rules:
+  - apiGroups:
+    - networking.metal.ironcore.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - interfaces
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-networking-metal-ironcore-dev-v1alpha1-vrf
   failurePolicy: Fail
   name: vrf-v1alpha1.kb.io
   rules:

internal/provider/cisco/nxos/provider.go

@@ -427,7 +427,6 @@ func (p *Provider) EnsureInterface(ctx context.Context, req *provider.EnsureInte
 	}
 
 	var addr *AddrItem
-	var prefixes []netip.Prefix
 	if req.IPv4 != nil {
 		addr = new(AddrItem)
 		addr.ID = name
@@ -436,7 +435,6 @@ func (p *Provider) EnsureInterface(ctx context.Context, req *provider.EnsureInte
 		switch v := req.IPv4.(type) {
 		case provider.IPv4AddressList:
 			for i, p := range v {
-				prefixes = append(prefixes, p)
 				nth := IntfAddrTypePrimary
 				if i > 0 {
 					nth = IntfAddrTypeSecondary
@@ -445,9 +443,6 @@ func (p *Provider) EnsureInterface(ctx context.Context, req *provider.EnsureInte
 					Addr: p.String(),
 					Type: nth,
 				}
-				if p.Addr().Is6() {
-					return fmt.Errorf("invalid ipv4 address %q: not an ipv4 address", p.String())
-				}
 				addr.AddrItems.AddrList.Set(ip)
 			}
 
@@ -459,14 +454,6 @@ func (p *Provider) EnsureInterface(ctx context.Context, req *provider.EnsureInte
 		}
 	}
 
-	for i, p := range prefixes {
-		for j := i + 1; j < len(prefixes); j++ {
-			if p.Overlaps(prefixes[j]) {
-				return fmt.Errorf("overlapping IP prefixes: %s and %s", p, prefixes[j])
-			}
-		}
-	}
-
 	if req.Interface.Spec.Type != v1alpha1.InterfaceTypeAggregate {
 		del := make([]gnmiext.Configurable, 0, 2)
 		addrs := new(AddrList)

internal/webhook/core/v1alpha1/interface_webhook.go

@@ -0,0 +1,92 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
+)
+
+// log is for logging in this package.
+var interfacelog = logf.Log.WithName("interface-resource")
+
+// SetupInterfaceWebhookWithManager registers the webhook for Interfaces in the manager.
+func SetupInterfaceWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&v1alpha1.Interface{}).
+		WithValidator(&InterfaceCustomValidator{}).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/validate-networking-metal-ironcore-dev-v1alpha1-interface,mutating=false,failurePolicy=Fail,sideEffects=None,groups=networking.metal.ironcore.dev,resources=interfaces,verbs=create;update,versions=v1alpha1,name=interface-v1alpha1.kb.io,admissionReviewVersions=v1
+
+// InterfaceCustomValidator struct is responsible for validating the Interface resource
+// when it is created, updated, or deleted.
+type InterfaceCustomValidator struct{}
+
+var _ webhook.CustomValidator = &InterfaceCustomValidator{}
+
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type Interface.
+func (v *InterfaceCustomValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	intf, ok := obj.(*v1alpha1.Interface)
+	if !ok {
+		return nil, fmt.Errorf("expected a Interfaces object but got %T", obj)
+	}
+
+	interfacelog.Info("Validation for Interfaces upon creation", "name", intf.GetName())
+
+	return nil, validateInterfaceSpec(intf)
+}
+
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type Interface.
+func (v *InterfaceCustomValidator) ValidateUpdate(_ context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	intf, ok := newObj.(*v1alpha1.Interface)
+	if !ok {
+		return nil, fmt.Errorf("expected a Interfaces object for the newObj but got %T", newObj)
+	}
+
+	interfacelog.Info("Validation for Interfaces upon update", "name", intf.GetName())
+
+	return nil, validateInterfaceSpec(intf)
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type Interface.
+func (v *InterfaceCustomValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+// validateInterfaceSpec performs validation on the Interface spec.
+func validateInterfaceSpec(intf *v1alpha1.Interface) error {
+	if intf.Spec.IPv4 == nil {
+		return nil
+	}
+
+	return validateInterfaceIPv4(intf.Spec.IPv4)
+}
+
+// validateInterfaceIPv4 performs validation on the InterfaceIPv4 spec.
+func validateInterfaceIPv4(ip *v1alpha1.InterfaceIPv4) error {
+	var errAgg []error
+	for i, cidr := range ip.Addresses {
+		if cidr.Prefix.Addr().Is6() {
+			errAgg = append(errAgg, fmt.Errorf("invalid IPv4 address %q: address is IPv6", cidr.String()))
+			continue
+		}
+		for j := i + 1; j < len(ip.Addresses); j++ {
+			if p := ip.Addresses[j].Prefix; cidr.Overlaps(p) {
+				errAgg = append(errAgg, fmt.Errorf("invalid IPv4 address %q: overlaps with %q", cidr.String(), p.String()))
+			}
+		}
+	}
+	return errors.Join(errAgg...)
+}

internal/webhook/core/v1alpha1/interface_webhook_test.go

@@ -0,0 +1,94 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"context"
+	"net/netip"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
+)
+
+var _ = Describe("Interface Webhook", func() {
+	var (
+		obj       *v1alpha1.Interface
+		oldObj    *v1alpha1.Interface
+		validator InterfaceCustomValidator
+	)
+
+	BeforeEach(func() {
+		obj = &v1alpha1.Interface{
+			Spec: v1alpha1.InterfaceSpec{
+				DeviceRef:  v1alpha1.LocalObjectReference{Name: "test-device"},
+				Name:       "test-interface",
+				AdminState: v1alpha1.AdminStateUp,
+				Type:       v1alpha1.InterfaceTypeLoopback,
+			},
+		}
+		oldObj = &v1alpha1.Interface{
+			Spec: v1alpha1.InterfaceSpec{
+				DeviceRef:  v1alpha1.LocalObjectReference{Name: "test-device"},
+				Name:       "test-interface",
+				AdminState: v1alpha1.AdminStateUp,
+				Type:       v1alpha1.InterfaceTypeLoopback,
+			},
+		}
+		validator = InterfaceCustomValidator{}
+		Expect(validator).NotTo(BeNil(), "Expected validator to be initialized")
+		Expect(oldObj).NotTo(BeNil(), "Expected oldObj to be initialized")
+		Expect(obj).NotTo(BeNil(), "Expected obj to be initialized")
+	})
+
+	Context("When creating or updating Interfaces under Validating Webhook", func() {
+		It("Should allow valid IPv4 addresses", func() {
+			obj.Spec.IPv4 = &v1alpha1.InterfaceIPv4{
+				Addresses: []v1alpha1.IPPrefix{
+					{Prefix: netip.MustParsePrefix("10.0.0.1/32")},
+					{Prefix: netip.MustParsePrefix("10.0.1.1/32")},
+				},
+			}
+			_, err := validator.ValidateCreate(context.Background(), obj)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("Should reject IPv6 addresses in IPv4 field", func() {
+			obj.Spec.IPv4 = &v1alpha1.InterfaceIPv4{
+				Addresses: []v1alpha1.IPPrefix{
+					{Prefix: netip.MustParsePrefix("2001:db8::1/128")},
+				},
+			}
+			_, err := validator.ValidateCreate(context.Background(), obj)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("invalid IPv4 address"))
+			Expect(err.Error()).To(ContainSubstring("address is IPv6"))
+		})
+
+		It("Should reject overlapping IPv4 addresses", func() {
+			obj.Spec.IPv4 = &v1alpha1.InterfaceIPv4{
+				Addresses: []v1alpha1.IPPrefix{
+					{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+					{Prefix: netip.MustParsePrefix("10.0.0.128/25")},
+				},
+			}
+			_, err := validator.ValidateCreate(context.Background(), obj)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("overlaps with"))
+		})
+
+		It("Should reject updates with invalid IPv4 addresses", func() {
+			obj.Spec.IPv4 = &v1alpha1.InterfaceIPv4{
+				Addresses: []v1alpha1.IPPrefix{
+					{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
+					{Prefix: netip.MustParsePrefix("10.0.0.128/25")},
+				},
+			}
+			_, err := validator.ValidateUpdate(context.Background(), oldObj, obj)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("overlaps with"))
+		})
+	})
+})

internal/webhook/core/v1alpha1/vrf_webhook.go

@@ -25,12 +25,13 @@ var vrflog = logf.Log.WithName("vrf-resource")
 
 // SetupVRFWebhookWithManager registers the webhook for VRF in the manager.
 func SetupVRFWebhookWithManager(mgr ctrl.Manager) error {
-	return ctrl.NewWebhookManagedBy(mgr).For(&v1alpha1.VRF{}).
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&v1alpha1.VRF{}).
 		WithValidator(&VRFCustomValidator{}).
 		Complete()
 }
 
-// +kubebuilder:webhook:path=/validate-networking.metal.ironcore.dev-v1alpha1-vrf,mutating=false,failurePolicy=Fail,sideEffects=None,groups=networking.metal.ironcore.dev,resources=vrfs,verbs=create;update,versions=v1alpha1,name=vrf-v1alpha1.kb.io,admissionReviewVersions=v1
+// +kubebuilder:webhook:path=/validate-networking-metal-ironcore-dev-v1alpha1-vrf,mutating=false,failurePolicy=Fail,sideEffects=None,groups=networking.metal.ironcore.dev,resources=vrfs,verbs=create;update,versions=v1alpha1,name=vrf-v1alpha1.kb.io,admissionReviewVersions=v1
 
 // VRFCustomValidator struct is responsible for validating the VRF resource
 // when it is created, updated, or deleted.
@@ -62,11 +63,6 @@ func (v *VRFCustomValidator) ValidateUpdate(_ context.Context, oldObj, newObj ru
 
 // ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type VRF.
 func (v *VRFCustomValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
-	_, ok := obj.(*v1alpha1.VRF)
-	if !ok {
-		return nil, fmt.Errorf("expected a VRF object but got %T", obj)
-	}
-
 	return nil, nil
 }
 

internal/webhook/core/v1alpha1/vrf_webhook_test.go

@@ -130,19 +130,6 @@ var _ = Describe("VRF Webhook", func() {
 		})
 	})
 
-	Context("ValidateDelete", func() {
-		It("allows delete on VRF object", func() {
-			_, err := validator.ValidateDelete(ctx, obj)
-			Expect(err).ToNot(HaveOccurred())
-		})
-
-		It("rejects delete when object type is wrong", func() {
-			// Passing a different type (nil interface would panic so use something else)
-			_, err := validator.ValidateDelete(ctx, &v1alpha1.VRFList{})
-			Expect(err).To(HaveOccurred())
-		})
-	})
-
 	Context("ValidateCreate RouteTargets", func() {
 		It("accepts valid type-0 route target", func() {
 			obj.Spec.RouteTargets = []v1alpha1.RouteTarget{

internal/webhook/core/v1alpha1/webhook_suite_test.go

@@ -98,6 +98,9 @@ var _ = BeforeSuite(func() {
 	err = SetupVRFWebhookWithManager(mgr)
 	Expect(err).NotTo(HaveOccurred())
 
+	err = SetupInterfaceWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
 	// +kubebuilder:scaffold:webhook
 
 	go func() {