Create RayCluster ValidatingWebhook

Author: ChristianZaccaria

PROJECT

@@ -19,5 +19,6 @@ resources:
   version: v1
   webhooks:
     defaulting: true
+    validating: true # or might be validation: true
     webhookVersion: v1
 version: "3"

config/webhook/manifests.yaml

@@ -25,3 +25,30 @@ webhooks:
     resources:
     - rayclusters
   sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-ray-io-v1-raycluster
+  failurePolicy: Fail
+  name: vraycluster.kb.io
+  rules:
+  - apiGroups:
+    - ray.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - rayclusters
+  sideEffects: None

pkg/controllers/raycluster_webhook.go

@@ -29,6 +29,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/project-codeflare/codeflare-operator/pkg/config"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
 // log is for logging in this package.
@@ -40,16 +42,21 @@ func SetupRayClusterWebhookWithManager(mgr ctrl.Manager, cfg *config.KubeRayConf
 		WithDefaulter(&rayClusterDefaulter{
 			Config: cfg,
 		}).
+		WithValidator(&rayClusterValidator{}).
 		Complete()
 }
 
 // +kubebuilder:webhook:path=/mutate-ray-io-v1-raycluster,mutating=true,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=mraycluster.kb.io,admissionReviewVersions=v1
+//+kubebuilder:webhook:path=/validate-ray-io-v1-raycluster,mutating=false,failurePolicy=fail,sideEffects=None,groups=ray.io,resources=rayclusters,verbs=create;update,versions=v1,name=vraycluster.kb.io,admissionReviewVersions=v1
 
 type rayClusterDefaulter struct {
 	Config *config.KubeRayConfiguration
 }
+type rayClusterValidator struct{}
 
 var _ webhook.CustomDefaulter = &rayClusterDefaulter{}
+var _ webhook.CustomValidator = &rayClusterValidator{}
+
 
 // Default implements webhook.Defaulter so a webhook will be registered for the type
 func (r *rayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) error {
@@ -132,3 +139,32 @@ func (r *rayClusterDefaulter) Default(ctx context.Context, obj runtime.Object) e
 
 	return nil
 }
+
+func (v *rayClusterValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	raycluster := obj.(*rayv1.RayCluster)
+	var warnings admission.Warnings
+	var allErrors field.ErrorList
+	specPath := field.NewPath("spec")
+
+	if raycluster.Spec.HeadGroupSpec.EnableIngress == nil || *raycluster.Spec.HeadGroupSpec.EnableIngress {
+		rayclusterlog.Info("Creating RayCluster resources with EnableIngress set to true or unspecified is not allowed")
+		allErrors = append(allErrors, field.Invalid(specPath.Child("headGroupSpec").Child("enableIngress"), raycluster.Spec.HeadGroupSpec.EnableIngress, "creating RayCluster resources with EnableIngress set to true or unspecified is not allowed"))
+	}
+
+	return warnings, allErrors.ToAggregate()
+}
+
+func (v *rayClusterValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	newRayCluster := newObj.(*rayv1.RayCluster)
+	if !newRayCluster.DeletionTimestamp.IsZero() {
+		 // Object is being deleted, skip validations
+		return nil, nil
+	}
+	warnings, err := v.ValidateCreate(ctx, newRayCluster)
+	return warnings, err
+}
+
+func (v *rayClusterValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	// Optional: Add delete validation logic here
+	return nil, nil
+}