webhook: prevent changes to an already set VSphereVM.spec.biosUUID

kubernetes-sigs · Aug 3, 2023 · 6c9436b · 6c9436b
1 parent 2fae0a9
commit 6c9436b
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 4 deletions.
diff --git a/apis/v1beta1/vspherevm_webhook.go b/apis/v1beta1/vspherevm_webhook.go
@@ -100,15 +100,24 @@ func (r *VSphereVM) ValidateUpdate(old runtime.Object) (admission.Warnings, erro
 		return nil, apierrors.NewInternalError(errors.Wrap(err, "failed to convert old VSphereVM to unstructured object"))
 	}
 
+	oldTyped, ok := old.(*VSphereVM)
+	if !ok {
+		return nil, apierrors.NewInternalError(fmt.Errorf("failed to typecast old runtime object to VSphereVM"))
+	}
+
 	newVSphereVMSpec := newVSphereVM["spec"].(map[string]interface{})
 	oldVSphereVMSpec := oldVSphereVM["spec"].(map[string]interface{})
 
-	// allow changes to biosUUID, bootstrapRef, thumbprint
-	keys := []string{"biosUUID", "bootstrapRef", "thumbprint", "powerOffMode", "guestSoftPowerOffTimeout"}
-	// allow changes to os only if the old spec has empty OS field
-	if _, ok := oldVSphereVMSpec["os"]; !ok {
+	// Allow changes to bootstrapRef, thumbprint, powerOffMode, guestSoftPowerOffTimeout.
+	keys := []string{"bootstrapRef", "thumbprint", "powerOffMode", "guestSoftPowerOffTimeout"}
+	// Allow changes to os only if the old spec has empty OS field.
+	if oldTyped.Spec.OS == "" {
 		keys = append(keys, "os")
 	}
+	// Allow changes to biosUUID only if it is not already set.
+	if oldTyped.Spec.BiosUUID == "" {
+		keys = append(keys, "biosUUID")
+	}
 	r.deleteSpecKeys(oldVSphereVMSpec, keys)
 	r.deleteSpecKeys(newVSphereVMSpec, keys)
 

diff --git a/apis/v1beta1/vspherevm_webhook_test.go b/apis/v1beta1/vspherevm_webhook_test.go
@@ -191,6 +191,18 @@ func TestVSphereVM_ValidateUpdate(t *testing.T) {
 			vSphereVM:    createVSphereVM("vsphere-vm-1", "foo.com", biosUUID, "", "BB:CC:DD:EE:FF", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeSoft, nil),
 			wantErr:      false,
 		},
+		{
+			name:         "biosUUID cannot be set to a value",
+			oldVSphereVM: createVSphereVM("vsphere-vm-1", "foo.com", "", "", "AA:BB:CC:DD:EE", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeTrySoft, nil),
+			vSphereVM:    createVSphereVM("vsphere-vm-1", "foo.com", biosUUID, "", "AA:BB:CC:DD:EE", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeTrySoft, nil),
+			wantErr:      false,
+		},
+		{
+			name:         "biosUUID cannot be updated to a different value",
+			oldVSphereVM: createVSphereVM("vsphere-vm-1", "foo.com", "old-uuid", "", "AA:BB:CC:DD:EE", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeTrySoft, nil),
+			vSphereVM:    createVSphereVM("vsphere-vm-1", "foo.com", biosUUID, "", "AA:BB:CC:DD:EE", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeTrySoft, nil),
+			wantErr:      true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {