apis: prevent changes to an already set VSphereVM.spec.biosUUID

apis/v1beta1/vspherevm_webhook.go

@@ -103,12 +103,16 @@ func (r *VSphereVM) ValidateUpdate(old runtime.Object) (admission.Warnings, erro
 	newVSphereVMSpec := newVSphereVM["spec"].(map[string]interface{})
 	oldVSphereVMSpec := oldVSphereVM["spec"].(map[string]interface{})
 
-	// allow changes to biosUUID, bootstrapRef, thumbprint
-	keys := []string{"biosUUID", "bootstrapRef", "thumbprint", "powerOffMode", "guestSoftPowerOffTimeout"}
+	// allow changes to bootstrapRef, thumbprint, powerOffMode, guestSoftPowerOffTimeout
+	keys := []string{"bootstrapRef", "thumbprint", "powerOffMode", "guestSoftPowerOffTimeout"}
 	// allow changes to os only if the old spec has empty OS field
 	if _, ok := oldVSphereVMSpec["os"]; !ok {
 		keys = append(keys, "os")
 	}
+	// allow changes to biosUUID only to set the biosUUID once
+	if _, ok := oldVSphereVMSpec["biosUUID"]; !ok {
+		keys = append(keys, "biosUUID")
+	}
 	r.deleteSpecKeys(oldVSphereVMSpec, keys)
 	r.deleteSpecKeys(newVSphereVMSpec, keys)
 

apis/v1beta1/vspherevm_webhook_test.go

@@ -191,6 +191,12 @@ func TestVSphereVM_ValidateUpdate(t *testing.T) {
 			vSphereVM:    createVSphereVM("vsphere-vm-1", "foo.com", biosUUID, "", "BB:CC:DD:EE:FF", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeSoft, nil),
 			wantErr:      false,
 		},
+		{
+			name:         "biosUUID cannot be updated to a different value",
+			oldVSphereVM: createVSphereVM("vsphere-vm-1", "foo.com", "old-uuid", "", "AA:BB:CC:DD:EE", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeTrySoft, &metav1.Duration{Duration: GuestSoftPowerOffDefaultTimeout}),
+			vSphereVM:    createVSphereVM("vsphere-vm-1", "foo.com", biosUUID, "", "BB:CC:DD:EE:FF", []string{"192.168.0.1/32"}, nil, Linux, VirtualMachinePowerOpModeSoft, nil),
+			wantErr:      true,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {