Fix: validator validateEgressSecurityRuleForNSG (#458)

The API documentation points out both Destination and Protocol are
required https://docs.oracle.com/en-us/iaas/api/#/en/iaas/20160918/datatypes/EgressSecurityRule
but our validator doesn't catch those.

Author: joekr

api/v1beta2/ocicluster_webhook_test.go

@@ -357,6 +357,66 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "invalid egressRules CIDR format",
 			expectErr:             true,
 		},
+		{
+			name: "shouldn't allow empty NSG egress destination",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							NetworkSecurityGroup: NetworkSecurityGroup{
+								List: []*NSG{{
+									Role: Custom,
+									EgressRules: []EgressSecurityRuleForNSG{{
+										EgressSecurityRule: EgressSecurityRule{
+											Destination:     nil,
+											DestinationType: EgressSecurityRuleDestinationTypeCidrBlock,
+											Protocol:        common.String("all"),
+										},
+									}},
+								}},
+							},
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "invalid egressRules: Destination may not be empty",
+			expectErr:             true,
+		},
+		{
+			name: "shouldn't allow empty NSG egress protocol",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							NetworkSecurityGroup: NetworkSecurityGroup{
+								List: []*NSG{{
+									Role: Custom,
+									EgressRules: []EgressSecurityRuleForNSG{{
+										EgressSecurityRule: EgressSecurityRule{
+											Destination:     common.String("10.0.0.0/15"),
+											DestinationType: EgressSecurityRuleDestinationTypeCidrBlock,
+											Protocol:        nil,
+										},
+									}},
+								}},
+							},
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "invalid egressRules: Protocol may not be empty",
+			expectErr:             true,
+		},
 		{
 			name: "shouldn't allow bad NSG ingress cidr",
 			c: &OCICluster{
@@ -383,6 +443,66 @@ func TestOCICluster_ValidateCreate(t *testing.T) {
 			errorMgsShouldContain: "invalid ingressRule CIDR format",
 			expectErr:             true,
 		},
+		{
+			name: "shouldn't allow empty NSG ingress protocol",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							NetworkSecurityGroup: NetworkSecurityGroup{
+								List: []*NSG{{
+									Role: Custom,
+									IngressRules: []IngressSecurityRuleForNSG{{
+										IngressSecurityRule: IngressSecurityRule{
+											Source:     common.String("10.0.0.0/15"),
+											SourceType: IngressSecurityRuleSourceTypeCidrBlock,
+											Protocol:   nil,
+										},
+									}},
+								}},
+							},
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "invalid ingressRules: Protocol may not be empty",
+			expectErr:             true,
+		},
+		{
+			name: "shouldn't allow empty NSG ingress source",
+			c: &OCICluster{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: goodClusterName,
+				},
+				Spec: OCIClusterSpec{
+					CompartmentId:         "ocid",
+					OCIResourceIdentifier: "uuid",
+					NetworkSpec: NetworkSpec{
+						Vcn: VCN{
+							NetworkSecurityGroup: NetworkSecurityGroup{
+								List: []*NSG{{
+									Role: Custom,
+									IngressRules: []IngressSecurityRuleForNSG{{
+										IngressSecurityRule: IngressSecurityRule{
+											Source:     nil,
+											SourceType: IngressSecurityRuleSourceTypeCidrBlock,
+											Protocol:   common.String("all"),
+										},
+									}},
+								}},
+							},
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "invalid ingressRules: Source may not be empty",
+			expectErr:             true,
+		},
 		{
 			name: "shouldn't allow bad NSG role",
 			c: &OCICluster{

api/v1beta2/validator.go

@@ -167,6 +167,15 @@ func validateEgressSecurityRuleForNSG(egressRules []EgressSecurityRuleForNSG, fl
 	for _, r := range egressRules {
 		rule := r.EgressSecurityRule
 
+		// nsg_reconciler will set the service destination if not set for `SERVICE_CIDR_BLOCK` destination type
+		if rule.DestinationType != EgressSecurityRuleDestinationTypeServiceCidrBlock && rule.Destination == nil {
+			allErrs = append(allErrs, field.Invalid(fldPath, rule.Destination, "invalid egressRules: Destination may not be empty"))
+		}
+
+		if rule.Protocol == nil {
+			allErrs = append(allErrs, field.Invalid(fldPath, rule.Protocol, "invalid egressRules: Protocol may not be empty"))
+		}
+
 		if rule.DestinationType == EgressSecurityRuleDestinationTypeCidrBlock && rule.Destination != nil {
 			if _, _, err := net.ParseCIDR(ociutil.DerefString(rule.Destination)); err != nil {
 				allErrs = append(allErrs, field.Invalid(fldPath, rule.Destination, "invalid egressRules CIDR format"))
@@ -184,6 +193,15 @@ func validateIngressSecurityRuleForNSG(egressRules []IngressSecurityRuleForNSG,
 	for _, r := range egressRules {
 		rule := r.IngressSecurityRule
 
+		// nsg_reconciler will set the service source if not set for `SERVICE_CIDR_BLOCK` destination type
+		if rule.SourceType != IngressSecurityRuleSourceTypeServiceCidrBlock && rule.Source == nil {
+			allErrs = append(allErrs, field.Invalid(fldPath, rule.Source, "invalid ingressRules: Source may not be empty"))
+		}
+
+		if rule.Protocol == nil {
+			allErrs = append(allErrs, field.Invalid(fldPath, rule.Protocol, "invalid ingressRules: Protocol may not be empty"))
+		}
+
 		if rule.SourceType == IngressSecurityRuleSourceTypeCidrBlock && rule.Source != nil {
 			if _, _, err := net.ParseCIDR(ociutil.DerefString(rule.Source)); err != nil {
 				allErrs = append(allErrs, field.Invalid(fldPath, rule.Source, "invalid ingressRule CIDR format"))

cloud/scope/machine_pool_test.go

@@ -309,6 +309,112 @@ func TestInstanceConfigCreate(t *testing.T) {
 
 			},
 		},
+		{
+			name:          "instance config create - LaunchInstanceAgentConfig contains nil",
+			errorExpected: false,
+			testSpecificSetup: func(ms *MachinePoolScope) {
+				ms.OCIMachinePool.Spec.InstanceConfiguration = infrav2exp.InstanceConfiguration{
+					Shape: common.String("test-shape"),
+					ShapeConfig: &infrav2exp.ShapeConfig{
+						Ocpus:                   common.String("2"),
+						MemoryInGBs:             common.String("65"),
+						BaselineOcpuUtilization: "BASELINE_1_1",
+						Nvmes:                   common.Int(5),
+					},
+					InstanceVnicConfiguration: &infrastructurev1beta2.NetworkDetails{
+						AssignPublicIp:         true,
+						SubnetName:             "worker-subnet",
+						SkipSourceDestCheck:    common.Bool(true),
+						NsgNames:               []string{"worker-nsg"},
+						HostnameLabel:          common.String("test"),
+						DisplayName:            common.String("test-display"),
+						AssignPrivateDnsRecord: common.Bool(true),
+					},
+					PlatformConfig: &infrastructurev1beta2.PlatformConfig{
+						PlatformConfigType: infrastructurev1beta2.PlatformConfigTypeAmdvm,
+						AmdVmPlatformConfig: infrastructurev1beta2.AmdVmPlatformConfig{
+							IsMeasuredBootEnabled:          common.Bool(false),
+							IsTrustedPlatformModuleEnabled: common.Bool(true),
+							IsSecureBootEnabled:            common.Bool(true),
+							IsMemoryEncryptionEnabled:      common.Bool(true),
+						},
+					},
+					AgentConfig: &infrastructurev1beta2.LaunchInstanceAgentConfig{
+						IsMonitoringDisabled:  nil,
+						IsManagementDisabled:  nil,
+						AreAllPluginsDisabled: nil,
+						PluginsConfig: []infrastructurev1beta2.InstanceAgentPluginConfig{
+							{
+								Name:         nil,
+								DesiredState: infrastructurev1beta2.InstanceAgentPluginConfigDetailsDesiredStateEnabled,
+							},
+						},
+					},
+				}
+				computeManagementClient.EXPECT().ListInstanceConfigurations(gomock.Any(), gomock.Any()).
+					Return(core.ListInstanceConfigurationsResponse{}, nil)
+
+				computeManagementClient.EXPECT().CreateInstanceConfiguration(gomock.Any(), gomock.Eq(core.CreateInstanceConfigurationRequest{
+					CreateInstanceConfiguration: core.CreateInstanceConfigurationDetails{
+						DefinedTags:   definedTagsInterface,
+						DisplayName:   common.String("test-20"),
+						FreeformTags:  tags,
+						CompartmentId: common.String("test-compartment"),
+						InstanceDetails: core.ComputeInstanceDetails{
+							LaunchDetails: &core.InstanceConfigurationLaunchInstanceDetails{
+								DefinedTags:   definedTagsInterface,
+								FreeformTags:  tags,
+								DisplayName:   common.String("test"),
+								CompartmentId: common.String("test-compartment"),
+								CreateVnicDetails: &core.InstanceConfigurationCreateVnicDetails{
+									DefinedTags:            definedTagsInterface,
+									FreeformTags:           tags,
+									NsgIds:                 []string{"nsg-id"},
+									AssignPublicIp:         common.Bool(true),
+									SkipSourceDestCheck:    common.Bool(true),
+									SubnetId:               common.String("subnet-id"),
+									HostnameLabel:          common.String("test"),
+									DisplayName:            common.String("test-display"),
+									AssignPrivateDnsRecord: common.Bool(true),
+								},
+								PlatformConfig: core.AmdVmPlatformConfig{
+									IsMeasuredBootEnabled:          common.Bool(false),
+									IsTrustedPlatformModuleEnabled: common.Bool(true),
+									IsSecureBootEnabled:            common.Bool(true),
+									IsMemoryEncryptionEnabled:      common.Bool(true),
+								},
+								Metadata: map[string]string{"user_data": "dGVzdA=="},
+								Shape:    common.String("test-shape"),
+								ShapeConfig: &core.InstanceConfigurationLaunchInstanceShapeConfigDetails{
+									Ocpus:                   common.Float32(2),
+									MemoryInGBs:             common.Float32(65),
+									BaselineOcpuUtilization: "BASELINE_1_1",
+									Nvmes:                   common.Int(5),
+								},
+								AgentConfig: &core.InstanceConfigurationLaunchInstanceAgentConfigDetails{
+									IsMonitoringDisabled:  nil,
+									IsManagementDisabled:  nil,
+									AreAllPluginsDisabled: nil,
+									PluginsConfig: []core.InstanceAgentPluginConfigDetails{
+										{
+											Name:         nil,
+											DesiredState: core.InstanceAgentPluginConfigDetailsDesiredStateEnabled,
+										},
+									},
+								},
+								SourceDetails: core.InstanceConfigurationInstanceSourceViaImageDetails{},
+							},
+						},
+					},
+				})).
+					Return(core.CreateInstanceConfigurationResponse{
+						InstanceConfiguration: core.InstanceConfiguration{
+							Id: common.String("id"),
+						},
+					}, nil)
+
+			},
+		},
 		{
 			name:          "instance config update",
 			errorExpected: false,