flesh out service quota validator; refactor & handle edge cases

Author: TylerGillson

config/samples/awsvalidator-quota.yaml

@@ -10,39 +10,33 @@ spec:
     serviceCode: ec2
     serviceQuotas:
     - name: "EC2-VPC Elastic IPs"
+      buffer: 1
+    - name: "Public AMIs"
+      buffer: 1
+  - region: us-east-2
+    serviceCode: elasticfilesystem
+    serviceQuotas:
+    - name: "File systems per account"
+      buffer: 5
+  - region: us-east-2
+    serviceCode: elasticloadbalancing
+    serviceQuotas:
+    - name: "Application Load Balancers per Region"
+      buffer: 5
+    - name: "Classic Load Balancers per Region"
+      buffer: 5
+    - name: "Network Load Balancers per Region"
       buffer: 5
-  # - region: us-east-2
-  #   serviceCode: elb
-  #   serviceQuotas:
-  #   - name: "Application Load Balancers per Region"
-  #     buffer: 5
-  # - region: us-east-2
-  #   serviceCode: elb
-  #   serviceQuotas:
-  #   - name: "Classic Load Balancers per Region"
-  #     buffer: 5
   - region: us-east-2
     serviceCode: vpc
     serviceQuotas:
     - name: "VPCs per Region"
       buffer: 2
-  # - region: us-east-2
-  #   serviceCode: vpc
-  #   serviceQuotas:
-  #   - name: "Subnets per VPC"
-  #     buffer: 5
-  # - region: us-east-2
-  #   serviceCode: vpc
-  #   serviceQuotas:
-  #   - name: "NAT gateways per Availability Zone"
-  #     buffer: 5
-  # - region: us-east-2
-  #   serviceCode: vpc
-  #   serviceQuotas:
-  #   - name: "Network interfaces per Region"
-  #     buffer: 5
-  # - region: us-east-2
-  #   serviceCode: vpc
-  #   serviceQuotas:
-  #   - name: "Internet gateways per Region"
-  #     buffer: 5
+    - name: "Subnets per VPC"
+      buffer: 5
+    - name: "NAT gateways per Availability Zone"
+      buffer: 2
+    - name: "Network interfaces per Region"
+      buffer: 5
+    - name: "Internet gateways per Region"
+      buffer: 1

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/go-logr/logr v1.2.4
 	github.com/onsi/ginkgo/v2 v2.9.5
 	github.com/onsi/gomega v1.27.7
-	github.com/spectrocloud-labs/valid8or v0.0.0-20230824230819-6ac1c98bffb8
+	github.com/spectrocloud-labs/valid8or v0.0.0-20230825153231-57f7e708100e
 	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63
 	k8s.io/api v0.27.2
 	k8s.io/apimachinery v0.27.2

go.sum

@@ -143,8 +143,8 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.28.0 h1:MirSo27VyNi7RJYP3078AA1+Cyzd2GB66qy3aUHvsWY=
 github.com/rs/zerolog v1.28.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
-github.com/spectrocloud-labs/valid8or v0.0.0-20230824230819-6ac1c98bffb8 h1:BawkBTwqPCRvQZ707WrM5ujt53UwxjviICVh2j0oe4A=
-github.com/spectrocloud-labs/valid8or v0.0.0-20230824230819-6ac1c98bffb8/go.mod h1:d2uYGVs/uB0FnyTBup6EL94SQ27bLE0gejLkr3akqvQ=
+github.com/spectrocloud-labs/valid8or v0.0.0-20230825153231-57f7e708100e h1:pnBEWlOAbBrmGnVybAUGbX3wBRv1jsQyLQwG0XgRhec=
+github.com/spectrocloud-labs/valid8or v0.0.0-20230825153231-57f7e708100e/go.mod h1:d2uYGVs/uB0FnyTBup6EL94SQ27bLE0gejLkr3akqvQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=

internal/constants/constants.go

@@ -1,3 +1,9 @@
 package constants
 
-const ValidationRulePrefix string = "validation"
+const (
+	ValidationRulePrefix string = "validation"
+
+	ValidationTypeIAMRolePolicy = "aws-iam-role-policy"
+	ValidationTypeServiceQuota  = "aws-service-quota"
+	ValidationTypeTag           = "aws-tag"
+)

internal/controller/awsvalidator_controller.go

@@ -37,10 +37,10 @@ import (
 
 	"github.com/spectrocloud-labs/valid8or-plugin-aws/api/v1alpha1"
 	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/constants"
-	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/iam"
-	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/servicequota"
-	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/tag"
 	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/types"
+	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/validators/iam"
+	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/validators/servicequota"
+	"github.com/spectrocloud-labs/valid8or-plugin-aws/internal/validators/tag"
 	valid8orv1alpha1 "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 )
 
@@ -51,12 +51,14 @@ type AwsValidatorReconciler struct {
 	Scheme *runtime.Scheme
 }
 
+// monotonicBool starts off false and remains true permanently if updated to true
 type monotonicBool struct {
 	ok bool
 }
 
+// Update updates the status of a monotonic bool. If the monotonic bool is already true, Update() is a noop.
 func (m *monotonicBool) Update(ok bool) {
-	m.ok = !ok || m.ok
+	m.ok = ok || m.ok
 }
 
 //+kubebuilder:rbac:groups=validation.spectrocloud.labs,resources=awsvalidators,verbs=get;list;watch;create;update;patch;delete
@@ -127,7 +129,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile IAM rule")
 		}
-		r.safeUpdateValidationResult(nn, *validationResult, failed)
+		r.safeUpdateValidationResult(nn, validationResult, failed, err)
 	}
 
 	// Service Quota rules
@@ -136,7 +138,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Service Quota rule")
 		}
-		r.safeUpdateValidationResult(nn, *validationResult, failed)
+		r.safeUpdateValidationResult(nn, validationResult, failed, err)
 	}
 
 	// Tag rules
@@ -145,7 +147,7 @@ func (r *AwsValidatorReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		if err != nil {
 			r.Log.V(0).Error(err, "failed to reconcile Tag rule")
 		}
-		r.safeUpdateValidationResult(nn, *validationResult, failed)
+		r.safeUpdateValidationResult(nn, validationResult, failed, err)
 	}
 
 	r.Log.V(0).Info("Requeuing for re-validation in two minutes.", "name", req.Name, "namespace", req.Namespace)
@@ -159,18 +161,6 @@ func (r *AwsValidatorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
-// safeUpdateValidationResult updates the overall validation result, ensuring that the overall validation status remains failed if a single rule fails
-func (r *AwsValidatorReconciler) safeUpdateValidationResult(nn k8stypes.NamespacedName, validationResult types.ValidationResult, failed *monotonicBool) {
-	didFail := validationResult.State == valid8orv1alpha1.ValidationFailed
-	failed.Update(didFail)
-	if failed.ok && !didFail {
-		validationResult.State = valid8orv1alpha1.ValidationFailed
-	}
-	if err := r.updateValidationResult(nn, validationResult); err != nil {
-		r.Log.V(0).Error(err, "failed to update ValidationResult")
-	}
-}
-
 // secretKeyAuth creates AWS credentials from a secret containing an access key id and secret access key
 func (r *AwsValidatorReconciler) secretKeyAuth(req ctrl.Request, validator *v1alpha1.AwsValidator) (*credentials.Credentials, *reconcile.Result) {
 	authSecret := &corev1.Secret{}
@@ -259,6 +249,26 @@ func (r *AwsValidatorReconciler) handleNewValidationResult(nn k8stypes.Namespace
 	return nil, nil
 }
 
+// safeUpdateValidationResult updates the overall validation result, ensuring that the overall validation status remains failed if a single rule fails
+func (r *AwsValidatorReconciler) safeUpdateValidationResult(nn k8stypes.NamespacedName, validationResult *types.ValidationResult, failed *monotonicBool, err error) {
+	if err != nil {
+		validationResult.State = valid8orv1alpha1.ValidationFailed
+		validationResult.Condition.Status = corev1.ConditionFalse
+		validationResult.Condition.Message = "Validation failed with an unexpected error"
+		validationResult.Condition.Failures = append(validationResult.Condition.Failures, err.Error())
+	}
+
+	didFail := validationResult.State == valid8orv1alpha1.ValidationFailed
+	failed.Update(didFail)
+	if failed.ok && !didFail {
+		validationResult.State = valid8orv1alpha1.ValidationFailed
+	}
+
+	if err := r.updateValidationResult(nn, *validationResult); err != nil {
+		r.Log.V(0).Error(err, "failed to update ValidationResult")
+	}
+}
+
 // updateValidationResult updates the ValidationResult for the active validation rule
 func (r *AwsValidatorReconciler) updateValidationResult(nn k8stypes.NamespacedName, res types.ValidationResult) error {
 	vr := &valid8orv1alpha1.ValidationResult{}
@@ -269,9 +279,9 @@ func (r *AwsValidatorReconciler) updateValidationResult(nn k8stypes.NamespacedNa
 
 	idx := getConditionIndexByValidationRule(vr.Status.Conditions, res.Condition.ValidationRule)
 	if idx == -1 {
-		vr.Status.Conditions = append(vr.Status.Conditions, res.Condition)
+		vr.Status.Conditions = append(vr.Status.Conditions, *res.Condition)
 	} else {
-		vr.Status.Conditions[idx] = res.Condition
+		vr.Status.Conditions[idx] = *res.Condition
 	}
 
 	if err := r.Status().Update(context.Background(), vr); err != nil {

internal/servicequota/servicequota_validator.go

@@ -2,7 +2,30 @@ package types
 
 import valid8orv1alpha1 "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 
+// UsageResult describes the maximum usage for an arbitrary category
+type UsageResult struct {
+	Description string
+	MaxUsage    float64
+}
+
+// UsageMap maps categories to their usage
+type UsageMap map[string]float64
+
+// Max returns a UsageResult describing the category with the maximum usage within a UsageMap
+func (u UsageMap) Max() *UsageResult {
+	var maxUsage float64
+	var maxUsageKey string
+	for k, v := range u {
+		if v > maxUsage {
+			maxUsage = v
+			maxUsageKey = k
+		}
+	}
+	return &UsageResult{Description: maxUsageKey, MaxUsage: maxUsage}
+}
+
+// ValidationResult is the result of the execution of a validation rule by a validator
 type ValidationResult struct {
-	Condition valid8orv1alpha1.ValidationCondition
+	Condition *valid8orv1alpha1.ValidationCondition
 	State     valid8orv1alpha1.ValidationState
 }