validator-labs
diff --git a/‎README.md‎
Lines changed: 26 additions & 8 deletions b/‎README.md‎
Lines changed: 26 additions & 8 deletions
diff --git a/‎api/v1alpha1/vspherevalidator_types.go‎
Lines changed: 40 additions & 33 deletions b/‎api/v1alpha1/vspherevalidator_types.go‎
Lines changed: 40 additions & 33 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 22 additions & 50 deletions b/‎api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 22 additions & 50 deletions
@@ -11,19 +11,37 @@ The vSphere [validator](https://github.com/validator-labs/validator) plugin ensu
 ## Description
 The vSphere validator plugin reconciles `VsphereValidator` custom resources to perform the following validations against your vSphere environment:
 
-1. Compare the privileges associated with a user against an expected privileges set
-2. Compare the privileges associated with a user against an expected privileges set on a particular entity(cluster, resourcepool, folder, vapp, host)
-3. Check if enough compute resources are available on a host, resourcepool or cluster against a resource request
-4. Compare the tags associated with a datacenter, cluster, host, vm, resourcepool or vm against an expected tag set
-5. Check if a given set of host systems have a valid NTP configuration
+1. Compare a user's privileges with respect to a particular entity against an expected privilege set.
+
+   Supported entities:
+   - Cluster, Datacenter, Datastore, Folder, ESXi Host, Network, Resource Pool, vApp, vCenter root, vSphere Distributed Switch (VDS)
+
+   Required Privileges:
+   - `System.View`
+   - TODO: identify and update any additional required privileges
+2. Check if sufficient compute resources are available on a particular entity to satify a resource request.
+
+   Supported entities:
+   - Cluster, ESXi Host, Resource Pool
+
+   Required Privileges:
+   - TODO: identify and update
+3. Compare the tags associated with a particular entity against an expected tag set.
+
+   Supported entities:
+   - Cluster, Datacenter, ESXi Host, Resource Pool, VM
+
+   Required Privileges:
+   - - TODO: identify and update
+4. Check if a given set of ESXi Hosts all have NTP enabled and running, with identical NTP servers configured.
+
+   Required Privileges:
+   - - TODO: identify and update
 
 Each `VsphereValidator` CR is (re)-processed every two minutes to continuously ensure that your vSphere environment matches the expected state.
 
 See the [samples](https://github.com/validator-labs/validator-plugin-vsphere/tree/main/config/samples) directory for example `VsphereValidator` configurations.
 
-> [!NOTE]
-> This plugin currently require a user with administrator role to perform all of the validations specified above. Further information on fine-grained permissions required by each validation will be updated in the future.
-
 ## Getting Started
 You’ll need a Kubernetes cluster to run against. You can use [KIND](https://sigs.k8s.io/kind) to get a local cluster for testing, or run against a remote cluster.
 **Note:** Your controller will automatically use the current context in your kubeconfig file (i.e. whatever cluster `kubectl cluster-info` shows).
 
@@ -14,13 +14,12 @@ import (
 
 // VsphereValidatorSpec defines the desired state of VsphereValidator
 type VsphereValidatorSpec struct {
-	Auth                           VsphereAuth                          `json:"auth" yaml:"auth"`
-	Datacenter                     string                               `json:"datacenter" yaml:"datacenter"`
-	EntityPrivilegeValidationRules []EntityPrivilegeValidationRule      `json:"entityPrivilegeValidationRules,omitempty" yaml:"entityPrivilegeValidationRules,omitempty"`
-	RolePrivilegeValidationRules   []GenericRolePrivilegeValidationRule `json:"rolePrivilegeValidationRules,omitempty" yaml:"rolePrivilegeValidationRules,omitempty"`
-	TagValidationRules             []TagValidationRule                  `json:"tagValidationRules,omitempty" yaml:"tagValidationRules,omitempty"`
-	ComputeResourceRules           []ComputeResourceRule                `json:"computeResourceRules,omitempty" yaml:"computeResourceRules,omitempty"`
-	NTPValidationRules             []NTPValidationRule                  `json:"ntpValidationRules,omitempty" yaml:"ntpValidationRules,omitempty"`
+	Auth                     VsphereAuth               `json:"auth" yaml:"auth"`
+	Datacenter               string                    `json:"datacenter" yaml:"datacenter"`
+	PrivilegeValidationRules []PrivilegeValidationRule `json:"privilegeValidationRules,omitempty" yaml:"privilegeValidationRules,omitempty"`
+	TagValidationRules       []TagValidationRule       `json:"tagValidationRules,omitempty" yaml:"tagValidationRules,omitempty"`
+	ComputeResourceRules     []ComputeResourceRule     `json:"computeResourceRules,omitempty" yaml:"computeResourceRules,omitempty"`
+	NTPValidationRules       []NTPValidationRule       `json:"ntpValidationRules,omitempty" yaml:"ntpValidationRules,omitempty"`
 }
 
 var _ plugins.PluginSpec = (*VsphereValidatorSpec)(nil)
@@ -32,16 +31,17 @@ func (s VsphereValidatorSpec) PluginCode() string {
 
 // ResultCount returns the number of validation results expected for an VsphereValidatorSpec.
 func (s VsphereValidatorSpec) ResultCount() int {
-	return len(s.RolePrivilegeValidationRules) + len(s.EntityPrivilegeValidationRules) + len(s.ComputeResourceRules) +
+	return len(s.PrivilegeValidationRules) + len(s.ComputeResourceRules) +
 		len(s.TagValidationRules) + len(s.NTPValidationRules)
 }
 
 // VsphereAuth defines authentication configuration for an VsphereValidator.
 type VsphereAuth struct {
 	// SecretName is the name of the secret containing the vSphere credentials
 	SecretName string `json:"secretName,omitempty" yaml:"secretName,omitempty"`
-	// CloudAccount is the vSphere cloud account to use for authentication
-	CloudAccount *vsphere.CloudAccount `json:"cloudAccount,omitempty" yaml:"cloudAccount,omitempty"`
+
+	// Account is the vSphere account to use for authentication
+	Account *vsphere.Account `json:"account,omitempty" yaml:"account,omitempty"`
 }
 
 // NTPValidationRule defines the NTP validation rule
@@ -50,8 +50,10 @@ type NTPValidationRule struct {
 
 	// RuleName is the name of the NTP validation rule
 	RuleName string `json:"name" yaml:"name"`
+
 	// ClusterName is required when the vCenter Host(s) reside beneath a Cluster in the vCenter object hierarchy
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName,omitempty"`
+
 	// Hosts is the list of vCenter Hosts to validate NTP configuration
 	Hosts []string `json:"hosts" yaml:"hosts"`
 }
@@ -74,12 +76,17 @@ type ComputeResourceRule struct {
 
 	// RuleName is the name of the compute resource validation rule
 	RuleName string `json:"name" yaml:"name"`
+
 	// ClusterName is required when the vCenter Entity resides beneath a Cluster in the vCenter object hierarchy
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName"`
+
 	// Scope is the scope of the compute resource validation rule
+	// +kubebuilder:validation:Enum=cluster;host;resourcepool
 	Scope string `json:"scope" yaml:"scope"`
+
 	// EntityName is the name of the entity to validate
 	EntityName string `json:"entityName" yaml:"entityName"`
+
 	// NodepoolResourceRequirements is the list of nodepool resource requirements
 	NodepoolResourceRequirements []NodepoolResourceRequirement `json:"nodepoolResourceRequirements" yaml:"nodepoolResourceRequirements"`
 }
@@ -96,65 +103,61 @@ func (r *ComputeResourceRule) SetName(name string) {
 	r.RuleName = name
 }
 
-// EntityPrivilegeValidationRule defines the entity privilege validation rule
-type EntityPrivilegeValidationRule struct {
+// PrivilegeValidationRule defines the privilege validation rule
+type PrivilegeValidationRule struct {
 	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`
 
 	// RuleName is the name of the entity privilege validation rule
 	RuleName string `json:"name" yaml:"name"`
+
 	// Username is the username to validate against
 	Username string `json:"username" yaml:"username"`
+
 	// ClusterName is required when the vCenter Entity resides beneath a Cluster in the vCenter object hierarchy
-	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName"`
+	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName,omitempty"`
+
 	// EntityType is the type of the entity to validate
+	// +kubebuilder:validation:Enum=cluster;datacenter;datastore;folder;host;network;resourcepool;vapp;vcenterroot;vds;vm
 	EntityType string `json:"entityType" yaml:"entityType"`
+
 	// EntityName is the name of the entity to validate
 	EntityName string `json:"entityName" yaml:"entityName"`
+
 	// Privileges is the list of privileges to validate that the user has
 	Privileges []string `json:"privileges" yaml:"privileges"`
+
+	// TODO: consider propagation somehow
 }
 
-var _ validationrule.Interface = (*EntityPrivilegeValidationRule)(nil)
+var _ validationrule.Interface = (*PrivilegeValidationRule)(nil)
 
 // Name returns the name of the EntityPrivilegeValidationRule.
-func (r EntityPrivilegeValidationRule) Name() string {
+func (r PrivilegeValidationRule) Name() string {
 	return r.RuleName
 }
 
 // SetName sets the name of the EntityPrivilegeValidationRule.
-func (r *EntityPrivilegeValidationRule) SetName(name string) {
+func (r *PrivilegeValidationRule) SetName(name string) {
 	r.RuleName = name
 }
 
-// GenericRolePrivilegeValidationRule defines the generic role privilege validation rule
-type GenericRolePrivilegeValidationRule struct {
-	validationrule.AutomaticallyNamed `json:",inline" yaml:",omitempty"`
-
-	// Username is the username to validate against
-	Username string `json:"username" yaml:"username"`
-	// Privileges is the list of privileges to validate that the user has
-	Privileges []string `json:"privileges" yaml:"privileges"`
-}
-
-var _ validationrule.Interface = (*GenericRolePrivilegeValidationRule)(nil)
-
-// Name returns the name of the GenericRolePrivilegeValidationRule.
-func (r GenericRolePrivilegeValidationRule) Name() string {
-	return r.Username
-}
-
 // TagValidationRule defines the tag validation rule
 type TagValidationRule struct {
 	validationrule.ManuallyNamed `json:",inline" yaml:",omitempty"`
 
 	// RuleName is the name of the tag validation rule
 	RuleName string `json:"name" yaml:"name"`
+
 	// ClusterName is required when the vCenter Entity resides beneath a Cluster in the vCenter object hierarchy
 	ClusterName string `json:"clusterName,omitempty" yaml:"clusterName"`
+
 	// EntityType is the type of the entity to validate
+	// +kubebuilder:validation:Enum=cluster;datacenter;folder;host;resourcepool;vm
 	EntityType string `json:"entityType" yaml:"entityType"`
+
 	// EntityName is the name of the entity to validate
 	EntityName string `json:"entityName" yaml:"entityName"`
+
 	// Tag is the tag to validate on the entity
 	Tag string `json:"tag" yaml:"tag"`
 }
@@ -175,12 +178,16 @@ func (r *TagValidationRule) SetName(name string) {
 type NodepoolResourceRequirement struct {
 	// Name is the name of the nodepool
 	Name string `json:"name" yaml:"name"`
+
 	// NumberOfNodes is the number of nodes in the nodepool
 	NumberOfNodes int `json:"numberOfNodes" yaml:"numberOfNodes"`
+
 	// CPU is the CPU requirement for the nodepool
 	CPU string `json:"cpu" yaml:"cpu"`
+
 	// Memory is the memory requirement for the nodepool
 	Memory string `json:"memory" yaml:"memory"`
+
 	// DiskSpace is the disk space requirement for the nodepool
 	DiskSpace string `json:"diskSpace" yaml:"diskSpace"`
 }