GT-452 Improve master endpoint validation (#1339)

jwierzbo · web-flow · commit 6052958ece6e · 2023-06-26T12:18:03.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## [master](https://github.com/arangodb/kube-arangodb/tree/master) (N/A)
 - (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode
+- (Improvement) Improve master endpoint validation.
 
 ## [1.2.30](https://github.com/arangodb/kube-arangodb/tree/1.2.30) (2023-06-16)
 - (Feature) AgencyCache Interface
diff --git a/pkg/apis/deployment/v1/sync_external_access_spec.go b/pkg/apis/deployment/v1/sync_external_access_spec.go
@@ -63,8 +63,15 @@ func (s SyncExternalAccessSpec) Validate() error {
 		return errors.WithStack(err)
 	}
 	for _, ep := range s.MasterEndpoint {
-		if _, err := url.Parse(ep); err != nil {
+		if u, err := url.Parse(ep); err != nil {
 			return errors.WithStack(errors.Newf("Failed to parse master endpoint '%s': %s", ep, err))
+		} else {
+			if u.Scheme != "http" && u.Scheme != "https" {
+				return errors.WithStack(errors.Newf("Invalid scheme '%s' in master endpoint '%s'", u.Scheme, ep))
+			}
+			if u.Host == "" {
+				return errors.WithStack(errors.Newf("Missing host in master endpoint '%s'", ep))
+			}
 		}
 	}
 	for _, name := range s.AccessPackageSecretNames {
diff --git a/pkg/apis/deployment/v1/sync_spec_test.go b/pkg/apis/deployment/v1/sync_spec_test.go
@@ -102,3 +102,37 @@ func TestSyncSpecResetImmutableFields(t *testing.T) {
 		assert.Equal(t, test.Expected, test.Target)
 	}
 }
+
+func TestSyncSpecMasterEndpointValidate(t *testing.T) {
+	auth := SyncAuthenticationSpec{
+		JWTSecretName:      util.NewType[string]("foo"),
+		ClientCASecretName: util.NewType[string]("foo-client"),
+	}
+	tls := TLSSpec{
+		CASecretName: util.NewType[string]("None"),
+	}
+	t.Run("Valid MasterEndpoint", func(t *testing.T) {
+		err := SyncSpec{
+			Authentication: auth,
+			TLS:            tls,
+			ExternalAccess: SyncExternalAccessSpec{
+				MasterEndpoint: []string{"https://arangodb.xyz:8629"},
+			},
+			Enabled: util.NewType[bool](true),
+		}.Validate(DeploymentModeCluster)
+		assert.Nil(t, err)
+	})
+
+	t.Run("Invalid MasterEndpoint without protocol", func(t *testing.T) {
+		err := SyncSpec{
+			Authentication: auth,
+			TLS:            tls,
+			ExternalAccess: SyncExternalAccessSpec{
+				MasterEndpoint: []string{"example.com:8629"},
+			},
+			Enabled: util.NewType[bool](true),
+		}.Validate(DeploymentModeCluster)
+		assert.Error(t, err)
+		assert.Equal(t, "Invalid scheme 'example.com' in master endpoint 'example.com:8629'", err.Error())
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,15 @@ func (s SyncExternalAccessSpec) Validate() error {`
`63`	`63`	`return errors.WithStack(err)`
`64`	`64`	`}`
`65`	`65`	`for _, ep := range s.MasterEndpoint {`
`66`		`- if _, err := url.Parse(ep); err != nil {`
	`66`	`+ if u, err := url.Parse(ep); err != nil {`
`67`	`67`	`return errors.WithStack(errors.Newf("Failed to parse master endpoint '%s': %s", ep, err))`
	`68`	`+ } else {`
	`69`	`+ if u.Scheme != "http" && u.Scheme != "https" {`
	`70`	`+ return errors.WithStack(errors.Newf("Invalid scheme '%s' in master endpoint '%s'", u.Scheme, ep))`
	`71`	`+ }`
	`72`	`+ if u.Host == "" {`
	`73`	`+ return errors.WithStack(errors.Newf("Missing host in master endpoint '%s'", ep))`
	`74`	`+ }`
`68`	`75`	`}`
`69`	`76`	`}`
`70`	`77`	`for _, name := range s.AccessPackageSecretNames {`