Validate Forbidden Regex Patterns #510

Closed
oliverbaehler opened this issue Feb 8, 2022 · 2 comments · Fixed by #513

@oliverbaehler
Collaborator

Bug description

When the Regex Pattern for any forbidden annotation is not correct, the capsule controller panics on resource creation because of the faulty pattern.

How to reproduce

Steps to reproduce the behavior:

  1. Take a Regex which is not supported (e.g. only compatible with PERL/Python):
(.*gitops|.*nsm).bedag.ch/((?!(resource)).*|trusted)
  2. Create Tenant with the faulty regexp as value for the forbidden labels and annotations:
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: oil
  annotations:
    capsule.clastix.io/forbidden-namespace-annotations-regexp: (.*gitops|.*nsm).bedag.ch/((?!(resource)).*|trusted)
    capsule.clastix.io/forbidden-namespace-labels-regexp: (.*gitops|.*nsm).bedag.ch/((?!(resource)).*|trusted)
spec:
  owners:
  - name: alice
    kind: User
EOF
  3. Apply is no problem, but here we should validate the patterns so we can't apply the tenant if the pattern is not compatible with Go regexp (or just malformed).

  4. Create Namespace (Will Timeout)

kubectl create ns oil-prod
...
Error from server (InternalError): Internal error occurred: failed calling webhook "namespaces.capsule.clastix.io": Post "https://capsule-webhook-service.capsule-system.svc:443/namespaces?timeout=30s": EOF

Controller Logs:

2022/02/07 15:42:04 http: panic serving 172.29.61.147:50495: regexp: Compile(`(.*gitops|.*nsm).bedag.ch/((?!(resource)).*|trusted)`): error parsing regexp: invalid or unsupported Perl syntax: `(?!`
goroutine 2198747 [running]:
net/http.(*conn).serve.func1(0xc000ea4a00)
	/usr/local/go/src/net/http/server.go:1805 +0x153
panic(0x167e920, 0xc003bc87a0)

Expected behavior

For all the possible regex annotations:

  • capsule.clastix.io/forbidden-node-labels-regexp
  • capsule.clastix.io/forbidden-node-annotations-regexp
  • capsule.clastix.io/forbidden-namespace-labels-regexp
  • capsule.clastix.io/forbidden-namespace-annotations-regexp

Verify on apply that the given regexp patterns are valid. Otherwise fail on Tenant edit/create.

Logs

If applicable, please provide logs of capsule.

In a standard stand-alone installation of Capsule,
you'd get this by running kubectl -n capsule-system logs deploy/capsule-controller-manager.

Additional context

  • Capsule version: 0.1.0
  • Helm Chart version: (helm list -n capsule-system)
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                                               APP VERSION
capsule         capsule-system  7               2022-02-02 14:37:30.185632772 +0000 UTC deployed        capsule-0.1.6                                       0.1.1      
capsule-proxy   capsule-system  5               2022-02-07 09:27:34.760511973 +0000 UTC deployed        capsule-proxy-0.1.9                                 0.2.0      
tenant-rbac     capsule-system  18              2022-02-04 07:25:57.635037297 +0000 UTC deployed        tenant-rbac-1.4.1-alpha.1809494+d78708f.tekton      1.0.0 
  • Kubernetes version:
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.3", GitCommit:"c92036820499fedefec0f847e2054d824aea6cd1", GitTreeState:"clean", BuildDate:"2021-10-27T18:41:28Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-12T14:12:29Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/amd64"}
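
The check requested above, as an added Go example (not Capsule's code and not the change merged in #513): each of the four annotation values is compiled with `regexp.Compile`, which returns an error, whereas `regexp.MustCompile` panics with the `regexp: Compile(...)` message seen in the controller log. The helper name `validateForbiddenRegexps` and the annotation map in `main` are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Annotation keys listed in the issue's "Expected behavior" section.
var forbiddenRegexpKeys = []string{
	"capsule.clastix.io/forbidden-node-labels-regexp",
	"capsule.clastix.io/forbidden-node-annotations-regexp",
	"capsule.clastix.io/forbidden-namespace-labels-regexp",
	"capsule.clastix.io/forbidden-namespace-annotations-regexp",
}

// validateForbiddenRegexps (hypothetical helper) compiles every forbidden-*
// regexp annotation that is set and returns one message per pattern that
// Go's RE2-based regexp package rejects. An empty result means the Tenant
// can be admitted as far as these annotations are concerned.
func validateForbiddenRegexps(annotations map[string]string) []string {
	var problems []string
	for _, key := range forbiddenRegexpKeys {
		pattern, ok := annotations[key]
		if !ok {
			continue // annotation not set on this Tenant
		}
		if _, err := regexp.Compile(pattern); err != nil {
			problems = append(problems, fmt.Sprintf("%s: %v", key, err))
		}
	}
	return problems
}

func main() {
	// Constructed input: the two annotations from the issue's Tenant, plus
	// one valid pattern (made up here) to show that it passes.
	tenant := map[string]string{
		"capsule.clastix.io/forbidden-namespace-annotations-regexp": `(.*gitops|.*nsm).bedag.ch/((?!(resource)).*|trusted)`,
		"capsule.clastix.io/forbidden-namespace-labels-regexp":      `(.*gitops|.*nsm).bedag.ch/((?!(resource)).*|trusted)`,
		"capsule.clastix.io/forbidden-node-labels-regexp":           `.*\.bedag\.ch/trusted`,
	}
	for _, p := range validateForbiddenRegexps(tenant) {
		fmt.Println("reject Tenant:", p)
	}
}
```

Run at Tenant create/update time, a non-empty result is the reason to deny the request, so the faulty pattern never reaches the namespace webhook.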

@oliverbaehler oliverbaehler added blocked-needs-validation Issue need triage and validation bug Something isn't working labels Feb 8, 2022
@oliverbaehler oliverbaehler changed the title Validate Forbidden Regexp Patterns Validate Forbidden Regex Patterns Feb 8, 2022
@prometherion
Member

@oliverbaehler would you like to work on this? Otherwise, we could ask @EthanAlban for help!

@prometherion prometherion added good first issue Good for newcomers and removed blocked-needs-validation Issue need triage and validation labels Feb 9, 2022
@prometherion prometherion added this to the v0.1.2 milestone Feb 9, 2022
Pandry added a commit to Pandry/capsule that referenced this issue Feb 16, 2022
@Pandry
Contributor

Pandry commented Feb 16, 2022

Hi, I managed to write a fix (I still need to write the tests)
