feat: Nutanix VM image preflight check

Author: dlipovetsky

cmd/main.go

@@ -42,6 +42,7 @@ import (
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/handlers/options"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/cluster"
 	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+	preflightnutanix "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight/nutanix"
 )
 
 func main() {
@@ -224,6 +225,7 @@ func main() {
 		Handler: preflight.New(mgr.GetClient(), admission.NewDecoder(mgr.GetScheme()),
 			[]preflight.Checker{
 				// Add your preflight checkers here.
+				&preflightnutanix.Checker{},
 			}...,
 		),
 	})

pkg/webhook/preflight/nutanix/client.go

@@ -0,0 +1,61 @@
+package nutanix
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	prism "github.com/nutanix-cloud-native/prism-go-client"
+	prismcredentials "github.com/nutanix-cloud-native/prism-go-client/environment/credentials"
+	prismv4 "github.com/nutanix-cloud-native/prism-go-client/v4"
+
+	carenvariables "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/variables"
+)
+
+func newV4Client(
+	ctx context.Context,
+	client ctrlclient.Client,
+	clusterNamespace string,
+	clusterConfig *carenvariables.ClusterConfigSpec,
+) (
+	*prismv4.Client,
+	error,
+) {
+	if clusterConfig.Nutanix.PrismCentralEndpoint.Credentials.SecretRef.Name == "" {
+		return nil, fmt.Errorf("Prism Central credentials reference SecretRef.Name has no value")
+	}
+
+	credentialsSecret := &corev1.Secret{}
+	if err := client.Get(
+		ctx,
+		types.NamespacedName{
+			Namespace: clusterNamespace,
+			Name:      clusterConfig.Nutanix.PrismCentralEndpoint.Credentials.SecretRef.Name,
+		},
+		credentialsSecret,
+	); err != nil {
+		return nil, fmt.Errorf("failed to get Prism Central credentials Secret: %w", err)
+	}
+
+	// Get username and password
+	credentials, err := prismcredentials.ParseCredentials(credentialsSecret.Data["credentials"])
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse Prism Central credentials from Secret: %w", err)
+	}
+
+	host, port, err := clusterConfig.Nutanix.PrismCentralEndpoint.ParseURL()
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse Prism Central endpoint: %w", err)
+	}
+
+	return prismv4.NewV4Client(prism.Credentials{
+		Endpoint: fmt.Sprintf("%s:%d", host, port),
+		Username: credentials.Username,
+		Password: credentials.Password,
+		Insecure: clusterConfig.Nutanix.PrismCentralEndpoint.Insecure,
+		// TODO AdditionalTrustBundle
+	})
+}

pkg/webhook/preflight/nutanix/image.go

@@ -0,0 +1,82 @@
+package nutanix
+
+import (
+	"context"
+	"fmt"
+
+	vmmv4 "github.com/nutanix/ntnx-api-golang-clients/vmm-go-client/v4/models/vmm/v4/content"
+
+	prismv4 "github.com/nutanix-cloud-native/prism-go-client/v4"
+
+	capxv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/external/github.com/nutanix-cloud-native/cluster-api-provider-nutanix/api/v1beta1"
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+func (n *Checker) VMImageCheck(details carenv1.NutanixMachineDetails, field string) preflight.Check {
+	return func(ctx context.Context) preflight.CheckResult {
+		result := preflight.CheckResult{
+			Allowed: true,
+			Field:   field,
+		}
+
+		if details.ImageLookup != nil {
+			result.Allowed = false
+			result.Message = "ImageLookup is not yet supported"
+			return result
+		}
+
+		if details.Image != nil {
+			images, err := getVMImages(n.nutanixClient, details.Image)
+			if err != nil {
+				result.Allowed = false
+				result.Error = true
+				result.Message = fmt.Sprintf("failed to count matching VM Images: %s", err)
+				return result
+			}
+
+			if len(images) != 1 {
+				result.Allowed = false
+				result.Message = fmt.Sprintf("expected to find 1 VM Image, found %d", len(images))
+				return result
+			}
+		}
+
+		return result
+	}
+}
+
+func getVMImages(
+	client *prismv4.Client,
+	id *capxv1.NutanixResourceIdentifier,
+) ([]vmmv4.Image, error) {
+	switch {
+	case id.IsUUID():
+		resp, err := client.ImagesApiInstance.GetImageById(id.UUID)
+		if err != nil {
+			return nil, err
+		}
+		image, ok := resp.GetData().(vmmv4.Image)
+		if !ok {
+			return nil, fmt.Errorf("failed to get data returned by GetImageById")
+		}
+		return []vmmv4.Image{image}, nil
+	case id.IsName():
+		filter_ := fmt.Sprintf("name eq '%s'", *id.Name)
+		resp, err := client.ImagesApiInstance.ListImages(nil, nil, &filter_, nil, nil)
+		if err != nil {
+			return nil, err
+		}
+		if resp == nil || resp.GetData() == nil {
+			// No images were returned.
+			return []vmmv4.Image{}, nil
+		}
+		images, ok := resp.GetData().([]vmmv4.Image)
+		if !ok {
+			return nil, fmt.Errorf("failed to get data returned by ListImages")
+		}
+		return images, nil
+	default:
+		return nil, fmt.Errorf("image identifier is missing both name and uuid")
+	}
+}

pkg/webhook/preflight/nutanix/nutanix.go

@@ -0,0 +1,92 @@
+// Copyright 2025 Nutanix. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package nutanix
+
+import (
+	"context"
+	"fmt"
+
+	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	prismv4 "github.com/nutanix-cloud-native/prism-go-client/v4"
+
+	carenv1 "github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/v1alpha1"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/api/variables"
+	"github.com/nutanix-cloud-native/cluster-api-runtime-extensions-nutanix/pkg/webhook/preflight"
+)
+
+type Checker struct {
+	client        ctrlclient.Client
+	nutanixClient *prismv4.Client
+	cluster       *clusterv1.Cluster
+	clusterConfig *variables.ClusterConfigSpec
+}
+
+func (n *Checker) Provider() string {
+	return "nutanix"
+}
+
+func (n *Checker) Checks(
+	ctx context.Context,
+	client ctrlclient.Client,
+	cluster *clusterv1.Cluster,
+) ([]preflight.Check, error) {
+	n.client = client
+
+	clusterConfig, err := variables.UnmarshalClusterConfigVariable(cluster.Spec.Topology.Variables)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal topology variable %q: %w", carenv1.ClusterConfigVariableName, err)
+	}
+
+	if clusterConfig.Nutanix == nil {
+		return nil, fmt.Errorf("missing Nutanix configuration in cluster topology")
+	}
+
+	// Initialize Nutanix client from the credentials referenced by the cluster configuration.
+	n.nutanixClient, err = newV4Client(ctx, client, cluster.Namespace, clusterConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Nutanix client: %w", err)
+	}
+
+	checks := []preflight.Check{}
+	if clusterConfig.ControlPlane != nil && clusterConfig.ControlPlane.Nutanix != nil {
+		checks = append(
+			checks,
+			n.VMImageCheck(clusterConfig.ControlPlane.Nutanix.MachineDetails, "controlPlane.nutanix.machineDetails"),
+		)
+	}
+
+	if cluster.Spec.Topology.Workers != nil {
+		for i, md := range cluster.Spec.Topology.Workers.MachineDeployments {
+			if md.Variables == nil {
+				continue
+			}
+
+			workerConfig, err := variables.UnmarshalWorkerConfigVariable(md.Variables.Overrides)
+			if err != nil {
+				return nil, fmt.Errorf(
+					"failed to unmarshal topology variable %q %d: %w",
+					carenv1.WorkerConfigVariableName,
+					i,
+					err,
+				)
+			}
+
+			if workerConfig.Nutanix == nil {
+				continue
+			}
+
+			n.VMImageCheck(
+				workerConfig.Nutanix.MachineDetails,
+				fmt.Sprintf(
+					"workers.machineDeployments[.name=%s].variables.overrides[.name=workerConfig].value.nutanix.machineDetails",
+					md.Name,
+				),
+			)
+		}
+	}
+
+	return checks, nil
+}