fix(webhook): address review feedback — license headers, decoder-first validation, table-driven tests

- Add Apache 2.0 license headers to all files
- Add kubebuilder:webhook marker for config generation
- Remove incorrect mounts+runtimes required check (Mounts is optional)
- Remove raw JSON fallback path in favor of decoder-only flow
- Handle DELETE requests with empty Object.Raw gracefully
- Validate individual mount entries and runtime entries
- Rewrite tests as table-driven with proper TypeMeta/ObjectMeta

Signed-off-by: Rajneesh180 <rajneeshrehsaan48@gmail.com>

Author: Rajneesh180

pkg/webhook/handler/validating/validating_handler.go

@@ -1,9 +1,23 @@
+/*
+Copyright 2021 The Fluid Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package validating
 
 import (
 	"context"
-	"encoding/json"
-	"net/http"
 
 	v1alpha1 "github.com/fluid-cloudnative/fluid/api/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -19,50 +33,45 @@ func NewValidatingHandler() *ValidatingHandler {
 }
 
 func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
-	// Try to decode into a known type (Dataset) when possible
+	// DELETE requests may have an empty Object.Raw; allow them through.
+	if len(req.Object.Raw) == 0 {
+		return admission.Allowed("no object to validate")
+	}
+
+	// Decode into a Dataset when possible.
 	var ds v1alpha1.Dataset
 	if h.decoder != nil {
 		if err := h.decoder.Decode(req, &ds); err == nil {
-			// Perform Dataset-specific validations
-			// Require either Mounts or Runtimes to be present
-			if len(ds.Spec.Mounts) == 0 && len(ds.Spec.Runtimes) == 0 {
-				return admission.Denied("dataset.spec must contain at least one mount or runtime")
-			}
-
-			// Validate mounts
-			for _, m := range ds.Spec.Mounts {
-				if m.MountPoint == "" {
-					return admission.Denied("mount.mountPoint must not be empty")
-				}
-			}
-
-			// Validate runtimes
-			for _, r := range ds.Spec.Runtimes {
-				if r.Name == "" || r.Namespace == "" {
-					return admission.Denied("runtime entries must include name and namespace")
-				}
-			}
-
-			return admission.Allowed("dataset validation passed")
+			return h.validateDataset(&ds)
 		}
 	}
 
-	// Fallback generic validation: ensure object contains metadata.name
-	var obj map[string]interface{}
-	if err := json.Unmarshal(req.Object.Raw, &obj); err != nil {
-		return admission.Errored(http.StatusBadRequest, err)
+	// For unknown types, allow through (skeleton — extend as needed).
+	return admission.Allowed("validation passed")
+}
+
+func (h *ValidatingHandler) validateDataset(ds *v1alpha1.Dataset) admission.Response {
+	// Mounts is optional (e.g. Vineyard runtime), so we only validate
+	// individual entries when present.
+	for _, m := range ds.Spec.Mounts {
+		if m.MountPoint == "" {
+			return admission.Denied("mount.mountPoint must not be empty")
+		}
 	}
 
-	metadata, ok := obj["metadata"].(map[string]interface{})
-	if !ok {
-		return admission.Denied("metadata.name is required")
+	// Validate runtime entries when present.
+	for _, r := range ds.Spec.Runtimes {
+		if r.Name == "" || r.Namespace == "" {
+			return admission.Denied("runtime entries must include name and namespace")
+		}
 	}
-	name, ok := metadata["name"].(string)
-	if !ok || name == "" {
+
+	// Require metadata.name (also covers generateName-only submissions).
+	if ds.Name == "" {
 		return admission.Denied("metadata.name is required")
 	}
 
-	return admission.Allowed("validation passed")
+	return admission.Allowed("dataset validation passed")
 }
 
 func (h *ValidatingHandler) InjectDecoder(d *admission.Decoder) error {

pkg/webhook/handler/validating/validating_handler_test.go

@@ -1,74 +1,126 @@
+/*
+Copyright 2021 The Fluid Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package validating
 
 import (
 	"context"
-	"testing"
-
 	"encoding/json"
+	"testing"
 
 	"github.com/stretchr/testify/assert"
 	admissionv1 "k8s.io/api/admission/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
 	v1alpha1 "github.com/fluid-cloudnative/fluid/api/v1alpha1"
 )
 
-func TestValidatingHandler_Basic(t *testing.T) {
-	h := NewValidatingHandler()
+func TestValidatingHandler_EmptyRaw(t *testing.T) {
+	h := newHandler(t)
 
-	// Valid object
-	obj := []byte(`{"metadata":{"name":"test-dataset"}}`)
+	// DELETE requests may have empty Object.Raw — should be allowed.
 	req := admission.Request{
 		AdmissionRequest: admissionv1.AdmissionRequest{
-			Object: runtime.RawExtension{Raw: obj},
+			Object: runtime.RawExtension{Raw: nil},
 		},
 	}
 	resp := h.Handle(context.Background(), req)
 	assert.True(t, resp.Allowed)
-
-	// Missing metadata.name
-	obj = []byte(`{"metadata":{}}`)
-	req.AdmissionRequest.Object.Raw = obj
-	resp = h.Handle(context.Background(), req)
-	assert.False(t, resp.Allowed)
-	assert.Contains(t, resp.Result.Message, "metadata.name is required")
 }
 
 func TestValidatingHandler_Dataset(t *testing.T) {
-	h := NewValidatingHandler()
-	// prepare decoder with scheme so that typed decoding works
-	scheme := runtime.NewScheme()
-	err := v1alpha1.AddToScheme(scheme)
-	if err != nil {
-		t.Fatalf("failed to add v1alpha1 to scheme: %v", err)
-	}
-	dec := admission.NewDecoder(scheme)
-	h.InjectDecoder(dec)
+	h := newHandler(t)
 
-	// Dataset missing mounts and runtimes -> denied
-	ds := &v1alpha1.Dataset{}
-	raw, _ := json.Marshal(ds)
-	req := admission.Request{
-		AdmissionRequest: admissionv1.AdmissionRequest{
-			Object: runtime.RawExtension{Raw: raw},
+	tests := []struct {
+		name    string
+		ds      *v1alpha1.Dataset
+		allowed bool
+		message string
+	}{
+		{
+			name:    "empty mounts and runtimes is allowed (mounts are optional)",
+			ds:      &v1alpha1.Dataset{ObjectMeta: metav1.ObjectMeta{Name: "ds"}},
+			allowed: true,
+		},
+		{
+			name: "valid mount is allowed",
+			ds: &v1alpha1.Dataset{
+				ObjectMeta: metav1.ObjectMeta{Name: "ds"},
+				Spec:       v1alpha1.DatasetSpec{Mounts: []v1alpha1.Mount{{MountPoint: "/data"}}},
+			},
+			allowed: true,
+		},
+		{
+			name: "empty mountPoint is denied",
+			ds: &v1alpha1.Dataset{
+				ObjectMeta: metav1.ObjectMeta{Name: "ds"},
+				Spec:       v1alpha1.DatasetSpec{Mounts: []v1alpha1.Mount{{MountPoint: ""}}},
+			},
+			allowed: false,
+			message: "mount.mountPoint must not be empty",
+		},
+		{
+			name: "runtime missing namespace is denied",
+			ds: &v1alpha1.Dataset{
+				ObjectMeta: metav1.ObjectMeta{Name: "ds"},
+				Spec:       v1alpha1.DatasetSpec{Runtimes: []v1alpha1.Runtime{{Name: "alluxio"}}},
+			},
+			allowed: false,
+			message: "runtime entries must include name and namespace",
+		},
+		{
+			name:    "missing metadata.name is denied",
+			ds:      &v1alpha1.Dataset{},
+			allowed: false,
+			message: "metadata.name is required",
 		},
 	}
-	resp := h.Handle(context.Background(), req)
-	assert.False(t, resp.Allowed)
 
-	// Dataset with a valid mount -> allowed
-	ds = &v1alpha1.Dataset{}
-	ds.Spec.Mounts = []v1alpha1.Mount{{MountPoint: "/data"}}
-	raw, _ = json.Marshal(ds)
-	req.AdmissionRequest.Object.Raw = raw
-	resp = h.Handle(context.Background(), req)
-	assert.True(t, resp.Allowed)
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Set TypeMeta so the decoder can recognize the GVK.
+			tc.ds.TypeMeta = metav1.TypeMeta{
+				APIVersion: "data.fluid.io/v1alpha1",
+				Kind:       "Dataset",
+			}
+			raw, err := json.Marshal(tc.ds)
+			assert.NoError(t, err)
+
+			req := admission.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					Object: runtime.RawExtension{Raw: raw},
+				},
+			}
+			resp := h.Handle(context.Background(), req)
+			assert.Equal(t, tc.allowed, resp.Allowed, "test %q", tc.name)
+			if tc.message != "" {
+				assert.Contains(t, resp.Result.Message, tc.message)
+			}
+		})
+	}
+}
 
-	// Dataset with invalid mount (too short) -> denied
-	ds = &v1alpha1.Dataset{}
-	ds.Spec.Mounts = []v1alpha1.Mount{{MountPoint: "abc"}}
-	raw, _ = json.Marshal(ds)
-	req.AdmissionRequest.Object.Raw = raw
-	resp = h.Handle(context.Background(), req)
-	assert.False(t, resp.Allowed)
+// newHandler creates a ValidatingHandler wired with a decoder for v1alpha1.
+func newHandler(t *testing.T) *ValidatingHandler {
+	t.Helper()
+	scheme := runtime.NewScheme()
+	assert.NoError(t, v1alpha1.AddToScheme(scheme))
+	h := NewValidatingHandler()
+	h.InjectDecoder(admission.NewDecoder(scheme))
+	return h
 }

pkg/webhook/handler/validating/webhook.go

@@ -1,3 +1,19 @@
+/*
+Copyright 2021 The Fluid Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package validating
 
 import (
@@ -6,6 +22,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// +kubebuilder:webhook:path=/validate,mutating=false,failurePolicy=fail,sideEffects=None,admissionReviewVersions=v1;v1beta1,groups=data.fluid.io,resources=datasets,verbs=create;update,versions=v1alpha1,name=validate.fluid.io
+
 var HandlerMap = map[string]common.AdmissionHandler{
 	"/validate": &Handler{},
 }