webhook: Add validation for load balancer zone immutability

bryan-cox · bryan-cox · commit 8b04806741a1 · 2025-10-24T13:12:34.000-04:00
Add webhook validation to enforce Azure's requirement that availability
zones cannot be changed after a load balancer is created.

The validation checks all three load balancer types:
- APIServerLB
- NodeOutboundLB
- ControlPlaneOutboundLB

Any attempt to modify zones on an existing load balancer will be rejected
at admission time with a clear error message, preventing users from
attempting operations that would fail at the Azure API level.
diff --git a/api/v1beta1/azurecluster_webhook.go b/api/v1beta1/azurecluster_webhook.go
@@ -169,6 +169,43 @@ func (*AzureClusterWebhook) ValidateUpdate(_ context.Context, oldRaw, newObj run
 		allErrs = append(allErrs, err)
 	}
 
+	// Validate availability zones are immutable for load balancers
+	if c.Spec.NetworkSpec.APIServerLB != nil && old.Spec.NetworkSpec.APIServerLB != nil {
+		if !webhookutils.EnsureStringSlicesAreEquivalent(
+			c.Spec.NetworkSpec.APIServerLB.AvailabilityZones,
+			old.Spec.NetworkSpec.APIServerLB.AvailabilityZones) {
+			allErrs = append(allErrs,
+				field.Invalid(
+					field.NewPath("spec", "networkSpec", "apiServerLB", "availabilityZones"),
+					c.Spec.NetworkSpec.APIServerLB.AvailabilityZones,
+					"field is immutable"))
+		}
+	}
+
+	if c.Spec.NetworkSpec.NodeOutboundLB != nil && old.Spec.NetworkSpec.NodeOutboundLB != nil {
+		if !webhookutils.EnsureStringSlicesAreEquivalent(
+			c.Spec.NetworkSpec.NodeOutboundLB.AvailabilityZones,
+			old.Spec.NetworkSpec.NodeOutboundLB.AvailabilityZones) {
+			allErrs = append(allErrs,
+				field.Invalid(
+					field.NewPath("spec", "networkSpec", "nodeOutboundLB", "availabilityZones"),
+					c.Spec.NetworkSpec.NodeOutboundLB.AvailabilityZones,
+					"field is immutable"))
+		}
+	}
+
+	if c.Spec.NetworkSpec.ControlPlaneOutboundLB != nil && old.Spec.NetworkSpec.ControlPlaneOutboundLB != nil {
+		if !webhookutils.EnsureStringSlicesAreEquivalent(
+			c.Spec.NetworkSpec.ControlPlaneOutboundLB.AvailabilityZones,
+			old.Spec.NetworkSpec.ControlPlaneOutboundLB.AvailabilityZones) {
+			allErrs = append(allErrs,
+				field.Invalid(
+					field.NewPath("spec", "networkSpec", "controlPlaneOutboundLB", "availabilityZones"),
+					c.Spec.NetworkSpec.ControlPlaneOutboundLB.AvailabilityZones,
+					"field is immutable"))
+		}
+	}
+
 	allErrs = append(allErrs, c.validateSubnetUpdate(old)...)
 
 	if len(allErrs) == 0 {
