[BUG] No validation on Maintenance Strategy when Edit as YAML

[albinsun]

Describe the bug

During validate #5069, we found that no validation on Maintenance Strategy when Edit as YAML.
And the VM with unexpected configuration will be created successfully...

Warning

If the wrongly configured VM locates on the first node node-0, Enter Maintenance Mode on node-0 will cause it stuck in Cordoned.
See Additional context.

To Reproduce

Steps to reproduce the behavior:

1. Setup a 3 nodes witness cluster
2. Create image ubuntu-22.04-server-cloudimg-amd64.img
3. Create network mgmt-vlan1
4. Virtual Machines => Create = Enter Name, CPU, Memory and Image => Edit as YAML => Add harvesterhci.io/maintain-mode-strategy: xxx in metadata.labels => Create
   
5. ❌ Should FAIL to create VM cuz validation error
   • VM Running (Should NOT) and with empty Maintenance Strategy
     
   • Edit YAML
     

Expected behavior

Should FAIL to create VM cuz validation error since there are only 4 valid values:

1. Migrate (default)
2. ShutdownAndRestartAfterEnable
3. ShutdownAndRestartAfterDisable
4. Shutdown

Support bundle

• Before Enter Maintenance Mode on node-0: supportbundle_DoesNotValidateMaintenanceStrategy_2024-10-21T16-40-26Z.zip
• After Enter Maintenance Mode on node-0: supportbundle_MigrateXXX_2024-10-21T17-05-00Z.zip

Environment

• Harvester ISO version: v1.4.0-rc3
• Underlying Infrastructure (e.g. Baremetal with Dell PowerEdge R630): 3 nodes witness AMD64 QEMU/KVM includes 1 witness node.

Additional context

If the wrongly configured VM locates on the first node node-0, Enter Maintenance Mode on node-0 will cause it stuck in Cordoned.

1. Manually move the wrongly configured VM to node-0
   
2. Enter Maintenance Mode on node-0, it stucks Cordoned
   
   
3. A workaround here is to manually stop or migrate the problemed VM
   • Stop VM
     
   • And node-0 can entering maintenance mode
     

[m-ildefons]

There are several problems here:

1. When you create a VirtualMachine from the UI and you leave the setting at the default (Migrate), the label isn't set at all
   This is actually not a big deal, since it can be fixed in the admission webhook by just letting the mutating webhook add the label if it's not already there.

2. When you create a VirtualMachine from the UI and you do set the setting, or add the label in the YAML, then the label isn't transferred to the Pod. The UI (or the user) would need to set the label under .spec.template.metadata.labels, not under .metadata.labels in the VirtualMachine resource, or the admission webhook needs to make sure the label is transferred into the template.

3. The node-drain controller only deletes Pods for VirtualMachines, when the Pod has the label and it's set to Migrate, omitting the default behavior, when the label isn't set at all. But it also assumes that all VirtualMachines that should be shut down have the label set and it's value is one of the other three valid settings. This leaves all Pods of VirtualMachines, which have an invalid value in the label or don't have the label set at all, dangling.

4. The admission webhook doesn't check if the label is set, or if it has a valid value.

5. (Optional) Go through the Terraform provider and check that the schema for the virtual machine resources enforces that only valid values are parsed from .tf files. Otherwise the .tf files should be rejected with a helpful error message.

[m-ildefons]

The maintenance-mode strategy was introduced in v1.4.0. @innobead should this be fixed on master branch only, i.e. for v1.5.0, or should this also be backported to fix it for v1.4.1?

[innobead]

The maintenance-mode strategy was introduced in v1.4.0. @innobead should this be fixed on master branch only, i.e. for v1.5.0, or should this also be backported to fix it for v1.4.1?

yes, fix this in the master and add a backport label, and the corresponding backport issues will be created.

[harvesterhci-io-github-bot]

added backport-needed/1.4.1 issue: #7190.