diff --git a/.gitignore b/.gitignore index 2ae29cb61..62d97568a 100644 --- a/.gitignore +++ b/.gitignore @@ -22,6 +22,9 @@ testbin/* bundle.Dockerfile bundle +# generated csv file. +config/manifests/bases/csi-addons.clusterserviceversion.yaml + # editor and IDE paraphernalia .idea *.swp diff --git a/Makefile b/Makefile index b158b5569..b97caa016 100644 --- a/Makefile +++ b/Makefile @@ -124,10 +124,6 @@ manifests: controller-gen kustomize ## Generate WebhookConfiguration, ClusterRol $(KUSTOMIZE) build config/crd > deploy/controller/crds.yaml $(KUSTOMIZE) build config/rbac > deploy/controller/rbac.yaml $(KUSTOMIZE) build config/manager > deploy/controller/setup-controller.yaml - # Disable admission webhooks by default in setup-controller as it need setting up cert managager - sed -i 's|enable-admission-webhooks=true|enable-admission-webhooks=false|g' deploy/controller/setup-controller.yaml - # generate single yaml which includes crds, rbac, controller, webhooks, certificates - $(KUSTOMIZE) build config/default > deploy/controller/install-all-in-one.yaml # generate the .clusterserviceversion.yaml base gen-csv-base: diff --git a/PROJECT b/PROJECT index ec3f8845b..c80854172 100644 --- a/PROJECT +++ b/PROJECT @@ -14,9 +14,6 @@ resources: kind: CSIAddonsNode path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - api: crdVersion: v1 namespaced: true @@ -26,9 +23,6 @@ resources: kind: ReclaimSpaceJob path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - api: crdVersion: v1 controller: true 
@@ -37,18 +31,12 @@ resources: kind: NetworkFence path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - controller: true domain: openshift.io group: csiaddons kind: ReclaimSpaceCronJob path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - controller: true group: core kind: PersistentVolumeClaim @@ -62,9 +50,6 @@ resources: kind: VolumeReplication path: github.com/csi-addons/kubernetes-csi-addons/apis/replication.storage/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - api: crdVersion: v1 namespaced: true @@ -73,7 +58,4 @@ resources: kind: VolumeReplicationClass path: github.com/csi-addons/kubernetes-csi-addons/apis/replication.storage/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 version: "3" diff --git a/apis/csiaddons/v1alpha1/csiaddonsnode_types.go b/apis/csiaddons/v1alpha1/csiaddonsnode_types.go index 9fef02d12..9db238ca9 100644 --- a/apis/csiaddons/v1alpha1/csiaddonsnode_types.go +++ b/apis/csiaddons/v1alpha1/csiaddonsnode_types.go @@ -36,6 +36,8 @@ type CSIAddonsNodeDriver struct { // This must be the same name returned by the CSI-Addons GetIdentity() // call for that driver. The name of the driver is in the format: // `example.csi.ceph.com` + // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable" Name string `json:"name"` // EndPoint is url that contains the ip-address to which the CSI-Addons @@ -44,6 +46,8 @@ type CSIAddonsNodeDriver struct { // NodeID is the ID of the node to identify on which node the side-car // is running. + // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="nodeID is immutable" NodeID string `json:"nodeID"` } 
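Review bot: The doc comments for `Name` and `NodeID` in CSIAddonsNodeDriver do not say that the fields are immutable. As far as I know the markers added in both hunks of this file are stripped from the generated field description, so the constraint is invisible in the CRD schema and in `kubectl explain`. I would add a sentence to each comment, e.g. `// This field is immutable once the CSIAddonsNode is created.`. Enforcement also moves from the webhook to the API server evaluating the CRD's CEL rules, so it presumably only takes effect where CRD validation rules are enabled and after the regenerated CRDs are applied; that prerequisite is worth stating in the install docs. The struct body continues outside both hunks.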
diff --git a/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go b/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go
deleted file mode 100644
index 53d9e5a90..000000000
--- a/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
-Copyright 2022 The Kubernetes-CSI-Addons Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "errors"
-
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/validation/field"
- ctrl "sigs.k8s.io/controller-runtime"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
- "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-// log is for logging in this package.
-var csnLog = logf.Log.WithName("csiaddonsnode-webhook")
-
-func (c *CSIAddonsNode) SetupWebhookWithManager(mgr ctrl.Manager) error {
- return ctrl.NewWebhookManagedBy(mgr).
- For(c).
- Complete()
-}
-
-//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=csiaddonsnodes,verbs=update,versions=v1alpha1,name=vcsiaddonsnode.kb.io,admissionReviewVersions=v1
-
-var _ webhook.Validator = &CSIAddonsNode{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (c *CSIAddonsNode) ValidateCreate() (admission.Warnings, error) {
- return nil, nil
-}
-
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (c *CSIAddonsNode) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
- csnLog.Info("validate update", "name", c.Name)
-
- oldCSIAddonsNode, ok := old.(*CSIAddonsNode)
- if !ok {
- return nil, errors.New("error casting CSIAddonsNode object")
- }
-
- var allErrs field.ErrorList
-
- if c.Spec.Driver.NodeID != oldCSIAddonsNode.Spec.Driver.NodeID {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "driver", "nodeID"), c.Spec.Driver.NodeID, "nodeID cannot be updated"))
- }
-
- if c.Spec.Driver.Name != oldCSIAddonsNode.Spec.Driver.Name {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "driver", "name"), c.Spec.Driver.Name, "name cannot be updated"))
- }
-
- if len(allErrs) != 0 {
- return nil, apierrors.NewInvalid(
- schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "CSIAddonsNode"},
- c.Name, allErrs)
- }
-
- return nil, nil
-}
-
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *CSIAddonsNode) ValidateDelete() (admission.Warnings, error) {
- return nil, nil
-}
diff --git a/apis/csiaddons/v1alpha1/networkfence_types.go b/apis/csiaddons/v1alpha1/networkfence_types.go
index 04b1d6bda..8c82b692e 100644
--- a/apis/csiaddons/v1alpha1/networkfence_types.go
+++ b/apis/csiaddons/v1alpha1/networkfence_types.go
@@ -40,13 +40,18 @@ const ( FencingOperationResultFailed FencingOperationResult = "Failed" ) +// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="secret is immutable" // SecretSpec defines the secrets to be used for the network fencing operation. type SecretSpec struct { // Name specifies the name of the secret. + // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable" Name string `json:"name,omitempty"` // Namespace specifies the namespace in which the secret // is located. + // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable" Namespace string `json:"namespace,omitempty"` } @@ -54,6 +59,7 @@ type SecretSpec struct { type NetworkFenceSpec struct { // Driver contains the name of CSI driver. // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="driver is immutable" Driver string `json:"driver"` // FenceState contains the desired state for the CIDRs @@ -71,6 +77,7 @@ type NetworkFenceSpec struct { Secret SecretSpec `json:"secret,omitempty"` // Parameters is used to pass additional parameters to the CSI driver. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="parameters are immutable" Parameters map[string]string `json:"parameters,omitempty"` } diff --git a/apis/csiaddons/v1alpha1/networkfence_webhook.go b/apis/csiaddons/v1alpha1/networkfence_webhook.go deleted file mode 100644 index 4b59f9939..000000000 --- a/apis/csiaddons/v1alpha1/networkfence_webhook.go +++ /dev/null 
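Review bot: The `self == oldSelf` rules on the optional fields here (`Parameters`, and `Secret` as a whole) do not cover the field being added or removed. As far as I know the API server skips a transition rule when the old or the new value is absent, so a NetworkFence created without `parameters` can have them set by a later update, which the deleted ValidateUpdate rejected through `reflect.DeepEqual`. A rule on NetworkFenceSpec itself would close that, e.g. `// +kubebuilder:validation:XValidation:rule="has(self.parameters) == has(oldSelf.parameters)",message="parameters are immutable"`, with the same for `secret`. The same gap applies to `Parameters` in volumereplicationclass_types.go and to `PersistentVolumeClaim` in reclaimspacejob_types.go. The field-level rules on `Name` and `Namespace` look redundant with the type-level rule on SecretSpec.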
@@ -1,89 +0,0 @@
-/*
-Copyright 2022 The Kubernetes-CSI-Addons Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "errors"
- "reflect"
-
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/validation/field"
- ctrl "sigs.k8s.io/controller-runtime"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
- "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-// log is for logging in this package.
-var nfLog = logf.Log.WithName("networkfence-webhook")
-
-func (n *NetworkFence) SetupWebhookWithManager(mgr ctrl.Manager) error {
- return ctrl.NewWebhookManagedBy(mgr).
- For(n).
- Complete()
-}
-
-//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-networkfence,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=networkfences,verbs=update,versions=v1alpha1,name=vnetworkfence.kb.io,admissionReviewVersions=v1
-
-var _ webhook.Validator = &NetworkFence{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (n *NetworkFence) ValidateCreate() (admission.Warnings, error) {
- return nil, nil
-}
-
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (n *NetworkFence) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
- nfLog.Info("validate update", "name", n.Name)
-
- oldNetworkFence, ok := old.(*NetworkFence)
- if !ok {
- return nil, errors.New("error casting NetworkFence object")
- }
-
- var allErrs field.ErrorList
- if n.Spec.Driver != oldNetworkFence.Spec.Driver {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("driver"), n.Spec.Driver, "driver cannot be changed"))
- }
-
- if !reflect.DeepEqual(n.Spec.Parameters, oldNetworkFence.Spec.Parameters) {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("parameters"), n.Spec.Parameters, "parameters cannot be changed"))
- }
-
- if n.Spec.Secret.Name != oldNetworkFence.Spec.Secret.Name {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "secret", "name"), n.Spec.Secret, "secret name cannot be changed"))
- }
-
- if n.Spec.Secret.Namespace != oldNetworkFence.Spec.Secret.Namespace {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "secret", "namespace"), n.Spec.Secret, "secret namespace cannot be changed"))
- }
-
- if len(allErrs) != 0 {
- return nil, apierrors.NewInvalid(
- schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "NetworkFence"},
- n.Name, allErrs)
- }
-
- return nil, nil
-}
-
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (n *NetworkFence) ValidateDelete() (admission.Warnings, error) {
- return nil, nil
-}
diff --git a/apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go b/apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go
deleted file mode 100644
index cc7a6ddb7..000000000
--- a/apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
-Copyright 2022 The Kubernetes-CSI-Addons Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "errors"
-
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/validation/field"
- ctrl "sigs.k8s.io/controller-runtime"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
- "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-// log is for logging in this package.
-var rscjLog = logf.Log.WithName("reclaimspacecronjob-webhook")
-
-func (r *ReclaimSpaceCronJob) SetupWebhookWithManager(mgr ctrl.Manager) error {
- return ctrl.NewWebhookManagedBy(mgr).
- For(r).
- Complete()
-}
-
-//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-reclaimspacecronjob,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=reclaimspacecronjobs,verbs=update,versions=v1alpha1,name=vreclaimspacecronjob.kb.io,admissionReviewVersions=v1
-
-var _ webhook.Validator = &ReclaimSpaceCronJob{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *ReclaimSpaceCronJob) ValidateCreate() (admission.Warnings, error) {
- return nil, nil
-}
-
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *ReclaimSpaceCronJob) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
- rscjLog.Info("validate update", "name", r.Name)
-
- oldReclaimSpaceCronJob, ok := old.(*ReclaimSpaceCronJob)
- if !ok {
- return nil, errors.New("error casting ReclaimSpaceCronJob object")
- }
-
- var allErrs field.ErrorList
-
- if r.Spec.JobSpec.Spec.Target.PersistentVolumeClaim != oldReclaimSpaceCronJob.Spec.JobSpec.Spec.Target.PersistentVolumeClaim {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "jobTemplate", "spec", "target", "persistentVolumeClaim"), r.Spec.JobSpec.Spec.Target.PersistentVolumeClaim, "persistentVolumeClaim cannot be changed"))
- }
-
- if len(allErrs) != 0 {
- return nil, apierrors.NewInvalid(
- schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "ReclaimSpaceCronJob"},
- r.Name, allErrs)
- }
- return nil, nil
-}
-
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *ReclaimSpaceCronJob) ValidateDelete() (admission.Warnings, error) {
- return nil, nil
-}
diff --git a/apis/csiaddons/v1alpha1/reclaimspacejob_types.go b/apis/csiaddons/v1alpha1/reclaimspacejob_types.go
index 892577662..333239b8e 100644
--- a/apis/csiaddons/v1alpha1/reclaimspacejob_types.go
+++ b/apis/csiaddons/v1alpha1/reclaimspacejob_types.go
@@ -36,6 +36,7 @@ const ( // performed. type TargetSpec struct { // PersistentVolumeClaim specifies the target PersistentVolumeClaim name. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="persistentVolumeClaim is immutable" PersistentVolumeClaim string `json:"persistentVolumeClaim,omitempty"` } diff --git a/apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go b/apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go deleted file mode 100644 index 286ed9df2..000000000 --- a/apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go +++ /dev/null 
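Review bot: Nothing in this hunk shows that the rule on `TargetSpec.PersistentVolumeClaim` also guards ReclaimSpaceCronJob, whose deleted webhook checked `spec.jobTemplate.spec.target.persistentVolumeClaim`. If the cron job template reuses TargetSpec the marker carries over, but that depends on a type outside the hunk, so it is worth confirming in the regenerated CRD for reclaimspacecronjobs. A comment on the field would make the dependency explicit, e.g. `// TargetSpec is shared with the ReclaimSpaceCronJob job template, so this rule applies to both.`.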
@@ -1,77 +0,0 @@
-/*
-Copyright 2022 The Kubernetes-CSI-Addons Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "errors"
-
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/validation/field"
- ctrl "sigs.k8s.io/controller-runtime"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
- "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-// log is for logging in this package.
-var rsjLog = logf.Log.WithName("reclaimspacejob-webhook")
-
-func (r *ReclaimSpaceJob) SetupWebhookWithManager(mgr ctrl.Manager) error {
- return ctrl.NewWebhookManagedBy(mgr).
- For(r).
- Complete()
-}
-
-//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-reclaimspacejob,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=reclaimspacejobs,verbs=update,versions=v1alpha1,name=vreclaimspacejob.kb.io,admissionReviewVersions=v1
-
-var _ webhook.Validator = &ReclaimSpaceJob{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (r *ReclaimSpaceJob) ValidateCreate() (admission.Warnings, error) {
- return nil, nil
-}
-
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (r *ReclaimSpaceJob) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
- rsjLog.Info("validate update", "name", r.Name)
-
- oldReclaimSpaceJob, ok := old.(*ReclaimSpaceJob)
- if !ok {
- return nil, errors.New("error casting ReclaimSpaceJob object")
- }
-
- var allErrs field.ErrorList
-
- if r.Spec.Target.PersistentVolumeClaim != oldReclaimSpaceJob.Spec.Target.PersistentVolumeClaim {
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "target", "persistentVolumeClaim"), r.Spec.Target.PersistentVolumeClaim, "persistentVolumeClaim cannot be changed"))
- }
-
- if len(allErrs) != 0 {
- return nil, apierrors.NewInvalid(
- schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "ReclaimSpaceJob"},
- r.Name, allErrs)
- }
-
- return nil, nil
-}
-
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (r *ReclaimSpaceJob) ValidateDelete() (admission.Warnings, error) {
- return nil, nil
-}
diff --git a/apis/csiaddons/v1alpha1/webhook_suite_test.go b/apis/csiaddons/v1alpha1/webhook_suite_test.go
deleted file mode 100644
index dfb4c236a..000000000
--- a/apis/csiaddons/v1alpha1/webhook_suite_test.go
+++ /dev/null
@@ -1,145 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "context" - "crypto/tls" - "fmt" - "net" - "path/filepath" - "testing" - "time" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - - admissionv1beta1 "k8s.io/api/admission/v1beta1" - //+kubebuilder:scaffold:imports - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/client-go/rest" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/log/zap" - metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" - "sigs.k8s.io/controller-runtime/pkg/webhook" -) - -// These tests use Ginkgo (BDD-style Go testing framework). Refer to -// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
- -var cfg *rest.Config -var k8sClient client.Client -var testEnv *envtest.Environment -var ctx context.Context -var cancel context.CancelFunc - -func TestAPIs(t *testing.T) { - RegisterFailHandler(Fail) - - RunSpecs(t, "Webhook Suite") -} - -var _ = BeforeSuite(func() { - logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) - - ctx, cancel = context.WithCancel(context.TODO()) - - By("bootstrapping test environment") - testEnv = &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, - ErrorIfCRDPathMissing: false, - WebhookInstallOptions: envtest.WebhookInstallOptions{ - Paths: []string{filepath.Join("..", "..", "..", "config", "webhook")}, - }, - } - - var err error - // cfg is defined in this file globally. - cfg, err = testEnv.Start() - Expect(err).NotTo(HaveOccurred()) - Expect(cfg).NotTo(BeNil()) - - scheme := runtime.NewScheme() - err = AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - err = admissionv1beta1.AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:scheme - - k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) - Expect(err).NotTo(HaveOccurred()) - Expect(k8sClient).NotTo(BeNil()) - - // start webhook server using Manager - webhookInstallOptions := &testEnv.WebhookInstallOptions - mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - LeaderElection: false, - Metrics: metricsserver.Options{BindAddress: "0"}, - WebhookServer: webhook.NewServer(webhook.Options{ - Host: webhookInstallOptions.LocalServingHost, - Port: webhookInstallOptions.LocalServingPort, - CertDir: webhookInstallOptions.LocalServingCertDir, - }), - }) - Expect(err).NotTo(HaveOccurred()) - - err = (&ReclaimSpaceJob{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - err = (&ReclaimSpaceCronJob{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - err = (&NetworkFence{}).SetupWebhookWithManager(mgr) - 
Expect(err).NotTo(HaveOccurred()) - - err = (&CSIAddonsNode{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:webhook - - go func() { - defer GinkgoRecover() - err = mgr.Start(ctx) - Expect(err).NotTo(HaveOccurred()) - }() - - // wait for the webhook server to get ready - dialer := &net.Dialer{Timeout: time.Second} - addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) - Eventually(func() error { - conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) - if err != nil { - return err - } - conn.Close() - return nil - }).Should(Succeed()) - -}, 60) - -var _ = AfterSuite(func() { - cancel() - By("tearing down the test environment") - err := testEnv.Stop() - Expect(err).NotTo(HaveOccurred()) -}) diff --git a/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go b/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go index 57a1000e0..86e250fda 100644 --- a/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go +++ b/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go @@ -24,7 +24,7 @@ package v1alpha1 import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. diff --git a/apis/replication.storage/v1alpha1/volumereplication_types.go b/apis/replication.storage/v1alpha1/volumereplication_types.go index 9093b5c32..d9fca40ad 100644 --- a/apis/replication.storage/v1alpha1/volumereplication_types.go +++ b/apis/replication.storage/v1alpha1/volumereplication_types.go 
@@ -58,6 +58,7 @@ const ( type VolumeReplicationSpec struct { // VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="volumeReplicationClass is immutable" VolumeReplicationClass string `json:"volumeReplicationClass"` // ReplicationState represents the replication operation to be performed on the volume. @@ -67,6 +68,7 @@ type VolumeReplicationSpec struct { // DataSource represents the object associated with the volume // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="dataSource is immutable" DataSource corev1.TypedLocalObjectReference `json:"dataSource"` // AutoResync represents the volume to be auto resynced when diff --git a/apis/replication.storage/v1alpha1/volumereplication_webhook.go b/apis/replication.storage/v1alpha1/volumereplication_webhook.go deleted file mode 100644 index 70cf95a3e..000000000 --- a/apis/replication.storage/v1alpha1/volumereplication_webhook.go +++ /dev/null 
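Review bot: Rejected changes to `volumeReplicationClass` and `dataSource` will no longer appear in the controller log. The deleted ValidateUpdate logged each attempt with the old and new value (`invalid request to change the DataSource`), while a CEL rule is evaluated in the API server and surfaces only as a failed update and, where auditing is enabled, an audit-log entry. If operators rely on those log lines to spot attempts to repoint a replication, say so in the field comments or the docs, e.g. `// Immutable; rejected updates are reported by the API server, not logged by this controller.`. The same holds for `Provisioner` and `Parameters` in volumereplicationclass_types.go. VolumeReplicationSpec's body continues outside both hunks.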
@@ -1,84 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - "reflect" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var vrLog = logf.Log.WithName("volumereplication-webhook") - -func (v *VolumeReplication) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(v). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-replication-storage-openshift-io-v1alpha1-volumereplication,mutating=false,failurePolicy=fail,sideEffects=None,groups=replication.storage.openshift.io,resources=volumereplications,verbs=update,versions=v1alpha1,name=vvolumereplication.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &VolumeReplication{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplication) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplication) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - vrLog.Info("validate update", "name", v.Name) - - oldReplication, ok := old.(*VolumeReplication) - if !ok { - return nil, errors.New("error casting old VolumeReplication object") - } - - var allErrs field.ErrorList - - if !reflect.DeepEqual(oldReplication.Spec.DataSource, v.Spec.DataSource) { - vrLog.Info("invalid request to change the DataSource", "exiting dataSource", oldReplication.Spec.DataSource, "new dataSource", v.Spec.DataSource) - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("dataSource"), v.Spec.DataSource, "dataSource cannot be changed")) - } - - if oldReplication.Spec.VolumeReplicationClass != v.Spec.VolumeReplicationClass { - vrLog.Info("invalid request to change the volumeReplicationClass", "exiting volumeReplicationClass", oldReplication.Spec.VolumeReplicationClass, "new volumeReplicationClass", v.Spec.VolumeReplicationClass) - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("volumeReplicationClass"), v.Spec.VolumeReplicationClass, "volumeReplicationClass cannot be changed")) - } - - if len(allErrs) != 0 { - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "replication.storage.openshift.io", Kind: "VolumeReplication"}, - v.Name, allErrs) - } - - return 
nil, nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplication) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/replication.storage/v1alpha1/volumereplicationclass_types.go b/apis/replication.storage/v1alpha1/volumereplicationclass_types.go index 4808519e0..274650310 100644 --- a/apis/replication.storage/v1alpha1/volumereplicationclass_types.go +++ b/apis/replication.storage/v1alpha1/volumereplicationclass_types.go @@ -26,10 +26,12 @@ import ( type VolumeReplicationClassSpec struct { // Provisioner is the name of storage provisioner // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="provisioner is immutable" Provisioner string `json:"provisioner"` // Parameters is a key-value map with storage provisioner specific configurations for // creating volume replicas // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="parameters are immutable" Parameters map[string]string `json:"parameters,omitempty"` } diff --git a/apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go b/apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go deleted file mode 100644 index f547eabdd..000000000 --- a/apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go +++ /dev/null 
@@ -1,84 +0,0 @@
-/*
-Copyright 2022 The Kubernetes-CSI-Addons Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "errors"
- "reflect"
-
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/validation/field"
- ctrl "sigs.k8s.io/controller-runtime"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
- "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-// log is for logging in this package.
-var vrcLog = logf.Log.WithName("volumereplicationclass-webhook")
-
-func (v *VolumeReplicationClass) SetupWebhookWithManager(mgr ctrl.Manager) error {
- return ctrl.NewWebhookManagedBy(mgr).
- For(v).
- Complete()
-}
-
-//+kubebuilder:webhook:path=/validate-replication-storage-openshift-io-v1alpha1-volumereplicationclass,mutating=false,failurePolicy=fail,sideEffects=None,groups=replication.storage.openshift.io,resources=volumereplicationclasses,verbs=update,versions=v1alpha1,name=vvolumereplicationclass.kb.io,admissionReviewVersions=v1
-
-var _ webhook.Validator = &VolumeReplicationClass{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (v *VolumeReplicationClass) ValidateCreate() (admission.Warnings, error) {
- return nil, nil
-}
-
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (v *VolumeReplicationClass) ValidateUpdate(old runtime.Object) (admission.Warnings, error) {
- vrcLog.Info("validate update", "name", v.Name)
-
- oldReplicationClass, ok := old.(*VolumeReplicationClass)
- if !ok {
- return nil, errors.New("error casting old VolumeReplicationClass object")
- }
-
- var allErrs field.ErrorList
- if oldReplicationClass.Spec.Provisioner != v.Spec.Provisioner {
- vrcLog.Info("invalid request to change the provisioner", "exiting provisioner", oldReplicationClass.Spec.Provisioner, "new provisioner", v.Spec.Provisioner)
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("provisioner"), v.Spec.Provisioner, "provisioner cannot be changed"))
- }
-
- if !reflect.DeepEqual(oldReplicationClass.Spec.Parameters, v.Spec.Parameters) {
- vrcLog.Info("invalid request to change the parameters", "exiting parameters", oldReplicationClass.Spec.Parameters, "new parameters", v.Spec.Parameters)
- allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("parameters"), v.Spec.Parameters, "parameters cannot be changed"))
- }
-
- if len(allErrs) == 0 {
- return nil, nil
- }
-
- return nil, apierrors.NewInvalid(
- schema.GroupKind{Group: "replication.storage.openshift.io", Kind: "VolumeReplicationClass"},
- v.Name, allErrs)
-
-}
-
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (v *VolumeReplicationClass) ValidateDelete() (admission.Warnings, error) {
- return nil, nil
-}
diff --git a/apis/replication.storage/v1alpha1/webhook_suite_test.go b/apis/replication.storage/v1alpha1/webhook_suite_test.go
deleted file mode 100644
index cec536a00..000000000
--- a/apis/replication.storage/v1alpha1/webhook_suite_test.go
+++ /dev/null
@@ -1,139 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "context" - "crypto/tls" - "fmt" - "net" - "path/filepath" - "testing" - "time" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - - admissionv1beta1 "k8s.io/api/admission/v1beta1" - //+kubebuilder:scaffold:imports - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/client-go/rest" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/log/zap" - metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" - "sigs.k8s.io/controller-runtime/pkg/webhook" -) - -// These tests use Ginkgo (BDD-style Go testing framework). Refer to -// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
- -var cfg *rest.Config -var k8sClient client.Client -var testEnv *envtest.Environment -var ctx context.Context -var cancel context.CancelFunc - -func TestAPIs(t *testing.T) { - RegisterFailHandler(Fail) - - RunSpecs(t, "Webhook Suite") -} - -var _ = BeforeSuite(func() { - logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) - - ctx, cancel = context.WithCancel(context.TODO()) - - By("bootstrapping test environment") - testEnv = &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, - ErrorIfCRDPathMissing: false, - WebhookInstallOptions: envtest.WebhookInstallOptions{ - Paths: []string{filepath.Join("..", "..", "..", "config", "webhook")}, - }, - } - - var err error - // cfg is defined in this file globally. - cfg, err = testEnv.Start() - Expect(err).NotTo(HaveOccurred()) - Expect(cfg).NotTo(BeNil()) - - scheme := runtime.NewScheme() - err = AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - err = admissionv1beta1.AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:scheme - - k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) - Expect(err).NotTo(HaveOccurred()) - Expect(k8sClient).NotTo(BeNil()) - - // start webhook server using Manager - webhookInstallOptions := &testEnv.WebhookInstallOptions - mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - LeaderElection: false, - Metrics: metricsserver.Options{BindAddress: "0"}, - WebhookServer: webhook.NewServer(webhook.Options{ - Port: webhookInstallOptions.LocalServingPort, - Host: webhookInstallOptions.LocalServingHost, - CertDir: webhookInstallOptions.LocalServingCertDir, - }), - }) - Expect(err).NotTo(HaveOccurred()) - - err = (&VolumeReplicationClass{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - err = (&VolumeReplication{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:webhook - - go func() { - defer 
GinkgoRecover() - err = mgr.Start(ctx) - Expect(err).NotTo(HaveOccurred()) - }() - - // wait for the webhook server to get ready - dialer := &net.Dialer{Timeout: time.Second} - addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) - Eventually(func() error { - conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) - if err != nil { - return err - } - conn.Close() - return nil - }).Should(Succeed()) - -}, 60) - -var _ = AfterSuite(func() { - cancel() - By("tearing down the test environment") - err := testEnv.Stop() - Expect(err).NotTo(HaveOccurred()) -}) diff --git a/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go b/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go index 6cb32c780..cd8fe3777 100644 --- a/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go +++ b/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go @@ -23,7 +23,7 @@ package v1alpha1 import ( "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. diff --git a/cmd/manager/main.go b/cmd/manager/main.go index 20da9de9f..e3d714b11 100644 --- a/cmd/manager/main.go +++ b/cmd/manager/main.go @@ -70,8 +70,8 @@ func main() { metricsAddr string probeAddr string enableLeaderElection bool - enableAdmissionWebhooks bool showVersion bool + enableAdmissionWebhooks bool ctx = context.Background() cfg = util.NewConfig() ) 
@@ -83,7 +83,7 @@ func main() { flag.DurationVar(&cfg.ReclaimSpaceTimeout, "reclaim-space-timeout", cfg.ReclaimSpaceTimeout, "Timeout for reclaimspace operation") flag.IntVar(&cfg.MaxConcurrentReconciles, "max-concurrent-reconciles", cfg.MaxConcurrentReconciles, "Maximum number of concurrent reconciles") flag.StringVar(&cfg.Namespace, "namespace", cfg.Namespace, "Namespace where the CSIAddons pod is deployed") - flag.BoolVar(&enableAdmissionWebhooks, "enable-admission-webhooks", true, "Enable the admission webhooks") + flag.BoolVar(&enableAdmissionWebhooks, "enable-admission-webhooks", false, "[DEPRECATED] Enable the admission webhooks") flag.BoolVar(&showVersion, "version", false, "Print Version details") opts := zap.Options{ Development: true, @@ -97,6 +97,10 @@ func main() { return } + if enableAdmissionWebhooks { + setupLog.Info("enable-admission-webhooks flag is deprecated and will be removed in a future release") + } + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) kubeConfig := ctrl.GetConfigOrDie() 
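Review bot: The usage string on the changed `flag.BoolVar` line still reads "Enable the admission webhooks", but as far as this diff shows the flag no longer enables anything, because its only consumer, the `SetupWebhookWithManager` block, is removed further down in main. An operator who passes `--enable-admission-webhooks=true` gets no admission validation from the manager; immutability now depends on the updated CRDs, with their `x-kubernetes-validations` rules, being applied to the cluster. The usage string should say so, for example `"[DEPRECATED] no-op; field immutability is enforced by CRD validation rules"`. main starts and ends outside this hunk.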
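Review bot: The deprecation message is logged before `ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))`, which is the next statement in this hunk. If `setupLog` is derived from `ctrl.Log` (its declaration is outside the hunk), the call reaches a logger that has no sink yet and the message may never be printed. Moving the added `if enableAdmissionWebhooks { ... }` block to just below the `ctrl.SetLogger(...)` line keeps the notice visible. Since the notice tells operators that a control they may rely on is gone, it is worth making sure it reaches the log. main starts and ends outside this hunk.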
@@ -184,38 +188,6 @@ func main() { os.Exit(1) } - if enableAdmissionWebhooks { - if err = (&replicationstoragev1alpha1.VolumeReplicationClass{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "VolumeReplicationClass") - os.Exit(1) - } - - if err = (&replicationstoragev1alpha1.VolumeReplication{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "VolumeReplication") - os.Exit(1) - } - - if err = (&csiaddonsv1alpha1.ReclaimSpaceJob{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "ReclaimSpaceJob") - os.Exit(1) - } - - if err = (&csiaddonsv1alpha1.ReclaimSpaceCronJob{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "ReclaimSpaceCronJob") - os.Exit(1) - } - - if err = (&csiaddonsv1alpha1.NetworkFence{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "NetworkFence") - os.Exit(1) - } - - if err = (&csiaddonsv1alpha1.CSIAddonsNode{}).SetupWebhookWithManager(mgr); err != nil { - setupLog.Error(err, "unable to create webhook", "webhook", "CSIAddonsNode") - os.Exit(1) - } - } - //+kubebuilder:scaffold:builder if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml deleted file mode 100644 index 5550d6154..000000000 --- a/config/certmanager/certificate.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -# The following manifests contain a self-signed issuer CR and a certificate CR. -# More document can be found at https://docs.cert-manager.io -# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer - namespace: system -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - # this name should match the one appeared in kustomizeconfig.yaml - name: serving-cert - namespace: system -spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize - dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local - issuerRef: - kind: Issuer - name: selfsigned-issuer - # this secret will not be prefixed, since it's not managed by kustomize - secretName: webhook-server-cert diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml deleted file mode 100644 index b08880f76..000000000 --- a/config/certmanager/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# Adds namespace to all resources. -namespace: csi-addons-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: csi-addons- - -resources: - - certificate.yaml - -configurations: - - kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml deleted file mode 100644 index 80bde9289..000000000 --- a/config/certmanager/kustomizeconfig.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -# This configuration is for teaching kustomize how to update name ref and var substitution -nameReference: - - kind: Issuer - group: cert-manager.io - fieldSpecs: - - kind: Certificate - group: cert-manager.io - path: spec/issuerRef/name - -varReference: - - kind: Certificate - group: cert-manager.io - path: spec/commonName - - kind: Certificate - group: cert-manager.io - path: spec/dnsNames diff --git a/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml b/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml index 19b25e58a..e577d22fb 100644 --- a/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml +++ b/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml @@ -64,10 +64,16 @@ spec: GetIdentity() call for that driver. The name of the driver is in the format: `example.csi.ceph.com`' type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf nodeID: description: NodeID is the ID of the node to identify on which node the side-car is running. type: string + x-kubernetes-validations: + - message: nodeID is immutable + rule: self == oldSelf required: - endpoint - name diff --git a/config/crd/bases/csiaddons.openshift.io_networkfences.yaml b/config/crd/bases/csiaddons.openshift.io_networkfences.yaml index ed416c1ce..3234ca5fd 100644 --- a/config/crd/bases/csiaddons.openshift.io_networkfences.yaml +++ b/config/crd/bases/csiaddons.openshift.io_networkfences.yaml @@ -59,6 +59,9 @@ spec: driver: description: Driver contains the name of CSI driver. type: string + x-kubernetes-validations: + - message: driver is immutable + rule: self == oldSelf fenceState: default: Fenced description: FenceState contains the desired state for the CIDRs mentioned 
@@ -73,6 +76,9 @@ spec: description: Parameters is used to pass additional parameters to the CSI driver. type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf secret: description: Secret is a kubernetes secret, which is required to perform the fence/unfence operation. @@ -80,11 +86,20 @@ spec: name: description: Name specifies the name of the secret. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf namespace: description: Namespace specifies the namespace in which the secret is located. type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: secret is immutable + rule: self == oldSelf required: - cidrs - driver diff --git a/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml b/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml index 105eb179c..7e5047b91 100644 --- a/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml +++ b/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml @@ -113,6 +113,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for diff --git a/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml b/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml index 6cf218ccf..2a71ca267 100644 --- a/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml +++ b/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml 
@@ -79,6 +79,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for the grpc diff --git a/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml b/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml index 260ec6514..8e22bd26c 100644 --- a/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml +++ b/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml @@ -49,9 +49,15 @@ spec: description: Parameters is a key-value map with storage provisioner specific configurations for creating volume replicas type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf provisioner: description: Provisioner is the name of storage provisioner type: string + x-kubernetes-validations: + - message: provisioner is immutable + rule: self == oldSelf required: - provisioner type: object diff --git a/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml b/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml index 3ca1d96d3..46f07df85 100644 --- a/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml +++ b/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml @@ -78,6 +78,9 @@ spec: - name type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: dataSource is immutable + rule: self == oldSelf replicationHandle: description: replicationHandle represents an existing (but new) replication id 
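Review bot: In the VolumeReplicationClass schema the `self == oldSelf` rule on `parameters` does not cover adding or removing the field: `parameters` is not in the `required` list, and a transition rule is evaluated only when both the old and the new value exist. The removed `ValidateUpdate` compared the two maps with `reflect.DeepEqual`, so with the webhook enabled an update that set parameters on a class created without them, or dropped them, was rejected; with this rule alone it is accepted. A rule on the parent `spec` object closes the gap, for example `rule: has(self.parameters) == has(oldSelf.parameters)` with the same message. This file looks generated, so the change would be an extra `+kubebuilder:validation:XValidation` marker on the spec type in the Go API package, which is outside this hunk. The optional `parameters` and `secret` fields in config/crd/bases/csiaddons.openshift.io_networkfences.yaml appear to have the same gap.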
@@ -95,6 +98,9 @@ spec: description: VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource type: string + x-kubernetes-validations: + - message: volumeReplicationClass is immutable + rule: self == oldSelf required: - autoResync - dataSource diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index a955dd89f..677e7eae1 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -14,49 +14,49 @@ # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus -patchesStrategicMerge: +# patchesStrategicMerge: # Mount the controller config file for loading manager configurations # through a ComponentConfig type #- manager_config_patch.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml - - manager_webhook_patch.yaml + #- manager_webhook_patch.yaml # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection - - webhookcainjection_patch.yaml + #- webhookcainjection_patch.yaml # the following config is for teaching kustomize how to do var substitution -vars: - # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. - - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - fieldref: - fieldpath: metadata.namespace - - name: CERTIFICATE_NAME - objref: - kind: Certificate - group: cert-manager.io - version: v1 - name: serving-cert # this name should match the one in certificate.yaml - - name: SERVICE_NAMESPACE # namespace of the service - objref: - kind: Service - version: v1 - name: webhook-service - fieldref: - fieldpath: metadata.namespace - - name: SERVICE_NAME - objref: - kind: Service - version: v1 - name: webhook-service +#vars: +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
+# - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR +# objref: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldref: +# fieldpath: metadata.namespace +# - name: CERTIFICATE_NAME +# objref: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# - name: SERVICE_NAMESPACE # namespace of the service +# objref: +# kind: Service +# version: v1 +# name: webhook-service +# fieldref: +# fieldpath: metadata.namespace +# - name: SERVICE_NAME +# objref: +# kind: Service +# version: v1 +# name: webhook-service apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization @@ -64,5 +64,3 @@ resources: - ../crd - ../rbac - ../manager - - ../webhook - - ../certmanager diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml deleted file mode 100644 index 4aaf150d2..000000000 --- a/config/default/manager_webhook_patch.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml deleted file mode 100644 index a6a4b2160..000000000 --- a/config/default/webhookcainjection_patch.yaml +++ /dev/null 
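Review bot: The scaffolding that this hunk comments out still tells the reader to uncomment the `[WEBHOOK]` and `[CERTMANAGER]` sections, but the files those sections point at (`manager_webhook_patch.yaml`, `webhookcainjection_patch.yaml`, and the `../webhook` and `../certmanager` directories) are deleted in this same commit. Following the instructions would therefore produce a kustomization that cannot build. Deleting the `patchesStrategicMerge` and `vars` blocks outright would be clearer than leaving them commented. If they stay, a line above them such as `# webhook and cert-manager support was removed; immutability is enforced by CRD validation rules` would explain why they are inert.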
@@ -1,10 +0,0 @@ ---- -# This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/manager/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml index 8f4abf76f..f30705fe0 100644 --- a/config/manager/manager_auth_proxy_patch.yaml +++ b/config/manager/manager_auth_proxy_patch.yaml @@ -36,4 +36,3 @@ spec: - "--health-probe-bind-address=:8081" - "--metrics-bind-address=127.0.0.1:8080" - "--leader-elect" - - "--enable-admission-webhooks=true" diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml index 5920ff456..eb52b171d 100644 --- a/config/manifests/kustomization.yaml +++ b/config/manifests/kustomization.yaml @@ -4,23 +4,3 @@ resources: - ../default - ../scorecard - -# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. -# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. -# These patches remove the unnecessary "cert" volume and its manager container volumeMount. -patchesJson6902: - - target: - group: apps - version: v1 - kind: Deployment - name: controller-manager - namespace: system - patch: |- - # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. - # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. - - op: remove - path: /spec/template/spec/containers/0/volumeMounts/0 - # Remove the "cert" volume, since OLM will create and mount a set of certs. - # Update the indices in this path if adding or removing volumes in the manager's Deployment. - - op: remove - path: /spec/template/spec/volumes/0 
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml deleted file mode 100644 index 54d4b52e9..000000000 --- a/config/webhook/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# Adds namespace to all resources. -namespace: csi-addons-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: csi-addons- - -resources: - - manifests.yaml - - service.yaml - -configurations: - - kustomizeconfig.yaml diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml deleted file mode 100644 index d45f3553b..000000000 --- a/config/webhook/kustomizeconfig.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# the following config is for teaching kustomize where to look at when substituting vars. -# It requires kustomize v2.1.0 or newer to work properly. -nameReference: - - kind: Service - version: v1 - fieldSpecs: - - kind: ValidatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/name - -namespace: - - kind: ValidatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/namespace - create: true - -varReference: - - path: metadata/annotations diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml deleted file mode 100644 index 7299e9eb4..000000000 --- a/config/webhook/manifests.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode - failurePolicy: Fail - name: vcsiaddonsnode.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - csiaddonsnodes - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-networkfence - failurePolicy: Fail - name: vnetworkfence.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - networkfences - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-reclaimspacecronjob - failurePolicy: Fail - name: vreclaimspacecronjob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacecronjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-reclaimspacejob - failurePolicy: Fail - name: vreclaimspacejob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacejobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplication - failurePolicy: Fail - name: vvolumereplication.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - 
apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplications - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplicationclass - failurePolicy: Fail - name: vvolumereplicationclass.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplicationclasses - sideEffects: None diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml deleted file mode 100644 index 80ea703d7..000000000 --- a/config/webhook/service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -apiVersion: v1 -kind: Service -metadata: - name: webhook-service - namespace: system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app.kubernetes.io/name: csi-addons diff --git a/deploy/controller/crds.yaml b/deploy/controller/crds.yaml index 67127ce7f..ccfe94de4 100644 --- a/deploy/controller/crds.yaml +++ b/deploy/controller/crds.yaml @@ -63,10 +63,16 @@ spec: GetIdentity() call for that driver. The name of the driver is in the format: `example.csi.ceph.com`' type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf nodeID: description: NodeID is the ID of the node to identify on which node the side-car is running. type: string + x-kubernetes-validations: + - message: nodeID is immutable + rule: self == oldSelf required: - endpoint - name @@ -161,6 +167,9 @@ spec: driver: description: Driver contains the name of CSI driver. type: string + x-kubernetes-validations: + - message: driver is immutable + rule: self == oldSelf fenceState: default: Fenced description: FenceState contains the desired state for the CIDRs mentioned 
@@ -175,6 +184,9 @@ spec: description: Parameters is used to pass additional parameters to the CSI driver. type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf secret: description: Secret is a kubernetes secret, which is required to perform the fence/unfence operation. @@ -182,11 +194,20 @@ spec: name: description: Name specifies the name of the secret. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf namespace: description: Namespace specifies the namespace in which the secret is located. type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: secret is immutable + rule: self == oldSelf required: - cidrs - driver @@ -394,6 +415,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for @@ -573,6 +597,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for the grpc @@ -739,9 +766,15 @@ spec: description: Parameters is a key-value map with storage provisioner specific configurations for creating volume replicas type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf provisioner: description: Provisioner is the name of storage provisioner type: string + x-kubernetes-validations: + - message: provisioner is immutable + rule: self == oldSelf required: - provisioner type: object 
@@ -836,6 +869,9 @@ spec: - name type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: dataSource is immutable + rule: self == oldSelf replicationHandle: description: replicationHandle represents an existing (but new) replication id @@ -853,6 +889,9 @@ spec: description: VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource type: string + x-kubernetes-validations: + - message: volumeReplicationClass is immutable + rule: self == oldSelf required: - autoResync - dataSource diff --git a/deploy/controller/install-all-in-one.yaml b/deploy/controller/install-all-in-one.yaml deleted file mode 100644 index ce7f3b55a..000000000 --- a/deploy/controller/install-all-in-one.yaml +++ /dev/null 
@@ -1,1564 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/name: csi-addons - name: csi-addons-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: csiaddonsnodes.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: CSIAddonsNode - listKind: CSIAddonsNodeList - plural: csiaddonsnodes - singular: csiaddonsnode - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.namespace - name: namespace - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.driver.name - name: DriverName - type: string - - jsonPath: .spec.driver.endpoint - name: Endpoint - type: string - - jsonPath: .spec.driver.nodeID - name: NodeID - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: CSIAddonsNode is the Schema for the csiaddonsnode API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CSIAddonsNodeSpec defines the desired state of CSIAddonsNode - properties: - driver: - description: Driver is the information of the CSI Driver existing - on a node. If the driver is uninstalled, this can become empty. 
- properties: - endpoint: - description: EndPoint is url that contains the ip-address to which - the CSI-Addons side-car listens to. - type: string - name: - description: 'Name is the name of the CSI driver that this object - refers to. This must be the same name returned by the CSI-Addons - GetIdentity() call for that driver. The name of the driver is - in the format: `example.csi.ceph.com`' - type: string - nodeID: - description: NodeID is the ID of the node to identify on which - node the side-car is running. - type: string - required: - - endpoint - - name - - nodeID - type: object - required: - - driver - type: object - status: - description: CSIAddonsNodeStatus defines the observed state of CSIAddonsNode - properties: - message: - description: Message is a human-readable message indicating details - about why the CSIAddonsNode is in this state. - type: string - reason: - description: Reason is a brief CamelCase string that describes any - failure and is meant for machine parsing and tidy display in the - CLI. - type: string - state: - description: State represents the state of the CSIAddonsNode object. - It informs whether or not the CSIAddonsNode is Connected to the - CSI Driver. 
- type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: networkfences.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: NetworkFence - listKind: NetworkFenceList - plural: networkfences - singular: networkfence - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.driver - name: Driver - type: string - - jsonPath: .spec.cidrs - name: Cidrs - type: string - - jsonPath: .spec.fenceState - name: FenceState - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.result - name: Result - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: NetworkFence is the Schema for the networkfences API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NetworkFenceSpec defines the desired state of NetworkFence - properties: - cidrs: - description: Cidrs contains a list of CIDR blocks, which are required - to be fenced. - items: - type: string - type: array - driver: - description: Driver contains the name of CSI driver. 
- type: string - fenceState: - default: Fenced - description: FenceState contains the desired state for the CIDRs mentioned - in the Spec. i.e. Fenced or Unfenced - enum: - - Fenced - - Unfenced - type: string - parameters: - additionalProperties: - type: string - description: Parameters is used to pass additional parameters to the - CSI driver. - type: object - secret: - description: Secret is a kubernetes secret, which is required to perform - the fence/unfence operation. - properties: - name: - description: Name specifies the name of the secret. - type: string - namespace: - description: Namespace specifies the namespace in which the secret - is located. - type: string - type: object - required: - - cidrs - - driver - - fenceState - type: object - status: - description: NetworkFenceStatus defines the observed state of NetworkFence - properties: - conditions: - description: Conditions are the list of conditions and their status. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: Message contains any message from the NetworkFence operation. - type: string - result: - description: Result indicates the result of Network Fence/Unfence - operation. 
- type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: reclaimspacecronjobs.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: ReclaimSpaceCronJob - listKind: ReclaimSpaceCronJobList - plural: reclaimspacecronjobs - singular: reclaimspacecronjob - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .spec.suspend - name: Suspend - type: boolean - - jsonPath: .status.active.name - name: Active - type: string - - jsonPath: .status.lastScheduleTime - name: Lastschedule - type: date - - jsonPath: .status.lastSuccessfulTime - name: Lastsuccessfultime - priority: 1 - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ReclaimSpaceCronJob is the Schema for the reclaimspacecronjobs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReclaimSpaceCronJobSpec defines the desired state of ReclaimSpaceJob - properties: - concurrencyPolicy: - default: Forbid - description: 'Specifies how to treat concurrent executions of a Job. - Valid values are: - "Forbid" (default): forbids concurrent runs, - skipping next run if previous run hasn''t finished yet; - "Replace": - cancels currently running job and replaces it with a new one' - enum: - - Forbid - - Replace - type: string - failedJobsHistoryLimit: - default: 1 - description: The number of failed finished jobs to retain. Value must - be non-negative integer. Defaults to 1. - format: int32 - maximum: 60 - minimum: 0 - type: integer - jobTemplate: - description: Specifies the job that will be created when executing - a CronJob. - properties: - metadata: - description: 'Standard object''s metadata of the jobs created - from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Specification of the desired behavior of the job. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - backOffLimit: - default: 6 - description: BackOffLimit specifies the number of retries - allowed before marking reclaim space operation as failed. - If not specified, defaults to 6. Maximum allowed value is - 60 and minimum allowed value is 0. - format: int32 - maximum: 60 - minimum: 0 - type: integer - retryDeadlineSeconds: - default: 600 - description: RetryDeadlineSeconds specifies the duration in - seconds relative to the start time that the operation may - be retried; value MUST be positive integer. If not specified, - defaults to 600 seconds. Maximum allowed value is 1800. 
- format: int64 - maximum: 1800 - minimum: 0 - type: integer - target: - description: Target represents volume target on which the - operation will be performed. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim specifies the target - PersistentVolumeClaim name. - type: string - type: object - timeout: - description: Timeout specifies the timeout in seconds for - the grpc request sent to the CSI driver. If not specified, - defaults to global reclaimspace timeout. Minimum allowed - value is 60. - format: int64 - minimum: 60 - type: integer - required: - - target - type: object - type: object - schedule: - description: The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. - pattern: .+ - type: string - startingDeadlineSeconds: - description: Optional deadline in seconds for starting the job if - it misses scheduled time for any reason. Missed jobs executions - will be counted as failed ones. - format: int64 - type: integer - successfulJobsHistoryLimit: - default: 3 - description: The number of successful finished jobs to retain. Value - must be non-negative integer. Defaults to 3. - format: int32 - maximum: 60 - minimum: 0 - type: integer - suspend: - description: This flag tells the controller to suspend subsequent - executions, it does not apply to already started executions. Defaults - to false. - type: boolean - required: - - jobTemplate - - schedule - type: object - status: - description: ReclaimSpaceCronJobStatus defines the observed state of ReclaimSpaceJob - properties: - active: - description: A pointer to currently running job. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - lastScheduleTime: - description: Information when was the last time the job was successfully - scheduled. - format: date-time - type: string - lastSuccessfulTime: - description: Information when was the last time the job successfully - completed. 
- format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: reclaimspacejobs.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: ReclaimSpaceJob - listKind: ReclaimSpaceJobList - plural: reclaimspacejobs - singular: reclaimspacejob - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.namespace - name: Namespace - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.retries - name: Retries - type: integer - - jsonPath: .status.result - name: Result - type: string - - jsonPath: .status.reclaimedSpace - name: ReclaimedSpace - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ReclaimSpaceJob is the Schema for the reclaimspacejobs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReclaimSpaceJobSpec defines the desired state of ReclaimSpaceJob - properties: - backOffLimit: - default: 6 - description: BackOffLimit specifies the number of retries allowed - before marking reclaim space operation as failed. 
If not specified, - defaults to 6. Maximum allowed value is 60 and minimum allowed value - is 0. - format: int32 - maximum: 60 - minimum: 0 - type: integer - retryDeadlineSeconds: - default: 600 - description: RetryDeadlineSeconds specifies the duration in seconds - relative to the start time that the operation may be retried; value - MUST be positive integer. If not specified, defaults to 600 seconds. - Maximum allowed value is 1800. - format: int64 - maximum: 1800 - minimum: 0 - type: integer - target: - description: Target represents volume target on which the operation - will be performed. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim specifies the target PersistentVolumeClaim - name. - type: string - type: object - timeout: - description: Timeout specifies the timeout in seconds for the grpc - request sent to the CSI driver. If not specified, defaults to global - reclaimspace timeout. Minimum allowed value is 60. - format: int64 - minimum: 60 - type: integer - required: - - target - type: object - status: - description: ReclaimSpaceJobStatus defines the observed state of ReclaimSpaceJob - properties: - completionTime: - format: date-time - type: string - conditions: - description: Conditions are the list of conditions and their status. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: Message contains any message from the ReclaimSpaceJob. - type: string - reclaimedSpace: - anyOf: - - type: integer - - type: string - description: ReclaimedSpace indicates the amount of space reclaimed. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - result: - description: Result indicates the result of ReclaimSpaceJob. - type: string - retries: - description: Retries indicates the number of times the operation is - retried. - format: int32 - type: integer - startTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: volumereplicationclasses.replication.storage.openshift.io -spec: - group: replication.storage.openshift.io - names: - kind: VolumeReplicationClass - listKind: VolumeReplicationClassList - plural: volumereplicationclasses - shortNames: - - vrc - singular: volumereplicationclass - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.provisioner - name: provisioner - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: VolumeReplicationClass is the Schema for the volumereplicationclasses - API. 
- properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VolumeReplicationClassSpec specifies parameters that an underlying - storage system uses when creating a volume replica. A specific VolumeReplicationClass - is used by specifying its name in a VolumeReplication object. - properties: - parameters: - additionalProperties: - type: string - description: Parameters is a key-value map with storage provisioner - specific configurations for creating volume replicas - type: object - provisioner: - description: Provisioner is the name of storage provisioner - type: string - required: - - provisioner - type: object - status: - description: VolumeReplicationClassStatus defines the observed state of - VolumeReplicationClass. 
- type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: volumereplications.replication.storage.openshift.io -spec: - group: replication.storage.openshift.io - names: - kind: VolumeReplication - listKind: VolumeReplicationList - plural: volumereplications - shortNames: - - vr - singular: volumereplication - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.volumeReplicationClass - name: volumeReplicationClass - type: string - - jsonPath: .spec.dataSource.name - name: pvcName - type: string - - jsonPath: .spec.replicationState - name: desiredState - type: string - - jsonPath: .status.state - name: currentState - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: VolumeReplication is the Schema for the volumereplications API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VolumeReplicationSpec defines the desired state of VolumeReplication. 
- properties: - autoResync: - default: false - description: AutoResync represents the volume to be auto resynced - when ReplicationState is "secondary" - type: boolean - dataSource: - description: DataSource represents the object associated with the - volume - properties: - apiGroup: - description: APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in - the core API group. For any other third-party types, APIGroup - is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - replicationHandle: - description: replicationHandle represents an existing (but new) replication - id - type: string - replicationState: - description: ReplicationState represents the replication operation - to be performed on the volume. Supported operations are "primary", - "secondary" and "resync" - enum: - - primary - - secondary - - resync - type: string - volumeReplicationClass: - description: VolumeReplicationClass is the VolumeReplicationClass - name for this VolumeReplication resource - type: string - required: - - autoResync - - dataSource - - replicationState - - volumeReplicationClass - type: object - status: - description: VolumeReplicationStatus defines the observed state of VolumeReplication. - properties: - conditions: - description: Conditions are the list of conditions and their status. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastCompletionTime: - format: date-time - type: string - lastStartTime: - format: date-time - type: string - lastSyncBytes: - format: int64 - type: integer - lastSyncDuration: - type: string - lastSyncTime: - format: date-time - type: string - message: - type: string - observedGeneration: - description: observedGeneration is the last generation change the - operator has dealt with - format: int64 - type: integer - state: - description: State captures the latest state of the replication operation. 
- type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: csi-addons-leader-election-role - namespace: csi-addons-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-addons-manager-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes/status - verbs: - - get - - patch - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - networkfences - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - 
resources: - - networkfences/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - networkfences/status - verbs: - - get - - patch - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacecronjobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacecronjobs/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacecronjobs/status - verbs: - - get - - patch - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacejobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacejobs/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacejobs/status - verbs: - - get - - patch - - update -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplicationclasses - verbs: - - get - - list - - watch -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplications - verbs: - - get - - list - - update - - watch -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplications/finalizers - verbs: - - update -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplications/status - verbs: - - update -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-addons-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-addons-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews 
- verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: csi-addons-leader-election-rolebinding - namespace: csi-addons-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: csi-addons-leader-election-role -subjects: -- kind: ServiceAccount - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: csi-addons-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-addons-manager-role -subjects: -- kind: ServiceAccount - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: csi-addons-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-addons-proxy-role -subjects: -- kind: ServiceAccount - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: v1 -data: - controller_manager_config.yaml: | - --- - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: e8cd140a.openshift.io -kind: ConfigMap -metadata: - name: csi-addons-manager-config - namespace: csi-addons-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: csi-addons - name: csi-addons-controller-manager-metrics-service - namespace: csi-addons-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/name: csi-addons ---- -apiVersion: v1 -kind: Service -metadata: - name: csi-addons-webhook-service - namespace: csi-addons-system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app.kubernetes.io/name: csi-addons 
---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/name: csi-addons - name: csi-addons-controller-manager - namespace: csi-addons-system -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: csi-addons - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - app.kubernetes.io/name: csi-addons - spec: - containers: - - args: - - --namespace=$(POD_NAMESPACE) - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --enable-admission-webhooks=true - command: - - /csi-addons-manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/csiaddons/k8s-controller:latest - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - runAsNonRoot: true - serviceAccountName: csi-addons-controller-manager - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: csi-addons-serving-cert - namespace: csi-addons-system 
-spec: - dnsNames: - - csi-addons-webhook-service.csi-addons-system.svc - - csi-addons-webhook-service.csi-addons-system.svc.cluster.local - issuerRef: - kind: Issuer - name: csi-addons-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: csi-addons-selfsigned-issuer - namespace: csi-addons-system -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: csi-addons-system/csi-addons-serving-cert - name: csi-addons-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode - failurePolicy: Fail - name: vcsiaddonsnode.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - csiaddonsnodes - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-csiaddons-openshift-io-v1alpha1-networkfence - failurePolicy: Fail - name: vnetworkfence.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - networkfences - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-csiaddons-openshift-io-v1alpha1-reclaimspacecronjob - failurePolicy: Fail - name: vreclaimspacecronjob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacecronjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: 
/validate-csiaddons-openshift-io-v1alpha1-reclaimspacejob - failurePolicy: Fail - name: vreclaimspacejob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacejobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplication - failurePolicy: Fail - name: vvolumereplication.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplications - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplicationclass - failurePolicy: Fail - name: vvolumereplicationclass.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplicationclasses - sideEffects: None
diff --git a/deploy/controller/setup-controller.yaml b/deploy/controller/setup-controller.yaml
index fab5b2aa8..aad6d9f48 100644
--- a/deploy/controller/setup-controller.yaml
+++ b/deploy/controller/setup-controller.yaml
@@ -61,7 +61,6 @@ spec:
 - --health-probe-bind-address=:8081
 - --metrics-bind-address=127.0.0.1:8080
 - --leader-elect
- - --enable-admission-webhooks=false
 command:
 - /csi-addons-manager
 env:
diff --git a/docs/deploy-controller.md b/docs/deploy-controller.md
index 6cb9e25dd..c5fc35954 100644
--- a/docs/deploy-controller.md
+++ b/docs/deploy-controller.md
@@ -13,7 +13,6 @@ The CSI-Addons Controller can be deployed by different ways: | `--leader-elect` | `false` | Enable leader election for controller manager.| | `--reclaim-space-timeout` | `3m` | Timeout for reclaimspace operation | | `--max-concurrent-reconciles` | 100 | Maximum number of concurrent reconciles | -| `--enable-admission-webhooks` | `true` | Enable the admission webhooks | > Note: Some of the above configuration options can also be configured using [`"csi-addons-config"` configmap](./csi-addons-config.md). 
@@ -59,48 +58,6 @@ deployment.apps/csi-addons-controller-manager created * The "setup-controller.yaml" creates the csi-addons-controller-manager. -Webhooks are disabled by default in the controller deployment. If you are -looking to install controller with webhooks enabled, a single yaml file is -available in `deploy/controller` which contains all the required RBAC, CRD, -Deployment, Webhooks, Certificates etc. The versioned deployment is possible -with the yaml files that get generated for the [latest -release](https://github.com/csi-addons/kubernetes-csi-addons/releases/latest). -You can download the yaml file from there, or use them directly with kubectl. -This is the recommended and easiest way to deploy the controller with webhooks. - -**Note** The cert-manager need to be available/installed before installing the -controller. Please refer [doc](https://cert-manager.io/docs/installation) for -cert-manager installation. - -```console -$ cd deploy/controller - -$ kubectl create -f install-all-in-one.yaml - -namespace/csi-addons-system created -customresourcedefinition.apiextensions.k8s.io/csiaddonsnodes.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/networkfences.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/reclaimspacecronjobs.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/reclaimspacejobs.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/volumereplicationclasses.replication.storage.openshift.io created -customresourcedefinition.apiextensions.k8s.io/volumereplications.replication.storage.openshift.io created -serviceaccount/csi-addons-controller-manager created -role.rbac.authorization.k8s.io/csi-addons-leader-election-role created -clusterrole.rbac.authorization.k8s.io/csi-addons-manager-role created -clusterrole.rbac.authorization.k8s.io/csi-addons-metrics-reader created -clusterrole.rbac.authorization.k8s.io/csi-addons-proxy-role created 
-rolebinding.rbac.authorization.k8s.io/csi-addons-leader-election-rolebinding created -clusterrolebinding.rbac.authorization.k8s.io/csi-addons-manager-rolebinding created -clusterrolebinding.rbac.authorization.k8s.io/csi-addons-proxy-rolebinding created -configmap/csi-addons-manager-config created -service/csi-addons-controller-manager-metrics-service created -service/csi-addons-webhook-service created -deployment.apps/csi-addons-controller-manager created -certificate.cert-manager.io/csi-addons-serving-cert created -issuer.cert-manager.io/csi-addons-selfsigned-issuer created -validatingwebhookconfiguration.admissionregistration.k8s.io/csi-addons-validating-webhook-configuration created -``` - ## Installation by operator-sdk A CSI-Addons bundle can be used to install the CSI-Addons Controller with the @@ -172,4 +129,4 @@ for the CSI-Addons Controller are as follows: requests: cpu: 10m memory: 64Mi -``` \ No newline at end of file +```