From b39c02d09622901dbb36df9e83448c1fab05d986 Mon Sep 17 00:00:00 2001
From: Chunyi Lyu
Date: Wed, 17 Mar 2021 13:32:14 +0000
Subject: [PATCH] Bootstrap admission webhook for bindings.rabbitmq.com
---
 Makefile | 6 +++
 api/v1alpha1/binding_webhook.go | 41 +++++++++++++++++++
 config/certmanager/certificate.yaml | 8 +---
 config/crd/kustomization.yaml | 7 ++++
 .../crd/patches/cainjection_in_bindings.yaml | 2 +-
 config/crd/patches/webhook_in_bindings.yaml | 18 ++++----
 config/default/base/kustomization.yaml | 34 +++++++++++++++
 .../default/base/manager_webhook_patch.yaml | 23 +++++++++++
 .../base/webhookcainjection_patch.yaml | 7 ++++
 config/webhook/kustomizeconfig.yaml | 2 -
 config/webhook/manifests.yaml | 28 +++++++++++++
 config/webhook/service.yaml | 3 +-
 main.go | 6 +++
 13 files changed, 165 insertions(+), 20 deletions(-)
 create mode 100644 api/v1alpha1/binding_webhook.go
 create mode 100644 config/default/base/manager_webhook_patch.yaml
 create mode 100644 config/default/base/webhookcainjection_patch.yaml
 create mode 100644 config/webhook/manifests.yaml
diff --git a/Makefile b/Makefile
index 30d792db..79d8e1f8 100644
--- a/Makefile
+++ b/Makefile
@@ -123,3 +123,9 @@ generate-manifests:
 mkdir -p releases
 kustomize build config/installation/ > releases/messaging-topology-operator.yaml
+CERT_MANAGER_VERSION ?=v1.2.0
+cert-manager:
+ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml
+
+destroy-cert-manager:
+ kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/$(CERT_MANAGER_VERSION)/cert-manager.yaml
diff --git a/api/v1alpha1/binding_webhook.go b/api/v1alpha1/binding_webhook.go
new file mode 100644
index 00000000..2f8add76
--- /dev/null
+++ b/api/v1alpha1/binding_webhook.go
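Review bot: The new `cert-manager` and `destroy-cert-manager` targets are not declared `.PHONY`, so a file or directory named `cert-manager` in the repository root would make `make cert-manager` report the target as up to date and skip the `kubectl apply`. Add `.PHONY: cert-manager destroy-cert-manager` next to the targets. The rest of the Makefile, including any existing `.PHONY` list, is outside the hunk, so it may already be covered there.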
@@ -0,0 +1,41 @@
+package v1alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/runtime"
+ ctrl "sigs.k8s.io/controller-runtime"
+ logf "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+var logger = logf.Log.WithName("binding-webhook")
+
+func (r *Binding) SetupWebhookWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewWebhookManagedBy(mgr).
+ For(r).
+ Complete()
+}
+
+// +kubebuilder:webhook:verbs=create;update,path=/validate-rabbitmq-com-v1alpha1-binding,mutating=false,failurePolicy=fail,groups=rabbitmq.com,resources=bindings,versions=v1alpha1,name=vbinding.kb.io,sideEffects=none,admissionReviewVersions=v1
+
+var _ webhook.Validator = &Binding{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *Binding) ValidateCreate() error {
+ logger.Info("validate create", "name", r.Name)
+
+ return nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *Binding) ValidateUpdate(old runtime.Object) error {
+ logger.Info("validate update", "name", r.Name)
+
+ return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *Binding) ValidateDelete() error {
+ logger.Info("validate delete", "name", r.Name)
+
+ return nil
+}
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
index 58db114f..5c103694 100644
--- a/config/certmanager/certificate.yaml
+++ b/config/certmanager/certificate.yaml
@@ -1,8 +1,4 @@
-# The following manifests contain a self-signed issuer CR and a certificate CR.
-# More document can be found at https://docs.cert-manager.io
-# WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for
-# breaking changes
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
 name: selfsigned-issuer
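Review bot: ValidateCreate, ValidateUpdate and ValidateDelete unconditionally `return nil`, so with `failurePolicy=fail` in the marker every Binding create/update now depends on the webhook endpoint being reachable while no rule is actually enforced; if this is deliberate scaffolding, state it on the type, e.g. `// TODO: Binding validation rules are not implemented yet; every request is admitted.` ValidateUpdate also discards `old`, which is the argument any immutability check between old and new spec would need. The doc comment on ValidateDelete claims a webhook is registered for it, but the marker lists `verbs=create;update` only, so the API server never sends deletes to this handler — either add `delete` to the verbs or reword to `// ValidateDelete satisfies webhook.Validator; delete is not among the registered verbs, so it is never invoked.` Logging every admission request at Info level via `logger.Info(...)` will be noisy under load; `logger.V(1).Info(...)` keeps it available for debugging without flooding production logs. The package-level name `logger` is also generic enough to collide when further webhooks are scaffolded into v1alpha1; a type-specific name such as `bindinglog` avoids that.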
@@ -10,7 +6,7 @@ metadata:
 spec:
 selfSigned: {}
 ---
-apiVersion: cert-manager.io/v1alpha2
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 0ee39489..535d2496 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -10,5 +10,12 @@ resources:
 - bases/rabbitmq.com_policies.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
+patchesStrategicMerge:
+- patches/webhook_in_bindings.yaml
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+- patches/cainjection_in_bindings.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
+
 configurations:
 - kustomizeconfig.yaml
diff --git a/config/crd/patches/cainjection_in_bindings.yaml b/config/crd/patches/cainjection_in_bindings.yaml
index b0bfdccc..686e35bf 100644
--- a/config/crd/patches/cainjection_in_bindings.yaml
+++ b/config/crd/patches/cainjection_in_bindings.yaml
@@ -1,6 +1,6 @@
 # The following patch adds a directive for certmanager to inject CA into the CRD
 # CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1alpha1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
diff --git a/config/crd/patches/webhook_in_bindings.yaml b/config/crd/patches/webhook_in_bindings.yaml
index f6c86c65..a9d42c36 100644
--- a/config/crd/patches/webhook_in_bindings.yaml
+++ b/config/crd/patches/webhook_in_bindings.yaml
@@ -1,17 +1,17 @@
 # The following patch enables conversion webhook for CRD
 # CRD conversion requires k8s 1.13 or later.
-apiVersion: apiextensions.k8s.io/v1alpha1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: bindings.rabbitmq.com
 spec:
 conversion:
 strategy: Webhook
- webhookClientConfig:
- # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
- # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
- caBundle: Cg==
- service:
- namespace: system
- name: webhook-service
- path: /convert
+ webhook:
+ conversionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ caBundle: Cg==
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
diff --git a/config/default/base/kustomization.yaml b/config/default/base/kustomization.yaml
index 0d101b3d..102ca860 100644
--- a/config/default/base/kustomization.yaml
+++ b/config/default/base/kustomization.yaml
@@ -6,6 +6,40 @@ namespace: rabbitmq-system
 resources:
 - ../../crd
 - ../../manager
+- ../../webhook
+- ../../certmanager
+
+patches:
+- manager_webhook_patch.yaml
+- webhookcainjection_patch.yaml
+
+vars:
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+ objref:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert # this name should match the one in certificate.yaml
+ fieldref:
+ fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+ objref:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+ objref:
+ kind: Service
+ version: v1
+ name: webhook-service
+ fieldref:
+ fieldpath: metadata.namespace
+- name: SERVICE_NAME
+ objref:
+ kind: Service
+ version: v1
+ name: webhook-service
 images:
 - name: controller
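Review bot: The kept comment `# CRD conversion requires k8s 1.13 or later.` is stale now that the patch targets `apiextensions.k8s.io/v1`, which is only served by Kubernetes 1.16 and later; the same line survives in cainjection_in_bindings.yaml. Replace it with `# apiextensions.k8s.io/v1 requires k8s 1.16 or later.` in both files. Separately, this patch switches the bindings CRD to `strategy: Webhook` and advertises `conversionReviewVersions: ["v1", "v1beta1"]`, yet the main.go hunk registers only the validating webhook and the marker names a single version, so it looks like nothing will serve `/convert`; unless a Convertible implementation exists outside this diff, it is safer to leave conversion at `strategy: None` until a second API version is introduced.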
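Review bot: Adding `../../certmanager` to `resources` makes the rendered installation manifest hard-depend on cert-manager's Issuer and Certificate CRDs being present before `kubectl apply`; on a cluster without cert-manager the apply fails, and the manager pod presumably cannot start either because manager_webhook_patch.yaml mounts the `webhook-server-cert` secret that only cert-manager creates. Make the prerequisite explicit with a comment on the entry, e.g. `- ../../certmanager # requires cert-manager to be installed first (see make cert-manager)`, and mention it in the install documentation. Note also that `vars` is deprecated in newer kustomize releases in favour of `replacements`; fine for the scaffolded toolchain, but worth recording before the next kustomize upgrade.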
diff --git a/config/default/base/manager_webhook_patch.yaml b/config/default/base/manager_webhook_patch.yaml
new file mode 100644
index 00000000..0465e073
--- /dev/null
+++ b/config/default/base/manager_webhook_patch.yaml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: operator
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
diff --git a/config/default/base/webhookcainjection_patch.yaml b/config/default/base/webhookcainjection_patch.yaml
new file mode 100644
index 00000000..7cc9d358
--- /dev/null
+++ b/config/default/base/webhookcainjection_patch.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml
index 25e21e3c..3091ac60 100644
--- a/config/webhook/kustomizeconfig.yaml
+++ b/config/webhook/kustomizeconfig.yaml
@@ -1,5 +1,3 @@
-# the following config is for teaching kustomize where to look at when substituting vars.
-# It requires kustomize v2.1.0 or newer to work properly.
 nameReference:
 - kind: Service
 version: v1
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
new file mode 100644
index 00000000..40de2130
--- /dev/null
+++ b/config/webhook/manifests.yaml
@@ -0,0 +1,28 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ creationTimestamp: null
+ name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: webhook-service
+ namespace: system
+ path: /validate-rabbitmq-com-v1alpha1-binding
+ failurePolicy: Fail
+ name: vbinding.kb.io
+ rules:
+ - apiGroups:
+ - rabbitmq.com
+ apiVersions:
+ - v1alpha1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - bindings
+ sideEffects: None
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
index 31e0f829..48414412 100644
--- a/config/webhook/service.yaml
+++ b/config/webhook/service.yaml
@@ -1,4 +1,3 @@
-
 apiVersion: v1
 kind: Service
 metadata:
@@ -9,4 +8,4 @@ spec:
 - port: 443
 targetPort: 9443
 selector:
- control-plane: controller-manager
+ app.kubernetes.io/name: messaging-topology-operator
diff --git a/main.go b/main.go
index 94379a36..38adbe56 100644
--- a/main.go
+++ b/main.go
@@ -21,6 +21,7 @@ import (
 rabbitmqv1beta1 "github.com/rabbitmq/cluster-operator/api/v1beta1"
+ rabbitmqcomv1alpha1 "github.com/rabbitmq/messaging-topology-operator/api/v1alpha1"
 topologyv1alpha1 "github.com/rabbitmq/messaging-topology-operator/api/v1alpha1"
 "github.com/rabbitmq/messaging-topology-operator/controllers"
 // +kubebuilder:scaffold:imports
@@ -43,6 +44,7 @@ func init() {
 _ = rabbitmqv1beta1.AddToScheme(scheme)
 _ = topologyv1alpha1.AddToScheme(scheme)
+ _ = rabbitmqcomv1alpha1.AddToScheme(scheme)
 // +kubebuilder:scaffold:scheme
 }
@@ -118,6 +120,10 @@ func main() {
 log.Error(err, "unable to create controller", "controller", policyControllerName)
 os.Exit(1)
 }
+ if err = (&rabbitmqcomv1alpha1.Binding{}).SetupWebhookWithManager(mgr); err != nil {
+ log.Error(err, "unable to create webhook", "webhook", "Binding")
+ os.Exit(1)
+ }
 // +kubebuilder:scaffold:builder
 log.Info("starting manager")
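Review bot: The new selector `app.kubernetes.io/name: messaging-topology-operator` has to match the labels on the manager pod template, which is outside this diff; if the Deployment in config/manager still carries only `control-plane: controller-manager`, the Service gets no endpoints, and because manifests.yaml registers the validating webhook with `failurePolicy: Fail`, every Binding create and update is then rejected by the API server. Worth confirming against config/manager and recording the coupling on the selector, e.g. `selector: # must match the pod labels in config/manager`.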
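Review bot: The new import alias `rabbitmqcomv1alpha1` points at the same package path as the existing `topologyv1alpha1` (`github.com/rabbitmq/messaging-topology-operator/api/v1alpha1`), so the package is imported twice under two names and `init` now calls `AddToScheme(scheme)` twice for it. Drop the added import line and the added `_ = rabbitmqcomv1alpha1.AddToScheme(scheme)`, and set the webhook up through the existing alias: `if err = (&topologyv1alpha1.Binding{}).SetupWebhookWithManager(mgr); err != nil {`. The same alias appears in all three main.go hunks, so all three shrink to the one added block in `main`.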