Add code to deploy rbac proxy (#13)
* Add code to deploy rbac proxy

* Remove kustomize labels
misohu authored Oct 6, 2023
1 parent 325f096 commit 844678c
Showing 8 changed files with 138 additions and 10 deletions.
6 changes: 6 additions & 0 deletions metadata.yaml
Expand Up @@ -14,8 +14,14 @@ docs: https://discourse.charmhub.io/t/8212
containers:
pvcviewer-operator:
resource: oci-image
kube-rbac-proxy:
resource: oci-image-proxy
resources:
oci-image:
type: oci-image
description: Backing OCI image
upstream-source: docker.io/kubeflownotebookswg/pvcviewer-controller:v1.8.0-rc.1
oci-image-proxy:
type: oci-image
description: OCI image for kube rbac proxy
upstream-source: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
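Review bot: The new `oci-image-proxy` resource at the bottom of the hunk pins kube-rbac-proxy by mutable tag only, `upstream-source: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1`, so the image the charm actually pulls can change without any change to this file. Since this is the component that gates access to the metrics endpoint, pin it by digest, e.g. `upstream-source: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1@sha256:<digest>`, and track the version against upstream kube-rbac-proxy advisories. The existing `oci-image` line above has the same tag-only pin, though that line is not part of this change.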
22 changes: 18 additions & 4 deletions src/charm.py
Expand Up @@ -36,13 +36,14 @@
from ops.main import main

from certs import gen_certs
from components.pebble_component import PvcViewerPebbleService
from components.pebble_component import PvcViewerPebbleService, RbacProxyPebbleService

logger = logging.getLogger(__name__)

CERTS_FOLDER = "/tmp/k8s-webhook-server/serving-certs"
PORT = 443
CONTROLLER_PORT = 9443
WEBHOOK_PORT = 9443
METRICS_PORT = 8443
K8S_RESOURCE_FILES = [
"src/templates/auth_manifests.yaml.j2",
"src/templates/crd_manifests.yaml.j2",
Expand All @@ -60,9 +61,12 @@ def __init__(self, *args):
self._namespace = self.model.name

# Expose controller's port
http_port = ServicePort(port=PORT, targetPort=CONTROLLER_PORT, name=f"{self.app.name}")
webhook_port = ServicePort(port=PORT, targetPort=WEBHOOK_PORT, name=f"{self.app.name}")
metrics_port = ServicePort(
port=METRICS_PORT, targetPort=METRICS_PORT, name=f"{self.app.name}-metrics"
)
self.service_patcher = KubernetesServicePatch(
self, [http_port], service_name=f"{self.model.app.name}"
self, [webhook_port, metrics_port], service_name=f"{self.model.app.name}"
)

self.charm_reconciler = CharmReconciler(self)
Expand Down Expand Up @@ -143,6 +147,16 @@ def __init__(self, *args):
depends_on=[self.kubernetes_resources],
)

self.pebble_service_container_proxy = self.charm_reconciler.add(
component=RbacProxyPebbleService(
charm=self,
name="kube-rbac-proxy-pebble-service",
container_name="kube-rbac-proxy",
service_name="kube-rbac-proxy",
),
depends_on=[self.kubernetes_resources],
)

self.charm_reconciler.install_default_event_handlers()

def _gen_certs_if_missing(self) -> None:
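Review bot: The comment `# Expose controller's port` above the new `metrics_port` is now stale: the Service publishes two ports, the webhook on 443→9443 and the kube-rbac-proxy listener on 8443. Replace it with `# Expose the webhook port and the kube-rbac-proxy metrics port on the app Service` so a reader does not take 8443 for a second unauthenticated controller port. The new `RbacProxyPebbleService` only declares `depends_on=[self.kubernetes_resources]`; if the proxy is meant to serve the certificate the charm generates via `_gen_certs_if_missing` into `CERTS_FOLDER`, it also needs to wait for that step, but the certificate wiring is not visible in this hunk so this is worth confirming. `__init__` starts and ends outside the hunk.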
25 changes: 24 additions & 1 deletion src/components/pebble_component.py
Expand Up @@ -23,7 +23,30 @@ def get_layer(self) -> Layer:
self.service_name: {
"override": "replace",
"summary": "Entry point for pvcviewer image",
"command": "/manager --leader-elect",
"command": "/manager --health-probe-bind-address=:8081 --metrics-bind-address=127.0.0.1:8080 --leader-elect", # noqa: E501
"startup": "enabled",
}
},
}
)


class RbacProxyPebbleService(PebbleServiceComponent):
def get_layer(self) -> Layer:
"""Defines and returns Pebble layer configuration
This method is required for subclassing PebbleServiceContainer
"""
logger.info("PebbleServiceComponent.get_layer executing")
return Layer(
{
"summary": "kube rbac proxy layer",
"description": "Pebble config layer for kube rbac proxy",
"services": {
self.service_name: {
"override": "replace",
"summary": "Entry point for kube rbac proxy image",
"command": "/usr/local/bin/kube-rbac-proxy --secure-listen-address=0.0.0.0:8443 --upstream=http://127.0.0.1:8080/ --logtostderr=true --v=0", # noqa: E501
"startup": "enabled",
}
},
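Review bot: The kube-rbac-proxy command in `RbacProxyPebbleService.get_layer` passes no `--tls-cert-file`/`--tls-private-key-file`, so the `0.0.0.0:8443` listener will, per kube-rbac-proxy's documented behaviour, serve a self-signed certificate generated at start-up; every scraper then has to skip verification or fail, which undercuts terminating TLS at the proxy. The charm already produces a serving certificate (`gen_certs`/`CERTS_FOLDER` in charm.py), so once the charm pushes those files into the `kube-rbac-proxy` container the command should gain `--tls-cert-file=<pushed cert> --tls-private-key-file=<pushed key>`, and `--tls-min-version=VersionTLS12` is cheap to add at the same time. Moving the manager's metrics to `--metrics-bind-address=127.0.0.1:8080` is the right half of this change: that listener is then reachable only from inside the pod, which is what makes the proxy the sole route to `/metrics`. `--health-probe-bind-address=:8081` still binds all interfaces; that is the kubebuilder default and serves no metrics, but a one-line comment in the layer saying so would stop someone later fronting it with the proxy by mistake.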
54 changes: 52 additions & 2 deletions src/templates/auth_manifests.yaml.j2
Expand Up @@ -3,22 +3,43 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: controller-manager-sa
app.kubernetes.io/name: serviceaccount
app.kubernetes.io/part-of: {{ app_name }}
name: {{ app_name }}
namespace: {{ namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: metrics-reader
app.kubernetes.io/name: clusterrole
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-metrics-reader
rules:
- nonResourceURLs:
- "/metrics"
- /metrics
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: proxy-rolebinding
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand All @@ -32,6 +53,13 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: kube-rbac-proxy
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: proxy-role
app.kubernetes.io/name: clusterrole
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-proxy-role
rules:
- apiGroups:
Expand All @@ -50,6 +78,13 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: leader-election-rolebinding
app.kubernetes.io/name: rolebinding
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-leader-election-rolebinding
namespace: {{ namespace }}
roleRef:
Expand All @@ -65,6 +100,13 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: leader-election-role
app.kubernetes.io/name: role
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-leader-election-role
namespace: {{ namespace }}
rules:
Expand Down Expand Up @@ -103,6 +145,13 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: {{ app_name }}
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: manager-rolebinding
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
Expand All @@ -116,7 +165,8 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app: {{ app_name }}
name: pvcviewer-role
rules:
- apiGroups:
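Review bot: The new labels are templated on `{{ app_name }}`, but the cluster-scoped names they are attached to stay hard-coded (`pvcviewer-metrics-reader`, `pvcviewer-proxy-rolebinding`, `pvcviewer-proxy-role`, `pvcviewer-manager-rolebinding`), so two deployments of this charm in one cluster would contend for the same ClusterRoles and ClusterRoleBindings and whichever applied last would rebind them to its own ServiceAccount. Templating those names as `{{ app_name }}-metrics-reader`, `{{ app_name }}-proxy-rolebinding` and so on would match the new labels and keep each instance's RBAC isolated; the `roleRef`/`subjects` blocks that would need the same edit fall partly outside the visible lines. This is pre-existing rather than introduced here, but the labelling pass is the natural place to fix it.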
16 changes: 14 additions & 2 deletions src/templates/crd_manifests.yaml.j2
Expand Up @@ -3,10 +3,22 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: kubeflow/pvcviewer-serving-cert
controller-gen.kubebuilder.io/version: v0.8.0
creationTimestamp: null
labels:
app: {{ app_name }}
name: pvcviewers.kubeflow.org
spec:
conversion:
strategy: Webhook
webhook:
clientConfig:
service:
name: {{ webhook_service_name }}
namespace: {{ namespace }}
path: /convert
conversionReviewVersions:
- v1
group: kubeflow.org
names:
kind: PVCViewer
Expand Down Expand Up @@ -3143,4 +3155,4 @@ status:
kind: ""
plural: ""
conditions: []
storedVersions: []
storedVersions: []
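Review bot: The new `cert-manager.io/inject-ca-from: kubeflow/pvcviewer-serving-cert` annotation hard-codes the `kubeflow` namespace while the conversion webhook a few lines below uses `{{ namespace }}`, and it names a cert-manager Certificate that nothing in this charm creates: the charm generates its own serving certificate (`gen_certs` in charm.py). If cert-manager is installed and a Certificate by that name exists in `kubeflow`, cainjector will overwrite whatever `caBundle` the charm sets on this CRD with a CA the webhook does not serve, and `/convert` calls will fail TLS verification; if it does not exist, the annotation is dead configuration. Either drop the annotation or template it as `cert-manager.io/inject-ca-from: {{ namespace }}/pvcviewer-serving-cert` and render it only when cert-manager actually manages the certificate. The `clientConfig.service` block carries no `caBundle` in the visible lines, so confirm the charm patches one in, otherwise the API server has no trust anchor for the conversion endpoint.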
18 changes: 18 additions & 0 deletions src/templates/webhook_manifests.yaml.j2
@@ -1,6 +1,15 @@
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: kubeflow/pvcviewer-serving-cert
labels:
app: {{ app_name }}
app.kubernetes.io/component: webhook
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: mutating-webhook-configuration
app.kubernetes.io/name: mutatingwebhookconfiguration
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-mutating-webhook-configuration
webhooks:
- admissionReviewVersions:
Expand Down Expand Up @@ -28,6 +37,15 @@ webhooks:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: kubeflow/pvcviewer-serving-cert
labels:
app: {{ app_name }}
app.kubernetes.io/component: webhook
app.kubernetes.io/created-by: {{ app_name }}
app.kubernetes.io/instance: validating-webhook-configuration
app.kubernetes.io/name: validatingwebhookconfiguration
app.kubernetes.io/part-of: {{ app_name }}
name: pvcviewer-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
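Review bot: Both webhook configurations gain `cert-manager.io/inject-ca-from: kubeflow/pvcviewer-serving-cert`, which hard-codes the `kubeflow` namespace instead of `{{ namespace }}` and points at a cert-manager Certificate this charm does not create, since the charm issues its own serving cert via `gen_certs`. Where cert-manager is present and that Certificate exists, cainjector will replace the `caBundle` the charm installs with a CA the webhook does not present, so admission calls fail TLS verification: with `failurePolicy: Fail` that blocks every PVCViewer create/update, with `Ignore` validation is silently bypassed, and the `failurePolicy` is not visible in this hunk, so check which one applies. Either remove the annotation or template it as `cert-manager.io/inject-ca-from: {{ namespace }}/pvcviewer-serving-cert` and emit it only when cert-manager is the certificate source.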
3 changes: 2 additions & 1 deletion tests/integration/test_charm.py
Expand Up @@ -115,7 +115,8 @@ async def test_build_and_deploy(ops_test: OpsTest):

charm_under_test = await ops_test.build_charm(".")
image_path = METADATA["resources"]["oci-image"]["upstream-source"]
resources = {"oci-image": image_path}
image_path_proxy = METADATA["resources"]["oci-image-proxy"]["upstream-source"]
resources = {"oci-image": image_path, "oci-image-proxy": image_path_proxy}
await ops_test.model.deploy(
charm_under_test, resources=resources, application_name=CHARM_NAME, trust=True
)
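Review bot: The test now supplies the proxy image in `resources`, but nothing exercises what the proxy is for: an unauthenticated request to the new 8443 metrics port should be rejected, and the manager's own 8080 listener should not be reachable from outside the pod. A follow-up test that requests `https://<app>:8443/metrics` from an in-cluster pod without a bearer token and expects 401, and again with a ServiceAccount bound to `pvcviewer-metrics-reader` expecting 200, would turn the RBAC wiring in `auth_manifests.yaml.j2` into a regression-checked guarantee rather than an assumption. `test_build_and_deploy` continues outside the hunk.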
4 changes: 4 additions & 0 deletions tests/unit/test_operator.py
Expand Up @@ -74,6 +74,7 @@ def test_pebble_services_running(
# Arrange
harness.begin()
harness.set_can_connect("pvcviewer-operator", True)
harness.set_can_connect("kube-rbac-proxy", True)

# Mock:
# * leadership_gate to have get_status=>Active
Expand All @@ -87,8 +88,11 @@ def test_pebble_services_running(

# Assert
container = harness.charm.unit.get_container("pvcviewer-operator")
container_rbac_proxy = harness.charm.unit.get_container("kube-rbac-proxy")
service = container.get_service("pvcviewer-operator")
service_rbac_proxy = container_rbac_proxy.get_service("kube-rbac-proxy")
assert service.is_running()
assert service_rbac_proxy.is_running()


def test_get_certs(harness, mocked_lightkube_client, mocked_kubernetes_service_patch):
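Review bot: The new assertions only check that the `kube-rbac-proxy` service is running; they would still pass if someone later reverted the manager to `--metrics-bind-address=0.0.0.0:8080` or pointed the proxy's `--upstream` elsewhere, which is exactly the regression that would re-expose metrics without authentication. Pin the layer contents as well: `assert "--metrics-bind-address=127.0.0.1:8080" in container.get_plan().services["pvcviewer-operator"].command` and `assert "--upstream=http://127.0.0.1:8080/" in container_rbac_proxy.get_plan().services["kube-rbac-proxy"].command`. `test_pebble_services_running` starts outside the hunk.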

0 comments on commit 844678c

Please sign in to comment.