Introduce webhook to prevent more than 1 KIP resource in a single namespace #115
Conversation
Signed-off-by: David Kwon <[email protected]>
operator-sdk create webhook --group che --version v1alpha1 --kind KubernetesImagePuller --defaulting --programmatic-validation --force Writing kustomize manifests for you to edit... Writing scaffold for you to edit... api/v1alpha1/kubernetesimagepuller_webhook.go $ operator-sdk version operator-sdk version: "v1.9.2", commit: "319e77f2fff57c6c862bddd64ecf9c562f2d2161", kubernetes version: "1.20.2", go version: "go1.16.6", GOOS: "linux", GOARCH: "amd64" Signed-off-by: David Kwon <[email protected]>
Signed-off-by: David Kwon <[email protected]>
Signed-off-by: David Kwon <[email protected]>
Signed-off-by: David Kwon <[email protected]>
|
Click here to review and test in web IDE: |
1 similar comment
|
Click here to review and test in web IDE: |
…bhook, remove mutating webhook Signed-off-by: David Kwon <[email protected]>
Signed-off-by: dkwon17 <[email protected]>
dkwon17
force-pushed
the
validation-webhook-restrict-cr
branch
from
4c49489 to
4c4d59a
Compare
|
Click here to review and test in web IDE: |
| @@ -169,7 +169,8 @@ bundle: generate manifests download-kustomize download-operator-sdk ## Generate | |||
|
|
|||
| CSV_PATH=$$($(MAKE) csv-path) | |||
| yq -riY '.metadata.annotations.containerImage = "'$(IMG)'"' $${CSV_PATH} | |||
| yq -riY '.spec.install.spec.deployments[0].spec.template.spec.containers[1].image = "'$(IMG)'"' $${CSV_PATH} | |||
| # Update container image for container 'kuebrnetes-image-puller-operator' in the list of deployments | |||
| yq -riY '.spec.install.spec.deployments[0].spec.template.spec.containers[] |= (select(.name == "kubernetes-image-puller-operator") .image |= "'$(IMG)'")' $${CSV_PATH} | |||
There was a problem hiding this comment.
When running make bundle on the dogfooding cluster, the order of the containers are different. This change makes it so that we don't assume that the kubernetes-image-puller-operator container is defined at index 1
Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
| metadata: | ||
| name: validating-webhook-configuration | ||
| annotations: | ||
| cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) |
There was a problem hiding this comment.
I haven't had a chance to test this, but speaking from (distant) experience in setting up similar for DWO -- have we verified this works on both Kubernetes and OpenShift? I recall some differences in how certs for webhooks are managed on OpenShift vs. Kubernetes. On Kubernetes we can use cert-manager but on OpenShift we need (IIRC) the service-ca.
There was a problem hiding this comment.
@dkwon17
We have different configuration for Kubernetes and OpenShift.
Please have a look at [1]. As far as I remember I was inspired from DWO configuration.
| apiVersion: cert-manager.io/v1 | ||
| kind: Issuer | ||
| metadata: | ||
| name: selfsigned-issuer |
There was a problem hiding this comment.
All resources names must be unique, like kubernetes-image-puller-selfsigned-issuer
There was a problem hiding this comment.
I believe it should be prefixed by kustomize on generation
Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
- Create gen-deployment makefile goal. Generates deploy folder for kubernetes and openshift. - Use name-prefix to prefix resources - Move operator service account from rbac directory to manager directory Signed-off-by: David Kwon <[email protected]>
- Create deploy.mk to avoid checking for kubectl or oc when make test is ran within to dockerfile - Create prefix overlay to prevent prefixing csv for bundle build Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
| for file in temp??; do | ||
| name_kind=$$(yq -r '"\(.metadata.name).\(.kind)"' "$${file}") | ||
| mv "$${file}" "$${OBJECTS_DIR}/$${name_kind}.yaml" | ||
| done |
There was a problem hiding this comment.
This is the approach taken by che-operator:
https://github.com/eclipse-che/che-operator/blob/d99f8923f8a7649295ce97e9c0f3650730823278/Makefile#L170-L191
config/kubernetes/kustomization.yaml
Outdated
| # Red Hat, Inc. - initial API and implementation | ||
| # | ||
|
|
||
| namePrefix: k8s-image-puller-operator- |
There was a problem hiding this comment.
I've set the prefix to k8s-image-puller-operator- instead of kubernetes-image-puller-operator- because the longer prefix led to resource names that were too long (IIRC, it was one of the rolebindings)
I stuck with kubernetes-image-puller-operator- to be consistent with the kubernetes-image-puller pod names
| @@ -13,7 +13,7 @@ | |||
| apiVersion: apps/v1 | |||
| kind: Deployment | |||
| metadata: | |||
| name: kubernetes-image-puller-operator | |||
| name: manager | |||
There was a problem hiding this comment.
Because of the new kustomize namePrefix (example) and resource renames, I plan to indicate in the KIP operator release notes what resource names have been changed
Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
Signed-off-by: David Kwon <[email protected]>
|
Click here to review and test in web IDE: |
|
Thanks for the reviews @amisevsk @tolusha, I've updated this PR. The main update is that there is a new goal in the makefile The kubernetes-image-puller-operator/build/make/deploy.mk Lines 23 to 24 in 57b2278 |
Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
|
|
||
| manifests: download-controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. | ||
| $(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases | ||
| $(CONTROLLER_GEN) crd:crdVersions=v1 rbac:roleName=manager-role paths="./..." output:crd:artifacts:config=config/crd/bases |
There was a problem hiding this comment.
if you remove webhook parameter, then you don't need annotation anymore // +kubebuilder:webhook:path ...
|
@dkwon17 |
|
@tolusha I've generated the bundle image and tried it out with Basically to build and deploy on a cluster, I've done:
What is the best way I can check that? |
Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
|
It is hard to review all resources and spot possible issues. So, in order to be sure everything works correctly, we have to:
|
|
I have tested this PR with Kubernetes and OpenShift, as well as the operator upgrade First, I created the operator image: Test make deploy on minikubeRun: (screenshots have a different image tag, it is the same image as
After creating 1 KIP CR in `kubernetes-image-puller-operator` namespace
After trying to create a second KIP CR in `kubernetes-image-puller-operator` namespace:
Test make deploy on openshiftRun:
After creating 1 KIP CR in `kubernetes-image-puller-operator` namespace
After trying to create a second KIP CR in `kubernetes-image-puller-operator` namespace:
|
|
Test and deploy using OLM Run:
KIP operator on the operators tab:
KIP pods after creating a KIP CR in a namespace:
Webhook when trying to create a second KIP CR in the same namespace:
The message appears twice, but this happens only once. Subsequent attempts only result in 1 message. I don't get this problem when trying to create the KIP CR using |
|
Test with release-olm-bundle Run The catalog image is pushed: |
|
Test upgrading KIP operator v1.0.6 to KIP operator v1.1.0
Screenshots
Deployment updated:
The following old components are updated as well Old components
with the exception of the New components
|
|
Is there something else I should check @tolusha ? I will add a new commit updating the readme for:
|
|
I run
The changes below are not critical if old resources are removed after upgrade: |
…m for webhook, update test-bundle.sh Signed-off-by: dkwon17 <[email protected]>
|
Click here to review and test in web IDE: |
|
Yes, I should mention, before |
|
|
Related issue: https://issues.redhat.com/browse/CRW-4980
This PR creates a validation webhook ensures that only one KIP CR can be created in a given namespace:
https://github.com/che-incubator/kubernetes-image-puller-operator/assets/83611742/09e20dad-6ec0-4a07-b326-ce2e40f26a39.
This PR also generates deployment manifests under
deploy/deployment:where manifests under
kubernetesis meant for installation on a kubernetes cluster (requires cert-manager), and manifests underopenshiftis meant for openshift cluster (requires service-ca)This is generated automatically when running
make deploy.How to test this PR
I've already built it here:
quay.io/dkwon17/kubernetes-image-puller-operator:validationThe image can be built by running this command:
defaultnamespace, try to create twoKubernetesImagePullerresources in the same namespace. The webhook should prevent that from happening with an error message:Screenshot
Testing the bundle build
With this PR, building a bundle image and deploying with
operator-sdk run bundleworks as expected:Note: you must have your own
kubernetes-image-puller-operatorandkubernetes-image-puller-operator-bundlerepositories available under your quay account.The Kubernetes Image Puller operator should install successfully, and the webhook functionality described in the How to test this PR should work as well.