Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(api): combine Cryostat and ClusterCryostat CRDs #721

Merged
merged 11 commits into from
Feb 13, 2024

Conversation

ebaron
Copy link
Member

@ebaron ebaron commented Feb 2, 2024

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Fixes: #583

Description of the change:

  • Adds a v1beta2 version of the Cryostat CRD. At the moment, this is identical to v1beta1 except for the TargetNamespaces field in the spec and status.
  • Also temporarily adds a v1beta2 version of the ClusterCryostat CRD. This is identical to v1beta1, except the TargetNamespaces are now inherited from the v1beta2 CryostatSpec/Status. I intend to remove this CRD before release of 3.0, but left it in for now to avoid complicating this PR any further.
  • Adds a conversion webhook to convert to and from the v1beta1 and v1beta2 CRDs. This is unfortunately a lot of manual copying between structs, but I included some tests that take advantage of our many existing different test CRs. I copied these CRs to a test/conversion.go file where they return a v1beta1 copy of the CR instead.
  • Adds a defaulting webhook to automatically set the Spec.TargetNamespaces to the CR's namespace, if left unset. This retains the previous behaviour of the v1beta1 CRD.
  • Adds a validating webhook, which is probably the most interesting part of this PR. When a user creates or updates a Cryostat CR, the webhook performs a SubjectAccessReview on the requesting user against each of the target namespaces specified. The user is required to have create permissions on the Cryostat CRD in those namespaces for the check to pass. This ensures that a user can only create a multi-namespace Cryostat if they would have the permissions to create single namespace Cryostats in each of those namespaces.

Motivation for the change:

  • Consolidating the CRDs simplifies the experience of using the operator and also simplifies the amount of cases we need to test and support. Using the same CRD, a user will be able to create a single namespace Cryostat, or a multi-namespace Cryostat for any namespaces they're authorized for.

How to manually test:

  1. To test the conversion webhook: create a v1beta1 Cryostat CR. Query it back with kubectl and you should see it's a v1beta2 with the targetNamespaces set to the CR's namespace.
  2. To test the defaulting webhook: create a v1beta2 Cryostat CR with no spec.targetNamespaces. Query it with kubectl, and you should see the targetNamespaces set to the CR's namespace.
  3. To test the validating webhook: create a multi-namespace Cryostat CR with target namespaces that you permission to create Cryostat CRs in. This should succeed. Then try again with a target namespace that you don't have the create Cryostat permission for. This should fail.

@ebaron ebaron added the feat New feature or request label Feb 2, 2024
@mergify mergify bot added the safe-to-test label Feb 2, 2024
@ebaron ebaron marked this pull request as ready for review February 12, 2024 15:08
@ebaron ebaron requested review from a team February 12, 2024 15:08
@ebaron
Copy link
Member Author

ebaron commented Feb 12, 2024

This should be ready for review now. Apologies for the large PR, there's a lot of interconnected pieces when bumping the API version.

Copy link
Member

@andrewazores andrewazores left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few thoughts that came up. These are all things to address later.

dst.ServiceOptions = convertServiceOptionsTo(src.ServiceOptions)
dst.NetworkOptions = convertNetworkOptionsTo(src.NetworkOptions)
dst.ReportOptions = convertReportOptionsTo(src.ReportOptions)
dst.MaxWsConnections = src.MaxWsConnections
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we have an equivalent MaxWsConnections config in 3.0 and I'm not sure if we should bother reimplementing this. I think this is an old holdover from when the UI didn't work too well with concurrent users in the 1.0 days.

dst.Minimal = src.Minimal
dst.EnableCertManager = src.EnableCertManager
dst.TrustedCertSecrets = convertCertSecretsTo(src.TrustedCertSecrets)
dst.EventTemplates = convertEventTemplatesTo(src.EventTemplates)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3.0 hasn't yet reimplemented custom event templates, but when it does I'm expecting that to be done by using S3 storage rather than direct PVC access. That'll make it more complicated to support the feature from the CR level. Maybe we should drop this like we dropped the FlightRecording CRD?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would there still be a way to do this declaratively? I haven't really used this feature much, but I could see this being useful for GitOps-managed clusters.

Copy link
Member

@andrewazores andrewazores Feb 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess there are a few apparent routes:

  1. the Operator uses an HTTP client and creates the custom event templates on the Cryostat application instances through the API like any other client. This way they still end up in S3 along with any others the user may create, but without relying on the filesystem internal details
  2. when we do reimplement custom event templates in 3.0, we do it by direct filesystem access (PVC) like we had before rather than S3
  3. use S3 as a read-write store in addition to a read-only direct filesystem PVC source where additional templates can be mounted. The PVC-backed storage could also be read-write but then we need to figure out how to make the distinction apparent to users through the UI and give them a choice which one they write into etc. which is probably excessive

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there are other cases of things that could be useful for things like GitOps clusters, like Automated Rules as a CRD. In 3.0 those are defined in a Postgres table so IMO the most sensible way would be for the Operator to talk to Cryostat via the HTTP API there, too.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That seems reasonable. These sorts of features would likely never be possible for the Helm Chart, but that could be an advantage of using the operator instead.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then again, we do have other things that seem to make the most sense as files directly injected into the PVC still, like TLS certs...

}

func convertSpecFrom(src *operatorv1beta2.CryostatSpec, dst *CryostatSpec) {
dst.Minimal = src.Minimal
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in favour of removing the minimal config option: cryostatio/cryostat-helm#122

@ebaron
Copy link
Member Author

ebaron commented Feb 12, 2024

/build_test

@ebaron
Copy link
Member Author

ebaron commented Feb 12, 2024

@andrewazores
Copy link
Member

So the equivalent to the old ClusterCryostat InstallNamespace is now just that the Operator will deploy Cryostat into the Namespace in which the Cryostat CR is created, right?


When I try to create a new Cryostat CR through the OpenShift UI:

image

The TargetNamespaces list is just a text list, no dropdown selector of namespaces to choose from. Is that expected now?

@ebaron
Copy link
Member Author

ebaron commented Feb 12, 2024

So the equivalent to the old ClusterCryostat InstallNamespace is now just that the Operator will deploy Cryostat into the Namespace in which the Cryostat CR is created, right?

That's right.

When I try to create a new Cryostat CR through the OpenShift UI:

image

The TargetNamespaces list is just a text list, no dropdown selector of namespaces to choose from. Is that expected now?

Thanks for noticing this. We had a Kustomize patch for the ClusterCryostat CRD to add the descriptors. It didn't seem to be possible to define the x-descriptor using markers for the array elements, as opposed to the array itself.

I updated the patch and also the initialization resource (the UI prompt to create a Cryostat) from v1beta1 to v1beta2.

@ebaron ebaron merged commit 30ad2ba into cryostatio:cryostat3 Feb 13, 2024
5 checks passed
andrewazores pushed a commit that referenced this pull request Feb 22, 2024
* feat(api): combine Cryostat and ClusterCryostat CRDs

* Make webhook internal, add tests

* Add v1beta2 apiVersion with conversion webhook

* Add conversion webhook tests

* Run multi-namespace tests for Cryostat CRD

* Formatting, generate bundle

* Enable conversion webhooks

* add conversion webhook to bundle, fixes

* Remove log message

* Update spec descriptors patch and initialization resource

---------

Signed-off-by: Elliott Baron <[email protected]>
mwangggg pushed a commit to mwangggg/cryostat-operator that referenced this pull request Feb 29, 2024
* feat(api): combine Cryostat and ClusterCryostat CRDs

* Make webhook internal, add tests

* Add v1beta2 apiVersion with conversion webhook

* Add conversion webhook tests

* Run multi-namespace tests for Cryostat CRD

* Formatting, generate bundle

* Enable conversion webhooks

* add conversion webhook to bundle, fixes

* Remove log message

* Update spec descriptors patch and initialization resource

---------

Signed-off-by: Elliott Baron <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat New feature or request safe-to-test
Projects
No open projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants