feat: Automatically create the container build SCC if containerBuildC… (

#1542) * feat: Automatically create the container build SCC if containerBuildCapability is enabled Signed-off-by: Anatolii Bazko <[email protected]>
eclipse-che · Oct 18, 2022 · 21b652e · 21b652e
1 parent 774f8bf
commit 21b652e
Show file tree

Hide file tree

Showing 42 changed files with 7,900 additions and 16 deletions.
diff --git a/Makefile b/Makefile
@@ -262,6 +262,9 @@ gen-chectl-tmpl: ## Generate Eclipse Che k8s deployment resources used by chectl
 	if [[ -f $${src}/org.eclipse.che.ValidatingWebhookConfiguration.yaml ]]; then
 	  cp $${src}/org.eclipse.che.ValidatingWebhookConfiguration.yaml $${cheOperatorDst}/org.eclipse.che.ValidatingWebhookConfiguration.yaml
 	fi
+	if [[ -f $${src}/org.eclipse.che.MutatingWebhookConfiguration.yaml ]]; then
+	  cp $${src}/org.eclipse.che.MutatingWebhookConfiguration.yaml $${cheOperatorDst}/org.eclipse.che.MutatingWebhookConfiguration.yaml
+	fi
 	cp $${src}/che-operator-serving-cert.Certificate.yaml $${cheOperatorDst}/serving-cert.yaml
 	cp $${src}/che-operator-selfsigned-issuer.Issuer.yaml $${cheOperatorDst}/selfsigned-issuer.yaml
 
@@ -351,6 +354,7 @@ install-che-operands: generate manifests download-kustomize download-gateway-res
 
 	# Disable Webhooks since che operator pod is scaled down
 	$(K8S_CLI) delete validatingwebhookconfiguration org.eclipse.che
+	$(K8S_CLI) delete mutatingwebhookconfiguration org.eclipse.che
 	$(K8S_CLI) patch crd checlusters.org.eclipse.che --patch '{"spec": {"conversion": null}}' --type=merge
 
 	$(MAKE) store_tls_cert

diff --git a/PROJECT b/PROJECT
@@ -26,6 +26,7 @@ resources:
   version: v2
   webhooks:
     conversion: true
+    defaulting: true
     validation: true
     webhookVersion: v1
 version: "3"
diff --git a/api/v2/checluster_types.go b/api/v2/checluster_types.go
@@ -111,6 +111,9 @@ type CheClusterDevEnvironments struct {
 	// +optional
 	// +kubebuilder:default:=true
 	DisableContainerBuildCapabilities *bool `json:"disableContainerBuildCapabilities,omitempty"`
+	// Container build configuration.
+	// +optional
+	ContainerBuildConfiguration *ContainerBuildConfiguration `json:"containerBuildConfiguration,omitempty"`
 }
 
 // Che components configuration.
@@ -628,6 +631,14 @@ type BitBucketService struct {
 	Endpoint string `json:"endpoint,omitempty"`
 }
 
+// Container build configuration.
+type ContainerBuildConfiguration struct {
+	// OpenShift security context constraint to build containers.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default:=container-build
+	OpenShiftSecurityContextConstraint string `json:"openShiftSecurityContextConstraint,omitempty"`
+}
+
 // GatewayPhase describes the different phases of the Che gateway lifecycle.
 type GatewayPhase string
 
@@ -797,3 +808,11 @@ func (c *CheCluster) GetIdentityToken() string {
 func (c *CheCluster) IsAccessTokenConfigured() bool {
 	return c.GetIdentityToken() == constants.AccessToken
 }
+
+func (c *CheCluster) IsContainerBuildCapabilitiesEnabled() bool {
+	return c.Spec.DevEnvironments.DisableContainerBuildCapabilities != nil && !*c.Spec.DevEnvironments.DisableContainerBuildCapabilities
+}
+
+func (c *CheCluster) IsOpenShiftSecurityContextConstraintSet() bool {
+	return c.Spec.DevEnvironments.ContainerBuildConfiguration != nil && c.Spec.DevEnvironments.ContainerBuildConfiguration.OpenShiftSecurityContextConstraint != ""
+}
diff --git a/api/v2/checluster_webhook.go b/api/v2/checluster_webhook.go
@@ -40,6 +40,15 @@ func (r *CheCluster) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
+var _ webhook.Defaulter = &CheCluster{}
+
+// Default implements webhook.Defaulter so a webhook will be registered for the type
+func (r *CheCluster) Default() {
+	if r.IsContainerBuildCapabilitiesEnabled() && r.Spec.DevEnvironments.ContainerBuildConfiguration == nil {
+		r.Spec.DevEnvironments.ContainerBuildConfiguration = &ContainerBuildConfiguration{}
+	}
+}
+
 var _ webhook.Validator = &CheCluster{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type

diff --git a/api/v2/zz_generated.deepcopy.go b/api/v2/zz_generated.deepcopy.go
diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@@ -77,7 +77,7 @@ metadata:
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
     repository: https://github.com/eclipse-che/che-operator
     support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.55.0-699.next
+  name: eclipse-che-preview-openshift.v7.56.0-707.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -863,6 +863,15 @@ spec:
                 - subjectaccessreviews
               verbs:
                 - create
+            - apiGroups:
+                - security.openshift.io
+              resources:
+                - securitycontextconstraints
+              verbs:
+                - get
+                - create
+                - delete
+                - update
           serviceAccountName: che-operator
       deployments:
         - name: che-operator
@@ -1230,7 +1239,7 @@ spec:
   maturity: stable
   provider:
     name: Eclipse Foundation
-  version: 7.55.0-699.next
+  version: 7.56.0-707.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1
@@ -1253,6 +1262,27 @@ spec:
       targetPort: 9443
       type: ValidatingAdmissionWebhook
       webhookPath: /validate-org-eclipse-che-v2-checluster
+    - admissionReviewVersions:
+        - v1
+        - v1beta1
+      containerPort: 443
+      deploymentName: che-operator
+      failurePolicy: Fail
+      generateName: mchecluster.kb.io
+      rules:
+        - apiGroups:
+            - org.eclipse.che
+          apiVersions:
+            - v2
+          operations:
+            - CREATE
+            - UPDATE
+          resources:
+            - checlusters
+      sideEffects: None
+      targetPort: 9443
+      type: MutatingAdmissionWebhook
+      webhookPath: /mutate-org-eclipse-che-v2-checluster
     - admissionReviewVersions:
         - v1
         - v2

diff --git a/bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml b/bundle/next/eclipse-che-preview-openshift/manifests/org.eclipse.che_checlusters.yaml
@@ -5414,6 +5414,15 @@ spec:
                       pvcStrategy: per-user
                   description: Development environment default configuration options.
                   properties:
+                    containerBuildConfiguration:
+                      description: Container build configuration.
+                      properties:
+                        openShiftSecurityContextConstraint:
+                          default: container-build
+                          description: OpenShift security context constraint to build
+                            containers.
+                          type: string
+                      type: object
                     defaultComponents:
                       default:
                         - container:

diff --git a/config/crd/bases/org.eclipse.che_checlusters.yaml b/config/crd/bases/org.eclipse.che_checlusters.yaml
@@ -5275,6 +5275,15 @@ spec:
                     pvcStrategy: per-user
                 description: Development environment default configuration options.
                 properties:
+                  containerBuildConfiguration:
+                    description: Container build configuration.
+                    properties:
+                      openShiftSecurityContextConstraint:
+                        default: container-build
+                        description: OpenShift security context constraint to build
+                          containers.
+                        type: string
+                    type: object
                   defaultComponents:
                     default:
                     - container:

diff --git a/config/kubernetes/patches/cainjection_in_webhook.yaml b/config/kubernetes/patches/cainjection_in_webhook.yaml
@@ -9,7 +9,14 @@
 # Contributors:
 #   Red Hat, Inc. - initial API and implementation
 #
-
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: org.eclipse.che
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:

diff --git a/config/rbac/cluster_role.yaml b/config/rbac/cluster_role.yaml
@@ -391,4 +391,13 @@ rules:
     resources:
       - subjectaccessreviews
     verbs:
-      - create
+      - create
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - get
+      - create
+      - delete
+      - update
diff --git a/config/webhook/webhooks.yaml b/config/webhook/webhooks.yaml
@@ -9,7 +9,39 @@
 # Contributors:
 #   Red Hat, Inc. - initial API and implementation
 #
-
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: org.eclipse.che
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+webhooks:
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        name: che-operator-service
+        namespace: eclipse-che
+        path: /mutate-org-eclipse-che-v2-checluster
+    failurePolicy: Fail
+    name: mchecluster.kb.io
+    rules:
+      - apiGroups:
+          - org.eclipse.che
+        apiVersions:
+          - v2
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - checlusters
+    sideEffects: None
+---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:

diff --git a/controllers/che/checluster_controller.go b/controllers/che/checluster_controller.go
@@ -15,9 +15,11 @@ package che
 import (
 	"context"
 
+	"github.com/eclipse-che/che-operator/pkg/common/test"
+	containerbuild "github.com/eclipse-che/che-operator/pkg/deploy/container-build"
+
 	"github.com/devfile/devworkspace-operator/pkg/infrastructure"
 	"github.com/eclipse-che/che-operator/pkg/common/chetypes"
-	"github.com/eclipse-che/che-operator/pkg/common/test"
 	"github.com/eclipse-che/che-operator/pkg/common/utils"
 	"github.com/eclipse-che/che-operator/pkg/deploy"
 	"github.com/eclipse-che/che-operator/pkg/deploy/consolelink"
@@ -114,6 +116,7 @@ func NewReconciler(
 	reconcileManager.RegisterReconciler(dashboard.NewDashboardReconciler())
 	reconcileManager.RegisterReconciler(gateway.NewGatewayReconciler())
 	reconcileManager.RegisterReconciler(server.NewCheServerReconciler())
+	reconcileManager.RegisterReconciler(containerbuild.NewContainerBuildReconciler())
 
 	if infrastructure.IsOpenShift() {
 		reconcileManager.RegisterReconciler(consolelink.NewConsoleLinkReconciler())

diff --git a/deploy/deployment/kubernetes/combined.yaml b/deploy/deployment/kubernetes/combined.yaml
@@ -3616,6 +3616,14 @@ spec:
                     pvcStrategy: per-user
                 description: Development environment default configuration options.
                 properties:
+                  containerBuildConfiguration:
+                    description: Container build configuration.
+                    properties:
+                      openShiftSecurityContextConstraint:
+                        default: container-build
+                        description: OpenShift security context constraint to build containers.
+                        type: string
+                    type: object
                   defaultComponents:
                     default:
                     - container:
@@ -5612,6 +5620,15 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - get
+  - create
+  - delete
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -5866,6 +5883,40 @@ spec:
   selfSigned: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: eclipse-che/che-operator-serving-cert
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+  name: org.eclipse.che
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: che-operator-service
+      namespace: eclipse-che
+      path: /mutate-org-eclipse-che-v2-checluster
+  failurePolicy: Fail
+  name: mchecluster.kb.io
+  rules:
+  - apiGroups:
+    - org.eclipse.che
+    apiVersions:
+    - v2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - checlusters
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   annotations:

diff --git a/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml b/deploy/deployment/kubernetes/objects/che-operator.ClusterRole.yaml
@@ -392,3 +392,12 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
+- apiGroups:
+  - security.openshift.io
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - get
+  - create
+  - delete
+  - update