From bf58e9bcde75dbac97cfb3e3036132329a034f7f Mon Sep 17 00:00:00 2001 From: Balazs Gibizer Date: Wed, 27 Sep 2023 15:22:56 +0200 Subject: [PATCH] Add missing NovaCompute CRD definitions --- PROJECT | 13 + ...nova.openstack.org_novacomputeironics.yaml | 275 ------------------ ...nova.openstack.org_novacomputeironics.yaml | 275 ------------------ config/crd/kustomization.yaml | 1 + .../patches/cainjection_in_novacomputes.yaml | 7 + .../crd/patches/webhook_in_novacomputes.yaml | 16 + .../nova-operator.clusterserviceversion.yaml | 5 + config/rbac/novacompute_editor_role.yaml | 24 ++ config/rbac/novacompute_viewer_role.yaml | 20 ++ hack/clean_local_webhook.sh | 2 + hack/configure_local_webhook.sh | 56 ++++ 11 files changed, 144 insertions(+), 550 deletions(-) delete mode 100644 api/bases/nova.openstack.org_novacomputeironics.yaml delete mode 100644 config/crd/bases/nova.openstack.org_novacomputeironics.yaml create mode 100644 config/crd/patches/cainjection_in_novacomputes.yaml create mode 100644 config/crd/patches/webhook_in_novacomputes.yaml create mode 100644 config/rbac/novacompute_editor_role.yaml create mode 100644 config/rbac/novacompute_viewer_role.yaml diff --git a/PROJECT b/PROJECT index 46a4eaa54..89c2c00a5 100644 --- a/PROJECT +++ b/PROJECT @@ -98,4 +98,17 @@ resources: defaulting: true validation: true webhookVersion: v1 +- api: + crdVersion: v1 + namespaced: true + controller: true + domain: openstack.org + group: nova + kind: NovaCompute + path: github.com/openstack-k8s-operators/nova-operator/api/v1beta1 + version: v1beta1 + webhooks: + defaulting: true + validation: true + webhookVersion: v1 version: "3" diff --git a/api/bases/nova.openstack.org_novacomputeironics.yaml b/api/bases/nova.openstack.org_novacomputeironics.yaml deleted file mode 100644 index 3a6cd56aa..000000000 --- a/api/bases/nova.openstack.org_novacomputeironics.yaml +++ /dev/null 
@@ -1,275 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: novacomputes.nova.openstack.org -spec: - group: nova.openstack.org - names: - kind: NovaCompute - listKind: NovaComputeList - plural: novacomputes - singular: novacompute - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: NetworkAttachments - jsonPath: .spec.networkAttachments - name: NetworkAttachments - type: string - - description: Status - jsonPath: .status.conditions[0].status - name: Status - type: string - - description: Message - jsonPath: .status.conditions[0].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: NovaCompute is the Schema for the NovaCompute - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NovaComputeSpec defines the desired state of NovaCompute - properties: - cellDatabaseHostname: - description: CellDatabaseHostname - hostname to use when accessing - the cell DB - type: string - cellDatabaseUser: - default: nova - description: CellDatabaseUser - username to use when accessing the - cell DB - type: string - cellMessageBusSecretName: - description: CellMessageBusSecretName - the name of the Secret conntaining - the transport URL information to use when accessing the API message - bus. - type: string - cellName: - description: CellName is the name of the Nova Cell this novncproxy - belongs to. - type: string - containerImage: - description: The service specific Container Image URL (will be set - to environmental default if empty) - type: string - customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as custom.conf - file. - type: string - debug: - description: Debug - enable debug for different deploy stages. If - an init container is used, it runs and the actual action pod gets - started with sleep infinity - properties: - preserveJobs: - default: false - description: PreserveJobs - do not delete jobs after they finished - e.g. 
to check logs - type: boolean - stopDBSync: - default: false - description: 'StopDBSync allows stopping the init container before - running db sync to apply the DB schema QUESTION(gibi): Not all - CR will run dbsync, should we have per CR Debug struct or keep - this generic one and ignore fields in the controller that are - not applicable' - type: boolean - stopService: - default: false - description: 'StopService allows stopping the service container - before staring the openstack service binary QUESTION(gibi): - Not all CR will run a service, should we have per CR Debug struct - or keep this generic one and ignore fields in the controller - that are not applicable' - type: boolean - type: object - defaultConfigOverwrite: - additionalProperties: - type: string - description: ConfigOverwrite - interface to overwrite default config - files like e.g. logging.conf or policy.json. But can also be used - to add additional files. Those get added to the service config dir - in /etc/ . - type: object - keystoneAuthURL: - type: string - networkAttachments: - description: NetworkAttachments is a list of NetworkAttachment resource - names to expose the services to the given network - items: - type: string - type: array - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to target subset of worker nodes running - this service - type: object - replicas: - default: 1 - description: Replicas of the service to run - format: int32 - maximum: 32 - minimum: 0 - type: integer - resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. 
It can only be set - for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - secret: - description: Secret is the name of the Secret instance containing - password information for the NovaCompute service. This secret - is expected to be generated by the nova-operator based on the information - passed to the Nova CR. 
- type: string - serviceAccount: - description: ServiceAccount - service account name used internally - to provide Nova services the default SA name - type: string - serviceUser: - default: nova - description: ServiceUser - optional username used for this service - to register in keystone - type: string - required: - - cellDatabaseHostname - - cellMessageBusSecretName - - cellName - - keystoneAuthURL - - secret - - serviceAccount - type: object - status: - description: NovaComputeStatus defines the observed state of NovaCompute - properties: - conditions: - description: Conditions - items: - description: Condition defines an observation of a API resource - operational state. - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. - format: date-time - type: string - message: - description: A human readable message indicating details about - the transition. - type: string - reason: - description: The reason for the condition's last transition - in CamelCase. - type: string - severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition in CamelCase. 
- type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - hash: - additionalProperties: - type: string - description: Map of hashes to track e.g. job status - type: object - networkAttachments: - additionalProperties: - items: - type: string - type: array - description: NetworkAttachments status of the deployment pods - type: object - readyCount: - description: ReadyCount defines the number of replicas ready from - NovaCompute - format: int32 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/crd/bases/nova.openstack.org_novacomputeironics.yaml b/config/crd/bases/nova.openstack.org_novacomputeironics.yaml deleted file mode 100644 index 3a6cd56aa..000000000 --- a/config/crd/bases/nova.openstack.org_novacomputeironics.yaml +++ /dev/null 
@@ -1,275 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - creationTimestamp: null - name: novacomputes.nova.openstack.org -spec: - group: nova.openstack.org - names: - kind: NovaCompute - listKind: NovaComputeList - plural: novacomputes - singular: novacompute - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: NetworkAttachments - jsonPath: .spec.networkAttachments - name: NetworkAttachments - type: string - - description: Status - jsonPath: .status.conditions[0].status - name: Status - type: string - - description: Message - jsonPath: .status.conditions[0].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: NovaCompute is the Schema for the NovaCompute - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NovaComputeSpec defines the desired state of NovaCompute - properties: - cellDatabaseHostname: - description: CellDatabaseHostname - hostname to use when accessing - the cell DB - type: string - cellDatabaseUser: - default: nova - description: CellDatabaseUser - username to use when accessing the - cell DB - type: string - cellMessageBusSecretName: - description: CellMessageBusSecretName - the name of the Secret conntaining - the transport URL information to use when accessing the API message - bus. - type: string - cellName: - description: CellName is the name of the Nova Cell this novncproxy - belongs to. - type: string - containerImage: - description: The service specific Container Image URL (will be set - to environmental default if empty) - type: string - customServiceConfig: - description: CustomServiceConfig - customize the service config using - this parameter to change service defaults, or overwrite rendered - information using raw OpenStack config format. The content gets - added to to /etc//.conf.d directory as custom.conf - file. - type: string - debug: - description: Debug - enable debug for different deploy stages. If - an init container is used, it runs and the actual action pod gets - started with sleep infinity - properties: - preserveJobs: - default: false - description: PreserveJobs - do not delete jobs after they finished - e.g. 
to check logs - type: boolean - stopDBSync: - default: false - description: 'StopDBSync allows stopping the init container before - running db sync to apply the DB schema QUESTION(gibi): Not all - CR will run dbsync, should we have per CR Debug struct or keep - this generic one and ignore fields in the controller that are - not applicable' - type: boolean - stopService: - default: false - description: 'StopService allows stopping the service container - before staring the openstack service binary QUESTION(gibi): - Not all CR will run a service, should we have per CR Debug struct - or keep this generic one and ignore fields in the controller - that are not applicable' - type: boolean - type: object - defaultConfigOverwrite: - additionalProperties: - type: string - description: ConfigOverwrite - interface to overwrite default config - files like e.g. logging.conf or policy.json. But can also be used - to add additional files. Those get added to the service config dir - in /etc/ . - type: object - keystoneAuthURL: - type: string - networkAttachments: - description: NetworkAttachments is a list of NetworkAttachment resource - names to expose the services to the given network - items: - type: string - type: array - nodeSelector: - additionalProperties: - type: string - description: NodeSelector to target subset of worker nodes running - this service - type: object - replicas: - default: 1 - description: Replicas of the service to run - format: int32 - maximum: 32 - minimum: 0 - type: integer - resources: - description: Resources - Compute Resources required by this service - (Limits/Requests). https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - properties: - claims: - description: "Claims lists the names of resources, defined in - spec.resourceClaims, that are used by this container. \n This - is an alpha field and requires enabling the DynamicResourceAllocation - feature gate. \n This field is immutable. 
It can only be set - for containers." - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: Name must match the name of one entry in pod.spec.resourceClaims - of the Pod where this field is used. It makes that resource - available inside a container. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute resources - allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - secret: - description: Secret is the name of the Secret instance containing - password information for the NovaCompute service. This secret - is expected to be generated by the nova-operator based on the information - passed to the Nova CR. 
- type: string - serviceAccount: - description: ServiceAccount - service account name used internally - to provide Nova services the default SA name - type: string - serviceUser: - default: nova - description: ServiceUser - optional username used for this service - to register in keystone - type: string - required: - - cellDatabaseHostname - - cellMessageBusSecretName - - cellName - - keystoneAuthURL - - secret - - serviceAccount - type: object - status: - description: NovaComputeStatus defines the observed state of NovaCompute - properties: - conditions: - description: Conditions - items: - description: Condition defines an observation of a API resource - operational state. - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. This should be when the underlying condition changed. - If that is not known, then using the time when the API field - changed is acceptable. - format: date-time - type: string - message: - description: A human readable message indicating details about - the transition. - type: string - reason: - description: The reason for the condition's last transition - in CamelCase. - type: string - severity: - description: Severity provides a classification of Reason code, - so the current situation is immediately understandable and - could act accordingly. It is meant for situations where Status=False - and it should be indicated if it is just informational, warning - (next reconciliation might fix it) or an error (e.g. DB create - issue and no actions to automatically resolve the issue can/should - be done). For conditions where Status=Unknown or Status=True - the Severity should be SeverityNone. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition in CamelCase. 
- type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - hash: - additionalProperties: - type: string - description: Map of hashes to track e.g. job status - type: object - networkAttachments: - additionalProperties: - items: - type: string - type: array - description: NetworkAttachments status of the deployment pods - type: object - readyCount: - description: ReadyCount defines the number of replicas ready from - NovaCompute - format: int32 - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 19057af1b..5df6d225d 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -9,6 +9,7 @@ resources: - bases/nova.openstack.org_novanovncproxies.yaml - bases/nova.openstack.org_novacells.yaml - bases/nova.openstack.org_nova.yaml +- bases/nova.openstack.org_novacomputes.yaml #+kubebuilder:scaffold:crdkustomizeresource patchesStrategicMerge: diff --git a/config/crd/patches/cainjection_in_novacomputes.yaml b/config/crd/patches/cainjection_in_novacomputes.yaml new file mode 100644 index 000000000..d8de897b7 --- /dev/null +++ b/config/crd/patches/cainjection_in_novacomputes.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) + name: novacomputes.nova.openstack.org diff --git a/config/crd/patches/webhook_in_novacomputes.yaml b/config/crd/patches/webhook_in_novacomputes.yaml new file mode 100644 index 000000000..6b636d4ad --- /dev/null +++ b/config/crd/patches/webhook_in_novacomputes.yaml 
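Review bot: The base added to `resources`, `bases/nova.openstack.org_novacomputes.yaml`, is not created by this commit — the diffstat only shows the two mis-named `*_novacomputeironics.yaml` copies being deleted, both of which declare `name: novacomputes.nova.openstack.org` — so `kustomize build config/crd` fails unless that file already exists or is regenerated (e.g. by `make manifests`) before the build; the commit message should say which. The new `patches/webhook_in_novacomputes.yaml` and `patches/cainjection_in_novacomputes.yaml` are not referenced under `patchesStrategicMerge` in this hunk; if that is deliberate (kubebuilder scaffolds them disabled), a commented entry next to the existing ones, `#- patches/webhook_in_novacomputes.yaml`, keeps the convention discoverable — the rest of that list is outside the hunk, so this is presumably how the other kinds are handled.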
@@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: novacomputes.nova.openstack.org +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/manifests/bases/nova-operator.clusterserviceversion.yaml b/config/manifests/bases/nova-operator.clusterserviceversion.yaml index cf6ae5a21..39d4996cb 100644 --- a/config/manifests/bases/nova-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/nova-operator.clusterserviceversion.yaml @@ -38,6 +38,11 @@ spec: kind: NovaNoVNCProxy name: novanovncproxies.nova.openstack.org version: v1beta1 + - description: NovaCompute is the Schema for the novacomputes API + displayName: Nova Compute + kind: NovaCompute + name: novacomputes.nova.openstack.org + version: v1beta1 - description: Nova is the Schema for the nova API displayName: Nova kind: Nova diff --git a/config/rbac/novacompute_editor_role.yaml b/config/rbac/novacompute_editor_role.yaml new file mode 100644 index 000000000..d2bc35002 --- /dev/null +++ b/config/rbac/novacompute_editor_role.yaml @@ -0,0 +1,24 @@ +# permissions for end users to edit novacomputes. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: novacompute-editor-role +rules: +- apiGroups: + - nova.openstack.org + resources: + - novacomputes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - nova.openstack.org + resources: + - novacomputes/status + verbs: + - get diff --git a/config/rbac/novacompute_viewer_role.yaml b/config/rbac/novacompute_viewer_role.yaml new file mode 100644 index 000000000..54cded4d0 --- /dev/null +++ b/config/rbac/novacompute_viewer_role.yaml 
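Review bot: The conversion webhook this patch enables has nothing to convert while `novacomputes.nova.openstack.org` serves only `v1beta1` (the version shown in the CRD copy this commit deletes), yet once applied it makes the CRD's conversion path depend on `webhook-service` being reachable and on the cert-manager CA injection from the companion patch succeeding. Until a second served version exists the default `strategy: None` is sufficient, so this file should stay unreferenced from `kustomization.yaml` and should say why in its header, e.g. `# Enable only once a second API version of NovaCompute is served; with a single version, strategy: None is sufficient.`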
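Review bot: The header `# permissions for end users to edit novacomputes.` understates what `create`/`update`/`patch` on this resource grants: the NovaCompute spec (per the CRD copy deleted in this commit) lets the author choose `containerImage`, `serviceAccount`, `customServiceConfig` and `defaultConfigOverwrite`, so a holder of this role can presumably have the operator run an image of their choosing under a service account of their choosing with arbitrary raw nova configuration — that is workload-deployment privilege in the target namespace, not merely CR editing. Because this is a ClusterRole, it should be bound with a namespaced RoleBinding rather than a ClusterRoleBinding, and the header should say so: `# NOTE: editing a NovaCompute selects the image, service account and raw service config the operator deploys; bind via RoleBinding, never ClusterRoleBinding.`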
@@ -0,0 +1,20 @@ +# permissions for end users to view novacomputes. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: novacompute-viewer-role +rules: +- apiGroups: + - nova.openstack.org + resources: + - novacomputes + verbs: + - get + - list + - watch +- apiGroups: + - nova.openstack.org + resources: + - novacomputes/status + verbs: + - get diff --git a/hack/clean_local_webhook.sh b/hack/clean_local_webhook.sh index db0bc09bc..db457995a 100755 --- a/hack/clean_local_webhook.sh +++ b/hack/clean_local_webhook.sh @@ -15,3 +15,5 @@ oc delete validatingwebhookconfiguration/vnovanovncproxy.kb.io --ignore-not-foun oc delete mutatingwebhookconfiguration/mnovanovncproxy.kb.io --ignore-not-found oc delete validatingwebhookconfiguration/vnovascheduler.kb.io --ignore-not-found oc delete mutatingwebhookconfiguration/mnovascheduler.kb.io --ignore-not-found +oc delete validatingwebhookconfiguration/vnovacompute.kb.io --ignore-not-found +oc delete mutatingwebhookconfiguration/mnovacompute.kb.io --ignore-not-found diff --git a/hack/configure_local_webhook.sh b/hack/configure_local_webhook.sh index a737fe9cb..9f315aba9 100755 --- a/hack/configure_local_webhook.sh +++ b/hack/configure_local_webhook.sh 
@@ -423,6 +423,62 @@ webhooks: scope: '*' sideEffects: None timeoutSeconds: 10 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: vnovacompute.kb.io +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: ${CA_BUNDLE} + url: https://${CRC_IP}:9443/validate-nova-openstack-org-v1beta1-novacompute + failurePolicy: Fail + matchPolicy: Equivalent + name: vnovacompute.kb.io + objectSelector: {} + rules: + - apiGroups: + - nova.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - novacomputes + scope: '*' + sideEffects: None + timeoutSeconds: 10 +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: mnovacomputes.kb.io +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + caBundle: ${CA_BUNDLE} + url: https://${CRC_IP}:9443/mutate-nova-openstack-org-v1beta1-novacompute + failurePolicy: Fail + matchPolicy: Equivalent + name: mnovacompute.kb.io + objectSelector: {} + rules: + - apiGroups: + - nova.openstack.org + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - novacomputes + scope: '*' + sideEffects: None + timeoutSeconds: 10 EOF_CAT oc apply -n openstack -f ${TMPDIR}/patch_webhook_configurations.yaml
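Review bot: The MutatingWebhookConfiguration's `metadata.name` is `mnovacomputes.kb.io` while its webhook entry is `mnovacompute.kb.io`, and `hack/clean_local_webhook.sh` in this same commit deletes `mutatingwebhookconfiguration/mnovacompute.kb.io`; that delete will not match, so after a local session the configuration is left behind with `failurePolicy: Fail` pointing at `https://${CRC_IP}:9443`, and every CREATE/UPDATE of a novacompute in the cluster is rejected until someone removes it by hand. The other entries in this file use the singular form (`mnovanovncproxy.kb.io`, `mnovascheduler.kb.io`), so change the metadata line to `name: mnovacompute.kb.io`. The heredoc this YAML is written into opens before the hunk.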