Added run-with-webhook make target
It will help to run with webhook.

Signed-off-by: Chandan Kumar <[email protected]>
raukadah committed Nov 29, 2024
1 parent 354419d commit c71f46a
Showing 3 changed files with 321 additions and 0 deletions.
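--- a/Makefile
+++ b/Makefile
@@ -437,3 +437,18 @@ PHONY: crd-schema-check
 crd-schema-check: manifests
 INSTALL_DIR=$(LOCALBIN) CRD_SCHEMA_CHECKER_VERSION=$(CRD_SCHEMA_CHECKER_VERSION) hack/build-crd-schema-checker.sh
 INSTALL_DIR=$(LOCALBIN) BASE_REF="$${PULL_BASE_SHA:-$(BRANCH)}" hack/crd-schema-checker.sh
+
+# Used for webhook testing
+# The configure_local_webhook.sh script below will remove any OLM webhooks
+# for the operator and also scale its deployment replicas down to 0 so that
+# the operator can run locally.
+# We will attempt to catch SIGINT/SIGTERM and clean up the local webhooks,
+# but it may be necessary to manually run ./hack/clean_local_webhook.sh
+# before deploying with OLM again for other untrappable signals.
+SKIP_CERT ?=false
+.PHONY: run-with-webhook
+run-with-webhook: export METRICS_PORT?=8080
+run-with-webhook: export HEALTH_PORT?=8081
+run-with-webhook: manifests generate fmt vet ## Run a controller from your host.
+/bin/bash hack/clean_local_webhook.sh
+/bin/bash hack/run_with_local_webhook.sh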
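Review bot: The comment above `run-with-webhook` names `configure_local_webhook.sh`, but the recipe runs `hack/clean_local_webhook.sh` and `hack/run_with_local_webhook.sh`, and the `##` help text is the generic "Run a controller from your host." The comment should name the real scripts and state the host-side effects of the target, for example `# Runs hack/run_with_local_webhook.sh: opens 9443/tcp with sudo firewall-cmd (made permanent) unless SKIP_FIREWALL=true, and writes a self-signed key and cert under TMPDIR unless SKIP_CERT=true.` `SKIP_CERT ?=false` is set here but not exported, so this default does not appear to reach the script, which applies its own; either `export SKIP_CERT` or drop the line.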
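--- a/hack/clean_local_webhook.sh
+++ b/hack/clean_local_webhook.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ex
+
+oc delete validatingwebhookconfiguration/vwatcher.kb.io --ignore-not-found
+oc delete mutatingwebhookconfiguration/mwatcher.kb.io --ignore-not-found
+oc delete validatingwebhookconfiguration/vwatcherapi.kb.io --ignore-not-found
+oc delete mutatingwebhookconfiguration/mwatcherapi.kb.io --ignore-not-found
+oc delete validatingwebhookconfiguration/vwatcherdecisionengine.kb.io --ignore-not-found
+oc delete mutatingwebhookconfiguration/mwatcherdecisionengine.kb.io --ignore-not-found
+oc delete validatingwebhookconfiguration/vwatcherapplier.kb.io --ignore-not-found
+oc delete mutatingwebhookconfiguration/mwatcherapplier.kb.io --ignore-not-found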
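Review bot: The eight `oc delete` calls run against whichever cluster the current `oc` login points at, with no check or echo of the target, and `make run-with-webhook` calls this script before anything else. These are cluster-scoped admission objects, so a stale login to a shared cluster would lose its watcher validation and defaulting. Printing the target first, e.g. `oc whoami --show-server`, and a header comment such as `# Removes the webhook configurations created by hack/run_with_local_webhook.sh` would make the scope explicit.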
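--- a/hack/run_with_local_webhook.sh
+++ b/hack/run_with_local_webhook.sh
@@ -0,0 +1,295 @@
+#!/bin/bash
+set -ex
+
+# Define a cleanup function
+cleanup() {
+echo "Caught signal, cleaning up local webhooks..."
+./hack/clean_local_webhook.sh
+exit 0
+}
+
+# Set trap to catch SIGINT and SIGTERM
+trap cleanup SIGINT SIGTERM
+
+TMPDIR=${TMPDIR:-"/tmp/k8s-webhook-server/serving-certs"}
+SKIP_CERT=${SKIP_CERT:-false}
+CRC_IP=${CRC_IP:-$(/sbin/ip -o -4 addr list crc | awk '{print $4}' | cut -d/ -f1)}
+FIREWALL_ZONE=${FIREWALL_ZONE:-"libvirt"}
+SKIP_FIREWALL=${SKIP_FIREWALL:-false}
+
+if [ "$SKIP_FIREWALL" = false ] ; then
+#Open 9443
+sudo firewall-cmd --zone=${FIREWALL_ZONE} --add-port=9443/tcp
+sudo firewall-cmd --runtime-to-permanent
+fi
+
+# Generate the certs and the ca bundle
+if [ "$SKIP_CERT" = false ] ; then
+mkdir -p ${TMPDIR}
+rm -rf ${TMPDIR}/* || true
+
+openssl req -newkey rsa:2048 -days 3650 -nodes -x509 \
+-subj "/CN=${HOSTNAME}" \
+-addext "subjectAltName = IP:${CRC_IP}" \
+-keyout ${TMPDIR}/tls.key \
+-out ${TMPDIR}/tls.crt
+
+cat ${TMPDIR}/tls.crt ${TMPDIR}/tls.key | base64 -w 0 > ${TMPDIR}/bundle.pem
+
+fi
+
+CA_BUNDLE=`cat ${TMPDIR}/bundle.pem`
+
+# Patch the webhook(s)
+cat >> ${TMPDIR}/patch_webhook_configurations.yaml <<EOF_CAT
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: vwatcher.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/validate-watcher-openstack-org-v1beta1-watcher
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: vwatcher.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcher
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+name: mwatcher.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/mutate-watcher-openstack-org-v1beta1-watcher
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: mwatcher.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcher
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: vwatcherapi.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/validate-watcher-openstack-org-v1beta1-watcherapi
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: vwatcherapi.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcherapis
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+name: mwatcherapi.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/mutate-watcher-openstack-org-v1beta1-watcherapi
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: mwatcherapi.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcherapis
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: vwatcherdecisionengine.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/validate-watcher-openstack-org-v1beta1-watcherdecisionengine
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: vwatcherdecisionengine.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcherdecisionengines
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+name: mwatcherdecisionengine.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/mutate-watcher-openstack-org-v1beta1-watcherdecisionengine
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: mwatcherdecisionengine.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcherdecisionengines
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: vwatcherapplier.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/validate-watcher-openstack-org-v1beta1-watcherapplier
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: vwatcherapplier.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcherappliers
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+name: mwatcherapplier.kb.io
+webhooks:
+- admissionReviewVersions:
+- v1
+clientConfig:
+caBundle: ${CA_BUNDLE}
+url: https://${CRC_IP}:9443/mutate-watcher-openstack-org-v1beta1-watcherapplier
+failurePolicy: Fail
+matchPolicy: Equivalent
+name: mwatcherapplier.kb.io
+objectSelector: {}
+rules:
+- apiGroups:
+- watcher.openstack.org
+apiVersions:
+- v1beta1
+operations:
+- CREATE
+- UPDATE
+resources:
+- watcherappliers
+scope: '*'
+sideEffects: None
+timeoutSeconds: 10
+EOF_CAT
+
+oc apply -n openstack -f ${TMPDIR}/patch_webhook_configurations.yaml
+
+# Scale-down operator deployment replicas to zero and remove OLM webhooks
+CSV_NAME="$(oc get csv -n openstack-operators -l operators.coreos.com/watcher-operator.openstack-operators -o name)"
+
+if [ -n "${CSV_NAME}" ]; then
+CUR_REPLICAS=$(oc get -n openstack-operators "${CSV_NAME}" -o=jsonpath='{.spec.install.spec.deployments[0].spec.replicas}')
+CUR_WEBHOOK_DEFS=$(oc get -n openstack-operators "${CSV_NAME}" -o=jsonpath='{.spec.webhookdefinitions}')
+
+# Back-up CSV if it currently uses OLM defaults for deployment replicas or webhook definitions
+if [[ "${CUR_REPLICAS}" -gt 0 || ( -n "${CUR_WEBHOOK_DEFS}" && "${CUR_WEBHOOK_DEFS}" != "[]" ) ]]; then
+CSV_FILE=$(mktemp -t "$(echo "${CSV_NAME}" | cut -d "/" -f 2).XXXXXX" --suffix .json)
+oc get -n openstack-operators "${CSV_NAME}" -o json | \
+jq -r 'del(.metadata.generation, .metadata.resourceVersion, .metadata.uid)' > "${CSV_FILE}"
+
+printf \
+"\n\tNow patching operator CSV to remove its OLM deployment and associated webhooks.
+The original OLM version of the operator's CSV has been copied to %s. To restore it, use:
+oc patch -n openstack-operators %s --type=merge --patch-file=%s\n\n" "${CSV_FILE}" "${CSV_NAME}" "${CSV_FILE}"
+fi
+
+oc patch "${CSV_NAME}" -n openstack-operators --type=json -p="[{'op': 'replace', 'path': '/spec/install/spec/deployments/0/spec/replicas', 'value': 0}]"
+oc patch "${CSV_NAME}" -n openstack-operators --type=json -p="[{'op': 'replace', 'path': '/spec/webhookdefinitions', 'value': []}]"
+fi
+
+go run ./main.go -metrics-bind-address ":${METRICS_PORT}" -health-probe-bind-address ":${HEALTH_PORT}"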
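Review bot: `bundle.pem` is built from `tls.crt` and `tls.key` together, so the `caBundle` field of all eight webhook configurations sent with `oc apply` carries the private key, and the file is written through a plain redirect with the default umask. `caBundle` needs only the certificate: `base64 -w 0 ${TMPDIR}/tls.crt > ${TMPDIR}/bundle.pem`. Separately, `TMPDIR` is a standard environment variable, so when it is already set in the caller's shell, `rm -rf ${TMPDIR}/*` empties that directory, including any CSV backup an earlier run placed there with `mktemp -t`; a script-private variable name with quoted expansions would avoid this. `firewall-cmd --runtime-to-permanent` also persists every runtime firewall change on the host, not only port 9443, and `cleanup` does not close the port again.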
