diff --git a/Makefile b/Makefile
index d49c480a..8e1635f9 100644
--- a/Makefile
+++ b/Makefile
@@ -78,6 +78,60 @@ manifests: controller-gen
 generate: controller-gen
 $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
+# Setup development env
+# Usage:
+# LAPTOP_HOST_IP= make dev-setup
+# For example:
+# LAPTOP_HOST_IP=192.168.10.101 make dev-setup
+define tls_cnf
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+[ req_distinguished_name ]
+countryName = SG
+stateOrProvinceName = SG
+localityName = SG
+organizationName = CAPSULE
+commonName = CAPSULE
+[ req_ext ]
+subjectAltName = @alt_names
+[alt_names]
+IP.1 = $(LAPTOP_HOST_IP)
+endef
+export tls_cnf
+dev-setup:
+ kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0
+ mkdir -p /tmp/k8s-webhook-server/serving-certs
+ echo "$${tls_cnf}" > _tls.cnf
+ openssl req -newkey rsa:4096 -days 3650 -nodes -x509 \
+ -subj "/C=SG/ST=SG/L=SG/O=CAPSULE/CN=CAPSULE" \
+ -extensions req_ext \
+ -config _tls.cnf \
+ -keyout /tmp/k8s-webhook-server/serving-certs/tls.key \
+ -out /tmp/k8s-webhook-server/serving-certs/tls.crt
+ rm -f _tls.cnf
+ export WEBHOOK_URL="https://$${LAPTOP_HOST_IP}:9443"; \
+ export CA_BUNDLE=`openssl base64 -in /tmp/k8s-webhook-server/serving-certs/tls.crt | tr -d '\n'`; \
+ kubectl patch MutatingWebhookConfiguration capsule-mutating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/mutate-v1-namespace-owner-reference\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/cordoning\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/1/clientConfig', 
'value':{'url':\"$${WEBHOOK_URL}/ingresses\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/2/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/namespaces\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/3/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/networkpolicies\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/4/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/pods\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/5/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/persistentvolumeclaims\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/6/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/services\",'caBundle':\"$${CA_BUNDLE}\"}}]" && \
+ kubectl patch ValidatingWebhookConfiguration capsule-validating-webhook-configuration \
+ --type='json' -p="[{'op': 'replace', 'path': '/webhooks/7/clientConfig', 'value':{'url':\"$${WEBHOOK_URL}/tenants\",'caBundle':\"$${CA_BUNDLE}\"}}]";
+
 # Build the docker image
 docker-build: test
 docker build . -t ${IMG} --build-arg GIT_HEAD_COMMIT=$(GIT_HEAD_COMMIT) \
diff --git a/docs/dev-guide.md b/docs/dev-guide.md
index 9e4ab006..57d7b7da 100644
--- a/docs/dev-guide.md
+++ b/docs/dev-guide.md
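Review bot: `dev-setup` never checks that `LAPTOP_HOST_IP` is set, yet both the certificate's SAN (`IP.1 = $(LAPTOP_HOST_IP)` in `tls_cnf`) and `WEBHOOK_URL` are derived from it, so an unset variable yields a certificate with an empty IP entry and patches every webhook to `https://:9443`; add a guard as the first recipe line, `$(if $(strip $(LAPTOP_HOST_IP)),,$(error LAPTOP_HOST_IP is not set))`, so the target fails before touching the cluster. The private key is written with the caller's umask under the world-traversable `/tmp/k8s-webhook-server/serving-certs`, so prefix the `openssl req` line with `umask 077 && ` (or create the directory with `mkdir -p -m 0700`) so `tls.key` is not readable by other local users. The eight `kubectl patch` calls address webhooks by positional index (`/webhooks/0` … `/webhooks/7`), which silently rewrites the wrong entry if the order in the ValidatingWebhookConfiguration changes; a comment listing the expected index-to-path order, or a lookup by webhook name, would make that dependency explicit. `dev-setup` is a command rather than a file, so it should also be added to the file's `.PHONY` list, which is outside this hunk.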
@@ -7,8 +7,8 @@ Make sure you have these tools installed: - [Go 1.16+](https://golang.org/dl/) -- [OperatorSDK 1.7.2+](https://github.com/operator-framework/operator-sdk), or [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) -- [KinD](https://github.com/kubernetes-sigs/kind), or [k3d](https://k3d.io/), with kubectl +- [Operator SDK 1.7.2+](https://github.com/operator-framework/operator-sdk), or [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) +- [KinD](https://github.com/kubernetes-sigs/kind) or [k3d](https://k3d.io/), with `kubectl` - [ngrok](https://ngrok.com/) (if you want to run locally with remote Kubernetes) - [golangci-lint](https://github.com/golangci/golangci-lint) - OpenSSL @@ -29,7 +29,7 @@ $ export LAPTOP_HOST_IP=192.168.10.101 # Spin up a bare minimum cluster # Refer to here for more options: https://k3d.io/v4.4.8/usage/commands/k3d_cluster_create/ -$ k3d cluster create k3s-capsule --servers 1 --agents 1 --no-lb --k3s-server-arg --tls-san=${K8S_API_IP} +$ k3d cluster create k3s-capsule --servers 1 --agents 1 --no-lb --k3s-server-arg --tls-san=${LAPTOP_HOST_IP} # This will create a cluster with 1 server and 1 worker node $ kubectl get nodes 
@@ -47,6 +47,9 @@ CONTAINER ID IMAGE COMMAND CREATED #### By `kind` ```sh +# # Install kind cli by brew in Mac, or your preferred way +$ brew install kind + # Prepare a kind config file with necessary customization $ cat > kind.yaml < make dev-setup +``` + +This is a very common setup for typical Kubernetes Operator development so we'd better walk them through with more details here. + +1. Scaling down the deployed Pod(s) to 0 + +We need to scale the existing replicas of `capsule-controller-manager` to 0 to avoid reconciliation competition between the Pod(s) and the code running outside of the cluster, in our preferred IDE for example. ```sh $ kubectl -n capsule-system scale deployment capsule-controller-manager --replicas=0 deployment.apps/capsule-controller-manager scaled ``` -## Preparing TLS certificate for webhooks +2. Preparing TLS certificate for the webhooks -Running webhooks requires TLS, so let's prepare the TLS key pair in our development env to handle HTTPS requests. +Running webhooks requires TLS, we can prepare the TLS key pair in our development env to handle HTTPS requests. ```sh +# Prepare a simple OpenSSL config file +# Do remember to export LAPTOP_HOST_IP before running this command +$ cat > _tls.cnf <