modified document for autoscaler webhook and self signed certificate (#…
kevinliu24 authored Jun 20, 2024
1 parent 9dc9688 commit e30aa25
Showing 1 changed file with 51 additions and 9 deletions.
60 changes: 51 additions & 9 deletions doc/user/webhook.md
Expand Up @@ -5,23 +5,35 @@ validating admission webhook and mutating admission webhook. Mutating admission
to enforce custom defaults. After all object modifications are complete, and after the incoming object is validated by the API server,
validating admission webhooks are invoked and can reject requests to enforce custom policies.

The nebula-operator controller-manager starts a built-in admission webhook server and manages policies about how to validate NebulaCluster.
The nebula-operator controller-manager and autoscaler starts a built-in admission webhook server and manages policies about how to validate NebulaCluster and NebulaAutoscaler respectively. The webhook server can be deployed by either using kubernetes cert-manager or using a self-signed certificate generated with the included certificate generator provided by NebulaGraph. This gives you the flexibility of choosing the certificate you want to use and not having to install cert-manager if not already used.

Follow this guide to enable webhook.
Follow this guide to enable the webhook with or without cert-manager.

### Deploy cert-manager
### Deploying with cert-manager

#### Deploy cert-manager
Refer to the [cert-manager installation](https://cert-manager.io/docs/installation) to get started.

### Enable admission webhook
#### Enable the admission webhook for the needed component and set the `useCertManager` option
```yaml
# helm chart nebula-operator values.yaml, set `create` to true
# helm chart nebula-operator values.yaml, set `create` to true under `contollerManagerAdmissionWebhook`
# to enable the webhook for the controller manager and under `autoscalerAdmissionWebhook`
# to enable the webhook for the autoscaler. The two can be enabled both independently or together.
admissionWebhook:
create: true
# The TCP port the Webhook server binds to. (default 9443)
webhookBindPort: 9443
contollerManagerAdmissionWebhook:
create: true
# The TCP port the Webhook server binds to. (default 9443)
webhookBindPort: 9443
autoscalerAdmissionWebhook:
create: true
# The TCP port the Webhook server binds to. (default 9448)
webhookBindPort: 9448
# set useCertManager to true to have the webhook server use the certificates
# generated by cert-manager
useCertManager: true
```
Verify resource Issuer and Certificate status
#### Verify resource Issuer and Certificate status
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
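Review bot: the chart key is spelled `contollerManagerAdmissionWebhook` (missing an "r") in both the comment and the YAML of this hunk; if that really is how the chart's values.yaml names the key, the doc should say so explicitly, because a reader who types the expected `controllerManagerAdmissionWebhook` is likely to set a value the chart never reads and end up with no webhook, and if it is a typo in the doc, the example will not enable anything. In the new intro paragraph the subject is now plural ("controller-manager and autoscaler"), so "starts ... and manages" should read "start ... and manage", and "kubernetes cert-manager" should be "Kubernetes cert-manager". The new heading under "Deploying with cert-manager" is a full instruction sentence; a shorter heading such as "Enable the admission webhook" with the `useCertManager` instruction moved into the text would match the heading style of the rest of the doc.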
Expand Down Expand Up @@ -93,7 +105,30 @@ status:
renewalTime: "2023-11-19T18:03:06Z"
```
### Deploying with self-signed certificate
#### Enable the admission webhook for the needed component and clear the `useCertManager` option. Also set `certValidity` (in number of days)
```yaml
# helm chart nebula-operator values.yaml, set `create` to true under `contollerManagerAdmissionWebhook`
# to enable the webhook for the controller manager and under `autoscalerAdmissionWebhook`
# to enable the webhook for the autoscaler. The two can be enabled both independently or together.
admissionWebhook:
contollerManagerAdmissionWebhook:
create: true
# The TCP port the Webhook server binds to. (default 9443)
webhookBindPort: 9443
autoscalerAdmissionWebhook:
create: true
# The TCP port the Webhook server binds to. (default 9448)
webhookBindPort: 9448
# set useCertManager to false to use self-signed certificate
useCertManager: false
# Number of days. Only needed if useCertManager is false. (default 1)
certValidity: 1
```
### Validate rules
#### Controller Manager
Append storage volume
```shell
$ kubectl patch nc nebula --type='merge' --patch '{"spec": {"storaged": {"dataVolumeClaims":[{"resources": {"requests": {"storage": "2Gi"}}, "storageClassName": "local-path"},{"resources": {"requests": {"storage": "3Gi"}}, "storageClassName": "fask-disks"}]}}}'
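Review bot: the `certValidity` default of 1 day is documented without saying what happens when that day elapses; this section should state whether the operator regenerates the self-signed certificate before expiry and how the new CA bundle reaches the webhook configurations, because an expired serving certificate makes the API server fail the webhook call and, depending on the configured failure policy, either blocks every NebulaCluster/NebulaAutoscaler change or admits it unvalidated. The heading "Enable the admission webhook for the needed component and clear the `useCertManager` option. Also set `certValidity` (in number of days)" is two sentences in a heading; keep it parallel to the cert-manager section and move the `useCertManager: false` / `certValidity` guidance into a sentence above the YAML. The same `contollerManagerAdmissionWebhook` spelling appears in this YAML too and should agree with the chart's actual key.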
Expand Down Expand Up @@ -127,4 +162,11 @@ Deletion protection
$ kubectl annotate nc nebula -n nebula-test nebula-graph.io/delete-protection=true
$ kubectl delete sc nebula -n nebula-test
Error from server: admission webhook "nebulaclustervalidating.nebula-graph.io" denied the request: metadata.annotations[nebula-graph.io/delete-protection]: Forbidden: protected cluster cannot be deleted
```
#### Autoscaler
min replica greater than max replica protection
```shell
$ kubectl patch na nebula-autoscaler --type='merge' --patch '{"spec": {"graphdPolicy": {"minReplicas":3, "maxReplicas":2}}}'
$ Error from server: admission webhook "nebulaautoscalingvalidating.nebula-graph.io" denied the request: spec.graphPolicy.minReplicas: Invalid value: 3: min replica 3 should be less than or equal to max replicas 2
```
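Review bot: the output line in the autoscaler example starts with a `$ ` prompt (`$ Error from server: ...`) although it is server output, not a command; drop the prompt as in the deletion-protection example above it. The rejected field path in that message is `spec.graphPolicy.minReplicas` while the patch sets `spec.graphdPolicy`; either the pasted output was retyped or the webhook reports a different path than the field it validates, so please paste the actual output, and if the path really differs that is a fix for the webhook rather than the doc. A one-line intro such as "The autoscaler webhook rejects policies whose minReplicas exceeds maxReplicas" would also make "min replica greater than max replica protection" read as a sentence.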
