feat: Add ValidatingWebhookConfiguration to ensure only one CheCluste…

…r is created (#1518)

Signed-off-by: Anatolii Bazko <abazko@redhat.com>

Makefile

@@ -282,6 +282,9 @@ gen-chectl-tmpl: ## Generate Eclipse Che k8s deployment resources used by chectl
 			cp $${src}/$${TARGET_PLATFORM}/objects/che-operator.Role.yaml $${dst}/$${TARGET_PLATFORM}/role.yaml
 
 			cp $${src}/$${TARGET_PLATFORM}/objects/che-operator-service.Service.yaml $${dst}/$${TARGET_PLATFORM}/webhook-service.yaml
+			if [[ -f $${src}/org.eclipse.che.ValidatingWebhookConfiguration.yaml ]]; then
+			  cp $${src}/org.eclipse.che.ValidatingWebhookConfiguration.yaml $${dst}/org.eclipse.che.ValidatingWebhookConfiguration.yaml
+			fi
 
 			if [[ $${TARGET_PLATFORM} == "kubernetes" ]]; then
 				cp $${src}/$${TARGET_PLATFORM}/objects/che-operator-serving-cert.Certificate.yaml $${dst}/$${TARGET_PLATFORM}/serving-cert.yaml

PROJECT

@@ -26,5 +26,6 @@ resources:
   version: v2
   webhooks:
     conversion: true
+    validation: true
     webhookVersion: v1
 version: "3"

api/v2/checluster_webhook.go

@@ -13,17 +13,57 @@
 package v2
 
 import (
+	"context"
+	"fmt"
+
+	k8shelper "github.com/eclipse-che/che-operator/pkg/common/k8s-helper"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
-	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
 // log is for logging in this package.
-var checlusterlog = logf.Log.WithName("checluster-resource")
+var (
+	logger = ctrl.Log.WithName("webhook")
+)
 
 func (r *CheCluster) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(r).
 		Complete()
 }
 
-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+var _ webhook.Validator = &CheCluster{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *CheCluster) ValidateCreate() error {
+	return ensureSingletonCheCluster()
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *CheCluster) ValidateUpdate(old runtime.Object) error {
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *CheCluster) ValidateDelete() error {
+	return nil
+}
+
+func ensureSingletonCheCluster() error {
+	client := k8shelper.New().GetClient()
+	utilruntime.Must(AddToScheme(client.Scheme()))
+
+	che := &CheClusterList{}
+	err := client.List(context.TODO(), che)
+	if err != nil {
+		logger.Error(err, "Failed to list CheCluster Custom Resources.")
+	}
+
+	if len(che.Items) != 0 {
+		return fmt.Errorf("only one CheCluster is allowed")
+	}
+
+	return nil
+}

bundle/next/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml

@@ -1393,6 +1393,27 @@ spec:
     name: Eclipse Foundation
   version: 7.52.0-644.next
   webhookdefinitions:
+    - admissionReviewVersions:
+        - v1
+        - v1beta1
+      containerPort: 443
+      deploymentName: che-operator
+      failurePolicy: Fail
+      generateName: vchecluster.kb.io
+      rules:
+        - apiGroups:
+            - org.eclipse.che
+          apiVersions:
+            - v2
+          operations:
+            - CREATE
+            - UPDATE
+          resources:
+            - checlusters
+      sideEffects: None
+      targetPort: 9443
+      type: ValidatingAdmissionWebhook
+      webhookPath: /validate-org-eclipse-che-v2-checluster
     - admissionReviewVersions:
         - v1
         - v2

config/kubernetes/kustomization.yaml

@@ -21,6 +21,7 @@ resources:
 # Kubernetes platform specific patches
 patchesStrategicMerge:
   - patches/cainjection_in_checlusters.yaml
+  - patches/cainjection_in_webhook.yaml
   - patches/manager_pod_security_context.yaml
 
 vars:

config/kubernetes/patches/cainjection_in_checlusters.yaml

@@ -14,6 +14,6 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
+  name: checlusters.org.eclipse.che
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
-  name: checlusters.org.eclipse.che

config/kubernetes/patches/cainjection_in_webhook.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: org.eclipse.che
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

config/openshift/kustomization.yaml

@@ -19,4 +19,5 @@ resources:
 
 patchesStrategicMerge:
   - patches/cainjection_in_checlusters.yaml
+  - patches/cainjection_in_webhook.yaml
   - patches/service_cert_patch.yaml

config/openshift/patches/cainjection_in_webhook.yaml

@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: org.eclipse.che
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"

config/webhook/kustomization.yaml

@@ -11,6 +11,7 @@
 #
 
 resources:
+- webhooks.yaml
 - service.yaml
 
 configurations:

config/webhook/webhooks.yaml

@@ -0,0 +1,43 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: org.eclipse.che
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+webhooks:
+  - admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        name: che-operator-service
+        namespace: eclipse-che
+        path: /validate-org-eclipse-che-v2-checluster
+    failurePolicy: Fail
+    name: vchecluster.kb.io
+    rules:
+      - apiGroups:
+          - org.eclipse.che
+        apiVersions:
+          - v2
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - checlusters
+    sideEffects: None

deploy/deployment/kubernetes/combined.yaml

@@ -6200,3 +6200,37 @@ metadata:
   namespace: eclipse-che
 spec:
   selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: eclipse-che/che-operator-serving-cert
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+  name: org.eclipse.che
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: che-operator-service
+      namespace: eclipse-che
+      path: /validate-org-eclipse-che-v2-checluster
+  failurePolicy: Fail
+  name: vchecluster.kb.io
+  rules:
+  - apiGroups:
+    - org.eclipse.che
+    apiVersions:
+    - v2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - checlusters
+  sideEffects: None

deploy/deployment/kubernetes/objects/org.eclipse.che.ValidatingWebhookConfiguration.yaml

@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: eclipse-che/che-operator-serving-cert
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+  name: org.eclipse.che
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: che-operator-service
+      namespace: eclipse-che
+      path: /validate-org-eclipse-che-v2-checluster
+  failurePolicy: Fail
+  name: vchecluster.kb.io
+  rules:
+  - apiGroups:
+    - org.eclipse.che
+    apiVersions:
+    - v2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - checlusters
+  sideEffects: None

deploy/deployment/openshift/combined.yaml

@@ -6167,3 +6167,37 @@ spec:
         secret:
           defaultMode: 420
           secretName: che-operator-webhook-server-cert
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+  name: org.eclipse.che
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: che-operator-service
+      namespace: eclipse-che
+      path: /validate-org-eclipse-che-v2-checluster
+  failurePolicy: Fail
+  name: vchecluster.kb.io
+  rules:
+  - apiGroups:
+    - org.eclipse.che
+    apiVersions:
+    - v2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - checlusters
+  sideEffects: None

deploy/deployment/openshift/objects/org.eclipse.che.ValidatingWebhookConfiguration.yaml

@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2019-2021 Red Hat, Inc.
+# This program and the accompanying materials are made
+# available under the terms of the Eclipse Public License 2.0
+# which is available at https://www.eclipse.org/legal/epl-2.0/
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+# Contributors:
+#   Red Hat, Inc. - initial API and implementation
+#
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+  labels:
+    app.kubernetes.io/component: che-operator
+    app.kubernetes.io/instance: che
+    app.kubernetes.io/name: che
+    app.kubernetes.io/part-of: che.eclipse.org
+  name: org.eclipse.che
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: che-operator-service
+      namespace: eclipse-che
+      path: /validate-org-eclipse-che-v2-checluster
+  failurePolicy: Fail
+  name: vchecluster.kb.io
+  rules:
+  - apiGroups:
+    - org.eclipse.che
+    apiVersions:
+    - v2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - checlusters
+  sideEffects: None