-
Notifications
You must be signed in to change notification settings - Fork 63
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: enable webhooks in
sidero-controller-manager
Based on #794, but instead of using a dedicated controller for all webhooks keep all of them in each own controller. Additionally, implement validation webhooks for `Server` resource, which validates that `bootFromDiskMethod` and `configPatches` are using proper values. Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>
- Loading branch information
Showing
23 changed files
with
312 additions
and
109 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 15 additions & 0 deletions
15
app/sidero-controller-manager/api/v1alpha1/environment_webhook.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
// This Source Code Form is subject to the terms of the Mozilla Public | ||
// License, v. 2.0. If a copy of the MPL was not distributed with this | ||
// file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
package v1alpha1 | ||
|
||
import ( | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
) | ||
|
||
func (r *Environment) SetupWebhookWithManager(mgr ctrl.Manager) error { | ||
return ctrl.NewWebhookManagedBy(mgr). | ||
For(r). | ||
Complete() | ||
} |
112 changes: 112 additions & 0 deletions
112
app/sidero-controller-manager/api/v1alpha1/server_webhook.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,112 @@ | ||
// This Source Code Form is subject to the terms of the Mozilla Public | ||
// License, v. 2.0. If a copy of the MPL was not distributed with this | ||
// file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
package v1alpha1 | ||
|
||
import ( | ||
"fmt" | ||
"sort" | ||
|
||
apierrors "k8s.io/apimachinery/pkg/api/errors" | ||
runtime "k8s.io/apimachinery/pkg/runtime" | ||
"k8s.io/apimachinery/pkg/runtime/schema" | ||
"k8s.io/apimachinery/pkg/util/validation/field" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook" | ||
|
||
siderotypes "github.com/talos-systems/sidero/app/sidero-controller-manager/pkg/types" | ||
) | ||
|
||
var operations = map[string]struct{}{ | ||
"add": {}, | ||
"remove": {}, | ||
"replace": {}, | ||
"copy": {}, | ||
"move": {}, | ||
"test": {}, | ||
} | ||
|
||
var operationKinds = []string{} | ||
|
||
func (r *Server) SetupWebhookWithManager(mgr ctrl.Manager) error { | ||
return ctrl.NewWebhookManagedBy(mgr). | ||
For(r). | ||
Complete() | ||
} | ||
|
||
//+kubebuilder:webhook:verbs=create;update;delete,path=/validate-metal-sidero-dev-v1alpha1-server,mutating=false,failurePolicy=fail,groups=metal.sidero.dev,resources=servers,versions=v1alpha1,name=vservers.metal.sidero.dev,sideEffects=None,admissionReviewVersions=v1 | ||
|
||
var _ webhook.Validator = &Server{} | ||
|
||
// ValidateCreate implements webhook.Validator so a webhook will be registered for the type. | ||
func (r *Server) ValidateCreate() error { | ||
return r.validate() | ||
} | ||
|
||
// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type. | ||
func (r *Server) ValidateUpdate(old runtime.Object) error { | ||
return r.validate() | ||
} | ||
|
||
// ValidateDelete implements webhook.Validator so a webhook will be registered for the type. | ||
func (r *Server) ValidateDelete() error { | ||
return nil | ||
} | ||
|
||
func (r *Server) validate() error { | ||
var allErrs field.ErrorList | ||
|
||
validValues := []siderotypes.BootFromDisk{ | ||
"", | ||
siderotypes.BootIPXEExit, | ||
siderotypes.Boot404, | ||
siderotypes.BootSANDisk, | ||
} | ||
|
||
var valid bool | ||
|
||
for _, v := range validValues { | ||
if r.Spec.BootFromDiskMethod == v { | ||
valid = true | ||
|
||
break | ||
} | ||
} | ||
|
||
if !valid { | ||
allErrs = append(allErrs, | ||
field.Invalid(field.NewPath("spec").Child("bootFromDiskMethod"), r.Spec.BootFromDiskMethod, | ||
fmt.Sprintf("valid values are: %q", validValues), | ||
), | ||
) | ||
} | ||
|
||
for index, patch := range r.Spec.ConfigPatches { | ||
if _, ok := operations[patch.Op]; !ok { | ||
allErrs = append(allErrs, | ||
field.Invalid(field.NewPath("spec").Child("configPatches").Child(fmt.Sprintf("%d", index)).Child("op"), patch.Op, | ||
fmt.Sprintf("valid values are: %q", operationKinds), | ||
), | ||
) | ||
} | ||
} | ||
|
||
if len(allErrs) == 0 { | ||
return nil | ||
} | ||
|
||
return apierrors.NewInvalid( | ||
schema.GroupKind{Group: GroupVersion.Group, Kind: "Server"}, | ||
r.Name, allErrs) | ||
} | ||
|
||
func init() { | ||
operationKinds = make([]string, 0, len(operations)) | ||
|
||
for key := range operations { | ||
operationKinds = append(operationKinds, key) | ||
} | ||
|
||
sort.Strings(operationKinds) | ||
} |
15 changes: 15 additions & 0 deletions
15
app/sidero-controller-manager/api/v1alpha1/serverclass_webhook.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
// This Source Code Form is subject to the terms of the Mozilla Public | ||
// License, v. 2.0. If a copy of the MPL was not distributed with this | ||
// file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
package v1alpha1 | ||
|
||
import ( | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
) | ||
|
||
func (r *ServerClass) SetupWebhookWithManager(mgr ctrl.Manager) error { | ||
return ctrl.NewWebhookManagedBy(mgr). | ||
For(r). | ||
Complete() | ||
} |
2 changes: 1 addition & 1 deletion
2
app/sidero-controller-manager/api/v1alpha1/zz_generated.deepcopy.go
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 2 additions & 2 deletions
4
app/sidero-controller-manager/config/crd/patches/cainjection_in_environments.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,8 @@ | ||
# The following patch adds a directive for certmanager to inject CA into the CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(SIDERO_CERTIFICATE_NAME) | ||
name: environments.metal.sidero.dev |
4 changes: 2 additions & 2 deletions
4
app/sidero-controller-manager/config/crd/patches/cainjection_in_serverclasses.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,8 @@ | ||
# The following patch adds a directive for certmanager to inject CA into the CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(SIDERO_CERTIFICATE_NAME) | ||
name: serverclasses.metal.sidero.dev |
4 changes: 2 additions & 2 deletions
4
app/sidero-controller-manager/config/crd/patches/cainjection_in_servers.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,8 @@ | ||
# The following patch adds a directive for certmanager to inject CA into the CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
annotations: | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) | ||
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(SIDERO_CERTIFICATE_NAME) | ||
name: servers.metal.sidero.dev |
20 changes: 11 additions & 9 deletions
20
app/sidero-controller-manager/config/crd/patches/webhook_in_environments.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,19 @@ | ||
# The following patch enables conversion webhook for CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: environments.metal.sidero.dev | ||
spec: | ||
conversion: | ||
strategy: Webhook | ||
webhookClientConfig: | ||
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, | ||
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) | ||
caBundle: Cg== | ||
service: | ||
namespace: system | ||
name: webhook-service | ||
path: /convert | ||
webhook: | ||
conversionReviewVersions: ["v1", "v1beta1"] | ||
clientConfig: | ||
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, | ||
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) | ||
caBundle: Cg== | ||
service: | ||
namespace: system | ||
name: webhook-service | ||
path: /convert |
20 changes: 11 additions & 9 deletions
20
app/sidero-controller-manager/config/crd/patches/webhook_in_serverclasses.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,19 @@ | ||
# The following patch enables conversion webhook for CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: serverclasses.metal.sidero.dev | ||
spec: | ||
conversion: | ||
strategy: Webhook | ||
webhookClientConfig: | ||
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, | ||
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) | ||
caBundle: Cg== | ||
service: | ||
namespace: system | ||
name: webhook-service | ||
path: /convert | ||
webhook: | ||
conversionReviewVersions: ["v1", "v1beta1"] | ||
clientConfig: | ||
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, | ||
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) | ||
caBundle: Cg== | ||
service: | ||
namespace: system | ||
name: webhook-service | ||
path: /convert |
20 changes: 11 additions & 9 deletions
20
app/sidero-controller-manager/config/crd/patches/webhook_in_servers.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,19 @@ | ||
# The following patch enables conversion webhook for CRD | ||
# CRD conversion requires k8s 1.13 or later. | ||
apiVersion: apiextensions.k8s.io/v1beta1 | ||
apiVersion: apiextensions.k8s.io/v1 | ||
kind: CustomResourceDefinition | ||
metadata: | ||
name: servers.metal.sidero.dev | ||
spec: | ||
conversion: | ||
strategy: Webhook | ||
webhookClientConfig: | ||
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, | ||
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) | ||
caBundle: Cg== | ||
service: | ||
namespace: system | ||
name: webhook-service | ||
path: /convert | ||
webhook: | ||
conversionReviewVersions: ["v1", "v1beta1"] | ||
clientConfig: | ||
# this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, | ||
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) | ||
caBundle: Cg== | ||
service: | ||
namespace: system | ||
name: webhook-service | ||
path: /convert |
Oops, something went wrong.