feat: setup admission webhook

[daviderli614]

Summary by CodeRabbit

• New Features

  • Added support for admission webhooks in the GreptimeDB operator, enhancing request validation and mutation capabilities.
  • Introduced new configuration options for enabling admission webhooks, including port and certificate directory settings.

• Bug Fixes

  • Updated the Kafka version from 3.7.0 to 3.9.0 to ensure compatibility and access to the latest features.

[coderabbitai]

Warning

Rate limit exceeded

@daviderli614 has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 11 minutes and 3 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between bef5aa1 and a71adc2.

📒 Files selected for processing (1)

• tests/e2e/setup/kafka-wal.yaml (1 hunks)

Walkthrough

This pull request introduces enhancements to the GreptimeDB operator's admission webhook capabilities. The changes span across multiple files, adding new configuration options and implementation details for enabling admission webhooks. The modifications include updating the operator's command configuration, expanding configuration options, and updating a Kafka WAL configuration with a version bump. The primary focus is on providing more flexible webhook management and configuration for the GreptimeDB operator.

Changes

File	Change Summary
cmd/operator/app/command.go	- Added imports for admission webhooks - Introduced webhookServer initialization - Updated manager options to include webhook server - Added webhook setup for GreptimeDBCluster and GreptimeDBStandalone
cmd/operator/app/options/options.go	- Added new constants for webhook defaults - Extended Options struct with webhook-related fields - Updated NewDefaultOptions and AddFlags to support webhook configuration
tests/e2e/setup/kafka-wal.yaml	- Upgraded Kafka version from 3.7.0 to 3.9.0

Possibly related PRs

• feat: initialize admission webhook #234: Implementation of admission webhooks for GreptimeDBCluster and GreptimeDBStandalone resources.

Suggested reviewers

• zyy17

Poem

🐰 Webhooks dance, a digital ballet,
Clusters validated with graceful sway,
Kubernetes whispers, configurations bright,
GreptimeDB operator takes its flight!
Code evolves, with rabbit's delight! 🚀

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

cmd/operator/app/command.go (1)

85-92: Consider initializing the webhook server only when needed.

Currently you create a default webhookServer and then reinitialize it if admission is enabled. This is fine, but you might omit the initial creation altogether if EnableAdmissionWebhook is false to streamline logic.

- webhookServer := webhook.NewServer(webhook.Options{})
- if o.EnableAdmissionWebhook {
-     ...
-     webhookServer = webhook.NewServer(webhookServerOptions)
- }
+ var webhookServer webhook.Server
+ if o.EnableAdmissionWebhook {
+     webhookServer = webhook.NewServer(webhookServerOptions)
+ }

cmd/operator/app/options/options.go (1)

30-38: Ensure consistent data types for port fields.

The “APIServerPort” field is int32 while “AdmissionWebhookPort” is int. For consistency and to avoid potential confusion, consider using the same type.

-type Options struct {
-    ...
-    APIServerPort           int32
-    ...
-    AdmissionWebhookPort    int
-    ...
-}
+type Options struct {
+    ...
+    APIServerPort           int32
+    ...
+    AdmissionWebhookPort    int32
+    ...
+}

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a390045 and 0113cf2.

📒 Files selected for processing (2)

• cmd/operator/app/command.go (6 hunks)
• cmd/operator/app/options/options.go (2 hunks)

🔇 Additional comments (6)

cmd/operator/app/command.go (3)

34-34: New webhook import looks good.

No issues found here.

---

101-101: WebhookServer integration recognized.

Attaching the webhook server to the manager appears correct.

---

128-137: SetupWebhookWithManager logic is appropriate.

Each CRD’s webhook is registered separately, and the manager exits on error to avoid partial registration. That is a sound approach.

cmd/operator/app/options/options.go (3)

22-26: Default port assignments look reasonable.

Ports 8081 and 8082 are commonly open. No immediate conflicts foreseen.

---

43-50: Default values for new fields look appropriate.

These defaults match typical operator usage patterns.

---

61-63: Flag definitions correctly map to the new fields.

The flag descriptions are clear and user-friendly.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

cmd/operator/app/command.go (2)

85-92: Optimize webhook server initialization

The initial creation of the webhook server with empty options at line 85 is redundant since it's immediately replaced when webhooks are enabled. Consider consolidating the initialization:

-webhookServer := webhook.NewServer(webhook.Options{})
-if o.EnableAdmissionWebhook {
-    webhookServerOptions := webhook.Options{
-        Port:    o.AdmissionWebhookPort,
-        CertDir: o.AdmissionWebhookCertDir,
-    }
-    webhookServer = webhook.NewServer(webhookServerOptions)
-}
+webhookServer := webhook.NewServer(webhook.Options{
+    Port:    o.AdmissionWebhookPort,
+    CertDir: o.AdmissionWebhookCertDir,
+})

---

128-137: Consider graceful shutdown for webhook setup failures

While the error handling is generally good, immediately calling os.Exit(1) might not allow other goroutines (like the API server) to shut down gracefully. Consider implementing a more graceful shutdown mechanism:

 if o.EnableAdmissionWebhook {
+    setupWebhooks := func() error {
         if err := (&v1alpha1.GreptimeDBCluster{}).SetupWebhookWithManager(mgr); err != nil {
-            setupLog.Error(err, "unable to setup admission webhook", "controller", "greptimedbcluster")
-            os.Exit(1)
+            return fmt.Errorf("setup greptimedbcluster webhook: %w", err)
         }
         if err := (&v1alpha1.GreptimeDBStandalone{}).SetupWebhookWithManager(mgr); err != nil {
-            setupLog.Error(err, "unable to setup admission webhook", "controller", "greptimedbstandalone")
-            os.Exit(1)
+            return fmt.Errorf("setup greptimedbstandalone webhook: %w", err)
         }
+        return nil
+    }
+    if err := setupWebhooks(); err != nil {
+        setupLog.Error(err, "unable to setup admission webhooks")
+        os.Exit(1)
+    }
 }

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0113cf2 and 6a1abed.

📒 Files selected for processing (1)

• cmd/operator/app/command.go (6 hunks)

🔇 Additional comments (2)

cmd/operator/app/command.go (2)

23-23: LGTM: Proper use of admission.v1 API

The code correctly uses the stable admission.v1 API instead of the deprecated v1beta1 version, following the recommendations from previous reviews.

Also applies to: 34-34, 68-70

---

101-101: LGTM: Proper manager configuration

The webhook server is correctly integrated into the manager configuration using the standard controller-runtime pattern.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

tests/e2e/setup/create-cluster.sh (2)

276-284: Enhance debugging capabilities with robust error handling and log preservation.

While the added logging is helpful, consider these improvements for better debugging:

1. Add error handling for kubectl commands
2. Handle multi-container pods
3. Include timestamps in logs
4. Preserve logs for post-mortem analysis

   kubectl get pods -A | grep -E 'e2e|greptimedb-operator' | awk '{print $2 " " $1}' | while read -r line; do
     namespace=$(echo "$line" | awk '{print $2}')
     pod=$(echo "$line" | awk '{print $1}')
-    echo "===> Describing pod $pod in namespace $namespace"
-    kubectl describe pod "$pod" -n "$namespace"
-    echo "===> Start dumping logs for pod $pod in namespace $namespace"
-    kubectl logs "$pod" -n "$namespace"
-    echo "<=== Finish dumping logs for pod $pod in namespace $namespace"
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ===> Describing pod $pod in namespace $namespace"
+    if ! kubectl describe pod "$pod" -n "$namespace" > "/tmp/e2e-${namespace}-${pod}-describe.log" 2>&1; then
+      echo "Failed to describe pod $pod in namespace $namespace"
+    fi
+    
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] ===> Start dumping logs for pod $pod in namespace $namespace"
+    # Handle multi-container pods
+    containers=$(kubectl get pod "$pod" -n "$namespace" -o jsonpath='{.spec.containers[*].name}')
+    for container in $containers; do
+      echo "[$(date '+%Y-%m-%d %H:%M:%S')] ====> Dumping logs for container $container"
+      if ! kubectl logs "$pod" -c "$container" -n "$namespace" > "/tmp/e2e-${namespace}-${pod}-${container}.log" 2>&1; then
+        echo "Failed to get logs for container $container in pod $pod"
+      fi
+    done
+    echo "[$(date '+%Y-%m-%d %H:%M:%S')] <=== Finish dumping logs for pod $pod in namespace $namespace"
   done

This enhancement:

• Adds timestamps to log entries
• Saves pod descriptions and logs to files for post-mortem analysis
• Handles multi-container pods by iterating through all containers
• Adds basic error handling for kubectl commands

---

Line range hint 19-20: Make timeout values configurable and component-specific.

The script uses a fixed timeout value of 300s for all wait operations. Different components might need different timeout values, especially when waiting for webhook components to be ready.

 CLUSTER_NAME=${1:-"greptimedb-operator-e2e"}
 KUBERNETES_VERSION=${2:-"v1.28.0"}
+
+# Configurable timeout values for different components
+OPERATOR_READY_TIMEOUT=${OPERATOR_READY_TIMEOUT:-"300s"}
+ETCD_READY_TIMEOUT=${ETCD_READY_TIMEOUT:-"300s"}
+KAFKA_READY_TIMEOUT=${KAFKA_READY_TIMEOUT:-"300s"}
+WEBHOOK_READY_TIMEOUT=${WEBHOOK_READY_TIMEOUT:-"60s"}
 
 # The argument for deploying local registry.
 REGISTRY_NAME=kind-registry
 REGISTRY_PORT=5001
-
-# The default timeout for waiting for resources to be ready.
-DEFAULT_TIMEOUT=300s

Then update the wait operations to use component-specific timeout values:

   kubectl wait \
     --for=condition=Ready \
     pod -l app.kubernetes.io/instance=etcd \
     -n "$ETCD_NAMESPACE" \
-    --timeout="$DEFAULT_TIMEOUT"
+    --timeout="$ETCD_READY_TIMEOUT"

This change:

• Makes timeout values configurable through environment variables
• Allows different timeouts for different components
• Provides reasonable defaults

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6a1abed and 4f3f033.

⛔ Files ignored due to path filters (2)

• config/manager/manager.yaml is excluded by !config/**
• manifests/bundle.yaml is excluded by !manifests/**

📒 Files selected for processing (1)

• tests/e2e/setup/create-cluster.sh (1 hunks)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

cmd/operator/app/options/options.go (2)

22-26: LGTM! Consider adding documentation about port assignments.

The constants are well-defined and follow a clear pattern. The port numbers are properly distributed without conflicts.

Consider adding a comment block above the constants explaining the purpose of each port to help with deployment planning and avoid potential conflicts:

// Port assignments:
// - 8080: Metrics endpoint for Prometheus scraping
// - 8081: API server for operator management
// - 8082: Admission webhook for validating/mutating resources
// - 9494: Health probe endpoint for kubernetes liveness/readiness checks

---

36-38: Add field documentation for better maintainability.

The new admission webhook fields are well-structured, but adding documentation would improve maintainability.

Consider adding documentation for the new fields:

+   // EnableAdmissionWebhook determines if the admission webhook server should be started
    EnableAdmissionWebhook  bool
+   // AdmissionWebhookPort is the port number the admission webhook server listens on
    AdmissionWebhookPort    int
+   // AdmissionWebhookCertDir is the directory containing the TLS certificate and private key for the webhook server
    AdmissionWebhookCertDir string

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 949783a and bef5aa1.

📒 Files selected for processing (2)

• cmd/operator/app/options/options.go (2 hunks)
• tests/e2e/setup/kafka-wal.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/e2e/setup/kafka-wal.yaml

🔇 Additional comments (2)

cmd/operator/app/options/options.go (2)

48-50: LGTM! Sensible defaults for admission webhook configuration.

The default configuration is well-thought-out:

• Webhook disabled by default (safe for backward compatibility)
• Port and cert directory aligned with declared constants

---

61-63: Enhance flag descriptions and verify usage.

The flag implementation is correct, but the descriptions could be more detailed to help users understand the implications.

Consider enhancing the flag descriptions:

-   "Enable admission webhook for GreptimeDB operator."
+   "Enable admission webhook for validating and mutating GreptimeDB resources. Requires valid certificates in the specified directory."

-   "The port the admission webhook binds to."
+   "The port number for the admission webhook server. Ensure this port is accessible from the Kubernetes API server."

-   "The directory that contains the server key and certificate."
+   "Directory containing the TLS certificate (tls.crt) and private key (tls.key) for the webhook server. Must be readable by the operator process."

Let's verify the flag usage in the codebase:

✅ Verification successful

Let me gather more information about the webhook implementation to ensure the flags are properly used.

---

Let me check one more thing about the webhook implementation.

---

Let me try one last search with a different path.

---

Enhance flag descriptions and verify webhook configuration

The flag implementation is correct, and based on the codebase analysis:

• The flags are properly used in cmd/operator/app/command.go for webhook configuration
• The webhook configuration is present in config/webhook/ with proper manifests and service definitions
• Default values are sensibly set (defaultAdmissionWebhookPort = 8082, defaultAdmissionWebhookCertDir = "/etc/greptimedb/admission-webhook-tls")

The suggested description improvements are still valid and would be helpful:

-   "Enable admission webhook for GreptimeDB operator."
+   "Enable admission webhook for validating and mutating GreptimeDB resources. Requires valid certificates in the specified directory."

-   "The port the admission webhook binds to."
+   "The port number for the admission webhook server. Ensure this port is accessible from the Kubernetes API server."

-   "The directory that contains the server key and certificate."
+   "Directory containing the TLS certificate (tls.crt) and private key (tls.key) for the webhook server. Must be readable by the operator process."

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if these flags are properly used in deployment manifests
rg --type yaml "admission-webhook|webhook" config/

Length of output: 3617

---

Script:

#!/bin/bash
# Check webhook implementation and flag usage
rg "EnableAdmissionWebhook|AdmissionWebhookPort|AdmissionWebhookCertDir" --type go

# Check if there's a webhook setup in the code
ast-grep --pattern 'func Setup$$$Webhook($$$) {
  $$$
}'

Length of output: 1587

---

Script:

#!/bin/bash
# Check webhook server setup and configuration
rg "webhook" --type go -A 5 internal/

Length of output: 87

---

Script:

#!/bin/bash
# Check webhook implementation in pkg directory
rg "webhook" --type go -A 5 pkg/

Length of output: 32