add webhook config to helm chart
bakito committed Feb 2, 2022
1 parent c7186b7 commit f5ceec6
Showing 12 changed files with 171 additions and 47 deletions.
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -26,4 +26,5 @@ bin
*~
/helm/*-values.yaml
dist
gomock*
gomock*
certs
23 changes: 5 additions & 18 deletions Makefile
Expand Up @@ -21,25 +21,8 @@ test: generate mocks tidy fmt vet manifests
manager: generate fmt vet
go build -o bin/manager main.go

# Run against the configured Kubernetes cluster in ~/.kube/config
run: generate fmt vet manifests
go run ./main.go

# Install CRDs into a cluster
install: manifests kustomize
$(KUSTOMIZE) build config/crd | kubectl apply -f -

# Uninstall CRDs from a cluster
uninstall: manifests kustomize
$(KUSTOMIZE) build config/crd | kubectl delete -f -

# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: manifests kustomize
cd config/manager && kustomize edit set image controller=${IMG}
$(KUSTOMIZE) build config/default | kubectl apply -f -

manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./pkg/..." paths="./api/..." paths="./controllers/..." output:crd:artifacts:config=config/crd/bases
cp config/crd/bases/*.yaml helm/crds/

generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
Expand Down Expand Up @@ -84,6 +67,10 @@ mocks: mockgen

$(MOCKGEN) -destination pkg/mocks/logr/mock.go github.com/go-logr/logr LogSink

.PHONY: lint-helm
lint-helm:
helm lint helm/ --set webhook.enabled=true --set webhook.certManager.enabled=true

CONTROLLER_GEN = ./bin/controller-gen
controller-gen: ## Download controller-gen locally if necessary.
$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/[email protected])
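Review bot: `lint-helm` renders the chart for a single configuration (`--set webhook.enabled=true --set webhook.certManager.enabled=true`), so the default rendering with the webhook disabled and the `openShiftServiceCert` branch that `service.yaml` and `validating.yaml` switch on are never linted, and a template error in either surfaces only at install time. Two further invocations, `helm lint helm/` and `helm lint helm/ --set webhook.enabled=true --set webhook.openShiftServiceCert.enabled=true`, cover every branch the templates take. In the `manifests` hunk the new `paths=` list still copies only the CRDs into the chart (`cp config/crd/bases/*.yaml helm/crds/`); whatever the `webhook` generator emits under `config/` is not copied, so the hand-written `helm/templates/webhook/validating.yaml` must be kept in sync with the kubebuilder marker by hand, and a comment on the target saying so (`## webhook config is maintained by hand in helm/templates/webhook/`) would save the next person a surprise.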
20 changes: 10 additions & 10 deletions PROJECT
@@ -1,17 +1,17 @@
domain: bakito.ch
layout: go.kubebuilder.io/v2
layout:
- go.kubebuilder.io/v3
plugins:
manifests.sdk.operatorframework.io/v2: {}
scorecard.sdk.operatorframework.io/v2: {}
projectName: k8s-event-logger-operator
repo: github.com/bakito/k8s-event-logger-operator
resources:
- group: eventlogger
kind: EventLogger
version: v1
- group: eventlogger
kind: Event
version: v1
- group: eventlogger
kind: Pod
version: v1
version: 3-alpha
plugins:
go.sdk.operatorframework.io/v2-alpha: {}
webhooks:
defaulting: false
validation: true
webhookVersion: v1
version: "3"
13 changes: 1 addition & 12 deletions api/v1/eventlogger_webhook.go
Expand Up @@ -19,29 +19,18 @@ package v1
import (
"k8s.io/apimachinery/pkg/runtime"
ctrl "sigs.k8s.io/controller-runtime"
logf "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/webhook"
)

// log is for logging in this package.
var eventloggerlog = logf.Log.WithName("eventlogger-resource")

// SetupWebhookWithManager setup with manager
func (in *EventLogger) SetupWebhookWithManager(mgr ctrl.Manager) error {
return ctrl.NewWebhookManagedBy(mgr).
For(in).
Complete()
}

// +kubebuilder:webhook:path=/mutate-eventlogger-bakito-ch-v1-eventlogger,mutating=true,failurePolicy=fail,sideEffects=None,groups=eventlogger.bakito.ch,resources=eventloggers,verbs=create;update,versions=v1,name=meventlogger.kb.io,admissionReviewVersions={v1,v1beta1}
var _ webhook.Defaulter = &EventLogger{}

// Default implements webhook.Defaulter so a webhook will be registered for the type
func (in *EventLogger) Default() {
eventloggerlog.Info("default", "name", in.Name)
}
// +kubebuilder:webhook:verbs=create;update,path=/validate-eventlogger-bakito-ch-v1-eventlogger,mutating=false,failurePolicy=fail,sideEffects=None,groups=eventlogger.bakito.ch,resources=eventloggers,versions=v1,name=veventlogger.bakito.ch,admissionReviewVersions={v1,v1beta1}

// +kubebuilder:webhook:verbs=create;update,path=/validate-eventlogger-bakito-ch-v1-eventlogger,mutating=false,failurePolicy=fail,sideEffects=None,groups=eventlogger.bakito.ch,resources=eventloggers,versions=v1,name=veventlogger.kb.io,admissionReviewVersions={v1,v1beta1}
var _ webhook.Validator = &EventLogger{}

// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
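Review bot: The two printed marker lines disagree on the webhook name (`name=veventlogger.bakito.ch` on one, `name=veventlogger.kb.io` on the other) and this rendering does not show which one survives; the chart's `helm/templates/webhook/validating.yaml` registers `veventlogger.bakito.ch`, so whichever is current should match it, otherwise the generated `config/webhook` manifest and the chart register differently named entries for the same path. With the `Defaulter` gone nothing serves `/mutate-eventlogger-bakito-ch-v1-eventlogger` any more, so a `MutatingWebhookConfiguration` left behind by an earlier deployment (it was registered with `failurePolicy=fail`) would reject every EventLogger create and update; that deserves a line in the release notes or a pre-upgrade cleanup step. `SetupWebhookWithManager` is complete within the hunk; the file continues past it.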
1 change: 0 additions & 1 deletion api/v1/zz_generated.deepcopy.go


7 changes: 7 additions & 0 deletions helm/templates/_helpers.tpl
Expand Up @@ -73,3 +73,10 @@ Create the name of the role to use
{{ default "default" .Values.rbac.roleName }}
{{- end -}}
{{- end -}}

{{/*
Get the webhook cert secret name
*/}}
{{- define "k8s-event-logger-operator.webhookCertSecretName" -}}
{{- default (printf "%s-webhook" (include "k8s-event-logger-operator.fullname" .)) .Values.webhook.certsSecret.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
45 changes: 41 additions & 4 deletions helm/templates/deployment.yaml
Expand Up @@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "k8s-event-logger-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "k8s-event-logger-operator.labels" . | nindent 4 }}
spec:
Expand Down Expand Up @@ -47,9 +48,38 @@ spec:
- name: LOGGER_POD_LIMIT_MEM
value: "{{ .Values.eventLogger.resources.limits.memory }}"
- name: "ENABLE_WEBHOOKS"
value: "false"
value: "{{ .Values.webhook.enabled }}"
{{- if .Values.eventLogger.leaderElectionResourceLock }}
- name: EnvLeaderElectionResourceLock
value: .Values.eventLogger.leaderElectionResourceLock
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- toYaml .Values.resources | nindent 12 }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
ports:
- containerPort: 8080
name: metrics
{{- if .Values.webhook.enabled }}
- containerPort: 9443
name: webhook
{{- end }}
{{- if .Values.webhook.enabled }}
volumeMounts:
- mountPath: /opt/go/certs
name: "webhook-certs"
readOnly: true
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand All @@ -60,5 +90,12 @@ spec:
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.webhook.enabled }}
volumes:
- name: "webhook-certs"
secret:
defaultMode: 420
secretName: {{ include "k8s-event-logger-operator.webhookCertSecretName" . }}
{{- end }}
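Review bot: The new env entry `value: .Values.eventLogger.leaderElectionResourceLock` is missing the template delimiters, so whenever the value is set the container receives the literal string `.Values.eventLogger.leaderElectionResourceLock` as its resource-lock name; it should read `value: {{ .Values.eventLogger.leaderElectionResourceLock | quote }}`. The env name `EnvLeaderElectionResourceLock` also looks like the Go constant's identifier rather than its value — `main.go` reads `os.Getenv(EnvLeaderElectionResourceLock)` and the constant is defined outside this diff — so confirm the literal variable name and use that here. The secret volume is mounted `readOnly: true`, which is the right shape for key material; note that the mount path `/opt/go/certs` only meets the relative `CertDir: "certs"` in `main.go` if the image's working directory is `/opt/go`, which nothing in the chart pins down.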
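--- /dev/null
+++ b/helm/templates/service.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: {{ include "k8s-event-logger-operator.fullname" . }}
+labels:
+{{- include "k8s-event-logger-operator.labels" . | nindent 4 }}
+{{- if .Values.webhook.openShiftServiceCert.enabled }}
+annotations:
+service.beta.openshift.io/serving-cert-secret-name: {{ include "k8s-event-logger-operator.webhookCertSecretName" . }}
+{{- end }}
+namespace: {{ .Release.Namespace }}
+spec:
+ports:
+{{- if .Values.webhook.enabled }}
+- name: webhook
+port: 443
+targetPort: webhook
+{{- end }}
+- name: metrics
+protocol: TCP
+port: 8080
+targetPort: metrics
+selector:
+{{- include "k8s-event-logger-operator.selectorLabels" . | nindent 6 }}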
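Review bot: The OpenShift serving-cert annotation is gated on `.Values.webhook.openShiftServiceCert.enabled` alone, whereas `certificate.yaml` guards its objects with `and .Values.webhook.enabled …`; with the webhook off, the Service would still ask the service-CA operator to mint a serving certificate into a secret that nothing mounts. Using the same guard here, `{{- if and .Values.webhook.enabled .Values.webhook.openShiftServiceCert.enabled }}`, keeps the two templates consistent. The same Service now fronts the webhook on 443 and the controller-runtime metrics endpoint on 8080; that is the existing exposure, but a one-line comment above the `metrics` port noting it is reachable through this Service would help whoever later scopes it with a NetworkPolicy.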
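--- /dev/null
+++ b/helm/templates/webhook/certificate.yaml
@@ -0,0 +1,27 @@
+{{- if and (.Values.webhook.enabled) (.Values.webhook.certManager.enabled) -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: {{ include "k8s-event-logger-operator.fullname" . }}
+namespace: {{ .Release.Namespace }}
+labels:
+{{- include "k8s-event-logger-operator.labels" . | nindent 4 }}
+spec:
+selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: {{ include "k8s-event-logger-operator.fullname" . }}
+namespace: {{ .Release.Namespace }}
+labels:
+{{- include "k8s-event-logger-operator.labels" . | nindent 4 }}
+spec:
+dnsNames:
+- {{ include "k8s-event-logger-operator.fullname" . }}.{{ .Release.Namespace }}.svc
+- {{ include "k8s-event-logger-operator.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+issuerRef:
+kind: Issuer
+name: {{ include "k8s-event-logger-operator.fullname" . }}
+secretName: {{ include "k8s-event-logger-operator.webhookCertSecretName" . }}
+{{- end -}}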
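--- /dev/null
+++ b/helm/templates/webhook/validating.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.webhook.enabled -}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: validating-webhook-configuration
+{{- if .Values.webhook.openShiftServiceCert.enabled }}
+annotations:
+service.beta.openshift.io/inject-cabundle: "true"
+{{- end }}
+webhooks:
+- admissionReviewVersions:
+- v1
+- v1beta1
+clientConfig:
+caBundle: {{ .Values.webhook.caBundle }}
+service:
+name: {{ include "k8s-event-logger-operator.fullname" . }}
+namespace: {{ .Release.Namespace }}
+path: /validate-eventlogger-bakito-ch-v1-eventlogger
+failurePolicy: Fail
+name: veventlogger.bakito.ch
+rules:
+- apiGroups:
+- eventlogger.bakito.ch
+apiVersions:
+- v1
+operations:
+- CREATE
+- UPDATE
+resources:
+- eventloggers
+sideEffects: None
+{{- end -}}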
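Review bot: When `webhook.certManager.enabled` is set, `certificate.yaml` issues a self-signed certificate but nothing hands its CA to the API server: `clientConfig.caBundle` is always taken from `.Values.webhook.caBundle`, whose default `Cg==` decodes to a single newline, so the API server cannot verify the serving certificate and, with `failurePolicy: Fail`, every EventLogger create and update is rejected. cert-manager's cainjector fills `caBundle` from the Certificate when the configuration carries the `cert-manager.io/inject-ca-from: <namespace>/<certificate-name>` annotation; the block below adds it for the cert-manager branch alongside the existing OpenShift one and omits `caBundle` in both injected cases so a `helm upgrade` does not momentarily reset the injected value. Independently, `name: validating-webhook-configuration` is a cluster-scoped, non-release-specific name, so two releases of the chart in different namespaces contend for the same object; deriving it from the release name avoids that.

```yaml
metadata:
  name: {{ include "k8s-event-logger-operator.fullname" . }}
  {{- if .Values.webhook.openShiftServiceCert.enabled }}
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
  {{- else if .Values.webhook.certManager.enabled }}
  annotations:
    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "k8s-event-logger-operator.fullname" . }}
  {{- end }}
webhooks:
  - admissionReviewVersions:
    # … unchanged: v1, v1beta1 …
    clientConfig:
      {{- if not (or .Values.webhook.openShiftServiceCert.enabled .Values.webhook.certManager.enabled) }}
      caBundle: {{ .Values.webhook.caBundle }}
      {{- end }}
      # … unchanged: service, path …
    # … unchanged: failurePolicy, name, rules, sideEffects …
```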
10 changes: 10 additions & 0 deletions helm/values.yaml
Expand Up @@ -8,6 +8,7 @@ image:

eventLogger:
leaderElection: true
leaderElectionResourceLock:
resources:
requests:
cpu: 100m
Expand All @@ -20,6 +21,15 @@ logging: # see https://github.com/operator-framework/operator-sdk/blob/master/do
level: info
timeEncoding: iso8601

webhook:
enabled: false
certManager:
enabled: false
openShiftServiceCert:
enabled: false
certsSecret:
name:
caBundle: Cg==

nameOverride: ""
fullnameOverride: ""
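Review bot: `caBundle: Cg==` is the base64 of a single newline, i.e. an empty trust bundle, and `validating.yaml` copies it verbatim into `clientConfig.caBundle`; with `webhook.enabled: true` and neither injector enabled, the API server has nothing to verify the serving certificate against and, given `failurePolicy: Fail`, rejects every EventLogger write. The new block should say which combinations are valid: a comment such as `# base64-encoded PEM of the CA that signed the serving cert in certsSecret; required when neither certManager nor openShiftServiceCert is enabled` above `caBundle`, and `# existing Secret holding the serving cert and key; defaults to <fullname>-webhook` above `certsSecret.name`. `leaderElectionResourceLock:` is added with neither a value nor a comment, and the controller only reads it from the environment, so a comment naming the accepted lock types would help operators.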
12 changes: 11 additions & 1 deletion main.go
Expand Up @@ -38,6 +38,7 @@ import (
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
"k8s.io/klog/v2"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/log/zap"
)

Expand Down Expand Up @@ -95,6 +96,7 @@ func main() {
Scheme: scheme,
MetricsBindAddress: metricsAddr,
Port: 9443,
CertDir: "certs",
LeaderElection: enableLeaderElection && !enableLoggerMode,
LeaderElectionID: "leader.eventlogger.bakito.ch",
LeaderElectionResourceLock: os.Getenv(EnvLeaderElectionResourceLock),
Expand Down Expand Up @@ -136,7 +138,6 @@ func main() {
os.Exit(1)
}
}

} else {
if err = (&logging.Reconciler{
Client: mgr.GetClient(),
Expand All @@ -160,6 +161,15 @@ func main() {
}
}

if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
setupLog.Error(err, "unable to set up health check")
os.Exit(1)
}
if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
setupLog.Error(err, "unable to set up ready check")
os.Exit(1)
}

setupLog.Info("starting manager")
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
setupLog.Error(err, "problem running manager")
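Review bot: `CertDir: "certs"` is a relative path, so where the manager looks for its serving certificate depends on the process's working directory, while the chart mounts the secret at the absolute `/opt/go/certs`; the two only meet if the image's `WORKDIR` is `/opt/go`, which nothing in this diff pins down. An absolute path, or a flag/env var defaulting to it, makes the contract explicit: `CertDir: "/opt/go/certs",`. The chart's probes hit `/healthz` and `/readyz` on port 8081, but `HealthProbeBindAddress` does not appear in the visible part of the `Options` literal (which starts before the hunk); if it is not set elsewhere, controller-runtime does not start the probe server and the new `AddHealthzCheck`/`AddReadyzCheck` calls register checks that nothing serves, so the pod never becomes ready. `main` starts and ends outside these hunks.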
