From 85c9ff1555749f9a7652b96d907b115fda4dc25e Mon Sep 17 00:00:00 2001 From: Dan Prince Date: Thu, 19 Dec 2024 07:12:37 -0500 Subject: [PATCH] bindata: add support for service operator webhooks Currently configured just to extra webhooks for the infra operator as it is also a multigroup operator which requires webhooks to be enabled --- .../operator.openstack.org_openstacks.yaml | 3 +- .../operator/v1beta1/zz_generated.deepcopy.go | 1 - .../operator.openstack.org_openstacks.yaml | 3 +- config/operator/managers.yaml | 17 +++ config/operator/rbac/role.yaml | 1 - hack/sync-bindata.sh | 114 +++++++++++++++++- 6 files changed, 128 insertions(+), 11 deletions(-) diff --git a/apis/bases/operator.openstack.org_openstacks.yaml b/apis/bases/operator.openstack.org_openstacks.yaml index cd4bc2838..ca4161ede 100644 --- a/apis/bases/operator.openstack.org_openstacks.yaml +++ b/apis/bases/operator.openstack.org_openstacks.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: openstacks.operator.openstack.org spec: group: operator.openstack.org diff --git a/apis/operator/v1beta1/zz_generated.deepcopy.go b/apis/operator/v1beta1/zz_generated.deepcopy.go index 8ea973b19..4c181de9a 100644 --- a/apis/operator/v1beta1/zz_generated.deepcopy.go +++ b/apis/operator/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2022. diff --git a/config/crd/bases/operator.openstack.org_openstacks.yaml b/config/crd/bases/operator.openstack.org_openstacks.yaml index cd4bc2838..ca4161ede 100644 --- a/config/crd/bases/operator.openstack.org_openstacks.yaml +++ b/config/crd/bases/operator.openstack.org_openstacks.yaml 
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: openstacks.operator.openstack.org spec: group: operator.openstack.org diff --git a/config/operator/managers.yaml b/config/operator/managers.yaml index d416bfd3f..f38e8606a 100644 --- a/config/operator/managers.yaml +++ b/config/operator/managers.yaml @@ -30,7 +30,11 @@ spec: - /manager env: - name: ENABLE_WEBHOOKS +{{ if eq $operatorName "infra" }} + value: 'true' +{{ else }} value: 'false' +{{ end }} image: {{ $operatorImage }} livenessProbe: httpGet: @@ -54,6 +58,12 @@ spec: memory: 128Mi securityContext: allowPrivilegeEscalation: false +{{ if eq $operatorName "infra" }} + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true +{{ end }} - args: - --secure-listen-address=0.0.0.0:8443 - --upstream=http://127.0.0.1:8080/ @@ -78,5 +88,12 @@ spec: runAsNonRoot: true serviceAccountName: {{ $operatorName }}-operator-controller-manager terminationGracePeriodSeconds: 10 +{{ if eq $operatorName "infra" }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: {{ $operatorName }}-operator-serving-cert +{{ end }} --- {{ end }} diff --git a/config/operator/rbac/role.yaml b/config/operator/rbac/role.yaml index d865d0b51..09ccf9607 100644 --- a/config/operator/rbac/role.yaml +++ b/config/operator/rbac/role.yaml @@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: operator-role rules: - apiGroups: diff --git a/hack/sync-bindata.sh b/hack/sync-bindata.sh index fc128c84f..3dd4a754d 100755 --- a/hack/sync-bindata.sh +++ b/hack/sync-bindata.sh 
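Review bot: The `eq $operatorName "infra"` test is written out three times in config/operator/managers.yaml (here around `ENABLE_WEBHOOKS`, and again in the hunks at -54 and -78 for `volumeMounts` and `volumes`), and the three copies have to stay in lockstep. If they drift, an operator could end up with `ENABLE_WEBHOOKS` set to `'true'` but no `cert` mount, and its webhook server would presumably find no serving certificate under `/tmp/k8s-webhook-server/serving-certs`. Computing the flag once, for example `{{ $webhooks := eq $operatorName "infra" }}` next to where `$operatorName` is bound, and using `{{ if $webhooks }}` in all three places would keep the env var and the certificate wiring tied together. The binding of `$operatorName` and the enclosing loop are outside these hunks, so the exact placement needs checking against the full template.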
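Review bot: `defaultMode: 420` on the new `cert` volume (hunk at -78) is decimal for octal 0644, so the TLS private key from `{{ $operatorName }}-operator-serving-cert` is mounted readable by any UID in the manager container. A comment above it such as `# 420 == 0644 octal; tightening to 0440 needs a matching fsGroup because the pod runs as non-root` would record that the mode is a deliberate choice. Separately, the secret volume is not marked `optional`, and none of the visible hunks create that secret, so the pod will not start until it exists. Presumably the truncated part of hack/sync-bindata.sh or the cluster's certificate tooling provides it, which is worth confirming. The pod spec this volume belongs to begins outside the hunk.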
@@ -5,6 +5,12 @@ # -TODO: role data set -ex +OUT_DATA=bindata +EXTRACT_DIR=tmp/bindata + +mkdir -p "$EXTRACT_DIR" +mkdir -p "$OUT_DATA/crds" + function extract_bundle { local IN_DIR=$1 local OUT_DIR=$2 @@ -13,11 +19,105 @@ function extract_bundle { done } -OUT_DATA=bindata -EXTRACT_DIR=tmp/bindata -mkdir -p "$EXTRACT_DIR" -mkdir -p "$OUT_DATA/crds" +function extract_webhooks { +local CSV_FILENAME=$1 +local OPERATOR_NAME=$2 +local TYPE=$3 + +cat $CSV_FILENAME | yq -r ".spec.webhookdefinitions.[] | select(.type == \"$TYPE\")" | \ + sed -e '/^containerPort:/d' | \ + sed -e '/^deploymentName:/d' | \ + sed -e '/^targetPort:/d' | \ + sed -e '/^type:/d' | \ + sed -e 's|^| |' | sed -e 's|.*admissionReviewVersions:|- admissionReviewVersions:|' | \ + sed -e 's|.*generateName:| name:|' | \ + sed -e 's| - v1| - v1|' | \ + sed -e "s|.*webhookPath:| clientConfig:\n service:\n name: ${OPERATOR_NAME}-webhook-service\n namespace: '{{ .OperatorNamespace }}'\n path:|" + +} + + +function write_webhooks { +local CSV_FILENAME=$1 +local OPERATOR_NAME=$2 + +MUTATING_WEBHOOKS=$(extract_webhooks "$CSV_FILENAME" "$OPERATOR_NAME" "MutatingAdmissionWebhook") +VALIDATING_WEBHOOKS=$(extract_webhooks "$CSV_FILENAME" "$OPERATOR_NAME" "ValidatingAdmissionWebhook") + +cat > operator/$OPERATOR_NAME-webhooks.yaml < rbac/$OPERATOR_NAME-rbac.yaml <