Inject pod readiness gate

Makefile

@@ -98,10 +98,17 @@ docker-build: test ## Build docker image with the manager.
 docker-push: ## Push docker image with the manager.
 	docker push ${IMG}
 
+# also generates a placeholder cert for the webhook - this cert is not intended to be valid
 .PHONY: build-deploy
 build-deploy: ## Create a deployment file that can be applied with `kubectl apply -f deploy.yaml`
 	cd config/manager && kustomize edit set image controller=${ECRIMAGES}
 	kustomize build config/default > deploy.yaml
+	openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=not-a-real-cn/O=not-a-real-o" > /dev/null 2>&1
+	$(eval export KEY_B64 := $(shell cat tls.key | base64))
+	$(eval export CERT_B64 := $(shell cat tls.crt | base64))
+	yq -i e '(.[] as $$item | select(.metadata.name == "webhook-cert" and .kind == "Secret") | .data."tls.crt") = env(CERT_B64)' deploy.yaml 2>&1
+	yq -i e '(.[] as $$item | select(.metadata.name == "webhook-cert" and .kind == "Secret") | .data."tls.key") = env(KEY_B64)' deploy.yaml 2>&1
+	rm tls.key tls.crt
 
 .PHONY: manifest
 manifest: ## Generate CRD manifest
@@ -144,3 +151,20 @@ api-reference: ## Update documentation in docs/api-reference.md
 docs:
 	mkdir -p site
 	mkdocs build
+
+# NB webhook tests can only run if the controller is deployed to the cluster
+webhook-e2e-test-namespace := "webhook-e2e-test"
+
+.PHONY: webhook-e2e-test
+webhook-e2e-test:
+	@kubectl create namespace $(webhook-e2e-test-namespace) > /dev/null 2>&1 || true # ignore already exists error
+	LOG_LEVEL=debug
+	cd test && go test \
+		-p 1 \
+		-count 1 \
+		-timeout 10m \
+		-v \
+		./suites/webhook/... \
+		--ginkgo.focus="${FOCUS}" \
+		--ginkgo.skip="${SKIP}" \
+		--ginkgo.v

cmd/aws-application-networking-k8s/main.go

@@ -18,10 +18,11 @@ package main
 
 import (
 	"flag"
-	"os"
-
+	"github.com/aws/aws-application-networking-k8s/pkg/webhook"
 	"github.com/go-logr/zapr"
 	"go.uber.org/zap/zapcore"
+	"os"
+	k8swebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/aws/aws-application-networking-k8s/pkg/aws"
 	"github.com/aws/aws-application-networking-k8s/pkg/utils/gwlog"
@@ -49,7 +50,6 @@ import (
 	"github.com/aws/aws-application-networking-k8s/pkg/config"
 	"github.com/aws/aws-application-networking-k8s/pkg/k8s"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
 var (
@@ -128,14 +128,24 @@ func main() {
 		setupLog.Fatal("cloud client setup failed: %s", err)
 	}
 
+	// do not create the webhook server when running locally
+	var webhookServer k8swebhook.Server
+	isLocalDev := config.DevMode != ""
+	if !isLocalDev {
+		webhookServer = k8swebhook.NewServer(k8swebhook.Options{
+			Port:     9443,
+			CertDir:  "/etc/webhook-cert/",
+			CertName: "tls.crt",
+			KeyName:  "tls.key",
+		})
+	}
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme: scheme,
 		Metrics: metricsserver.Options{
 			BindAddress: metricsAddr,
 		},
-		WebhookServer: webhook.NewServer(webhook.Options{
-			Port: 9443,
-		}),
+		WebhookServer:          webhookServer,
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "amazon-vpc-lattice.io",
@@ -144,6 +154,15 @@ func main() {
 		setupLog.Fatal("manager setup failed:", err)
 	}
 
+	if !isLocalDev {
+		// register webhook handlers
+		readinessGateInjector := webhook.NewPodReadinessGateInjector(
+			mgr.GetClient(),
+			log.Named("pod-readiness-gate-injector"),
+		)
+		webhook.NewPodMutator(scheme, readinessGateInjector).SetupWithManager(mgr)
+	}
+
 	finalizerManager := k8s.NewDefaultFinalizerManager(mgr.GetClient())
 
 	// parent logging scope for all controllers

config/default/kustomization.yaml

@@ -1,26 +1,10 @@
-# Adds namespace to all resources.
-#namespace: code-aws-application-networking-system
-
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-#namePrefix: code-
-
-# Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
-
-bases:
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
 - ../crds
 - ../rbac
 - ../manager
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../webhook
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 
@@ -33,42 +17,3 @@ patchesStrategicMerge:
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 #- manager_config_patch.yaml
-
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- manager_webhook_patch.yaml
-
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service

config/manager/manager.yaml

@@ -60,5 +60,26 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
+        volumeMounts:
+          - mountPath: /etc/webhook-cert
+            name: webhook-cert
+            readOnly: true
       serviceAccountName: gateway-api-controller
       terminationGracePeriodSeconds: 10
+      volumes:
+        - name: webhook-cert
+          secret:
+            defaultMode: 420
+            secretName: webhook-cert
+---
+# placeholder secret so volume can mount successfully and controller can start
+# populated during make-deploy. Will not pass validations (no CA, expires after 1 day, wrong DNS names)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-cert
+  namespace: aws-application-networking-system
+type: kubernetes.io/tls
+data:
+    tls.crt: Cg==
+    tls.key: Cg==

config/prometheus/kustomization.yaml

@@ -1,2 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
 - monitor.yaml

config/rbac/kustomization.yaml

@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
 # All RBAC will be applied under this service account in
 # the deployment namespace. You may comment out this resource

config/webhook/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - manifests.yaml

config/webhook/manifests.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: aws-appnet-gwc-mutating-webhook
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: webhook-service
+        namespace: aws-application-networking-system
+        path: /mutate-pod
+    failurePolicy: Fail
+    name: mpod.gwc.k8s.aws
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - pods
+    sideEffects: None
+    namespaceSelector:
+      matchExpressions:
+        - key: application-networking.k8s.aws/pod-readiness-gate-inject
+          operator: In
+          values:
+            - enabled
+    objectSelector:
+      matchExpressions:
+        - key: app.kubernetes.io/name
+          operator: NotIn
+          values:
+            - gateway-api-controller
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-service
+  namespace: aws-application-networking-system
+spec:
+  ports:
+    - port: 443
+      targetPort: 9443
+  selector:
+    control-plane: gateway-api-controller