jsonnet: allow rollout-operator to be used as webhook endpoint

This change adds jsonnet configuration that allows the rollout-operator to be
used as a validating or mutating webhook for changes to statefulsets. This is
required to use the `no-downscale` or `prepare-downscale` labels on stateful
components.

This doesn't make any changes to the functionality used internally at Grafana
or make anything more configurable. For example, this jsonnet still has the
rollout-operator create self-signed certificates for the HTTPS webhook
endpoints.

Signed-off-by: Nick Pillitteri <nick.pillitteri@grafana.com>

CHANGELOG.md

@@ -73,6 +73,7 @@
   * `ingest_storage_migration_partition_ingester_zone_c_replicas`
 * [ENHANCEMENT] Distributor: increase `-distributor.remote-timeout` when the experimental ingest storage is enabled. #8518
 * [ENHANCEMENT] Memcached: Update to Memcached 1.6.28 and memcached-exporter 0.14.4. #8557
+* [ENHANCEMENT] Rollout-operator: Allow the rollout-operator to be used as Kubernetes statefulset webhook to enable `no-downscale` and `prepare-downscale` annotations to be used on ingesters or store-gateways. #8743
 
 ### Mimirtool
 
@@ -82,8 +83,8 @@
 
 * [CHANGE] Use test metrics that do not pass through 0 to make identifying incorrect results easier. #8630
 * [ENHANCEMENT] Include human-friendly timestamps in diffs logged when a test fails. #8630
-* [BUGFIX] Initialize test result metrics to 0 at startup so that alerts can correctly identify the first failure after startup. #8630
 * [ENHANCEMENT] Add histograms to measure latency of read and write requests. #8583
+* [BUGFIX] Initialize test result metrics to 0 at startup so that alerts can correctly identify the first failure after startup. #8630
 
 ### Query-tee
 

operations/helm/charts/mimir-distributed/templates/metamonitoring/grafana-agent-cluster-role-binding.yaml

@@ -4,7 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "mimir.resourceName" (dict "ctx" $ "component" "grafana-agent") }}
-  namespace: {{ .namespace | default $.Release.Namespace | quote }}
   labels:
     {{- include "mimir.labels" (dict "ctx" $ "component" "meta-monitoring" ) | nindent 4 }}
 roleRef:

operations/helm/charts/mimir-distributed/templates/metamonitoring/grafana-agent-cluster-role.yaml

@@ -4,7 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ include "mimir.resourceName" (dict "ctx" $ "component" "grafana-agent") }}
-  namespace: {{ .namespace | default $.Release.Namespace | quote }}
   labels:
     {{- include "mimir.labels" (dict "ctx" $ "component" "meta-monitoring" ) | nindent 4 }}
 rules:

operations/helm/tests/metamonitoring-values-generated/mimir-distributed/templates/metamonitoring/grafana-agent-cluster-role-binding.yaml

@@ -4,7 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: metamonitoring-values-mimir-grafana-agent
-  namespace: "citestns"
   labels:
     app.kubernetes.io/name: mimir
     app.kubernetes.io/instance: metamonitoring-values

operations/helm/tests/metamonitoring-values-generated/mimir-distributed/templates/metamonitoring/grafana-agent-cluster-role.yaml

@@ -4,7 +4,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: metamonitoring-values-mimir-grafana-agent
-  namespace: "citestns"
   labels:
     app.kubernetes.io/name: mimir
     app.kubernetes.io/instance: metamonitoring-values

operations/mimir-tests/test-multi-zone-with-store-gateway-automated-downscaling-generated.yaml

@@ -201,6 +201,33 @@ metadata:
   namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: rollout-operator-default-webhook-cert-update-role
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  - mutatingwebhookconfigurations
+  verbs:
+  - list
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rollout-operator-default-webhook-cert-secret-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rollout-operator-default-webhook-cert-update-role
+subjects:
+- kind: ServiceAccount
+  name: rollout-operator
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: rollout-operator-role
@@ -232,6 +259,28 @@ rules:
   - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: rollout-operator-webhook-cert-secret-role
+  namespace: default
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resourceNames:
+  - rollout-operator-self-signed-certificate
+  resources:
+  - secrets
+  verbs:
+  - update
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: rollout-operator-rolebinding
@@ -245,6 +294,20 @@ subjects:
   name: rollout-operator
   namespace: default
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: rollout-operator-webhook-cert-secret-rolebinding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: rollout-operator-webhook-cert-secret-role
+subjects:
+- kind: ServiceAccount
+  name: rollout-operator
+  namespace: default
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -551,6 +614,20 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  name: rollout-operator
+  namespace: default
+spec:
+  ports:
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    name: rollout-operator
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     name: ruler
@@ -1015,6 +1092,7 @@ spec:
     spec:
       containers:
       - args:
+        - --server-tls.enabled=true
         - -kubernetes.namespace=default
         image: grafana/rollout-operator:v0.17.0
         imagePullPolicy: IfNotPresent
@@ -2391,3 +2469,75 @@ spec:
         memory: 512Mi
   size: 3
   version: 3.3.13
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  labels:
+    grafana.com/inject-rollout-operator-ca: "true"
+    grafana.com/namespace: default
+  name: prepare-downscale-default
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: rollout-operator
+      namespace: default
+      path: /admission/prepare-downscale
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: prepare-downscale-default.grafana.com
+  namespaceSelector:
+    matchLabels:
+      kubernetes.io/metadata.name: default
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - statefulsets
+    - statefulsets/scale
+    scope: Namespaced
+  sideEffects: NoneOnDryRun
+  timeoutSeconds: 10
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    grafana.com/inject-rollout-operator-ca: "true"
+    grafana.com/namespace: default
+  name: no-downscale-default
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: rollout-operator
+      namespace: default
+      path: /admission/no-downscale
+      port: 443
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: no-downscale-default.grafana.com
+  namespaceSelector:
+    matchLabels:
+      kubernetes.io/metadata.name: default
+  rules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - UPDATE
+    resources:
+    - statefulsets
+    - statefulsets/scale
+    scope: Namespaced
+  sideEffects: None
+  timeoutSeconds: 10

operations/mimir-tests/test-multi-zone-with-store-gateway-automated-downscaling.jsonnet

@@ -1,6 +1,7 @@
 // Based on test-multi-zone.jsonnet.
 (import 'test-multi-zone.jsonnet') {
   _config+:: {
+    enable_rollout_operator_webhook: true,
     store_gateway_automated_downscale_enabled: true,
     store_gateway_automated_downscale_min_time_between_zones: '20m',
   },