
✨ improve webhook scaffolding
Mengqi Yu committed Jun 4, 2019
1 parent 86e5e18 commit b324032
Showing 24 changed files with 213 additions and 98 deletions.
1 change: 1 addition & 0 deletions pkg/scaffold/api.go
Expand Up @@ -162,6 +162,7 @@ func (api *API) scaffoldV2() error {
&resourcev2.Group{Resource: r},
&resourcev2.CRDSample{Resource: r},
&crdv2.EnableWebhookPatch{Resource: r},
&crdv2.EnableCAInjectionPatch{Resource: r},
)
if err != nil {
return fmt.Errorf("error scaffolding APIs: %v", err)
18 changes: 11 additions & 7 deletions pkg/scaffold/v2/certmanager/kustomize.go
Expand Up @@ -41,20 +41,24 @@ var kustomizationTemplate = `resources:
# the following config is for teaching kustomize how to do var substitution
vars:
- name: NAMESPACE # namespace of the service and the certificate CR
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATENAME
objref:
kind: Certificate
group: certmanager.k8s.io
version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml
- name: CERTIFICATENAMESPACE
- name: SERVICENAME
objref:
kind: Certificate
group: certmanager.k8s.io
version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
kind: Service
version: v1
name: webhook-service
configurations:
- kustomizeconfig.yaml
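Review bot: The NAMESPACE var is now taken from webhook-service's metadata.namespace, yet the same var is used as the Certificate's namespace in every `inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)` annotation, and nothing in this kustomization ties certificate.yaml to that namespace. If the Certificate lands elsewhere, cert-manager's cainjector has nothing to inject, the webhook keeps whatever placeholder caBundle its patch set, and the API server presumably cannot verify the serving certificate — a failure that surfaces at request time, not at apply time. I would make the coupling explicit on the CERTIFICATENAME entry: `# the Certificate must be created in the same namespace as webhook-service; $(NAMESPACE) is reused for both in the inject-ca-from annotations`. certificate.yaml itself is outside this diff.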
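--- a/pkg/scaffold/v2/crd/enablecainjection_patch.go
+++ b/pkg/scaffold/v2/crd/enablecainjection_patch.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+"fmt"
+"path/filepath"
+"strings"
+
+"github.com/markbates/inflect"
+
+"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+"sigs.k8s.io/kubebuilder/pkg/scaffold/v1/resource"
+)
+
+// EnableCAInjectionPatch scaffolds a EnableCAInjectionPatch for a Resource
+type EnableCAInjectionPatch struct {
+input.Input
+
+// Resource is the Resource to make the EnableCAInjectionPatch for
+Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (p *EnableCAInjectionPatch) GetInput() (input.Input, error) {
+if p.Path == "" {
+rs := inflect.NewDefaultRuleset()
+plural := rs.Pluralize(strings.ToLower(p.Resource.Kind))
+p.Path = filepath.Join("config", "crd", "patches",
+fmt.Sprintf("cainjection_in_%s.yaml", plural))
+}
+p.TemplateBody = EnableCAInjectionPatchTemplate
+return p.Input, nil
+}
+
+// Validate validates the values
+func (g *EnableCAInjectionPatch) Validate() error {
+return g.Resource.Validate()
+}
+
+var EnableCAInjectionPatchTemplate = `# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+annotations:
+certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
+`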
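Review bot: The second comment line of EnableCAInjectionPatchTemplate, `# CRD conversion requires k8s 1.13 or later.`, is carried over from the conversion-webhook patch and does not describe this patch, which only adds an annotation; the prerequisite that actually matters is that `$(NAMESPACE)` and `$(CERTIFICATENAME)` are declared in config/certmanager/kustomization.yaml, so the patch only resolves when `../certmanager` is among the bases. I would replace that line with `# Requires the [CERTMANAGER] base: $(NAMESPACE) and $(CERTIFICATENAME) are declared in config/certmanager/kustomization.yaml.` Separately, the receiver is `p` in GetInput and `g` in Validate; use one name for both. The exported `EnableCAInjectionPatchTemplate` has no doc comment, and its sibling `enableWebhookPatchTemplate` is unexported, so exporting only this one looks unintentional — either unexport it or document why callers outside the package need it.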
10 changes: 4 additions & 6 deletions pkg/scaffold/v2/crd/enablewebhook_patch.go
Expand Up @@ -52,13 +52,11 @@ func (g *EnableWebhookPatch) Validate() error {
return g.Resource.Validate()
}

// TODO(mengqiy): plural of the resources
var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRDw
var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
spec:
conversion:
Expand All @@ -68,7 +66,7 @@ spec:
# but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
caBundle: Cg==
service:
namespace: $(NAMESPACE)
namespace: system
name: webhook-service
path: /convert-{{ lower .Resource.Kind }}
path: /convert
`
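Review bot: With the `inject-ca-from` annotation moved out of this patch, enabling `webhook_in_<plural>.yaml` on its own now leaves `caBundle: Cg==` (base64 of a single newline) in the CRD, so unless the matching `cainjection_in_<plural>.yaml` patch or a hand-written caBundle patch is also enabled the API server has no CA with which to verify the conversion webhook's serving certificate and conversions presumably fail at request time. The existing comment above caBundle should state that dependency rather than just "we're going to set it later": `# caBundle is a placeholder; enable patches/cainjection_in_<plural>.yaml (cert-manager) or patch in your own CA, otherwise conversion requests fail TLS verification`. The hard-coded `namespace: system` only works because the new namespace fieldspec in crd/kustomizeconfig.yaml rewrites it; a one-line `# rewritten by the namespace transformer, see kustomizeconfig.yaml` would save the next reader the search. The template var begins in the first hunk of this file, which is fully visible here.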
20 changes: 13 additions & 7 deletions pkg/scaffold/v2/crd/kustomization.go
Expand Up @@ -29,8 +29,9 @@ import (
)

const (
kustomizeResourceScaffoldMarker = "# +kubebuilder:scaffold:kustomizeresource"
kustomizePatchScaffoldMarker = "# +kubebuilder:scaffold:kustomizepatch"
kustomizeResourceScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizeresource"
kustomizeWebhookPatchScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizewebhookpatch"
kustomizeCAInjectionPatchScaffoldMarker = "# +kubebuilder:scaffold:crdkustomizecainjectionpatch"
)

var _ input.File = &Kustomization{}
Expand Down Expand Up @@ -64,12 +65,14 @@ func (c *Kustomization) Update() error {
plural := rs.Pluralize(strings.ToLower(c.Resource.Kind))

kustomizeResourceCodeFragment := fmt.Sprintf("- bases/%s.%s_%s.yaml\n", c.Resource.Group, c.Domain, plural)
kustomizePatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural)
kustomizeWebhookPatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural)
kustomizeCAInjectionPatchCodeFragment := fmt.Sprintf("#- patches/cainjection_in_%s.yaml\n", plural)

return internal.InsertStringsInFile(c.Path,
map[string][]string{
kustomizeResourceScaffoldMarker: []string{kustomizeResourceCodeFragment},
kustomizePatchScaffoldMarker: []string{kustomizePatchCodeFragment},
kustomizeResourceScaffoldMarker: {kustomizeResourceCodeFragment},
kustomizeWebhookPatchScaffoldMarker: {kustomizeWebhookPatchCodeFragment},
kustomizeCAInjectionPatchScaffoldMarker: {kustomizeCAInjectionPatchCodeFragment},
})
}

Expand All @@ -80,10 +83,13 @@ resources:
%s
patches:
# patches here are for enabling the conversion webhook for each CRD
# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
%s
# [CAINJECTION] patches here are for enabling the CA injection for each CRD
%s
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
`, kustomizeResourceScaffoldMarker, kustomizePatchScaffoldMarker)
`, kustomizeResourceScaffoldMarker, kustomizeWebhookPatchScaffoldMarker, kustomizeCAInjectionPatchScaffoldMarker)
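Review bot: Renaming the markers to `crdkustomizeresource` / `crdkustomizewebhookpatch` breaks `Update()` for every project scaffolded before this commit, whose crd/kustomization.yaml still carries `# +kubebuilder:scaffold:kustomizeresource` and `# +kubebuilder:scaffold:kustomizepatch`; whether `internal.InsertStringsInFile` errors or silently inserts nothing for a missing marker is outside this hunk, but either way new CRD bases stop being registered for those projects. Keep the old strings as accepted aliases (a `legacyKustomizeResourceScaffoldMarker` passed alongside the new key, or a one-time rewrite of the old marker) or at least call the break out in the release notes. The trailing template comment `# the following config is for teaching kustomize how to do kustomization for CRDs.` is also vaguer than it needs to be; `# kustomizeconfig.yaml tells kustomize where the webhook service name/namespace and the $(...) vars live inside a CRD` says what that file actually configures.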
7 changes: 5 additions & 2 deletions pkg/scaffold/v2/crd/kustomizeconfig.go
Expand Up @@ -48,9 +48,12 @@ nameReference:
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
varReference:
- path: metadata/annotations
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations
`
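Review bot: The new `namespace:` fieldspec has no comment explaining what it is for, and the reader has to find the `namespace: system` placeholder in patches/webhook_in_<plural>.yaml to understand why it exists. As I read kustomize's `create` flag, `create: false` is what keeps CRDs that have no conversion section untouched, which is worth stating so nobody "fixes" it to `true`. I would add above the entry: `# let the namespace transformer rewrite the conversion webhook's service namespace (the 'system' placeholder in the webhook patches); create: false leaves CRDs without a conversion webhook alone`. The nameReference part of this template starts outside the hunk.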
11 changes: 6 additions & 5 deletions pkg/scaffold/v2/kustomize.go
Expand Up @@ -69,9 +69,9 @@ bases:
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] Uncomment next line to enable cert-manager
# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
#- ../certmanager
patches:
Expand All @@ -87,10 +87,11 @@ patches:
# manager_prometheus_metrics_patch.yaml should be enabled.
#- manager_prometheus_metrics_patch.yaml
# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
#- manager_webhook_patch.yaml
# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be
# enabled to use ca injection
# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks.
# Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
# 'CERTMANAGER' needs to be enabled to use ca injection
#- webhookcainjection_patch.yaml
`
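Review bot: The new [CAINJECTION] comment misdescribes the crd/ patches: `Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks` — those patches annotate the CRDs so cert-manager injects the CA into the conversion webhook config (their own header says `inject CA into the CRD`), while `webhookcainjection_patch.yaml` is what covers the admission webhook configurations. I would collapse the three lines to `# [CAINJECTION] Uncomment the next line to have cert-manager inject the CA into the admission webhook configurations;` / `# uncomment the [CAINJECTION] patches in crd/kustomization.yaml to do the same for the CRD conversion webhooks.` / `# Both require [CERTMANAGER], which in turn requires [WEBHOOK].` The `[CERTMANAGER]` line says `'WEBHOOK' components are required` without saying why; a short reason (the Certificate and its vars reference webhook-service) keeps users from enabling cert-manager with the webhook base still commented out.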
14 changes: 10 additions & 4 deletions pkg/scaffold/v2/main.go
Expand Up @@ -138,21 +138,27 @@ func init() {
%s
}
// Persmissions to do leader election.
// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
func main() {
var metricsAddr string
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
flag.Parse()
ctrl.SetLogger(zap.Logger(true))
// Persmissions to do leader election.
// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
leaderElectionNamespace := "default"
if len(os.Getenv("POD_NAMESPACE")) != 0 {
leaderElectionNamespace = os.Getenv("POD_NAMESPACE")
}
mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
Scheme: scheme,
MetricsBindAddress: metricsAddr,
LeaderElection: true,
LeaderElectionNamespace: "default",
LeaderElectionNamespace: leaderElectionNamespace,
})
if err != nil {
setupLog.Error(err, "unable to start manager")
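Review bot: Falling back to `"default"` when POD_NAMESPACE is unset hides a misconfiguration instead of surfacing it: a Deployment that drops the env var this commit adds in manager/config.go would take its leader lock in `default`, where the manager's RBAC presumably does not apply, and two such managers in different namespaces would contend for a single lock. I would fail fast — `leaderElectionNamespace := os.Getenv("POD_NAMESPACE")` followed by `if leaderElectionNamespace == "" { setupLog.Error(nil, "POD_NAMESPACE must be set; it selects the leader election namespace"); os.Exit(1) }` — and, if a fallback is really wanted, read /var/run/secrets/kubernetes.io/serviceaccount/namespace rather than hard-code a name. The RBAC marker moved above main grants `list;watch;delete` on configmaps, which as far as I know the configmap leader-election lock does not need beyond get/create/update, so it is worth trimming for least privilege; the comment above it still reads `Persmissions`. main's body continues past the end of this hunk.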
7 changes: 6 additions & 1 deletion pkg/scaffold/v2/manager/config.go
Expand Up @@ -76,7 +76,7 @@ spec:
matchLabels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
replicas: 1
replicas: 2
template:
metadata:
labels:
Expand All @@ -86,6 +86,11 @@ spec:
containers:
- command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ .Image }}
imagePullPolicy: Always
name: manager
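Review bot: `replicas: 2` is only safe because main.go turns on `LeaderElection: true`; nothing in this manifest says so, and anyone who later disables leader election ends up with two controllers reconciling the same objects concurrently. I would annotate it inline: `replicas: 2 # requires leader election (enabled in main.go); without it both replicas reconcile`. The POD_NAMESPACE env is consumed by main.go to pick the leader election namespace; `# read by main.go as the leader election namespace` above the env entry ties the two files together. The Deployment spec continues outside this hunk.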
4 changes: 2 additions & 2 deletions pkg/scaffold/v2/webhook/enablecainection_patch.go
Expand Up @@ -46,12 +46,12 @@ kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
annotations:
certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME)
certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME)
certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
`
15 changes: 0 additions & 15 deletions pkg/scaffold/v2/webhook/kustomization.go
Expand Up @@ -45,19 +45,4 @@ var KustomizeWebhookTemplate = `resources:
configurations:
- kustomizeconfig.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
- name: NAMESPACE
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: SERVICENAME
objref:
kind: Service
version: v1
name: webhook-service
`
18 changes: 11 additions & 7 deletions testdata/project-v2/config/certmanager/kustomization.yaml
Expand Up @@ -3,20 +3,24 @@ resources:

# the following config is for teaching kustomize how to do var substitution
vars:
- name: NAMESPACE # namespace of the service and the certificate CR
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATENAME
objref:
kind: Certificate
group: certmanager.k8s.io
version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml
- name: CERTIFICATENAMESPACE
- name: SERVICENAME
objref:
kind: Certificate
group: certmanager.k8s.io
version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml
fieldref:
fieldpath: metadata.namespace
kind: Service
version: v1
name: webhook-service

configurations:
- kustomizeconfig.yaml
11 changes: 8 additions & 3 deletions testdata/project-v2/config/crd/kustomization.yaml
Expand Up @@ -4,13 +4,18 @@
resources:
- bases/crew.testproject.org_captains.yaml
- bases/crew.testproject.org_firstmates.yaml
# +kubebuilder:scaffold:kustomizeresource
# +kubebuilder:scaffold:crdkustomizeresource

patches:
# patches here are for enabling the conversion webhook for each CRD
# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
#- patches/webhook_in_captains.yaml
#- patches/webhook_in_firstmates.yaml
# +kubebuilder:scaffold:kustomizepatch
# +kubebuilder:scaffold:crdkustomizewebhookpatch

# [CAINJECTION] patches here are for enabling the CA injection for each CRD
#- patches/cainjection_in_captains.yaml
#- patches/cainjection_in_firstmates.yaml
# +kubebuilder:scaffold:crdkustomizecainjectionpatch

# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
7 changes: 5 additions & 2 deletions testdata/project-v2/config/crd/kustomizeconfig.yaml
Expand Up @@ -7,8 +7,11 @@ nameReference:
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name

varReference:
- path: metadata/annotations
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false

varReference:
- path: metadata/annotations
@@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
name: captains.crew.testproject.org
@@ -0,0 +1,8 @@
# The following patch adds a directive for certmanager to inject CA into the CRD
# CRD conversion requires k8s 1.13 or later.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
name: firstmates.crew.testproject.org
