✨ improve webhook scaffolding

kubernetes-sigs · May 22, 2019 · e0ee8df · e0ee8df
1 parent 626bf60
commit e0ee8df
Show file tree

Hide file tree

Showing 19 changed files with 152 additions and 83 deletions.
diff --git a/pkg/scaffold/api.go b/pkg/scaffold/api.go
@@ -158,6 +158,7 @@ func (api *API) scaffoldV2() error {
 			&resourcev2.Group{Resource: r},
 			&resourcev2.CRDSample{Resource: r},
 			&crdv2.EnableWebhookPatch{Resource: r},
+			&crdv2.EnableCAInjectionPatch{Resource: r},
 		)
 		if err != nil {
 			return fmt.Errorf("error scaffolding APIs: %v", err)

diff --git a/pkg/scaffold/v2/certmanager/kustomize.go b/pkg/scaffold/v2/certmanager/kustomize.go
@@ -41,20 +41,24 @@ var kustomizationTemplate = `resources:
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
+- name: NAMESPACE # namespace of the service and the certificate CR
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
 - name: CERTIFICATENAME
   objref:
     kind: Certificate
     group: certmanager.k8s.io
     version: v1alpha1
     name: serving-cert # this name should match the one in certificate.yaml
-- name: CERTIFICATENAMESPACE
+- name: SERVICENAME
   objref:
-    kind: Certificate
-    group: certmanager.k8s.io
-    version: v1alpha1
-    name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
+    kind: Service
+    version: v1
+    name: webhook-service
 
 configurations:
 - kustomizeconfig.yaml

diff --git a/pkg/scaffold/v2/crd/enablecainjection_patch.go b/pkg/scaffold/v2/crd/enablecainjection_patch.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/markbates/inflect"
+
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/v1/resource"
+)
+
+// EnableCAInjectionPatch scaffolds a EnableCAInjectionPatch for a Resource
+type EnableCAInjectionPatch struct {
+	input.Input
+
+	// Resource is the Resource to make the EnableCAInjectionPatch for
+	Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (p *EnableCAInjectionPatch) GetInput() (input.Input, error) {
+	if p.Path == "" {
+		rs := inflect.NewDefaultRuleset()
+		plural := rs.Pluralize(strings.ToLower(p.Resource.Kind))
+		p.Path = filepath.Join("config", "crd", "patches",
+			fmt.Sprintf("cainjection_in_%s.yaml", plural))
+	}
+	p.TemplateBody = EnableCAInjectionPatchTemplate
+	return p.Input, nil
+}
+
+// Validate validates the values
+func (g *EnableCAInjectionPatch) Validate() error {
+	return g.Resource.Validate()
+}
+
+// TODO(mengqiy): plural of the resources
+var EnableCAInjectionPatchTemplate = `# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+  name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
+`
diff --git a/pkg/scaffold/v2/crd/enablewebhook_patch.go b/pkg/scaffold/v2/crd/enablewebhook_patch.go
@@ -53,12 +53,10 @@ func (g *EnableWebhookPatch) Validate() error {
 }
 
 // TODO(mengqiy): plural of the resources
-var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRDw
+var enableWebhookPatchTemplate = `# The following patch enables conversion webhook for CRD
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
   name: {{ .Resource.Resource }}.{{ .Resource.Group }}.{{ .Domain }}
 spec:
   conversion:
@@ -68,7 +66,7 @@ spec:
       # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
       caBundle: Cg==
       service:
-        namespace: $(NAMESPACE)
+        namespace: system
         name: webhook-service
         path: /convert-{{ lower .Resource.Kind }}
 `
diff --git a/pkg/scaffold/v2/crd/kustomization.go b/pkg/scaffold/v2/crd/kustomization.go
@@ -29,8 +29,9 @@ import (
 )
 
 const (
-	kustomizeResourceScaffoldMarker = "+kubebuilder:scaffold:kustomizeresource"
-	kustomizePatchScaffoldMarker    = "+kubebuilder:scaffold:kustomizepatch"
+	kustomizeResourceScaffoldMarker         = "+kubebuilder:scaffold:crdkustomizeresource"
+	kustomizeWebhookPatchScaffoldMarker     = "+kubebuilder:scaffold:crdkustomizewebhookpatch"
+	kustomizeCAInjectionPatchScaffoldMarker = "+kubebuilder:scaffold:crdkustomizecainjectionpatch"
 )
 
 var _ input.File = &Kustomization{}
@@ -64,11 +65,13 @@ func (c *Kustomization) Update() error {
 	plural := rs.Pluralize(strings.ToLower(c.Resource.Kind))
 
 	kustomizeResourceCodeFragment := fmt.Sprintf("- bases/%s.%s_%s.yaml\n", c.Resource.Group, c.Domain, plural)
-	kustomizePatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural)
+	kustomizeWebhookPatchCodeFragment := fmt.Sprintf("#- patches/webhook_in_%s.yaml\n", plural)
+	kustomizeCAInjectionPatchCodeFragment := fmt.Sprintf("#- patches/cainjection_in_%s.yaml\n", plural)
 
 	return internal.InsertStringsInFile(c.Path,
 		kustomizeResourceScaffoldMarker, kustomizeResourceCodeFragment,
-		kustomizePatchScaffoldMarker, kustomizePatchCodeFragment)
+		kustomizeWebhookPatchScaffoldMarker, kustomizeWebhookPatchCodeFragment,
+		kustomizeCAInjectionPatchScaffoldMarker, kustomizeCAInjectionPatchCodeFragment)
 }
 
 var kustomizationTemplate = fmt.Sprintf(`# This kustomization.yaml is not intended to be run by itself,
@@ -78,10 +81,13 @@ resources:
 # %s
 
 patches:
-# patches here are for enabling the conversion webhook for each CRD
+# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
+# %s
+
+# [CAINJECTION] patches here are for enabling the CA injection for each CRD
 # %s
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:
 - kustomizeconfig.yaml
-`, kustomizeResourceScaffoldMarker, kustomizePatchScaffoldMarker)
+`, kustomizeResourceScaffoldMarker, kustomizeWebhookPatchScaffoldMarker, kustomizeCAInjectionPatchScaffoldMarker)
diff --git a/pkg/scaffold/v2/crd/kustomizeconfig.go b/pkg/scaffold/v2/crd/kustomizeconfig.go
@@ -48,9 +48,12 @@ nameReference:
     group: apiextensions.k8s.io
     path: spec/conversion/webhookClientConfig/service/name
 
-varReference:
-- path: metadata/annotations
+namespace:
 - kind: CustomResourceDefinition
   group: apiextensions.k8s.io
   path: spec/conversion/webhookClientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations
 `
diff --git a/pkg/scaffold/v2/kustomize.go b/pkg/scaffold/v2/kustomize.go
@@ -69,9 +69,9 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
-# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- ../webhook
-# [CERTMANAGER] Uncomment next line to enable cert-manager
+# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
 #- ../certmanager
 
 patches:
@@ -87,10 +87,11 @@ patches:
   # manager_prometheus_metrics_patch.yaml should be enabled.
 #- manager_prometheus_metrics_patch.yaml
 
-# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- manager_webhook_patch.yaml
 
-# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be
-# enabled to use ca injection
+# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks.
+# Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml
 `
diff --git a/pkg/scaffold/v2/webhook/enablecainection_patch.go b/pkg/scaffold/v2/webhook/enablecainection_patch.go
@@ -46,12 +46,12 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: mutating-webhook-configuration
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: validating-webhook-configuration
   annotations:
-    certmanager.k8s.io/inject-ca-from: $(CERTIFICATENAMESPACE)/$(CERTIFICATENAME)
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
 `
diff --git a/pkg/scaffold/v2/webhook/kustomization.go b/pkg/scaffold/v2/webhook/kustomization.go
@@ -45,19 +45,4 @@ var KustomizeWebhookTemplate = `resources:
 
 configurations:
 - kustomizeconfig.yaml
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-- name: NAMESPACE
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
-  fieldref:
-    fieldpath: metadata.namespace
-- name: SERVICENAME
-  objref:
-    kind: Service
-    version: v1
-    name: webhook-service
 `
diff --git a/testdata/project-v2/config/certmanager/kustomization.yaml b/testdata/project-v2/config/certmanager/kustomization.yaml
@@ -3,20 +3,24 @@ resources:
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
+- name: NAMESPACE # namespace of the service and the certificate CR
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
 - name: CERTIFICATENAME
   objref:
     kind: Certificate
     group: certmanager.k8s.io
     version: v1alpha1
     name: serving-cert # this name should match the one in certificate.yaml
-- name: CERTIFICATENAMESPACE
+- name: SERVICENAME
   objref:
-    kind: Certificate
-    group: certmanager.k8s.io
-    version: v1alpha1
-    name: serving-cert # this name should match the one in certificate.yaml
-  fieldref:
-    fieldpath: metadata.namespace
+    kind: Service
+    version: v1
+    name: webhook-service
 
 configurations:
 - kustomizeconfig.yaml
diff --git a/testdata/project-v2/config/crd/kustomization.yaml b/testdata/project-v2/config/crd/kustomization.yaml
@@ -4,13 +4,18 @@
 resources:
 - bases/crew.testproject.org_captains.yaml
 - bases/crew.testproject.org_firstmates.yaml
-# +kubebuilder:scaffold:kustomizeresource
+# +kubebuilder:scaffold:crdkustomizeresource
 
 patches:
-# patches here are for enabling the conversion webhook for each CRD
+# [WEBHOOK] patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_captains.yaml
 #- patches/webhook_in_firstmates.yaml
-# +kubebuilder:scaffold:kustomizepatch
+# +kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [CAINJECTION] patches here are for enabling the CA injection for each CRD
+#- patches/cainjection_in_captains.yaml
+#- patches/cainjection_in_firstmates.yaml
+# +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 configurations:

diff --git a/testdata/project-v2/config/crd/kustomizeconfig.yaml b/testdata/project-v2/config/crd/kustomizeconfig.yaml
@@ -7,8 +7,11 @@ nameReference:
     group: apiextensions.k8s.io
     path: spec/conversion/webhookClientConfig/service/name
 
-varReference:
-- path: metadata/annotations
+namespace:
 - kind: CustomResourceDefinition
   group: apiextensions.k8s.io
   path: spec/conversion/webhookClientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations
diff --git a/testdata/project-v2/config/crd/patches/cainjection_in_captains.yaml b/testdata/project-v2/config/crd/patches/cainjection_in_captains.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+  name: captains.crew.testproject.org
diff --git a/testdata/project-v2/config/crd/patches/cainjection_in_firstmates.yaml b/testdata/project-v2/config/crd/patches/cainjection_in_firstmates.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
+  name: firstmates.crew.testproject.org
diff --git a/testdata/project-v2/config/crd/patches/webhook_in_captains.yaml b/testdata/project-v2/config/crd/patches/webhook_in_captains.yaml
@@ -1,9 +1,7 @@
-# The following patch enables conversion webhook for CRDw
+# The following patch enables conversion webhook for CRD
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
   name: captains.crew.testproject.org
 spec:
   conversion:
@@ -13,6 +11,6 @@ spec:
       # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
       caBundle: Cg==
       service:
-        namespace: $(NAMESPACE)
+        namespace: system
         name: webhook-service
         path: /convert-captain
diff --git a/testdata/project-v2/config/crd/patches/webhook_in_firstmates.yaml b/testdata/project-v2/config/crd/patches/webhook_in_firstmates.yaml
@@ -1,9 +1,7 @@
-# The following patch enables conversion webhook for CRDw
+# The following patch enables conversion webhook for CRD
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
-  annotations:
-    certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME)
   name: firstmates.crew.testproject.org
 spec:
   conversion:
@@ -13,6 +11,6 @@ spec:
       # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
       caBundle: Cg==
       service:
-        namespace: $(NAMESPACE)
+        namespace: system
         name: webhook-service
         path: /convert-firstmate
diff --git a/testdata/project-v2/config/default/kustomization.yaml b/testdata/project-v2/config/default/kustomization.yaml
@@ -16,9 +16,9 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
-# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- ../webhook
-# [CERTMANAGER] Uncomment next line to enable cert-manager
+# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
 #- ../certmanager
 
 patches:
@@ -34,9 +34,10 @@ patches:
   # manager_prometheus_metrics_patch.yaml should be enabled.
 #- manager_prometheus_metrics_patch.yaml
 
-# [WEBHOOK] Uncomment all the sections with [WEBHOOK] prefix to enable webhook.
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
 #- manager_webhook_patch.yaml
 
-# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks. [CERTMANAGER] needs to be
-# enabled to use ca injection
+# [CAINJECTION] Uncomment next line to enable the CA injection in the admission webhooks.
+# Uncomment 'CAINJECTION' in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
 #- webhookcainjection_patch.yaml