wip: runtime-config

openshift · Aug 14, 2023 · 268765b · 268765b
1 parent 7d5e2e0
commit 268765b
Show file tree

Hide file tree

Showing 5 changed files with 86 additions and 3 deletions.
diff --git a/bindata/assets/config/defaultconfig.yaml b/bindata/assets/config/defaultconfig.yaml
@@ -75,6 +75,7 @@ apiServerArguments:
     - StorageObjectInUseProtection
     - TaintNodesByCondition
     - ValidatingAdmissionWebhook
+    - ValidatingAdmissionPolicy
     - authorization.openshift.io/RestrictSubjectBindings
     - authorization.openshift.io/ValidateRoleBindingRestriction
     - config.openshift.io/DenyDeleteClusterConfiguration

diff --git a/bindata/bootkube/config/bootstrap-config-overrides.yaml b/bindata/bootkube/config/bootstrap-config-overrides.yaml
@@ -63,6 +63,8 @@ apiServerArguments:
     - /etc/kubernetes/secrets/apiserver-proxy.key
   requestheader-client-ca-file:
     - /etc/kubernetes/secrets/aggregator-signer.crt
+  runtime-config: {{range .RuntimeConfig}}
+    - {{.}}{{end}}
   service-account-key-file:
     - /etc/kubernetes/secrets/service-account.pub
     - /etc/kubernetes/secrets/bound-service-account-signing-key.pub

diff --git a/pkg/cmd/render/render.go b/pkg/cmd/render/render.go
@@ -9,7 +9,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	"io/ioutil"
 	"net"
 	"os"
@@ -19,8 +18,10 @@ import (
 	configv1 "github.com/openshift/api/config/v1"
 	kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/bindata"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/apienablement"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/auth"
 	libgoaudit "github.com/openshift/library-go/pkg/operator/apiserver/audit"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
 	genericrender "github.com/openshift/library-go/pkg/operator/render"
 	genericrenderoptions "github.com/openshift/library-go/pkg/operator/render/options"
 	"github.com/spf13/cobra"
@@ -148,6 +149,9 @@ type TemplateData struct {
 	// FeatureGates is list of featuregates to apply
 	FeatureGates []string
 
+	// RuntimeConfig is a list of API group-versions to enable or disable.
+	RuntimeConfig []string
+
 	// ServiceClusterIPRange is the IP range for service IPs.
 	ServiceCIDR []string
 
@@ -498,6 +502,7 @@ func setFeatureGatesFromAccessor(renderConfig *TemplateData, featureGates featur
 		}
 	}
 	renderConfig.FeatureGates = allGates
+	renderConfig.RuntimeConfig = apienablement.RuntimeConfigFromFeatureGates(featureGates, apienablement.DefaultGroupVersionsByFeatureGate)
 	return nil
 }
 

diff --git a/pkg/operator/configobservation/apienablement/observe_runtime_config.go b/pkg/operator/configobservation/apienablement/observe_runtime_config.go
@@ -0,0 +1,74 @@
+package apienablement
+
+import (
+	"fmt"
+	"sort"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/library-go/pkg/operator/configobserver"
+	"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
+	"github.com/openshift/library-go/pkg/operator/events"
+)
+
+var DefaultGroupVersionsByFeatureGate = map[configv1.FeatureGateName][]schema.GroupVersion{
+	"ValidatingAdmissionPolicy": {{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}},
+}
+
+func NewFeatureGateObserverWithRuntimeConfig(featureWhitelist sets.Set[configv1.FeatureGateName], featureBlacklist sets.Set[configv1.FeatureGateName], featureGateAccessor featuregates.FeatureGateAccess, groupVersionsByFeatureGate map[configv1.FeatureGateName][]schema.GroupVersion) configobserver.ObserveConfigFunc {
+	featureGatesPath := []string{"apiServerArguments", "feature-gates"}
+	runtimeConfigPath := []string{"apiServerArguments", "runtime-config"}
+
+	featureGateObserver := featuregates.NewObserveFeatureFlagsFunc(
+		featureWhitelist,
+		featureBlacklist,
+		featureGatesPath,
+		featureGateAccessor,
+	)
+
+	return func(listers configobserver.Listers, recorder events.Recorder, existingConfig map[string]interface{}) (observedConfig map[string]interface{}, errs []error) {
+		defer func() {
+			observedConfig = configobserver.Pruned(observedConfig, featureGatesPath, runtimeConfigPath)
+		}()
+
+		if !featureGateAccessor.AreInitialFeatureGatesObserved() {
+			return existingConfig, nil
+		}
+
+		featureGates, err := featureGateAccessor.CurrentFeatureGates()
+		if err != nil {
+			return existingConfig, []error{err}
+		}
+
+		observedConfig, errs = featureGateObserver(listers, recorder, existingConfig)
+
+		runtimeConfig := RuntimeConfigFromFeatureGates(featureGates, groupVersionsByFeatureGate)
+		if len(runtimeConfig) == 0 {
+			return observedConfig, errs
+		}
+
+		if err := unstructured.SetNestedStringSlice(observedConfig, runtimeConfig, runtimeConfigPath...); err != nil {
+			// The new feature gate config is broken without its required APIs.
+			return existingConfig, append(errs, err)
+		}
+
+		return observedConfig, errs
+	}
+}
+
+func RuntimeConfigFromFeatureGates(featureGates featuregates.FeatureGate, groupVersionsByFeatureGate map[configv1.FeatureGateName][]schema.GroupVersion) []string {
+	var entries []string
+	for name, gvs := range groupVersionsByFeatureGate {
+		if !featureGates.Enabled(name) {
+			continue
+		}
+		for _, gv := range gvs {
+			entries = append(entries, fmt.Sprintf("%s=true", gv.String()))
+		}
+	}
+	sort.Strings(entries)
+	return entries
+}
diff --git a/pkg/operator/configobservation/configobservercontroller/observe_config_controller.go b/pkg/operator/configobservation/configobservercontroller/observe_config_controller.go
@@ -20,6 +20,7 @@ import (
 	"github.com/openshift/library-go/pkg/operator/v1helpers"
 
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/apienablement"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/apiserver"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/auth"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/etcdendpoints"
@@ -145,11 +146,11 @@ func NewConfigObserver(
 				[]string{"apiServerArguments", "cloud-config"},
 				featureGateAccessor,
 			),
-			featuregates.NewObserveFeatureFlagsFunc(
+			apienablement.NewFeatureGateObserverWithRuntimeConfig(
 				nil,
 				FeatureBlacklist,
-				[]string{"apiServerArguments", "feature-gates"},
 				featureGateAccessor,
+				apienablement.DefaultGroupVersionsByFeatureGate,
 			),
 			network.ObserveRestrictedCIDRs,
 			network.ObserveServicesSubnet,