Add validation webhook xray (#618)

Signed-off-by: Tamal Saha <tamal@appscode.com>

api/openapi-spec/swagger.json

@@ -5312,16 +5312,7 @@
     },
     "io.k8s.apimachinery.pkg.runtime.RawExtension": {
       "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package: type MyAPIObject struct {\n\truntime.TypeMeta `json:\",inline\"`\n\tMyPlugin runtime.Object `json:\"myPlugin\"`\n} type PluginA struct {\n\tAOption string `json:\"aOption\"`\n}\n\n// External package: type MyAPIObject struct {\n\truntime.TypeMeta `json:\",inline\"`\n\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n} type PluginA struct {\n\tAOption string `json:\"aOption\"`\n}\n\n// On the wire, the JSON will look something like this: {\n\t\"kind\":\"MyAPIObject\",\n\t\"apiVersion\":\"v1\",\n\t\"myPlugin\": {\n\t\t\"kind\":\"PluginA\",\n\t\t\"aOption\":\"foo\",\n\t},\n}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
-      "required": [
-        "Raw"
-      ],
-      "properties": {
-        "Raw": {
-          "description": "Raw is the underlying serialization of this object.",
-          "type": "string",
-          "format": "byte"
-        }
-      }
+      "type": "object"
     },
     "xyz.kmodules.objectstore-api.api.v1.AzureSpec": {
       "properties": {

chart/stash/README.md

@@ -67,7 +67,9 @@ The following table lists the configurable parameters of the Stash chart and the
 | `apiserver.enableValidatingWebhook`  | Enable validating webhooks for Stash CRDs                                                                                                                                  | true                                                      |
 | `apiserver.enableMutatingWebhook`    | Enable mutating webhooks for Kubernetes workloads                                                                                                                          | true                                                      |
 | `apiserver.ca`                       | CA certificate used by main Kubernetes api server                                                                                                                          | `not-ca-cert`                                             |
-| `apiserver.disableStatusSubresource` | If true, disables status sub resource for crds. Otherwise enables based on Kubernetes version                                                                              | `false`                                                   |
+| `apiserver.disableStatusSubresource` | If true, disables status sub resource for crds. Otherwise enables based on Kubernetes version | `false`            |
+| `apiserver.bypassValidatingWebhookXray` | If true, bypasses validating webhook xray checks           | `false`               |
+| `apiserver.useKubeapiserverFqdnForAks`  | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 | `true`             |
 | `enableAnalytics`                    | Send usage events to Google Analytics                                                                                                                                      | `true`                                                    |
 | `monitoring.agent`                   | Specify which monitoring agent to use for monitoring Stash. It accepts either `prometheus.io/builtin` or `prometheus.io/coreos-operator`.                                  | `none`                                                    |
 | `monitoring.backup`                  | Specify whether to monitor Stash backup and recovery.                                                                                                                      | `false`                                                   |

chart/stash/templates/cluster-role.yaml

@@ -14,12 +14,17 @@ rules:
   resources:
   - customresourcedefinitions
   verbs: ["*"]
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs: ["get", "patch"]
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - mutatingwebhookconfigurations
   - validatingwebhookconfigurations
-  verbs: ["delete", "list", "watch", "patch"]
+  verbs: ["delete", "get", "list", "watch", "patch"]
 - apiGroups:
   - stash.appscode.com
   resources:
@@ -54,6 +59,7 @@ rules:
   - ""
   resources:
   - secrets
+  - services
   verbs: ["get"]
 - apiGroups:
   - ""

chart/stash/templates/deployment.yaml

@@ -53,9 +53,20 @@ spec:
 {{- if and (not .Values.apiserver.disableStatusSubresource) (ge $major 1) (ge $minor 11) }}
         - --enable-status-subresource=true
 {{- end }}
+        - --bypass-validating-webhook-xray={{ .Values.apiserver.bypassValidatingWebhookXray }}
+        - --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }}
         - --enable-analytics={{ .Values.enableAnalytics }}
         ports:
         - containerPort: 8443
+        env:
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         readinessProbe:
           httpGet:
             path: /healthz

chart/stash/templates/mutating-webhook.yaml

@@ -1,3 +1,6 @@
+# GKE returns Major:"1", Minor:"10+"
+{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }}
+{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }}
 {{- if .Values.apiserver.enableMutatingWebhook }}
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -31,6 +34,9 @@ webhooks:
     resources:
     - deployments
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 - name: daemonset.admission.stash.appscode.com
   clientConfig:
     service:
@@ -50,6 +56,9 @@ webhooks:
     resources:
     - daemonsets
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 - name: statefulset.admission.stash.appscode.com
   clientConfig:
     service:
@@ -67,6 +76,9 @@ webhooks:
     resources:
     - statefulsets
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 - name: replicationcontroller.admission.stash.appscode.com
   clientConfig:
     service:
@@ -85,6 +97,9 @@ webhooks:
     resources:
     - replicationcontrollers
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 - name: replicaset.admission.stash.appscode.com
   clientConfig:
     service:
@@ -104,4 +119,7 @@ webhooks:
     resources:
     - replicasets
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 {{ end }}

chart/stash/templates/validating-webhook.yaml

@@ -1,3 +1,6 @@
+# GKE returns Major:"1", Minor:"10+"
+{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }}
+{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }}
 {{- if .Values.apiserver.enableValidatingWebhook }}
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
@@ -30,6 +33,9 @@ webhooks:
     resources:
     - restics
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 - name: recovery.admission.stash.appscode.com
   clientConfig:
     service:
@@ -48,4 +54,7 @@ webhooks:
     resources:
     - recoveries
   failurePolicy: Fail
+{{- if and (ge $major 1) (ge $minor 12) }}
+  sideEffects: None
+{{- end }}
 {{ end }}

chart/stash/values.yaml

@@ -14,7 +14,7 @@ pushgateway:
 cleaner:
   registry: appscode
   repository: kubectl
-  tag: v1.11
+  tag: v1.12
 ## Optionally specify an array of imagePullSecrets.
 ## Secrets must be manually created in the namespace.
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
@@ -39,7 +39,9 @@ annotations: {}
 ## Node labels for pod assignment
 ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
 ##
-nodeSelector: {}
+nodeSelector:
+  beta.kubernetes.io/os: linux
+  beta.kubernetes.io/arch: amd64
 
 ## Tolerations for pod assignment
 ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
@@ -81,6 +83,10 @@ apiserver:
   # If true, disables status sub resource for crds.
   # Otherwise, enables status sub resource for Kubernetes version >= 1.11 and disables for other versions.
   disableStatusSubresource: false
+  # If true, bypasses validating webhook xray checks
+  bypassValidatingWebhookXray: false
+  # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
+  useKubeapiserverFqdnForAks: true
 
 # Send usage events to Google Analytics
 enableAnalytics: true

docs/reference/stash.md

@@ -26,13 +26,17 @@ Stash is a Kubernetes operator for restic. For more information, visit here: htt
 
 ```
       --alsologtostderr                  log to standard error as well as files
+      --bypass-validating-webhook-xray   if true, bypasses validating webhook xray checks
       --enable-analytics                 Send analytical events to Google Analytics (default true)
       --enable-status-subresource        If true, uses sub resource for crds.
   -h, --help                             help for stash
+      --log-flush-frequency duration     Maximum number of seconds between log flushes (default 5s)
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                   If non-empty, write log files in this directory
-      --logtostderr                      log to standard error instead of files
+      --logtostderr                      log to standard error instead of files (default true)
+      --service-name string              Stash service name. (default "stash-operator")
       --stderrthreshold severity         logs at or above this threshold go to stderr
+      --use-kubeapiserver-fqdn-for-aks   if true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
   -v, --v Level                          log level for V logs
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```

docs/reference/stash_backup.md

@@ -45,12 +45,16 @@ stash backup [flags]
 
 ```
       --alsologtostderr                  log to standard error as well as files
+      --bypass-validating-webhook-xray   if true, bypasses validating webhook xray checks
       --enable-analytics                 Send analytical events to Google Analytics (default true)
       --enable-status-subresource        If true, uses sub resource for crds.
+      --log-flush-frequency duration     Maximum number of seconds between log flushes (default 5s)
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                   If non-empty, write log files in this directory
-      --logtostderr                      log to standard error instead of files
+      --logtostderr                      log to standard error instead of files (default true)
+      --service-name string              Stash service name. (default "stash-operator")
       --stderrthreshold severity         logs at or above this threshold go to stderr
+      --use-kubeapiserver-fqdn-for-aks   if true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
   -v, --v Level                          log level for V logs
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```

docs/reference/stash_check.md

@@ -36,12 +36,16 @@ stash check [flags]
 
 ```
       --alsologtostderr                  log to standard error as well as files
+      --bypass-validating-webhook-xray   if true, bypasses validating webhook xray checks
       --enable-analytics                 Send analytical events to Google Analytics (default true)
       --enable-status-subresource        If true, uses sub resource for crds.
+      --log-flush-frequency duration     Maximum number of seconds between log flushes (default 5s)
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                   If non-empty, write log files in this directory
-      --logtostderr                      log to standard error instead of files
+      --logtostderr                      log to standard error instead of files (default true)
+      --service-name string              Stash service name. (default "stash-operator")
       --stderrthreshold severity         logs at or above this threshold go to stderr
+      --use-kubeapiserver-fqdn-for-aks   if true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
   -v, --v Level                          log level for V logs
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```

docs/reference/stash_forget.md

@@ -34,12 +34,16 @@ stash forget [snapshotID ...] [flags]
 
 ```
       --alsologtostderr                  log to standard error as well as files
+      --bypass-validating-webhook-xray   if true, bypasses validating webhook xray checks
       --enable-analytics                 Send analytical events to Google Analytics (default true)
       --enable-status-subresource        If true, uses sub resource for crds.
+      --log-flush-frequency duration     Maximum number of seconds between log flushes (default 5s)
       --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                   If non-empty, write log files in this directory
-      --logtostderr                      log to standard error instead of files
+      --logtostderr                      log to standard error instead of files (default true)
+      --service-name string              Stash service name. (default "stash-operator")
       --stderrthreshold severity         logs at or above this threshold go to stderr
+      --use-kubeapiserver-fqdn-for-aks   if true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
   -v, --v Level                          log level for V logs
       --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
 ```