Use kubebuilder to generate webhook configuration

* Register cluster run template webhook Co-authored-by: Marty Spiewak <mspiewak@vmware.com>
vmware-tanzu · Mar 25, 2022 · baaaaed · baaaaed
1 parent e2c2d87
commit baaaaed
Show file tree

Hide file tree

Showing 15 changed files with 269 additions and 146 deletions.
diff --git a/Makefile b/Makefile
@@ -35,11 +35,20 @@ config/crd/bases/*.yaml &: $(crd_sources)
 		-f ./hack/boilerplate.go.txt \
 		config/crd/bases
 
+config/webhook/manifests.yaml: $(crd_sources)
+	$(CONTROLLER_GEN) \
+		webhook \
+		paths=./pkg/apis/v1alpha1 \
+		output:webhook:dir=config/webhook
+	$(ADDLICENSE) \
+		-f ./hack/boilerplate.go.txt \
+		config/webhook/manifests.yaml
+
 .PHONY: gen-objects
 gen-objects: pkg/apis/v1alpha1/zz_generated.deepcopy.go
 
 .PHONY: gen-manifests
-gen-manifests: config/crd/bases/*.yaml
+gen-manifests: config/crd/bases/*.yaml config/webhook/manifests.yaml
 
 test_crd_sources := $(filter-out tests/resources/zz_generated.deepcopy.go,$(wildcard tests/resources/*.go))
 

diff --git a/config/webhook/delivery_webhook.yaml b/config/webhook/delivery_webhook.yaml
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -0,0 +1,189 @@
+# Copyright 2021 VMware
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clusterconfigtemplate
+  failurePolicy: Fail
+  name: config-template-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterconfigtemplates
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clusterdelivery
+  failurePolicy: Fail
+  name: delivery-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterdeliveries
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clusterdeploymenttemplate
+  failurePolicy: Fail
+  name: deployment-template-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterdeploymenttemplates
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clusterimagetemplate
+  failurePolicy: Fail
+  name: image-template-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterimagetemplates
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clusterruntemplate
+  failurePolicy: Fail
+  name: run-template-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusterruntemplates
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clustersourcetemplate
+  failurePolicy: Fail
+  name: source-template-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustersourcetemplates
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clustersupplychain
+  failurePolicy: Fail
+  name: supply-chain-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustersupplychains
+  sideEffects: None
+- admissionReviewVersions:
+  - v1beta1
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-carto-run-v1alpha1-clustertemplate
+  failurePolicy: Fail
+  name: template-validator.cartographer.com
+  rules:
+  - apiGroups:
+    - carto.run
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustertemplates
+  sideEffects: None
diff --git a/config/webhook/supply_chain_webhook.yaml b/config/webhook/supply_chain_webhook.yaml
diff --git a/hack/overlays/webhook-configuration.yaml b/hack/overlays/webhook-configuration.yaml
@@ -0,0 +1,36 @@
+# Copyright 2021 VMware
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#@ load("@ytt:overlay", "overlay")
+
+#@overlay/match by=overlay.subset({"kind": "ValidatingWebhookConfiguration"})
+
+---
+metadata:
+  #@overlay/match missing_ok=True
+  annotations:
+    cert-manager.io/inject-ca-from: cartographer-system/cartographer-webhook
+
+webhooks:
+  #@overlay/match by=overlay.all, expects="1+"
+  -
+    clientConfig:
+      service:
+        name: cartographer-webhook
+        namespace: cartographer-system
+    rules:
+      #@overlay/match by=overlay.all, expects="1+"
+      -
+        #@overlay/match missing_ok=True
+        scope: Cluster
diff --git a/hack/release.sh b/hack/release.sh
@@ -73,6 +73,7 @@ download_ytt_to_kodata() {
 generate_release() {
         mkdir -p ./release
         ytt --ignore-unknown-comments -f ./config \
+                -f ./hack/overlays/webhook-configuration.yaml \
                 --data-value version=$RELEASE_VERSION |
                 KO_DOCKER_REPO=$REGISTRY ko resolve -B -f- > \
                         ./release/cartographer.yaml