feat(webhooks): Add validation webhooks and cert support. (#136)

This closes #3.

This adds support for validation webhooks.
Validation webhooks may be implemented anywhere
with the according `IValidationWebhook{TEntity}` interface.
When registered to the operator builder, they perform
validation on entities.

During build time, a CA certificate is created
and during container startup, the corresponding server
certificate for the instance.

Signed-off-by: Christoph Bühler <[email protected]>

Author: buehler

config/CodeAnalysis.targets

@@ -1,9 +1,9 @@
 <Project>
 
     <ItemGroup>
-        <PackageReference Include="Roslynator.Analyzers" Version="3.0.0" PrivateAssets="All"/>
-        <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.261" PrivateAssets="All"/>
-        <AdditionalFiles Include="$(MSBuildThisFileDirectory)/stylecop.json"/>
+        <PackageReference Include="Roslynator.Analyzers" Version="3.0.0" PrivateAssets="All" />
+        <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.261" PrivateAssets="All" />
+        <AdditionalFiles Include="$(MSBuildThisFileDirectory)/stylecop.json" />
     </ItemGroup>
 
     <PropertyGroup>

config/Common.targets

@@ -18,4 +18,4 @@
         </AssemblyAttribute>
     </ItemGroup>
 
-</Project>
+</Project>

docs/docfx.json

@@ -39,6 +39,7 @@
     "dest": "public",
     "sitemap": {
       "baseUrl": "https://buehler.github.io/dotnet-operator-sdk/"
-    }
+    },
+    "template":["default","templates/discordfx"]
   }
 }

docs/docs/events.md

@@ -1,4 +1,4 @@
-# Events
+# Events / Event Series
 
 Kubernetes knows "Events" which can be sort of attached to a resource
 (i.e. a Kubernetes object).

docs/docs/toc.yml

@@ -12,6 +12,8 @@
   href: events.md
 - name: Finalizer
   href: finalizer.md
+- name: Webhooks
+  href: webhooks.md
 - name: Utilities
   href: utilities.md
 - name: CLI Commands

docs/docs/webhooks.md

@@ -0,0 +1,128 @@
+# Webhooks
+
+Kubernetes supports various webhooks to extend the normal api behaviour
+of the master api. Those are documented on the 
+[kubernetes website](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
+
+`KubeOps` supports the following webhooks out of the box:
+- Validator / Validation
+
+The following documentation should give the user an overview
+on how to implement a webhook what this implies to the written operator.
+
+## General
+
+In general, if your operator contains _any_ registered (registered in the
+DI) the build process that is provided via `KubeOps.targets` will
+generate a CA certificate for you.
+
+So if you add a webhook to your operator the following changes
+to the normal deployment of the operator will happen:
+1. During "after build" phase, the sdk will generate
+   a CA-certificate for self signed certificates for you.
+2. The ca certificate and the corresponding key are added
+   to the deployment via kustomization config.
+3. A special config is added to the deployment via
+   kustomization to use https.
+4. The deployment of the operator now contains an `init-container`
+   that loads the `ca.pem` and `ca-key.pem` files and creates
+   a server certificate. Also, a service and the corresponding
+   webhook configurations are created.
+5. When the operator starts, an additional https route is registered
+   with the created server certificate.
+
+When a webhook is registered, the specified operations will
+trigger a POST call to the operator.
+
+> [!NOTE]
+> Make sure you commit the `ca.pem` / `ca-key.pem` file.
+> During operator startup (init container) those files
+> are needed. Since this represents a self signed certificate,
+> and it is only used for cluster internal communication,
+> it is no security issue to the system. The service is not
+> exposed to the internet.
+
+> [!NOTE]
+> The `server.pem` and `server-key.pem` files are generated
+> in the init container during pod startup.
+> Each pod / instance of the operator gets its own server
+> certificate but the CA must be shared among them.
+
+## Local development
+
+It is possible to test webhooks locally. For this, you need
+to register the webhook via dependency injection with the corresponding
+method (in the builder) and then start your operator.
+
+The operator will run on a specific http address, depending on your
+configuration.
+Now, use [ngrok](https://ngrok.com/) or
+[localtunnel](https://localtunnel.github.io/www/) or something
+similar to create a HTTPS tunnel to your local running operator.
+
+Now you can use the cli command of the sdk
+`dotnet run -- webhooks register --base-url <<TUNNEL URL>>` to
+register the webhooks under the tunnel's url.
+
+The result is your webhook being called by the kubernetes api.
+It is suggested one uses `Docker Desktop` with kubernetes.
+
+## Validation webhook
+
+The general idea of this webhook type is to validate an entity
+before it is definitely created / updated or deleted.
+
+The implementation of a webhook is fairly simple:
+- Create a class somewhere in your project.
+- Implement the `IValidationWebhook{TEntity}` interface.
+- Define the `Operations` (from the interface) that the validator
+  is interested in.
+- Overwrite the corresponding methods.
+- Register it in the `IOperatorBuilder` with `AddValidationWebhook`.
+
+> [!WARNING]
+> The interface contains default implementations for _ALL_ methods.
+> The default of the async methods are to call the sync ones.
+> The default of the sync methods is to return a "not implemented"
+> result.
+> The async methods take precedence over the synchronous ones.
+
+The return value of the validation methods are `ValidationResult`
+objects. A result contains a boolean flag if the entity / operation
+is valid or not. It may contain additional warnings (if it is valid)
+that are presented to the user if the kubernetes api supports it.
+If the result is invalid, one may add a custom http status code
+as well as a custom error message that is presented to the user.
+
+### Example
+
+```c#
+public class TestValidator : IValidationWebhook<V2TestEntity>
+ {
+     public ValidatedOperations Operations => ValidatedOperations.Create | ValidatedOperations.Update;
+
+     public ValidationResult Create(V2TestEntity newEntity, bool dryRun) =>
+         CheckSpec(newEntity)
+             ? ValidationResult.Success("The username may not be foobar.")
+             : ValidationResult.Fail(StatusCodes.Status400BadRequest, @"Username is ""foobar"".");
+
+     public ValidationResult Update(V2TestEntity _, V2TestEntity newEntity, bool dryRun) =>
+         CheckSpec(newEntity)
+             ? ValidationResult.Success("The username may not be foobar.")
+             : ValidationResult.Fail(StatusCodes.Status400BadRequest, @"Username is ""foobar"".");
+
+     private static bool CheckSpec(V2TestEntity entity) => entity.Spec.Username != "foobar";
+ }
+```
+
+And then register the webhook in `Startup.cs`:
+
+```c#
+public void ConfigureServices(IServiceCollection services)
+{
+    services
+        .AddKubernetesOperator()
+        // ...
+        .AddValidationWebhook<TestValidator>();
+}
+```

src/KubeOps/Build/KubeOps.targets

@@ -1,96 +1,98 @@
-<Project DefaultTargets="GenerateAfterBuild">
-    <Target Name="GenerateDockerfile">
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" DefaultTargets="GenerateAfterBuild">
+    <Target Name="BaseConfig">
+        <PropertyGroup>
+            <!-- Configuration for the base -->
+            <KubeOpsBasePath Condition="'$(KubeOpsBasePath)' == ''">$(MSBuildProjectDirectory)</KubeOpsBasePath>
+        </PropertyGroup>
+
+        <PropertyGroup>
+            <!-- Configuration for the pathes where to store the generated yamls and elements -->
+            <KubeOpsConfigRoot Condition="'$(KubeOpsConfigRoot)' == ''">$(KubeOpsBasePath)\config</KubeOpsConfigRoot>
+        </PropertyGroup>
+
         <PropertyGroup>
             <!-- Configuration for Docker related commands -->
             <KubeOpsDockerfilePath Condition="'$(KubeOpsDockerfilePath)' == ''">$(KubeOpsBasePath)\Dockerfile</KubeOpsDockerfilePath>
             <KubeOpsDockerTag Condition="'$(KubeOpsDockerTag)' == ''">latest</KubeOpsDockerTag>
         </PropertyGroup>
 
-        <Message Text="Generating Dockerfile" Importance="high"/>
-        <Message Text="Dockerfile path: $(KubeOpsDockerfilePath)" Importance="normal"/>
-
-        <Message Condition="Exists('$(KubeOpsDockerfilePath)')" Text="Dockerfile already exists. Don't overwrite."
-                 Importance="high"/>
-        <Exec Condition="!Exists('$(KubeOpsDockerfilePath)')"
-              Command="dotnet $(OutputPath)$(TargetFileName) generator docker --out $(KubeOpsDockerfilePath) --dotnet-tag $(KubeOpsDockerTag) --solution-dir $(SolutionDir) --target-file $(TargetFileName) --project-path $(ProjectPath)"/>
-    </Target>
-
-    <Target Name="GenerateCrds">
         <PropertyGroup>
             <!-- Configuration for the crd generation -->
             <KubeOpsCrdDir Condition="'$(KubeOpsCrdDir)' == ''">$(KubeOpsConfigRoot)\crds</KubeOpsCrdDir>
             <KubeOpsCrdFormat Condition="'$(KubeOpsCrdFormat)' == ''">Yaml</KubeOpsCrdFormat>
             <KubeOpsCrdUseOldCrds Condition="'$(KubeOpsCrdUseOldCrds)' == ''">false</KubeOpsCrdUseOldCrds>
         </PropertyGroup>
 
-        <Message Text="Generating CRDs" Importance="high"/>
-        <Message Text="Configuration path: $(KubeOpsCrdDir)" Importance="normal"/>
-
-        <Exec Condition="'$(KubeOpsCrdUseOldCrds)' == 'false'"
-              Command="dotnet $(OutputPath)$(TargetFileName) generator crds --out $(KubeOpsCrdDir) --format $(KubeOpsCrdFormat)"/>
-        <Exec Condition="'$(KubeOpsCrdUseOldCrds)' == 'true'"
-              Command="dotnet $(OutputPath)$(TargetFileName) generator crds --out $(KubeOpsCrdDir) --format $(KubeOpsCrdFormat) --use-old-crds"/>
-    </Target>
-
-    <Target Name="GenerateRbac">
         <PropertyGroup>
             <!-- Configuration for the rbac generation -->
             <KubeOpsRbacDir Condition="'$(KubeOpsRbacDir)' == ''">$(KubeOpsConfigRoot)\rbac</KubeOpsRbacDir>
             <KubeOpsRbacFormat Condition="'$(KubeOpsRbacFormat)' == ''">Yaml</KubeOpsRbacFormat>
         </PropertyGroup>
 
-        <Message Text="Generating Rbac roles" Importance="high"/>
-        <Message Text="Configuration path: $(KubeOpsRbacDir)" Importance="normal"/>
-
-        <Exec
-                Command="dotnet $(OutputPath)$(TargetFileName) generator rbac --out $(KubeOpsRbacDir) --format $(KubeOpsRbacFormat)"/>
-    </Target>
-
-    <Target Name="GenerateOperator">
         <PropertyGroup>
             <!-- Configuration for the operator manifest generation -->
             <KubeOpsOperatorDir Condition="'$(KubeOpsOperatorDir)' == ''">$(KubeOpsConfigRoot)\operator</KubeOpsOperatorDir>
             <KubeOpsOperatorFormat Condition="'$(KubeOpsOperatorFormat)' == ''">Yaml</KubeOpsOperatorFormat>
         </PropertyGroup>
 
-        <Message Text="Generating Operator yamls" Importance="high"/>
-        <Message Text="Configuration path: $(KubeOpsOperatorDir)" Importance="normal"/>
-
-        <Exec
-                Command="dotnet $(OutputPath)$(TargetFileName) generator operator --out $(KubeOpsOperatorDir) --format $(KubeOpsOperatorFormat)"/>
-    </Target>
-
-    <Target Name="GenerateInstaller">
         <PropertyGroup>
             <!-- Configuration for the installer manifest generation -->
             <KubeOpsInstallerDir Condition="'$(KubeOpsInstallerDir)' == ''">$(KubeOpsConfigRoot)\install</KubeOpsInstallerDir>
             <KubeOpsInstallerFormat Condition="'$(KubeOpsInstallerFormat)' == ''">Yaml</KubeOpsInstallerFormat>
         </PropertyGroup>
+    </Target>
 
-        <Message Text="Generating Installer yamls" Importance="high"/>
-        <Message Text="Configuration path: $(KubeOpsInstallerDir)" Importance="normal"/>
+    <Target Name="GenerateDockerfile" DependsOnTargets="BaseConfig">
+        <Message Text="Generating Dockerfile" Importance="high" />
+        <Message Text="Dockerfile path: $(KubeOpsDockerfilePath)" Importance="normal" />
 
-        <Message Condition="Exists('$(KubeOpsInstallerDir)')" Text="Installer dir exists, don't overwrite contents."
-                 Importance="high"/>
-        <Exec Condition="!Exists('$(KubeOpsInstallerDir)')"
-              Command="dotnet $(OutputPath)$(TargetFileName) generator installer --out $(KubeOpsInstallerDir) --format $(KubeOpsInstallerFormat) --crds-dir $(KubeOpsCrdDir) --rbac-dir $(KubeOpsRbacDir) --operator-dir $(KubeOpsOperatorDir)"/>
+        <Message Condition="Exists('$(KubeOpsDockerfilePath)')" Text="Dockerfile already exists. Don't overwrite."
+                 Importance="high" />
+        <Exec Condition="!Exists('$(KubeOpsDockerfilePath)')"
+              Command="dotnet $(OutputPath)$(TargetFileName) generator docker --out $(KubeOpsDockerfilePath) --dotnet-tag $(KubeOpsDockerTag) --solution-dir $(SolutionDir) --target-file $(TargetFileName) --project-path $(ProjectPath)" />
     </Target>
 
-    <Target Name="GenerateAfterBuild" AfterTargets="Build">
-        <PropertyGroup>
-            <!-- Configuration for the base -->
-            <KubeOpsBasePath Condition="'$(KubeOpsBasePath)' == ''">$(MSBuildProjectDirectory)</KubeOpsBasePath>
-        </PropertyGroup>
+    <Target Name="GenerateCrds" DependsOnTargets="BaseConfig">
+        <Message Text="Generating CRDs" Importance="high" />
+        <Message Text="Configuration path: $(KubeOpsCrdDir)" Importance="normal" />
 
-        <PropertyGroup>
-            <!-- Configuration for the pathes where to store the generated yamls and elements -->
-            <KubeOpsConfigRoot Condition="'$(KubeOpsConfigRoot)' == ''">$(KubeOpsBasePath)\config</KubeOpsConfigRoot>
-        </PropertyGroup>
+        <Exec Condition="'$(KubeOpsCrdUseOldCrds)' == 'false'"
+              Command="dotnet $(OutputPath)$(TargetFileName) generator crds --out $(KubeOpsCrdDir) --format $(KubeOpsCrdFormat)" />
+        <Exec Condition="'$(KubeOpsCrdUseOldCrds)' == 'true'"
+              Command="dotnet $(OutputPath)$(TargetFileName) generator crds --out $(KubeOpsCrdDir) --format $(KubeOpsCrdFormat) --use-old-crds" />
+    </Target>
+
+    <Target Name="GenerateRbac" DependsOnTargets="BaseConfig">
+        <Message Text="Generating Rbac roles" Importance="high" />
+        <Message Text="Configuration path: $(KubeOpsRbacDir)" Importance="normal" />
+
+        <Exec
+            Command="dotnet $(OutputPath)$(TargetFileName) generator rbac --out $(KubeOpsRbacDir) --format $(KubeOpsRbacFormat)" />
+    </Target>
+
+    <Target Name="GenerateOperator" DependsOnTargets="BaseConfig">
+        <Message Text="Generating Operator yamls" Importance="high" />
+        <Message Text="Configuration path: $(KubeOpsOperatorDir)" Importance="normal" />
+
+        <Exec
+            Command="dotnet $(OutputPath)$(TargetFileName) generator operator --out $(KubeOpsOperatorDir) --format $(KubeOpsOperatorFormat)" />
+    </Target>
+
+    <Target Name="GenerateInstaller" DependsOnTargets="BaseConfig">
+        <Message Text="Generating Installer yamls" Importance="high" />
+        <Message Text="Configuration path: $(KubeOpsInstallerDir)" Importance="normal" />
+
+        <Message Condition="Exists('$(KubeOpsInstallerDir)')" Text="Installer dir exists, don't overwrite contents."
+                 Importance="high" />
+        <Exec Condition="!Exists('$(KubeOpsInstallerDir)')"
+              Command="dotnet $(OutputPath)$(TargetFileName) generator installer --out $(KubeOpsInstallerDir) --format $(KubeOpsInstallerFormat) --crds-dir $(KubeOpsCrdDir) --rbac-dir $(KubeOpsRbacDir) --operator-dir $(KubeOpsOperatorDir)" />
+    </Target>
 
-        <CallTarget Condition="'$(KubeOpsSkipDockerfile)' == ''" Targets="GenerateDockerfile"/>
-        <CallTarget Condition="'$(KubeOpsSkipCrds)' == ''" Targets="GenerateCrds"/>
-        <CallTarget Condition="'$(KubeOpsSkipRbac)' == ''" Targets="GenerateRbac"/>
-        <CallTarget Condition="'$(KubeOpsSkipOperator)' == ''" Targets="GenerateOperator"/>
-        <CallTarget Condition="'$(KubeOpsSkipInstaller)' == ''" Targets="GenerateInstaller"/>
+    <Target Name="GenerateAfterBuild" AfterTargets="Build" DependsOnTargets="BaseConfig">
+        <CallTarget Condition="'$(KubeOpsSkipDockerfile)' == ''" Targets="GenerateDockerfile" />
+        <CallTarget Condition="'$(KubeOpsSkipCrds)' == ''" Targets="GenerateCrds" />
+        <CallTarget Condition="'$(KubeOpsSkipRbac)' == ''" Targets="GenerateRbac" />
+        <CallTarget Condition="'$(KubeOpsSkipOperator)' == ''" Targets="GenerateOperator" />
+        <CallTarget Condition="'$(KubeOpsSkipInstaller)' == ''" Targets="GenerateInstaller" />
     </Target>
-</Project>
+</Project>

src/KubeOps/Operator/ApplicationBuilderExtensions.cs

@@ -1,7 +1,13 @@
-using KubeOps.Operator.Builder;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Reflection;
+using KubeOps.Operator.Builder;
+using KubeOps.Operator.Webhooks;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Prometheus;
 
 namespace KubeOps.Operator
@@ -34,6 +40,37 @@ public static void UseKubernetesOperator(
                         new HealthCheckOptions { Predicate = reg => reg.Tags.Contains(OperatorBuilder.ReadinessTag) });
 
                     endpoints.MapMetrics(settings.MetricsEndpoint);
+
+                    var logger = app.ApplicationServices
+                        .GetRequiredService<ILoggerFactory>()
+                        .CreateLogger("ApplicationStartup");
+
+                    foreach (var validator in app.ApplicationServices
+                                                  .GetService<IEnumerable<IValidationWebhook>>() ??
+                                              new List<IValidationWebhook>())
+                    {
+                        var hookType = validator
+                            .GetType()
+                            .GetInterfaces()
+                            .FirstOrDefault(
+                                t => t.IsGenericType &&
+                                     typeof(IValidationWebhook<>).IsAssignableFrom(t.GetGenericTypeDefinition()));
+                        if (hookType == null)
+                        {
+                            throw new Exception(
+                                $@"Validator ""{validator.GetType().Name}"" is not of IValidationWebhook<TEntity> type.");
+                        }
+
+                        var registerMethod = hookType
+                            .GetMethods(BindingFlags.Instance | BindingFlags.NonPublic)
+                            .First(m => m.Name == "Register");
+
+                        registerMethod.Invoke(validator, new object[] { endpoints });
+                        logger.LogInformation(
+                            @"Registered validation webhook ""{namespace}.{name}"".",
+                            validator.GetType().Namespace,
+                            validator.GetType().Name);
+                    }
                 });
         }
     }