Merge pull request #776 from mengqiy/webhookdoc

📖 add doc for admission webhooks

Author: k8s-ci-robot

docs/book/src/SUMMARY.md

@@ -6,7 +6,7 @@
 
 ---
 
-- [Tutorial: Building CronJob](./cronjob-tutorial.md)
+- [Tutorial: Building CronJob](cronjob-tutorial/cronjob-tutorial.md)
 
   - [What's in a basic project?](./cronjob-tutorial/basic-project.md)
   - [Every journey needs a start, every program a main](./cronjob-tutorial/empty-main.md)
@@ -19,9 +19,14 @@
   - [What's in a controller?](./cronjob-tutorial/controller-overview.md)
   - [Implementing a controller](./cronjob-tutorial/controller-implementation.md)
 
-      - [You said something about main?](./cronjob-tutorial/main-revisited.md)
+    - [You said something about main?](./cronjob-tutorial/main-revisited.md)
 
+  - [Implementing defaulting/validating webhooks](./cronjob-tutorial/webhook-implementation.md)
   - [Running and deploying the controller](./cronjob-tutorial/running.md)
+
+    - [Deploying the cert manager](./cronjob-tutorial/cert-manager.md)
+    - [Deploying webhooks](./cronjob-tutorial/running-webhook.md)
+
   - [Epilogue](./cronjob-tutorial/epilogue.md)
 
 ---
@@ -30,6 +35,10 @@
 
   - [Generating CRD](./reference/generating-crd.md)
   - [Using Finalizers](./reference/using-finalizers.md)
+  - [Kind cluster](reference/kind.md)
+  - [What's a webhook?](reference/webhook-overview.md)
+
+    - [Admission webhook](reference/admission-webhook.md)
 
 ---
 

docs/book/src/cronjob-tutorial/cert-manager.md

@@ -0,0 +1,24 @@
+# Deploying the cert manager
+
+We suggest using [cert manager](https://github.com/jetstack/cert-manager) for
+provisioning the certificates for the webhook server. Other solutions should
+also work as long as they put the certificates in the desired location.
+
+You can follow
+[the cert manager document](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html)
+to install it.
+
+Cert manager also has a component called CA injector, which is responsible for
+injecting the CA bundle into the Mutating|ValidatingWebhookConfiguration.
+
+To accomplish that, you need to use an annotation with key
+`certmanager.k8s.io/inject-ca-from`
+in the Mutating|ValidatingWebhookConfiguration objects.
+The value of the annotation should point to an existing certificate CR instance
+in the format of `<certificate-namespace>/<certificate-name>`.
+
+This is the [kustomize](https://github.com/kubernetes-sigs/kustomize) patch we
+used for annotating the Mutating|ValidatingWebhookConfiguration objects.
+```yaml
+{{#include ./testdata/project/config/default/webhookcainjection_patch.yaml}}
+```

docs/book/src/cronjob-tutorial.md renamed to docs/book/src/cronjob-tutorial/cronjob-tutorial.md

@@ -21,9 +21,9 @@ use this as an opportunity to see how to interact with external types.
 
 ## Scaffolding Out Our Project
 
-As covered in the [quick start](./quick-start.md), we'll need to scaffold
+As covered in the [quick start](../quick-start.md), we'll need to scaffold
 out a new project.  Make sure you've [installed
-Kubebuilder](./quick-start.md#installation), then scaffold out a new
+Kubebuilder](../quick-start.md#installation), then scaffold out a new
 project:
 
 ```bash

docs/book/src/cronjob-tutorial/running-webhook.md

@@ -0,0 +1,61 @@
+# Deploying Admission Webhooks
+
+## Kind Cluster
+
+It is recommended to develop your webhook with a
+[kind](../reference/kind.md) cluster for faster iteration.
+Why?
+
+- You can bring up a multi-node cluster locally within 1 minute.
+- You can tear it down in seconds.
+- You don't need to push your images to remote registry.
+
+## Cert Manager
+
+You need follow [this](./cert-manager.md) to install the cert manager bundle.
+
+## Build your image
+
+Run the following command to build your image locally.
+
+```bash
+make docker-build
+```
+
+You don't need to push the image to a remote container registry if you are using
+a kind cluster. You can directly load your local image to your kind cluster:
+
+```bash
+kind load docker-image your-image-namge:your-tag
+```
+
+## Deploy Webhooks
+
+You need to enable the webhook and cert manager configuration through kustomize.
+`config/default/kustomization.yaml` should now look like the following:
+
+```yaml
+{{#include ./testdata/project/config/default/kustomization.yaml}}
+```
+
+Now you can deploy it to your cluster by
+
+```bash
+make deploy
+```
+
+Wait a while til the webhook pod comes up and the certificates are provisioned.
+It usually completes within 1 minute.
+
+Now you can create a valid CronJob to test your webhooks. The creation should
+successfully go through.
+
+```bash
+kubectl create -f config/samples/batch_v1_cronjob.yaml
+```
+
+You can also try to create an invalid CronJob (e.g. use an ill-formatted
+schedule field). You should see a creation failure with a validation error.
+
+**Note**: If you are
+

docs/book/src/cronjob-tutorial/running.md

@@ -13,6 +13,9 @@ Now that we've installed our CRDs, we can run the controller against our
 cluster.  This will use whatever credentials that we connect to the
 cluster with, so we don't need to worry about RBAC just yet.
 
+Note that if you have a webhook and want to deploy it locally, you need to
+ensure the certificates are in the right place.
+
 In a separate terminal, run
 
 ```bash

docs/book/src/cronjob-tutorial/testdata/project/api/v1/cronjob_types.go

@@ -57,9 +57,13 @@ the fields.
 
 // CronJobSpec defines the desired state of CronJob
 type CronJobSpec struct {
+	// +kubebuilder:validation:Minimum=0
+
 	// The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
 	Schedule string `json:"schedule"`
 
+	// +kubebuilder:validation:Minimum=0
+
 	// Optional deadline in seconds for starting the job if it misses scheduled
 	// time for any reason.  Missed jobs executions will be counted as failed ones.
 	// +optional
@@ -81,11 +85,15 @@ type CronJobSpec struct {
 	// Specifies the job that will be created when executing a CronJob.
 	JobTemplate batchv1beta1.JobTemplateSpec `json:"jobTemplate"`
 
+	// +kubebuilder:validation:Minimum=0
+
 	// The number of successful finished jobs to retain.
 	// This is a pointer to distinguish between explicit zero and not specified.
 	// +optional
 	SuccessfulJobsHistoryLimit *int32 `json:"successfulJobsHistoryLimit,omitempty"`
 
+	// +kubebuilder:validation:Minimum=0
+
 	// The number of failed finished jobs to retain.
 	// This is a pointer to distinguish between explicit zero and not specified.
 	// +optional

docs/book/src/cronjob-tutorial/testdata/project/api/v1/cronjob_webhook.go

@@ -0,0 +1,201 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// +kubebuilder:docs-gen:collapse=Apache License
+
+package v1
+
+import (
+	"github.com/robfig/cron"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	validationutils "k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// +kubebuilder:docs-gen:collapse=Go imports
+
+/*
+Next, we'll setup a logger for the webhooks.
+*/
+
+var cronjoblog = logf.Log.WithName("cronjob-resource")
+
+/*
+Then, we set up the webhook with the manager.
+*/
+
+func (r *CronJob) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+/*
+Notice that we use kubebuilder markers to generate webhook manifests.
+This markers is responsible for generating a mutating webhook manifest.
+
+The meaning of each marker can be found [here](../TODO.md).
+*/
+
+// +kubebuilder:webhook:path=/mutate-batch-tutorial-kubebuilder-io-tutorial-kubebuilder-io-v1-cronjob,mutating=true,failurePolicy=fail,groups=batch.tutorial.kubebuilder.io.tutorial.kubebuilder.io,resources=cronjobs,verbs=create;update,versions=v1,name=mcronjob.kb.io
+
+/*
+We use the `webhook.Defaulter` interface to set defaults to our CRD.
+A webhook will automatically be served that calls this defaulting.
+
+The `Default` method is expected to mutate the receiver, setting the defaults.
+*/
+
+var _ webhook.Defaulter = &CronJob{}
+
+// Default implements webhook.Defaulter so a webhook will be registered for the type
+func (r *CronJob) Default() {
+	cronjoblog.Info("default", "name", r.Name)
+
+	if r.Spec.ConcurrencyPolicy == "" {
+		r.Spec.ConcurrencyPolicy = AllowConcurrent
+	}
+	if r.Spec.Suspend == nil {
+		r.Spec.Suspend = new(bool)
+	}
+	if r.Spec.SuccessfulJobsHistoryLimit == nil {
+		r.Spec.SuccessfulJobsHistoryLimit = new(int32)
+		*r.Spec.SuccessfulJobsHistoryLimit = 3
+	}
+	if r.Spec.FailedJobsHistoryLimit == nil {
+		r.Spec.FailedJobsHistoryLimit = new(int32)
+		*r.Spec.FailedJobsHistoryLimit = 1
+	}
+}
+
+/*
+Notice that we use kubebuilder markers to generate webhook manifests.
+This markers is responsible for generating a validating webhook manifest.
+
+The meaning of each marker can be found [here](../TODO.md).
+*/
+
+// +kubebuilder:webhook:path=/validate-batch-tutorial-kubebuilder-io-tutorial-kubebuilder-io-v1-cronjob,mutating=false,failurePolicy=fail,groups=batch.tutorial.kubebuilder.io.tutorial.kubebuilder.io,resources=cronjobs,verbs=create;update,versions=v1,name=vcronjob.kb.io
+
+/*
+To validate our CRD beyond what's possible with declarative validation.
+Generally, declarative validation should be sufficient, but sometimes more
+advanced use cases call for complex validation.
+
+For instance, we'll see below that we use this to validate a well-formed cron
+schedule without making up a long regular expression.
+
+If `webhook.Validator` interface is implemented, a webhook will automatically be
+served that calls the validation.
+
+The `ValidateCreate` and `ValidateUpdate` methods are expected to validate that its
+receiver upon creation and update respectively. We separate out ValidateCreate
+from ValidateUpdate to allow behavior like making certain fields immutable, so
+that they can only be set on creation.
+Here, however, we just use the same shared validation.
+*/
+
+var _ webhook.Validator = &CronJob{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *CronJob) ValidateCreate() error {
+	cronjoblog.Info("validate create", "name", r.Name)
+
+	return r.validateCronJob()
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *CronJob) ValidateUpdate(old runtime.Object) error {
+	cronjoblog.Info("validate update", "name", r.Name)
+
+	return r.validateCronJob()
+}
+
+/*
+We validate the name and the spec of the CronJob.
+*/
+
+func (c *CronJob) validateCronJob() error {
+	allErrs := c.validateCronJobSpec()
+	if err := c.validateCronJobName(); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
+	return apierrors.NewInvalid(
+		schema.GroupKind{Group: "batch.tutorial.kubebuilder.io", Kind: "CronJob"},
+		c.Name, allErrs)
+}
+
+/*
+Some fields are declaratively validated by OpenAPI schema.
+You can find kubebuilder validation markers (prefixed
+with `// +kubebuilder:validation`) in the [API](api-design.md)
+You can find all of the kubebuilder supported markers for
+declaring validation in [here](../TODO.md).
+*/
+
+func (c *CronJob) validateCronJobSpec() field.ErrorList {
+	// The field helpers from the kubernetes API machinery help us return nicely
+	// structured validation errors.
+	allErrs := field.ErrorList{}
+	allErrs = append(allErrs, validateScheduleFormat(
+		c.Spec.Schedule,
+		field.NewPath("spec").Child("schedule"))...)
+	return allErrs
+}
+
+/*
+Validating the length of a string field can be done declaratively by
+the validation schema.
+
+But the `ObjectMeta.Name` field is defined in a shared package under
+the apimachinery repo, so we can't declaratively validate it using
+the validation schema.
+*/
+
+func (c *CronJob) validateCronJobName() *field.Error {
+	if len(c.ObjectMeta.Name) > validationutils.DNS1035LabelMaxLength-11 {
+		// The job name length is 63 character like all Kubernetes objects
+		// (which must fit in a DNS subdomain). The cronjob controller appends
+		// a 11-character suffix to the cronjob (`-$TIMESTAMP`) when creating
+		// a job. The job name length limit is 63 characters. Therefore cronjob
+		// names must have length <= 63-11=52. If we don't validate this here,
+		// then job creation will fail later.
+		return field.Invalid(field.NewPath("metadata").Child("name"), c.Name, "must be no more than 52 characters")
+	}
+	return nil
+}
+
+// +kubebuilder:docs-gen:collapse=Validate object name
+
+/*
+We'll need to validate the [cron](https://en.wikipedia.org/wiki/Cron) schedule
+is well-formatted.
+*/
+
+func validateScheduleFormat(schedule string, fldPath *field.Path) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if _, err := cron.ParseStandard(schedule); err != nil {
+		allErrs = append(allErrs, field.Invalid(fldPath, schedule, err.Error()))
+	}
+
+	return allErrs
+}