Prevent VKS CnsFileAccessConfig CR deletion (#3360)

Author: skogta

manifests/supervisorcluster/1.29/cns-csi.yaml

@@ -230,7 +230,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: vsphere-csi-provisioner-configmap-writer
+  name: vsphere-csi-controller-configmap-writer
   namespace: vmware-system-csi
 subjects:
   - kind: ServiceAccount
@@ -649,13 +649,43 @@ webhooks:
         scope: "Namespaced"
       - apiGroups:   ["cns.vmware.com"]
         apiVersions: ["v1alpha1"]
-        operations: ["CREATE"]
+        operations: ["CREATE", "DELETE"]
         resources:   ["cnsfileaccessconfigs"]
         scope:       "Namespaced"
     sideEffects: None
     admissionReviewVersions: ["v1"]
     failurePolicy: Fail
 ---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: vmware-system-csi-mutating-webhook-configuration
+  labels:
+    app: vsphere-csi-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: vmware-system-csi/vmware-system-csi-serving-cert
+webhooks:
+  - name: mutation.csi.vsphere.vmware.com
+    clientConfig:
+      service:
+        name: vmware-system-csi-webhook-service
+        namespace: vmware-system-csi
+        path: "/mutate"
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1", "v1beta1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["persistentvolumeclaims"]
+        scope: "Namespaced"
+      - apiGroups:   ["cns.vmware.com"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE"]
+        resources:   ["cnsfileaccessconfigs"]
+        scope: "Namespaced"
+    sideEffects: None
+    admissionReviewVersions: ["v1"]
+    failurePolicy: Fail
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -667,9 +697,12 @@ rules:
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshots"]
     verbs: ["get", "list"]
+  - apiGroups: ["encryption.vmware.com"]
+    resources: ["encryptionclasses"]
+    verbs: ["get", "list", "watch"]
   - apiGroups: ["cns.vmware.com"]
     resources: ["cnsfileaccessconfigs"]
-    verbs: ["get", "list"]
+    verbs: ["get", "list", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/supervisorcluster/1.30/cns-csi.yaml

@@ -663,7 +663,7 @@ webhooks:
         scope:       "Namespaced"
       - apiGroups:   ["cns.vmware.com"]
         apiVersions: ["v1alpha1"]
-        operations: ["CREATE"]
+        operations: ["CREATE", "DELETE"]
         resources:   ["cnsfileaccessconfigs"]
         scope:       "Namespaced"
     sideEffects: None
@@ -691,6 +691,11 @@ webhooks:
         operations: ["CREATE", "UPDATE"]
         resources: ["persistentvolumeclaims"]
         scope: "Namespaced"
+      - apiGroups:   ["cns.vmware.com"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE"]
+        resources:   ["cnsfileaccessconfigs"]
+        scope: "Namespaced"
     sideEffects: None
     admissionReviewVersions: ["v1"]
     failurePolicy: Fail
@@ -714,7 +719,7 @@ rules:
     verbs: ["get", "list", "watch"]
   - apiGroups: ["cns.vmware.com"]
     resources: ["cnsfileaccessconfigs"]
-    verbs: ["get", "list"]
+    verbs: ["get", "list", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/supervisorcluster/1.31/cns-csi.yaml

@@ -663,7 +663,7 @@ webhooks:
         scope:       "Namespaced"
       - apiGroups:   ["cns.vmware.com"]
         apiVersions: ["v1alpha1"]
-        operations: ["CREATE"]
+        operations: ["CREATE", "DELETE"]
         resources:   ["cnsfileaccessconfigs"]
         scope:       "Namespaced"
     sideEffects: None
@@ -691,6 +691,11 @@ webhooks:
         operations: ["CREATE", "UPDATE"]
         resources: ["persistentvolumeclaims"]
         scope: "Namespaced"
+      - apiGroups:   ["cns.vmware.com"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE"]
+        resources:   ["cnsfileaccessconfigs"]
+        scope: "Namespaced"
     sideEffects: None
     admissionReviewVersions: ["v1"]
     failurePolicy: Fail
@@ -714,7 +719,7 @@ rules:
     verbs: ["get", "list", "watch"]
   - apiGroups: ["cns.vmware.com"]
     resources: ["cnsfileaccessconfigs"]
-    verbs: ["get", "list"]
+    verbs: ["get", "list", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

manifests/supervisorcluster/1.32/cns-csi.yaml

@@ -661,7 +661,7 @@ webhooks:
         scope:       "Namespaced"
       - apiGroups:   ["cns.vmware.com"]
         apiVersions: ["v1alpha1"]
-        operations: ["CREATE"]
+        operations: ["CREATE", "DELETE"]
         resources:   ["cnsfileaccessconfigs"]
         scope:       "Namespaced"
     sideEffects: None
@@ -689,6 +689,11 @@ webhooks:
         operations: ["CREATE", "UPDATE"]
         resources: ["persistentvolumeclaims"]
         scope: "Namespaced"
+      - apiGroups:   ["cns.vmware.com"]
+        apiVersions: ["v1alpha1"]
+        operations: ["CREATE"]
+        resources:   ["cnsfileaccessconfigs"]
+        scope: "Namespaced"
     sideEffects: None
     admissionReviewVersions: ["v1"]
     failurePolicy: Fail
@@ -712,7 +717,7 @@ rules:
     verbs: ["get", "list", "watch"]
   - apiGroups: ["cns.vmware.com"]
     resources: ["cnsfileaccessconfigs"]
-    verbs: ["get", "list"]
+    verbs: ["get", "list", "update"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

pkg/syncer/admissionhandler/cnscsi_admissionhandler.go

@@ -21,6 +21,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
+	cnsfileaccessconfigv1alpha1 "sigs.k8s.io/vsphere-csi-driver/v3/pkg/apis/cnsoperator/cnsfileaccessconfig/v1alpha1"
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/common/cns-lib/crypto"
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service/logger"
 )
@@ -30,6 +31,7 @@ const (
 	MutationWebhookPath              = "/mutate"
 	DefaultWebhookPort               = 9883
 	DefaultWebhookMetricsBindAddress = "0"
+	devopsUserLabelKey               = "cns.vmware.com/user-created"
 )
 
 var (
@@ -184,9 +186,14 @@ func (h *CSISupervisorWebhook) Handle(ctx context.Context, req admission.Request
 		}
 	} else if req.Kind.Kind == "CnsFileAccessConfig" {
 		if featureFileVolumesWithVmServiceEnabled {
-			admissionResp := validateCnsFileAccessConfig(ctx, h.clientConfig, &req.AdmissionRequest)
-			resp.AdmissionResponse = *admissionResp.DeepCopy()
-
+			switch req.Operation {
+			case admissionv1.Create:
+				admissionResp := validateCreateCnsFileAccessConfig(ctx, h.clientConfig, &req.AdmissionRequest)
+				resp.AdmissionResponse = *admissionResp.DeepCopy()
+			case admissionv1.Delete:
+				admissionResp := validateDeleteCnsFileAccessConfig(ctx, h.clientConfig, &req.AdmissionRequest)
+				resp.AdmissionResponse = *admissionResp.DeepCopy()
+			}
 		}
 	}
 	return
@@ -209,11 +216,57 @@ func (h *CSISupervisorMutationWebhook) Handle(ctx context.Context, req admission
 		case admissionv1.Create:
 			return h.mutateNewPVC(ctx, req)
 		}
+	} else if req.Kind.Kind == "CnsFileAccessConfig" {
+		if featureFileVolumesWithVmServiceEnabled {
+			switch req.Operation {
+			case admissionv1.Create:
+				return h.mutateNewCnsFileAccessConfig(ctx, req)
+			}
+		}
 	}
 
 	return admission.Allowed("")
 }
 
+// mutateNewCnsFileAccessConfig adds devops label on a CnsFileAccessConfig CR
+// if it is being created by a devops user.
+func (h *CSISupervisorMutationWebhook) mutateNewCnsFileAccessConfig(ctx context.Context,
+	req admission.Request) admission.Response {
+	log := logger.GetLogger(ctx)
+
+	newCnsFileAccessConfig := cnsfileaccessconfigv1alpha1.CnsFileAccessConfig{}
+	if err := json.Unmarshal(req.Object.Raw, &newCnsFileAccessConfig); err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+
+	// If CR is created by CSI service account, do not add devops label.
+	isPvCSIServiceAccount, err := validatePvCSIServiceAccount(req.UserInfo.Username)
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+
+	if isPvCSIServiceAccount {
+		log.Infof("Skip mutating CnsFileAccessConfig instance %s for PVCSI service account user",
+			newCnsFileAccessConfig.Name)
+		return admission.Allowed("")
+	}
+
+	if newCnsFileAccessConfig.Labels == nil {
+		newCnsFileAccessConfig.Labels = make(map[string]string)
+	}
+	if _, ok := newCnsFileAccessConfig.Labels[devopsUserLabelKey]; ok {
+		log.Debugf("Devops label already present on instance %s", newCnsFileAccessConfig.Name)
+		return admission.Allowed("")
+	}
+	newCnsFileAccessConfig.Labels[devopsUserLabelKey] = "true"
+	newRawCnsFileAccessConfig, err := json.Marshal(newCnsFileAccessConfig)
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+
+	return admission.PatchResponseFromRaw(req.Object.Raw, newRawCnsFileAccessConfig)
+}
+
 func (h *CSISupervisorMutationWebhook) mutateNewPVC(ctx context.Context, req admission.Request) admission.Response {
 	newPVC := &corev1.PersistentVolumeClaim{}
 	if err := json.Unmarshal(req.Object.Raw, newPVC); err != nil {