add base implementation for admission controller (#545)

Author: zubenkoivan

charts/platform-disks/Chart.yaml

@@ -7,3 +7,6 @@ dependencies:
   - name: k8s-resources
     version: "1.0.1"
     repository: https://neuro-inc.github.io/helm-charts
+  - name: admission-controller-lib
+    version: "0.1.10"
+    repository: https://neuro-inc.github.io/helm-charts

charts/platform-disks/templates/_helpers.tpl

@@ -26,6 +26,71 @@ heritage: {{ .Release.Service | quote }}
 release: {{ .Release.Name | quote }}
 {{- end -}}
 
+{{/*
+Selector labels
+*/}}
+{{- define "platformDisks.selectorLabels" -}}
+app: {{ include "platformDisks.name" . }}
+release: {{ .Release.Name }}
+service: {{ include "platformDisks.name" . }}
+{{- end }}
+
+{{/*
+Admission controller selector labels
+*/}}
+{{- define "platformDisks.admissionController.selectorLabels" -}}
+app: {{ include "platformDisks.name" . }}
+release: {{ .Release.Name }}
+service: {{ include "platformDisks.name" . }}-admission-controller
+{{- end }}
+
 {{- define "platformDisks.kubeAuthMountRoot" -}}
 {{- printf "/var/run/secrets/kubernetes.io/serviceaccount" -}}
 {{- end -}}
+
+{{- define "platformDisks.admissionControllerCertMountRoot" -}}
+{{- printf "/var/run/secrets/admission-controller/cert" -}}
+{{- end -}}
+
+{{- define "platformDisks.env" -}}
+- name: NP_DISK_API_PLATFORM_AUTH_URL
+  value: {{ .Values.platform.authUrl | quote }}
+- name: NP_DISK_API_PLATFORM_AUTH_TOKEN
+{{- if .Values.platform.token }}
+{{ toYaml .Values.platform.token | indent 2 }}
+{{- end }}
+- name: NP_DISK_API_K8S_API_URL
+  value: https://kubernetes.default:443
+- name: NP_DISK_API_K8S_AUTH_TYPE
+  value: token
+- name: NP_DISK_API_K8S_CA_PATH
+  value: {{ include "platformDisks.kubeAuthMountRoot" . }}/ca.crt
+- name: NP_DISK_API_K8S_TOKEN_PATH
+  value: {{ include "platformDisks.kubeAuthMountRoot" . }}/token
+- name: NP_DISK_API_K8S_NS
+  value: {{ .Values.disks.namespace | default "default" | quote }}
+{{- if .Values.disks.storageClassName }}
+- name: NP_DISK_API_K8S_STORAGE_CLASS
+  value: {{ .Values.disks.storageClassName }}
+{{- end }}
+- name: NP_DISK_API_STORAGE_LIMIT_PER_PROJECT
+  value: {{ .Values.disks.limitPerProject | quote }}
+- name: NP_DISK_API_ENABLE_DOCS
+  value: {{ .Values.docs.enabled | quote }}
+- name: NP_CLUSTER_NAME
+  value: {{ .Values.platform.clusterName | quote }}
+{{- if .Values.cors.origins }}
+- name: NP_CORS_ORIGINS
+  value: {{ join "," .Values.cors.origins | quote }}
+{{- end }}
+{{- if .Values.sentry }}
+- name: SENTRY_DSN
+  value: {{ .Values.sentry.dsn }}
+- name: SENTRY_CLUSTER_NAME
+  value: {{ .Values.sentry.clusterName }}
+- name: SENTRY_APP_NAME
+  value: platform-disks
+- name: SENTRY_SAMPLE_RATE
+  value: {{ .Values.sentry.sampleRate | default 0 | quote }}
+{{- end }}
+{{- end -}}

charts/platform-disks/templates/admission-controller-deployment.yaml

@@ -0,0 +1,91 @@
+{{ include "admission-controller-lib.preinstallJob" . }}
+---
+{{ include "admission-controller-lib.postinstallJob" . }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "platformDisks.fullname" . }}
+  labels:
+    {{- include "platformDisks.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "platformDisks.admissionController.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "platformDisks.admissionController.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: admission-controller
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - platform-disk-admission-controller
+          ports:
+            - containerPort: {{ .Values.admissionControllerService.port }}
+              name: http
+              protocol: TCP
+
+          {{- if .Values.resources }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: http
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: http
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+
+          env:
+            - name: NP_DISK_API_TLS_CERT_PATH
+              value: "{{ include "platformDisks.admissionControllerCertMountRoot" . }}/tls.crt"
+            - name: NP_DISK_API_TLS_KEY_PATH
+              value: "{{ include "platformDisks.admissionControllerCertMountRoot" . }}/tls.key"
+            {{- include "platformDisks.env" . | nindent 12 }}
+
+          volumeMounts:
+            - mountPath: {{ include "platformDisks.admissionControllerCertMountRoot" . }}
+              readOnly: true
+              name: admission-controller-cert
+            - mountPath: {{ include "platformDisks.kubeAuthMountRoot" . }}
+              name: kube-api-data
+              readOnly: true
+
+        {{- with .Values.imagePullSecrets }}
+        imagePullSecrets:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+
+        volumes:
+          - name: admission-controller-cert
+            secret:
+              secretName: "{{ .Values.admissionController.serviceName }}-cert"
+          - name: kube-api-data
+            projected:
+              sources:
+              - serviceAccountToken:
+                  expirationSeconds: 3600
+                  path: token
+              - configMap:
+                  name: kube-root-ca.crt
+                  items:
+                  - key: ca.crt
+                    path: ca.crt

charts/platform-disks/templates/admission-controller-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.admissionController.serviceName }}
+  labels:
+    {{- include "platformDisks.labels.standard" . | nindent 4 }}
+spec:
+  selector:
+    {{- include "platformDisks.admissionController.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: https
+      port: 443
+      targetPort: {{ .Values.admissionControllerService.port }}
+      protocol: TCP

charts/platform-disks/templates/deployment.yaml

@@ -8,9 +8,7 @@ spec:
   replicas: {{ .Values.replicas }}
   selector:
     matchLabels:
-      app: {{ include "platformDisks.name" . }}
-      release: {{ .Release.Name }}
-      service: platform-disks
+      {{- include "platformDisks.selectorLabels" . | nindent 6 }}
   strategy:
     rollingUpdate:
       maxSurge: 1
@@ -19,9 +17,7 @@ spec:
   template:
     metadata:
       labels:
-        app: {{ include "platformDisks.name" . }}
-        release: {{ .Release.Name }}
-        service: platform-disks
+        {{- include "platformDisks.selectorLabels" . | nindent 8 }}
       {{- if .Values.secrets }}
       annotations:
         checksum/secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
@@ -53,46 +49,7 @@ spec:
         resources: {{ toYaml .Values.resources | nindent 10 }}
         {{- end }}
         env:
-        - name: NP_DISK_API_PLATFORM_AUTH_URL
-          value: {{ .Values.platform.authUrl | quote }}
-        - name: NP_DISK_API_PLATFORM_AUTH_TOKEN
-{{- if .Values.platform.token }}
-{{ toYaml .Values.platform.token | indent 10 }}
-{{- end }}
-        - name: NP_DISK_API_K8S_API_URL
-          value: https://kubernetes.default:443
-        - name: NP_DISK_API_K8S_AUTH_TYPE
-          value: token
-        - name: NP_DISK_API_K8S_CA_PATH
-          value: {{ include "platformDisks.kubeAuthMountRoot" . }}/ca.crt
-        - name: NP_DISK_API_K8S_TOKEN_PATH
-          value: {{ include "platformDisks.kubeAuthMountRoot" . }}/token
-        - name: NP_DISK_API_K8S_NS
-          value: {{ .Values.disks.namespace | default "default" | quote }}
-        {{- if .Values.disks.storageClassName }}
-        - name: NP_DISK_API_K8S_STORAGE_CLASS
-          value: {{ .Values.disks.storageClassName }}
-        {{- end }}
-        - name: NP_DISK_API_STORAGE_LIMIT_PER_PROJECT
-          value: {{ .Values.disks.limitPerProject | quote }}
-        - name: NP_DISK_API_ENABLE_DOCS
-          value: {{ .Values.docs.enabled | quote }}
-        - name: NP_CLUSTER_NAME
-          value: {{ .Values.platform.clusterName | quote }}
-        {{- if .Values.cors.origins }}
-        - name: NP_CORS_ORIGINS
-          value: {{ join "," .Values.cors.origins | quote }}
-        {{- end }}
-        {{- if .Values.sentry }}
-        - name: SENTRY_DSN
-          value: {{ .Values.sentry.dsn }}
-        - name: SENTRY_CLUSTER_NAME
-          value: {{ .Values.sentry.clusterName }}
-        - name: SENTRY_APP_NAME
-          value: platform-disks
-        - name: SENTRY_SAMPLE_RATE
-          value: {{ .Values.sentry.sampleRate | default 0 | quote }}
-        {{- end }}
+          {{- include "platformDisks.env" . | nindent 10 }}
         volumeMounts:
         - mountPath: {{ include "platformDisks.kubeAuthMountRoot" . }}
           name: kube-api-data

charts/platform-disks/values.yaml

@@ -60,3 +60,39 @@ jobProjectNamespaceMigration:
     limits:
       cpu: "200m"
       memory: "200Mi"
+
+admissionControllerDeployment:
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "100Mi"
+    limits:
+      cpu: "200m"
+      memory: "200Mi"
+
+admissionControllerService:
+  port: 8080
+
+admissionController:
+  serviceName: platform-disks-admission-controller
+  webhookPath: /mutate
+  namespaceSelector:
+    matchExpressions:
+    - key: platform.apolo.us/org
+      operator: Exists
+    - key: platform.apolo.us/project
+      operator: Exists
+  objectSelector: {}
+  rules:
+  - apiGroups: [""]
+    apiVersions: [v1]
+    operations: [CREATE, UPDATE]
+    resources: [pods]
+    scope: '*'
+  - apiGroups: [""]
+    apiVersions: [v1]
+    operations: [CREATE]
+    resources: [persistentvolumeclaims]
+    scope: '*'
+  reinvocationPolicy: IfNeeded
+  failurePolicy: Fail

platform_disk_api/admission_controller/__main__.py

@@ -0,0 +1,49 @@
+import logging
+import ssl
+
+import aiohttp
+import uvloop
+from neuro_logging import init_logging, setup_sentry
+
+from ..config import Config
+from ..config_factory import EnvironConfigFactory
+from .api import create_app
+
+LOGGER = logging.getLogger(__name__)
+
+
+async def create_ssl_context(config: Config) -> ssl.SSLContext | None:
+    context = None
+    if config.server.tls_cert_path and config.server.tls_key_path:
+        LOGGER.info("Loading SSL cert chain from http server config")
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        context.load_cert_chain(
+            certfile=config.server.tls_cert_path,
+            keyfile=config.server.tls_key_path,
+        )
+        LOGGER.info("Loaded SSL cert chain")
+    return context
+
+
+def main() -> None:
+    init_logging(health_check_url_path="/ping")
+    setup_sentry()
+
+    config = EnvironConfigFactory().create()
+    LOGGER.info("Loaded config: %s", config)
+
+    loop = uvloop.new_event_loop()
+    ssl_context = loop.run_until_complete(create_ssl_context(config))
+    app = loop.run_until_complete(create_app(config))
+    aiohttp.web.run_app(
+        app,
+        host=config.server.host,
+        port=config.server.port,
+        ssl_context=ssl_context,
+        handler_cancellation=True,
+        loop=loop,
+    )
+
+
+if __name__ == "__main__":
+    main()

platform_disk_api/admission_controller/api.py

@@ -0,0 +1,43 @@
+import logging
+
+import aiohttp
+import aiohttp.web
+
+from ..config import Config
+
+LOGGER = logging.getLogger(__name__)
+
+
+class AdmissionControllerHandler:
+    def __init__(self, app: aiohttp.web.Application) -> None:
+        self._app = app
+
+    def register(self) -> None:
+        self._app.add_routes(
+            [
+                aiohttp.web.get("/ping", self.handle_ping),
+                aiohttp.web.post("/mutate", self.handle_post_mutate),
+            ]
+        )
+
+    async def handle_ping(self, request: aiohttp.web.Request) -> aiohttp.web.Response:
+        return aiohttp.web.Response(text="ok")
+
+    async def handle_post_mutate(
+        self, request: aiohttp.web.Request
+    ) -> aiohttp.web.Response:
+        return aiohttp.web.json_response(
+            {
+                "apiVersion": "admission.k8s.io/v1",
+                "kind": "AdmissionReview",
+                "status": {"allowed": True},
+            }
+        )
+
+
+async def create_app(config: Config) -> aiohttp.web.Application:
+    app = aiohttp.web.Application()
+
+    AdmissionControllerHandler(app=app).register()
+
+    return app