Deploy and manage Kubernetes webhook based on pipelineStorage flag

Signed-off-by: VaniHaripriya <[email protected]>

Author: VaniHaripriya

.github/resources/webhook/cert-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: dspa-webhook-selfsigned-issuer
+  namespace: opendatahub
+spec:
+  selfSigned: {}

.github/resources/webhook/certificate.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dspa-webhook-cert
+  namespace: opendatahub
+spec:
+  commonName: dspa-webhook-cert
+  isCA: false
+  dnsNames:
+  - ds-pipelines-webhook
+  - ds-pipelines-webhook.opendatahub
+  - ds-pipelines-webhook.opendatahub.svc
+  - ds-pipelines-webhook.opendatahub.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: dspa-webhook-selfsigned-issuer
+    group: cert-manager.io
+  secretName: ds-pipelines-webhook-tls

.github/resources/webhook/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: opendatahub
+resources:
+  - cert-issuer.yaml
+  - certificate.yaml

.github/scripts/tests/collect_logs.sh

@@ -30,7 +30,7 @@ function display_pod_info {
     local NAMESPACE=$1
     local POD_NAMES
 
-    POD_NAMES=$(kubectl -n "${DSPA_NS}" get pods -o custom-columns=":metadata.name")
+    POD_NAMES=$(kubectl -n "${NAMESPACE}" get pods -o custom-columns=":metadata.name")
 
     if [[ -z "${POD_NAMES}" ]]; then
         echo "No pods found in namespace '${NAMESPACE}'."

.github/scripts/tests/tests.sh

@@ -16,13 +16,16 @@ CLEAN_INFRA=false
 K8SAPISERVERHOST=""
 DSPA_NAMESPACE="test-dspa"
 DSPA_EXTERNAL_NAMESPACE="dspa-ext"
+DSPA_K8S_NAMESPACE="test-k8s-dspa"
 MINIO_NAMESPACE="test-minio"
 MARIADB_NAMESPACE="test-mariadb"
 PYPISERVER_NAMESPACE="test-pypiserver"
+CERT_MANAGER_NAMESPACE="cert-manager"
 DSPA_DEPLOY_WAIT_TIMEOUT="300"
 INTEGRATION_TESTS_DIR="${GIT_WORKSPACE}/tests"
 DSPA_PATH="${GIT_WORKSPACE}/tests/resources/dspa-lite.yaml"
 DSPA_EXTERNAL_PATH="${GIT_WORKSPACE}/tests/resources/dspa-external-lite.yaml"
+DSPA_K8S_PATH="${GIT_WORKSPACE}/tests/resources/dspa-k8s.yaml"
 CONFIG_DIR="${GIT_WORKSPACE}/config"
 RESOURCES_DIR_CRD="${GIT_WORKSPACE}/.github/resources"
 OPENDATAHUB_NAMESPACE="opendatahub"
@@ -127,6 +130,17 @@ deploy_pypi_server() {
   ( cd "${GIT_WORKSPACE}/.github/resources/pypiserver/base" && kubectl -n $PYPISERVER_NAMESPACE apply -k . )
 }
 
+deploy_cert_manager() {
+  echo "---------------------------------"
+  echo "Create Cert Manager Namespace"
+  echo "---------------------------------"
+  kubectl create namespace $CERT_MANAGER_NAMESPACE
+  echo "---------------------------------"
+  echo "Deploy Cert Manager"
+  echo "---------------------------------"
+  ( kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml )
+}
+
 wait_for_dspo_dependencies() {
   echo "---------------------------------"
   echo "Wait for DSPO Dependencies"
@@ -164,6 +178,13 @@ create_namespace_dspa_external_connections() {
   kubectl create namespace $DSPA_EXTERNAL_NAMESPACE
 }
 
+create_dspa_k8s_namespace() {
+  echo "---------------------------------"
+  echo "Create DSPA Namespace with Kubernetes Pipeline Storage"
+  echo "---------------------------------"
+  kubectl create namespace $DSPA_K8S_NAMESPACE
+}
+
 apply_mariadb_minio_secrets_configmaps_external_namespace() {
   echo "---------------------------------"
   echo "Apply MariaDB and Minio Secrets and Configmaps in the External Namespace"
@@ -175,7 +196,17 @@ apply_pip_server_configmap() {
   echo "---------------------------------"
   echo "Apply PIP Server ConfigMap"
   echo "---------------------------------"
-  ( cd "${GIT_WORKSPACE}/.github/resources/pypiserver/base" && kubectl apply -f $RESOURCES_DIR_PYPI/nginx-tls-config.yaml -n $DSPA_NAMESPACE )
+  for ns in $DSPA_NAMESPACE $DSPA_K8S_NAMESPACE; do
+    echo "Applying ConfigMap in namespace: $ns"
+    ( cd "${GIT_WORKSPACE}/.github/resources/pypiserver/base" && kubectl apply -f "$RESOURCES_DIR_PYPI/nginx-tls-config.yaml" -n "$ns" )
+  done
+}
+
+apply_webhook_certs() {
+  echo "---------------------------------"
+  echo "Apply Webhook Certs"
+  echo "---------------------------------"
+  ( cd "${GIT_WORKSPACE}/.github/resources/webhook" && kubectl -n $OPENDATAHUB_NAMESPACE apply -k . )
 }
 
 run_tests() {
@@ -192,6 +223,20 @@ run_tests_dspa_external_connections() {
   ( cd $GIT_WORKSPACE && make integrationtest K8SAPISERVERHOST=${K8SAPISERVERHOST} DSPANAMESPACE=${DSPA_EXTERNAL_NAMESPACE} DSPAPATH=${DSPA_EXTERNAL_PATH} ENDPOINT_TYPE=${ENDPOINT_TYPE} MINIONAMESPACE=${MINIO_NAMESPACE} )
 }
 
+run_tests_dspa_k8s() {
+  echo "---------------------------------"
+  echo "Run tests for DSPA with Kubernetes Pipeline Storage"
+  echo "---------------------------------"
+  if [ "$TARGET" = "kind" ]; then
+    echo "Detected kind target: deploying cert-manager"
+    deploy_cert_manager
+    echo "Waiting for Cert Manager pods to be ready"
+    kubectl wait -n $CERT_MANAGER_NAMESPACE --timeout=90s --for=condition=Ready pods --all
+    apply_webhook_certs
+  fi
+  ( cd $GIT_WORKSPACE && make integrationtest K8SAPISERVERHOST=${K8SAPISERVERHOST} DSPANAMESPACE=${DSPA_K8S_NAMESPACE} DSPAPATH=${DSPA_K8S_PATH} ENDPOINT_TYPE=${ENDPOINT_TYPE})
+}
+
 undeploy_kind_resources() {
   echo "---------------------------------"
   echo "Clean up resources created for testing on kind"
@@ -205,6 +250,7 @@ remove_namespace_created_for_rhoai() {
   echo "---------------------------------"
   kubectl delete projects $DSPA_NAMESPACE --now || true
   kubectl delete projects $DSPA_EXTERNAL_NAMESPACE --now || true
+  kubectl delete projects $DSPA_K8S_NAMESPACE --now || true
   kubectl delete projects $MINIO_NAMESPACE --now || true
   kubectl delete projects $MARIADB_NAMESPACE --now || true
   kubectl delete projects $PYPISERVER_NAMESPACE --now || true
@@ -224,6 +270,7 @@ setup_kind_requirements() {
   upload_python_packages_to_pypi_server
   create_dspa_namespace
   create_namespace_dspa_external_connections
+  create_dspa_k8s_namespace
   apply_mariadb_minio_secrets_configmaps_external_namespace
   apply_pip_server_configmap
 }
@@ -241,6 +288,7 @@ setup_openshift_ci_requirements() {
   upload_python_packages_to_pypi_server
   create_dspa_namespace
   create_namespace_dspa_external_connections
+  create_dspa_k8s_namespace
   apply_mariadb_minio_secrets_configmaps_external_namespace
   apply_pip_server_configmap
 }
@@ -253,6 +301,7 @@ setup_rhoai_requirements() {
   upload_python_packages_to_pypi_server
   create_dspa_namespace
   create_namespace_dspa_external_connections
+  create_dspa_k8s_namespace
   apply_mariadb_minio_secrets_configmaps_external_namespace
   apply_pip_server_configmap
 }
@@ -309,6 +358,16 @@ while [ "$#" -gt 0 ]; do
         exit 1
       fi
       ;;
+    --dspa-k8s-namespace)
+      shift
+      if [[ -n "$1" ]]; then
+        DSPA_K8S_NAMESPACE="$1"
+        shift
+      else
+        echo "Error: --dspa-k8s-namespace requires a value"
+        exit 1
+      fi
+      ;;
     --dspa-path)
       shift
       if [[ -n "$1" ]]; then
@@ -329,6 +388,16 @@ while [ "$#" -gt 0 ]; do
         exit 1
       fi
       ;;
+    --dspa-k8s-path)
+      shift
+      if [[ -n "$1" ]]; then
+        DSPA_K8S_PATH="$1"
+        shift
+      else
+        echo "Error: --dspa-k8s-path requires a value"
+        exit 1
+      fi
+      ;;
     --kube-config)
       shift
       if [[ -n "$1" ]]; then
@@ -377,3 +446,4 @@ fi
 
 run_tests
 run_tests_dspa_external_connections
+run_tests_dspa_k8s

.github/workflows/kind-integration.yml

@@ -61,4 +61,5 @@ jobs:
         run: |
           ./collect_logs.sh --dspa-ns test-dspa --dspo-ns opendatahub
           ./collect_logs.sh --dspa-ns dspa-ext --dspo-ns opendatahub
+          ./collect_logs.sh --dspa-ns test-k8s-dspa --dspo-ns opendatahub
           exit 1

Makefile

@@ -52,6 +52,8 @@ IMG ?= quay.io/opendatahub/data-science-pipelines-operator:main
 ENVTEST_K8S_VERSION = 1.25.0
 # Namespace to deploy the operator
 OPERATOR_NS ?= opendatahub
+# Namespace where the webhook and related resources live
+DSPO_NAMESPACE ?= $(OPERATOR_NS)
 # Namespace to deploy v2 infrastructure
 V2INFRA_NS ?= openshift-pipelines
 # Namespace to deploy argo infrastructure
@@ -127,7 +129,7 @@ unittest: manifests generate fmt vet envtest ## Run tests.
 
 .PHONY: functest
 functest: manifests generate fmt vet envtest ## Run tests.
-	export SSL_CERT_FILE=${ROOT_DIR}/controllers/testdata/tls/ca-bundle.crt && KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... --tags=test_functional -coverprofile cover.out
+	export SSL_CERT_FILE=${ROOT_DIR}/controllers/testdata/tls/ca-bundle.crt && export DSPO_NAMESPACE=$(DSPO_NAMESPACE) && KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... --tags=test_functional -coverprofile cover.out
 
 .PHONY: integrationtest
 integrationtest: ## Run integration tests

api/v1/dspipeline_types.go

@@ -152,15 +152,20 @@ type APIServer struct {
 	// +kubebuilder:validation:Optional
 	ArtifactSignedURLExpirySeconds *int `json:"artifactSignedURLExpirySeconds"`
 
-	// The Pipeline Storage type for Pipelines and Pipeline Versions. It can be
-	// either 'database' or 'kubernetes'. Default to 'database'.
+	// The storage for pipeline definitions (pipelines and pipeline versions). It can be
+	// either 'database' or 'kubernetes' (Pipeline and PipelineVersion kinds). Defaults to 'database'.
 	// +kubebuilder:default:=database
 	// +kubebuilder:validation:Optional
-	PipelineStorage string `json:"pipelineStorage"`
+	// +kubebuilder:validation:Enum=database;kubernetes
+	PipelineStorage string `json:"pipelineStorage,omitempty"`
 
 	// Enable/disable caching in the DSP API server. Default: true
 	// +kubebuilder:default:=true
 	CacheEnabled *bool `json:"cacheEnabled,omitempty"`
+
+	// WebhookAnnotations is a map of annotations to add to the validating and mutating webhooks.
+	// +kubebuilder:validation:Optional
+	WebhookAnnotations map[string]string `json:"webhookAnnotations,omitempty"`
 }
 
 type CABundle struct {

api/v1/zz_generated.deepcopy.go

@@ -204,15 +204,20 @@ type APIServer struct {
 	// +kubebuilder:validation:Optional
 	ArtifactSignedURLExpirySeconds *int `json:"artifactSignedURLExpirySeconds"`
 
-	// The Pipeline Storage type for Pipelines and Pipeline Versions. It can be
-	// either 'database' or 'kubernetes'. Default to 'database'.
+	// The storage for pipeline definitions (pipelines and pipeline versions). It can be
+	// either 'database' or 'kubernetes' (Pipeline and PipelineVersion kinds). Defaults to 'database'.
 	// +kubebuilder:default:=database
 	// +kubebuilder:validation:Optional
-	PipelineStorage string `json:"pipelineStorage"`
+	// +kubebuilder:validation:Enum=database;kubernetes
+	PipelineStorage string `json:"pipelineStorage,omitempty"`
 
 	// Enable/disable caching in the DSP API server. Default: true
 	// +kubebuilder:default:=true
 	CacheEnabled *bool `json:"cacheEnabled,omitempty"`
+
+	// WebhookAnnotations is a map of annotations to add to the validating and mutating webhooks.
+	// +kubebuilder:validation:Optional
+	WebhookAnnotations map[string]string `json:"webhookAnnotations,omitempty"`
 }
 
 type CABundle struct {