bindata: add support for service operator webhooks

Currently configured just to extra webhooks for the
infra operator as it is also a multigroup operator
which requires webhooks to be enabled

Author: dprince

apis/bases/operator.openstack.org_openstacks.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: openstacks.operator.openstack.org
 spec:
   group: operator.openstack.org

apis/operator/v1beta1/zz_generated.deepcopy.go

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.1
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: openstacks.operator.openstack.org
 spec:
   group: operator.openstack.org

config/crd/bases/operator.openstack.org_openstacks.yaml

@@ -30,7 +30,11 @@ spec:
         - /manager
         env:
         - name: ENABLE_WEBHOOKS
+{{ if eq $operatorName "infra" }}
+          value: 'true'
+{{ else }}
           value: 'false'
+{{ end }}
         image: {{ $operatorImage }}
         livenessProbe:
           httpGet:
@@ -54,6 +58,12 @@ spec:
             memory: 128Mi
         securityContext:
           allowPrivilegeEscalation: false
+{{ if eq $operatorName "infra" }}
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+{{ end }}
       - args:
         - --secure-listen-address=0.0.0.0:8443
         - --upstream=http://127.0.0.1:8080/
@@ -78,5 +88,12 @@ spec:
         runAsNonRoot: true
       serviceAccountName: {{ $operatorName }}-operator-controller-manager
       terminationGracePeriodSeconds: 10
+{{ if eq $operatorName "infra" }}
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ $operatorName }}-operator-webhook-server-cert
+{{ end }}
 ---
 {{ end }}

config/operator/managers.yaml

@@ -2,7 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: operator-role
 rules:
 - apiGroups:

config/operator/rbac/role.yaml

@@ -5,6 +5,12 @@
 #  -TODO: role data
 set -ex
 
+OUT_DATA=bindata
+EXTRACT_DIR=tmp/bindata
+
+mkdir -p "$EXTRACT_DIR"
+mkdir -p "$OUT_DATA/crds"
+
 function extract_bundle {
     local IN_DIR=$1
     local OUT_DIR=$2
@@ -13,11 +19,125 @@ function extract_bundle {
     done
 }
 
-OUT_DATA=bindata
-EXTRACT_DIR=tmp/bindata
 
-mkdir -p "$EXTRACT_DIR"
-mkdir -p "$OUT_DATA/crds"
+function extract_webhooks {
+local CSV_FILENAME=$1
+local OPERATOR_NAME=$2
+local TYPE=$3
+
+cat $CSV_FILENAME | yq -r ".spec.webhookdefinitions.[] | select(.type == \"$TYPE\")" | \
+    sed -e '/^containerPort:/d' | \
+    sed -e '/^deploymentName:/d' | \
+    sed -e '/^targetPort:/d' | \
+    sed -e '/^type:/d' | \
+    sed -e 's|^|  |' | sed -e 's|.*admissionReviewVersions:|- admissionReviewVersions:|' | \
+    sed -e 's|.*generateName:|  name:|' | \
+    sed -e 's|    - v1|  - v1|' | \
+    sed -e "s|.*webhookPath:|  clientConfig:\n    service:\n      name: ${OPERATOR_NAME}-webhook-service\n      namespace: '{{ .OperatorNamespace }}'\n      path:|"
+
+}
+
+
+function write_webhooks {
+local CSV_FILENAME=$1
+local OPERATOR_NAME=$2
+
+MUTATING_WEBHOOKS=$(extract_webhooks "$CSV_FILENAME" "$OPERATOR_NAME" "MutatingAdmissionWebhook")
+VALIDATING_WEBHOOKS=$(extract_webhooks "$CSV_FILENAME" "$OPERATOR_NAME" "ValidatingAdmissionWebhook")
+
+cat > operator/$OPERATOR_NAME-webhooks.yaml <<EOF_CAT
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: webhook-service
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: service
+    app.kubernetes.io/part-of: $OPERATOR_NAME
+  name: $OPERATOR_NAME-webhook-service
+  namespace: '{{ .OperatorNamespace }}'
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    openstack.org/operator-name: ${OPERATOR_NAME//-operator}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: serving-cert
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: certificate
+    app.kubernetes.io/part-of: $OPERATOR_NAME
+  name: $OPERATOR_NAME-serving-cert
+  namespace: '{{ .OperatorNamespace }}'
+spec:
+  dnsNames:
+  - $OPERATOR_NAME-webhook-service.{{ .OperatorNamespace }}.svc
+  - $OPERATOR_NAME-webhook-service.{{ .OperatorNamespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: $OPERATOR_NAME-selfsigned-issuer
+  secretName: $OPERATOR_NAME-webhook-server-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: selfsigned-issuer
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: issuer
+    app.kubernetes.io/part-of: $OPERATOR_NAME
+  name: $OPERATOR_NAME-selfsigned-issuer
+  namespace: '{{ .OperatorNamespace }}'
+spec:
+  selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .OperatorNamespace }}/$OPERATOR_NAME-serving-cert'
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: mutating-webhook-configuration
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: mutatingwebhookconfiguration
+    app.kubernetes.io/part-of: $OPERATOR_NAME
+  name: $OPERATOR_NAME-mutating-webhook-configuration
+webhooks:
+${MUTATING_WEBHOOKS}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .OperatorNamespace }}/$OPERATOR_NAME-serving-cert'
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: validating-webhook-configuration
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: validatingwebhookconfiguration
+    app.kubernetes.io/part-of: $OPERATOR_NAME
+  name: $OPERATOR_NAME-validating-webhook-configuration
+webhooks:
+${VALIDATING_WEBHOOKS}
+EOF_CAT
+
+}
 
 for BUNDLE in $(hack/pin-bundle-images.sh | tr "," " "); do
     skopeo copy "docker://$BUNDLE" dir:${EXTRACT_DIR}/tmp;
@@ -30,13 +150,17 @@ grep -l CustomResourceDefinition manifests/* | xargs -I % sh -c 'cp % ./crds/'
 
 # extract role, clusterRole, and deployment from CSV's
 for X in $(ls manifests/*clusterserviceversion.yaml); do
-        echo $OPERATOR_NAME
         OPERATOR_NAME=$(echo $X | sed -e "s|manifests\/\([^\.]*\)\..*|\1|")
+        echo $OPERATOR_NAME
         LEADER_ELECTION_ROLE_RULES=$(cat $X | yq -r .spec.install.spec.permissions | sed -e 's|- rules:|rules:|' | sed -e 's|    ||' | sed -e '/  serviceAccountName.*/d'
 )
         CLUSTER_ROLE_RULES=$(cat $X | yq -r .spec.install.spec.clusterPermissions| sed -e 's|- rules:|rules:|' | sed -e 's|    ||' | sed -e '/  serviceAccountName.*/d'
 )
 
+if [[ "$OPERATOR_NAME" == "infra-operator" ]]; then
+    write_webhooks "$X" "$OPERATOR_NAME"
+fi
+
 mkdir -p rbac
 cat > rbac/$OPERATOR_NAME-rbac.yaml <<EOF_CAT
 # NOTE: this file is automatically generated by hack/sync-bindata.sh!