From 9d97cedd189edf45d8f63dc6180c096141eea64f Mon Sep 17 00:00:00 2001 From: Madhu Rajanna Date: Thu, 21 Sep 2023 12:01:16 +0200 Subject: [PATCH 1/3] Remove support for webhook from csi-addons Admission webhooks are complicated and hard to maintain, so this removes them from the repository; the required validations will be expressed as CEL rules on the CRDs instead. The manager now prints a deprecation log message when the webhook flag is disabled (the default) and an informational log message if it is still enabled.
Signed-off-by: Madhu Rajanna --- Makefile | 4 - PROJECT | 18 - .../v1alpha1/csiaddonsnode_webhook.go | 81 - .../v1alpha1/networkfence_webhook.go | 89 - .../v1alpha1/reclaimspacecronjob_webhook.go | 76 - .../v1alpha1/reclaimspacejob_webhook.go | 77 - apis/csiaddons/v1alpha1/webhook_suite_test.go | 145 -- .../v1alpha1/zz_generated.deepcopy.go | 2 +- .../v1alpha1/volumereplication_webhook.go | 84 - .../volumereplicationclass_webhook.go | 84 - .../v1alpha1/webhook_suite_test.go | 139 -- .../v1alpha1/zz_generated.deepcopy.go | 2 +- cmd/manager/main.go | 40 +- config/certmanager/certificate.yaml | 28 - config/certmanager/kustomization.yaml | 16 - config/certmanager/kustomizeconfig.yaml | 17 - config/default/kustomization.yaml | 64 +- config/default/manager_webhook_patch.yaml | 24 - config/default/webhookcainjection_patch.yaml | 10 - config/manager/manager_auth_proxy_patch.yaml | 1 - config/manifests/kustomization.yaml | 20 - config/webhook/kustomization.yaml | 17 - config/webhook/kustomizeconfig.yaml | 19 - config/webhook/manifests.yaml | 120 -- config/webhook/service.yaml | 14 - deploy/controller/install-all-in-one.yaml | 1564 ----------------- deploy/controller/setup-controller.yaml | 1 - docs/deploy-controller.md | 45 +- 28 files changed, 40 insertions(+), 2761 deletions(-) delete mode 100644 apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go delete mode 100644 apis/csiaddons/v1alpha1/networkfence_webhook.go delete mode 100644 apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go delete mode 100644 apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go delete mode 100644 apis/csiaddons/v1alpha1/webhook_suite_test.go delete mode 100644 apis/replication.storage/v1alpha1/volumereplication_webhook.go delete mode 100644 apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go delete mode 100644 apis/replication.storage/v1alpha1/webhook_suite_test.go delete mode 100644 config/certmanager/certificate.yaml delete mode 100644 config/certmanager/kustomization.yaml delete 
mode 100644 config/certmanager/kustomizeconfig.yaml delete mode 100644 config/default/manager_webhook_patch.yaml delete mode 100644 config/default/webhookcainjection_patch.yaml delete mode 100644 config/webhook/kustomization.yaml delete mode 100644 config/webhook/kustomizeconfig.yaml delete mode 100644 config/webhook/manifests.yaml delete mode 100644 config/webhook/service.yaml delete mode 100644 deploy/controller/install-all-in-one.yaml diff --git a/Makefile b/Makefile index b158b5569..b97caa016 100644 --- a/Makefile +++ b/Makefile @@ -124,10 +124,6 @@ manifests: controller-gen kustomize ## Generate WebhookConfiguration, ClusterRol $(KUSTOMIZE) build config/crd > deploy/controller/crds.yaml $(KUSTOMIZE) build config/rbac > deploy/controller/rbac.yaml $(KUSTOMIZE) build config/manager > deploy/controller/setup-controller.yaml - # Disable admission webhooks by default in setup-controller as it need setting up cert managager - sed -i 's|enable-admission-webhooks=true|enable-admission-webhooks=false|g' deploy/controller/setup-controller.yaml - # generate single yaml which includes crds, rbac, controller, webhooks, certificates - $(KUSTOMIZE) build config/default > deploy/controller/install-all-in-one.yaml # generate the .clusterserviceversion.yaml base gen-csv-base: diff --git a/PROJECT b/PROJECT index ec3f8845b..c80854172 100644 --- a/PROJECT +++ b/PROJECT @@ -14,9 +14,6 @@ resources: kind: CSIAddonsNode path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - api: crdVersion: v1 namespaced: true @@ -26,9 +23,6 @@ resources: kind: ReclaimSpaceJob path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - api: crdVersion: v1 controller: true 
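Review bot: The `manifests` target still advertises "Generate WebhookConfiguration, ClusterRol…" on the hunk header line, but after dropping the `sed` on `enable-admission-webhooks` and the `config/default` build this target no longer emits any WebhookConfiguration; update the help text to `manifests: controller-gen kustomize ## Generate CustomResourceDefinition and ClusterRole objects`. More significantly, the deleted `*_webhook.go` files were the only fail-closed enforcement (`failurePolicy=fail`) that `spec.driver`, `spec.secret.name`/`spec.secret.namespace`, `spec.target.persistentVolumeClaim`, `spec.dataSource`, `spec.volumeReplicationClass` and the class `provisioner`/`parameters` cannot be changed on update, and the CEL rules the message promises are not part of this patch, so a build taken between 1/3 and the follow-ups would accept, for example, a NetworkFence update that re-points `spec.secret.namespace` at a Secret in another namespace. Consider landing the `+kubebuilder:validation:XValidation:rule="self == oldSelf"` markers in the same series (or stating in the message that the series must merge together), and since CEL validation is only enforced on API servers that support `x-kubernetes-validations`, the minimum Kubernetes version should be recorded in `docs/deploy-controller.md`, which is changed in this commit but not visible here.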
@@ -37,18 +31,12 @@ resources: kind: NetworkFence path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - controller: true domain: openshift.io group: csiaddons kind: ReclaimSpaceCronJob path: github.com/csi-addons/kubernetes-csi-addons/apis/csiaddons/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - controller: true group: core kind: PersistentVolumeClaim @@ -62,9 +50,6 @@ resources: kind: VolumeReplication path: github.com/csi-addons/kubernetes-csi-addons/apis/replication.storage/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 - api: crdVersion: v1 namespaced: true @@ -73,7 +58,4 @@ resources: kind: VolumeReplicationClass path: github.com/csi-addons/kubernetes-csi-addons/apis/replication.storage/v1alpha1 version: v1alpha1 - webhooks: - validation: true - webhookVersion: v1 version: "3" diff --git a/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go b/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go deleted file mode 100644 index 53d9e5a90..000000000 --- a/apis/csiaddons/v1alpha1/csiaddonsnode_webhook.go +++ /dev/null 
@@ -1,81 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var csnLog = logf.Log.WithName("csiaddonsnode-webhook") - -func (c *CSIAddonsNode) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(c). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=csiaddonsnodes,verbs=update,versions=v1alpha1,name=vcsiaddonsnode.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &CSIAddonsNode{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (c *CSIAddonsNode) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (c *CSIAddonsNode) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - csnLog.Info("validate update", "name", c.Name) - - oldCSIAddonsNode, ok := old.(*CSIAddonsNode) - if !ok { - return nil, errors.New("error casting CSIAddonsNode object") - } - - var allErrs field.ErrorList - - if c.Spec.Driver.NodeID != oldCSIAddonsNode.Spec.Driver.NodeID { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "driver", "nodeID"), c.Spec.Driver.NodeID, "nodeID cannot be updated")) - } - - if c.Spec.Driver.Name != oldCSIAddonsNode.Spec.Driver.Name { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "driver", "name"), c.Spec.Driver.Name, "name cannot be updated")) - } - - if len(allErrs) != 0 { - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "CSIAddonsNode"}, - c.Name, allErrs) - } - - return nil, nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *CSIAddonsNode) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/csiaddons/v1alpha1/networkfence_webhook.go b/apis/csiaddons/v1alpha1/networkfence_webhook.go deleted file mode 100644 index 4b59f9939..000000000 --- a/apis/csiaddons/v1alpha1/networkfence_webhook.go +++ /dev/null 
@@ -1,89 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - "reflect" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var nfLog = logf.Log.WithName("networkfence-webhook") - -func (n *NetworkFence) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(n). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-networkfence,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=networkfences,verbs=update,versions=v1alpha1,name=vnetworkfence.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &NetworkFence{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (n *NetworkFence) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (n *NetworkFence) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - nfLog.Info("validate update", "name", n.Name) - - oldNetworkFence, ok := old.(*NetworkFence) - if !ok { - return nil, errors.New("error casting NetworkFence object") - } - - var allErrs field.ErrorList - if n.Spec.Driver != oldNetworkFence.Spec.Driver { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("driver"), n.Spec.Driver, "driver cannot be changed")) - } - - if !reflect.DeepEqual(n.Spec.Parameters, oldNetworkFence.Spec.Parameters) { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("parameters"), n.Spec.Parameters, "parameters cannot be changed")) - } - - if n.Spec.Secret.Name != oldNetworkFence.Spec.Secret.Name { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "secret", "name"), n.Spec.Secret, "secret name cannot be changed")) - } - - if n.Spec.Secret.Namespace != oldNetworkFence.Spec.Secret.Namespace { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "secret", "namespace"), n.Spec.Secret, "secret namespace cannot be changed")) - } - - if len(allErrs) != 0 { - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "NetworkFence"}, - n.Name, allErrs) - } - - return nil, nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered 
for the type -func (n *NetworkFence) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go b/apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go deleted file mode 100644 index cc7a6ddb7..000000000 --- a/apis/csiaddons/v1alpha1/reclaimspacecronjob_webhook.go +++ /dev/null 
@@ -1,76 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var rscjLog = logf.Log.WithName("reclaimspacecronjob-webhook") - -func (r *ReclaimSpaceCronJob) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(r). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-reclaimspacecronjob,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=reclaimspacecronjobs,verbs=update,versions=v1alpha1,name=vreclaimspacecronjob.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &ReclaimSpaceCronJob{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (r *ReclaimSpaceCronJob) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (r *ReclaimSpaceCronJob) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - rscjLog.Info("validate update", "name", r.Name) - - oldReclaimSpaceCronJob, ok := old.(*ReclaimSpaceCronJob) - if !ok { - return nil, errors.New("error casting ReclaimSpaceCronJob object") - } - - var allErrs field.ErrorList - - if r.Spec.JobSpec.Spec.Target.PersistentVolumeClaim != oldReclaimSpaceCronJob.Spec.JobSpec.Spec.Target.PersistentVolumeClaim { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "jobTemplate", "spec", "target", "persistentVolumeClaim"), r.Spec.JobSpec.Spec.Target.PersistentVolumeClaim, "persistentVolumeClaim cannot be changed")) - } - - if len(allErrs) != 0 { - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "ReclaimSpaceCronJob"}, - r.Name, allErrs) - } - return nil, nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *ReclaimSpaceCronJob) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go b/apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go deleted file mode 100644 index 286ed9df2..000000000 --- a/apis/csiaddons/v1alpha1/reclaimspacejob_webhook.go +++ /dev/null 
@@ -1,77 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var rsjLog = logf.Log.WithName("reclaimspacejob-webhook") - -func (r *ReclaimSpaceJob) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(r). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-csiaddons-openshift-io-v1alpha1-reclaimspacejob,mutating=false,failurePolicy=fail,sideEffects=None,groups=csiaddons.openshift.io,resources=reclaimspacejobs,verbs=update,versions=v1alpha1,name=vreclaimspacejob.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &ReclaimSpaceJob{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (r *ReclaimSpaceJob) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (r *ReclaimSpaceJob) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - rsjLog.Info("validate update", "name", r.Name) - - oldReclaimSpaceJob, ok := old.(*ReclaimSpaceJob) - if !ok { - return nil, errors.New("error casting ReclaimSpaceJob object") - } - - var allErrs field.ErrorList - - if r.Spec.Target.PersistentVolumeClaim != oldReclaimSpaceJob.Spec.Target.PersistentVolumeClaim { - allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "target", "persistentVolumeClaim"), r.Spec.Target.PersistentVolumeClaim, "persistentVolumeClaim cannot be changed")) - } - - if len(allErrs) != 0 { - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "csiaddons.openshift.io", Kind: "ReclaimSpaceJob"}, - r.Name, allErrs) - } - - return nil, nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (r *ReclaimSpaceJob) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/csiaddons/v1alpha1/webhook_suite_test.go b/apis/csiaddons/v1alpha1/webhook_suite_test.go deleted file mode 100644 index dfb4c236a..000000000 --- a/apis/csiaddons/v1alpha1/webhook_suite_test.go +++ /dev/null 
@@ -1,145 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "context" - "crypto/tls" - "fmt" - "net" - "path/filepath" - "testing" - "time" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" - - admissionv1beta1 "k8s.io/api/admission/v1beta1" - //+kubebuilder:scaffold:imports - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/client-go/rest" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/envtest" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/log/zap" - metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" - "sigs.k8s.io/controller-runtime/pkg/webhook" -) - -// These tests use Ginkgo (BDD-style Go testing framework). Refer to -// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 
- -var cfg *rest.Config -var k8sClient client.Client -var testEnv *envtest.Environment -var ctx context.Context -var cancel context.CancelFunc - -func TestAPIs(t *testing.T) { - RegisterFailHandler(Fail) - - RunSpecs(t, "Webhook Suite") -} - -var _ = BeforeSuite(func() { - logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) - - ctx, cancel = context.WithCancel(context.TODO()) - - By("bootstrapping test environment") - testEnv = &envtest.Environment{ - CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")}, - ErrorIfCRDPathMissing: false, - WebhookInstallOptions: envtest.WebhookInstallOptions{ - Paths: []string{filepath.Join("..", "..", "..", "config", "webhook")}, - }, - } - - var err error - // cfg is defined in this file globally. - cfg, err = testEnv.Start() - Expect(err).NotTo(HaveOccurred()) - Expect(cfg).NotTo(BeNil()) - - scheme := runtime.NewScheme() - err = AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - err = admissionv1beta1.AddToScheme(scheme) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:scheme - - k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) - Expect(err).NotTo(HaveOccurred()) - Expect(k8sClient).NotTo(BeNil()) - - // start webhook server using Manager - webhookInstallOptions := &testEnv.WebhookInstallOptions - mgr, err := ctrl.NewManager(cfg, ctrl.Options{ - Scheme: scheme, - LeaderElection: false, - Metrics: metricsserver.Options{BindAddress: "0"}, - WebhookServer: webhook.NewServer(webhook.Options{ - Host: webhookInstallOptions.LocalServingHost, - Port: webhookInstallOptions.LocalServingPort, - CertDir: webhookInstallOptions.LocalServingCertDir, - }), - }) - Expect(err).NotTo(HaveOccurred()) - - err = (&ReclaimSpaceJob{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - err = (&ReclaimSpaceCronJob{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - err = (&NetworkFence{}).SetupWebhookWithManager(mgr) - 
Expect(err).NotTo(HaveOccurred()) - - err = (&CSIAddonsNode{}).SetupWebhookWithManager(mgr) - Expect(err).NotTo(HaveOccurred()) - - //+kubebuilder:scaffold:webhook - - go func() { - defer GinkgoRecover() - err = mgr.Start(ctx) - Expect(err).NotTo(HaveOccurred()) - }() - - // wait for the webhook server to get ready - dialer := &net.Dialer{Timeout: time.Second} - addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) - Eventually(func() error { - conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) - if err != nil { - return err - } - conn.Close() - return nil - }).Should(Succeed()) - -}, 60) - -var _ = AfterSuite(func() { - cancel() - By("tearing down the test environment") - err := testEnv.Stop() - Expect(err).NotTo(HaveOccurred()) -}) diff --git a/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go b/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go index 57a1000e0..86e250fda 100644 --- a/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go +++ b/apis/csiaddons/v1alpha1/zz_generated.deepcopy.go @@ -24,7 +24,7 @@ package v1alpha1 import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. diff --git a/apis/replication.storage/v1alpha1/volumereplication_webhook.go b/apis/replication.storage/v1alpha1/volumereplication_webhook.go deleted file mode 100644 index 70cf95a3e..000000000 --- a/apis/replication.storage/v1alpha1/volumereplication_webhook.go +++ /dev/null 
@@ -1,84 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - "reflect" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var vrLog = logf.Log.WithName("volumereplication-webhook") - -func (v *VolumeReplication) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(v). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-replication-storage-openshift-io-v1alpha1-volumereplication,mutating=false,failurePolicy=fail,sideEffects=None,groups=replication.storage.openshift.io,resources=volumereplications,verbs=update,versions=v1alpha1,name=vvolumereplication.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &VolumeReplication{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplication) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplication) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - vrLog.Info("validate update", "name", v.Name) - - oldReplication, ok := old.(*VolumeReplication) - if !ok { - return nil, errors.New("error casting old VolumeReplication object") - } - - var allErrs field.ErrorList - - if !reflect.DeepEqual(oldReplication.Spec.DataSource, v.Spec.DataSource) { - vrLog.Info("invalid request to change the DataSource", "exiting dataSource", oldReplication.Spec.DataSource, "new dataSource", v.Spec.DataSource) - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("dataSource"), v.Spec.DataSource, "dataSource cannot be changed")) - } - - if oldReplication.Spec.VolumeReplicationClass != v.Spec.VolumeReplicationClass { - vrLog.Info("invalid request to change the volumeReplicationClass", "exiting volumeReplicationClass", oldReplication.Spec.VolumeReplicationClass, "new volumeReplicationClass", v.Spec.VolumeReplicationClass) - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("volumeReplicationClass"), v.Spec.VolumeReplicationClass, "volumeReplicationClass cannot be changed")) - } - - if len(allErrs) != 0 { - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "replication.storage.openshift.io", Kind: "VolumeReplication"}, - v.Name, allErrs) - } - - return 
nil, nil -} - -// ValidateDelete implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplication) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go b/apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go deleted file mode 100644 index f547eabdd..000000000 --- a/apis/replication.storage/v1alpha1/volumereplicationclass_webhook.go +++ /dev/null 
@@ -1,84 +0,0 @@ -/* -Copyright 2022 The Kubernetes-CSI-Addons Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "errors" - "reflect" - - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/apimachinery/pkg/util/validation/field" - ctrl "sigs.k8s.io/controller-runtime" - logf "sigs.k8s.io/controller-runtime/pkg/log" - "sigs.k8s.io/controller-runtime/pkg/webhook" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// log is for logging in this package. -var vrcLog = logf.Log.WithName("volumereplicationclass-webhook") - -func (v *VolumeReplicationClass) SetupWebhookWithManager(mgr ctrl.Manager) error { - return ctrl.NewWebhookManagedBy(mgr). - For(v). 
- Complete() -} - -//+kubebuilder:webhook:path=/validate-replication-storage-openshift-io-v1alpha1-volumereplicationclass,mutating=false,failurePolicy=fail,sideEffects=None,groups=replication.storage.openshift.io,resources=volumereplicationclasses,verbs=update,versions=v1alpha1,name=vvolumereplicationclass.kb.io,admissionReviewVersions=v1 - -var _ webhook.Validator = &VolumeReplicationClass{} - -// ValidateCreate implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplicationClass) ValidateCreate() (admission.Warnings, error) { - return nil, nil -} - -// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplicationClass) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { - vrcLog.Info("validate update", "name", v.Name) - - oldReplicationClass, ok := old.(*VolumeReplicationClass) - if !ok { - return nil, errors.New("error casting old VolumeReplicationClass object") - } - - var allErrs field.ErrorList - if oldReplicationClass.Spec.Provisioner != v.Spec.Provisioner { - vrcLog.Info("invalid request to change the provisioner", "exiting provisioner", oldReplicationClass.Spec.Provisioner, "new provisioner", v.Spec.Provisioner) - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("provisioner"), v.Spec.Provisioner, "provisioner cannot be changed")) - } - - if !reflect.DeepEqual(oldReplicationClass.Spec.Parameters, v.Spec.Parameters) { - vrcLog.Info("invalid request to change the parameters", "exiting parameters", oldReplicationClass.Spec.Parameters, "new parameters", v.Spec.Parameters) - allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("parameters"), v.Spec.Parameters, "parameters cannot be changed")) - } - - if len(allErrs) == 0 { - return nil, nil - } - - return nil, apierrors.NewInvalid( - schema.GroupKind{Group: "replication.storage.openshift.io", Kind: "VolumeReplicationClass"}, - v.Name, allErrs) - -} - -// ValidateDelete 
implements webhook.Validator so a webhook will be registered for the type -func (v *VolumeReplicationClass) ValidateDelete() (admission.Warnings, error) { - return nil, nil -} diff --git a/apis/replication.storage/v1alpha1/webhook_suite_test.go b/apis/replication.storage/v1alpha1/webhook_suite_test.go deleted file mode 100644 index cec536a00..000000000 --- a/apis/replication.storage/v1alpha1/webhook_suite_test.go +++ /dev/null 
@@ -1,139 +0,0 @@
-/*
-Copyright 2022 The Kubernetes-CSI-Addons Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- "context"
- "crypto/tls"
- "fmt"
- "net"
- "path/filepath"
- "testing"
- "time"
-
- . "github.com/onsi/ginkgo"
- . "github.com/onsi/gomega"
-
- admissionv1beta1 "k8s.io/api/admission/v1beta1"
- //+kubebuilder:scaffold:imports
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/client-go/rest"
- ctrl "sigs.k8s.io/controller-runtime"
- "sigs.k8s.io/controller-runtime/pkg/client"
- "sigs.k8s.io/controller-runtime/pkg/envtest"
- logf "sigs.k8s.io/controller-runtime/pkg/log"
- "sigs.k8s.io/controller-runtime/pkg/log/zap"
- metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
- "sigs.k8s.io/controller-runtime/pkg/webhook"
-)
-
-// These tests use Ginkgo (BDD-style Go testing framework). Refer to
-// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
-
-var cfg *rest.Config
-var k8sClient client.Client
-var testEnv *envtest.Environment
-var ctx context.Context
-var cancel context.CancelFunc
-
-func TestAPIs(t *testing.T) {
- RegisterFailHandler(Fail)
-
- RunSpecs(t, "Webhook Suite")
-}
-
-var _ = BeforeSuite(func() {
- logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
-
- ctx, cancel = context.WithCancel(context.TODO())
-
- By("bootstrapping test environment")
- testEnv = &envtest.Environment{
- CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "config", "crd", "bases")},
- ErrorIfCRDPathMissing: false,
- WebhookInstallOptions: envtest.WebhookInstallOptions{
- Paths: []string{filepath.Join("..", "..", "..", "config", "webhook")},
- },
- }
-
- var err error
- // cfg is defined in this file globally.
- cfg, err = testEnv.Start()
- Expect(err).NotTo(HaveOccurred())
- Expect(cfg).NotTo(BeNil())
-
- scheme := runtime.NewScheme()
- err = AddToScheme(scheme)
- Expect(err).NotTo(HaveOccurred())
-
- err = admissionv1beta1.AddToScheme(scheme)
- Expect(err).NotTo(HaveOccurred())
-
- //+kubebuilder:scaffold:scheme
-
- k8sClient, err = client.New(cfg, client.Options{Scheme: scheme})
- Expect(err).NotTo(HaveOccurred())
- Expect(k8sClient).NotTo(BeNil())
-
- // start webhook server using Manager
- webhookInstallOptions := &testEnv.WebhookInstallOptions
- mgr, err := ctrl.NewManager(cfg, ctrl.Options{
- Scheme: scheme,
- LeaderElection: false,
- Metrics: metricsserver.Options{BindAddress: "0"},
- WebhookServer: webhook.NewServer(webhook.Options{
- Port: webhookInstallOptions.LocalServingPort,
- Host: webhookInstallOptions.LocalServingHost,
- CertDir: webhookInstallOptions.LocalServingCertDir,
- }),
- })
- Expect(err).NotTo(HaveOccurred())
-
- err = (&VolumeReplicationClass{}).SetupWebhookWithManager(mgr)
- Expect(err).NotTo(HaveOccurred())
-
- err = (&VolumeReplication{}).SetupWebhookWithManager(mgr)
- Expect(err).NotTo(HaveOccurred())
-
- //+kubebuilder:scaffold:webhook
-
- go func() {
- defer
GinkgoRecover()
- err = mgr.Start(ctx)
- Expect(err).NotTo(HaveOccurred())
- }()
-
- // wait for the webhook server to get ready
- dialer := &net.Dialer{Timeout: time.Second}
- addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort)
- Eventually(func() error {
- conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true})
- if err != nil {
- return err
- }
- conn.Close()
- return nil
- }).Should(Succeed())
-
-}, 60)
-
-var _ = AfterSuite(func() {
- cancel()
- By("tearing down the test environment")
- err := testEnv.Stop()
- Expect(err).NotTo(HaveOccurred())
-})
diff --git a/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go b/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go
index 6cb32c780..cd8fe3777 100644
--- a/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/replication.storage/v1alpha1/zz_generated.deepcopy.go
@@ -23,7 +23,7 @@ package v1alpha1 import ( "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 20da9de9f..e3d714b11 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -70,8 +70,8 @@ func main() {
 metricsAddr string
 probeAddr string
 enableLeaderElection bool
- enableAdmissionWebhooks bool
 showVersion bool
+ enableAdmissionWebhooks bool
 ctx = context.Background()
 cfg = util.NewConfig()
 )
@@ -83,7 +83,7 @@ func main() {
 flag.DurationVar(&cfg.ReclaimSpaceTimeout, "reclaim-space-timeout", cfg.ReclaimSpaceTimeout, "Timeout for reclaimspace operation")
 flag.IntVar(&cfg.MaxConcurrentReconciles, "max-concurrent-reconciles", cfg.MaxConcurrentReconciles, "Maximum number of concurrent reconciles")
 flag.StringVar(&cfg.Namespace, "namespace", cfg.Namespace, "Namespace where the CSIAddons pod is deployed")
- flag.BoolVar(&enableAdmissionWebhooks, "enable-admission-webhooks", true, "Enable the admission webhooks")
+ flag.BoolVar(&enableAdmissionWebhooks, "enable-admission-webhooks", false, "[DEPRECATED] Enable the admission webhooks")
 flag.BoolVar(&showVersion, "version", false, "Print Version details")
 opts := zap.Options{
 Development: true,
@@ -97,6 +97,10 @@ func main() {
 return
 }
+ if enableAdmissionWebhooks {
+ setupLog.Info("enable-admission-webhooks flag is deprecated and will be removed in a future release")
+ }
+
 ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 kubeConfig := ctrl.GetConfigOrDie()
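Review bot: The deprecation message added in the `@@ -97` hunk is emitted before `ctrl.SetLogger(...)` on the following line, and if `setupLog` is built from `ctrl.Log` (its definition is outside the hunk) controller-runtime's delegating logger discards records written before the root logger is set, so the warning this commit promises would never be printed. Move the block below the logger setup: `ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))` first, then `if enableAdmissionWebhooks { setupLog.Info("enable-admission-webhooks flag is deprecated and will be removed in a future release") }`. The help text in the `@@ -83` hunk, `"[DEPRECATED] Enable the admission webhooks"`, still claims the flag enables something although nothing is registered any more; `"[DEPRECATED] No-op kept for compatibility; admission webhooks have been removed"` states the real effect. With the default flipped to `false` and the `SetupWebhookWithManager` calls dropped in the `@@ -184` hunk, the update-time checks those webhooks enforced (for example the VolumeReplicationClass provisioner/parameters immutability in the deleted `ValidateUpdate`) are no longer applied by this commit, and the diffstat shows no CRD change replacing them with CEL rules, so that validation gap should be called out in the description or closed in the same series. `main` continues outside the hunk.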
@@ -184,38 +188,6 @@ func main() {
 os.Exit(1)
 }
- if enableAdmissionWebhooks {
- if err = (&replicationstoragev1alpha1.VolumeReplicationClass{}).SetupWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "VolumeReplicationClass")
- os.Exit(1)
- }
-
- if err = (&replicationstoragev1alpha1.VolumeReplication{}).SetupWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "VolumeReplication")
- os.Exit(1)
- }
-
- if err = (&csiaddonsv1alpha1.ReclaimSpaceJob{}).SetupWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "ReclaimSpaceJob")
- os.Exit(1)
- }
-
- if err = (&csiaddonsv1alpha1.ReclaimSpaceCronJob{}).SetupWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "ReclaimSpaceCronJob")
- os.Exit(1)
- }
-
- if err = (&csiaddonsv1alpha1.NetworkFence{}).SetupWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "NetworkFence")
- os.Exit(1)
- }
-
- if err = (&csiaddonsv1alpha1.CSIAddonsNode{}).SetupWebhookWithManager(mgr); err != nil {
- setupLog.Error(err, "unable to create webhook", "webhook", "CSIAddonsNode")
- os.Exit(1)
- }
- }
-
 //+kubebuilder:scaffold:builder
 if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml
deleted file mode 100644
index 5550d6154..000000000
--- a/config/certmanager/certificate.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ ---- -# The following manifests contain a self-signed issuer CR and a certificate CR. -# More document can be found at https://docs.cert-manager.io -# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer - namespace: system -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - # this name should match the one appeared in kustomizeconfig.yaml - name: serving-cert - namespace: system -spec: - # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize - dnsNames: - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc - - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local - issuerRef: - kind: Issuer - name: selfsigned-issuer - # this secret will not be prefixed, since it's not managed by kustomize - secretName: webhook-server-cert diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml deleted file mode 100644 index b08880f76..000000000 --- a/config/certmanager/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# Adds namespace to all resources. -namespace: csi-addons-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: csi-addons- - -resources: - - certificate.yaml - -configurations: - - kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml deleted file mode 100644 index 80bde9289..000000000 --- a/config/certmanager/kustomizeconfig.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
----
-# This configuration is for teaching kustomize how to update name ref and var substitution
-nameReference:
- - kind: Issuer
- group: cert-manager.io
- fieldSpecs:
- - kind: Certificate
- group: cert-manager.io
- path: spec/issuerRef/name
-
-varReference:
- - kind: Certificate
- group: cert-manager.io
- path: spec/commonName
- - kind: Certificate
- group: cert-manager.io
- path: spec/dnsNames
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index a955dd89f..677e7eae1 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -14,49 +14,49 @@ # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
-patchesStrategicMerge:
+# patchesStrategicMerge:
 # Mount the controller config file for loading manager configurations
 # through a ComponentConfig type
 #- manager_config_patch.yaml
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
- - manager_webhook_patch.yaml
+ #- manager_webhook_patch.yaml
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
- - webhookcainjection_patch.yaml
+ #- webhookcainjection_patch.yaml
 # the following config is for teaching kustomize how to do var substitution
-vars:
- # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
- - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
- objref:
- kind: Certificate
- group: cert-manager.io
- version: v1
- name: serving-cert # this name should match the one in certificate.yaml
- fieldref:
- fieldpath: metadata.namespace
- - name: CERTIFICATE_NAME
- objref:
- kind: Certificate
- group: cert-manager.io
- version: v1
- name: serving-cert # this name should match the one in certificate.yaml
- - name: SERVICE_NAMESPACE # namespace of the service
- objref:
- kind: Service
- version: v1
- name: webhook-service
- fieldref:
- fieldpath: metadata.namespace
- - name: SERVICE_NAME
- objref:
- kind: Service
- version: v1
- name: webhook-service
+#vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+# - name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1
+# name: serving-cert # this name should match the one in certificate.yaml
+# fieldref:
+# fieldpath: metadata.namespace
+# - name: CERTIFICATE_NAME
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1
+# name: serving-cert # this name should match the one in certificate.yaml
+# - name: SERVICE_NAMESPACE # namespace of the service
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
+# fieldref:
+# fieldpath: metadata.namespace
+# - name: SERVICE_NAME
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
@@ -64,5 +64,3 @@ resources:
 - ../crd
 - ../rbac
 - ../manager
- - ../webhook
- - ../certmanager
diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml
deleted file mode 100644
index 4aaf150d2..000000000
--- a/config/default/manager_webhook_patch.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
-spec:
- template:
- spec:
- containers:
- - name: manager
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: webhook-server-cert
diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml
deleted file mode 100644
index a6a4b2160..000000000
--- a/config/default/webhookcainjection_patch.yaml
+++ /dev/null
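Review bot: The commented-out lines kept in `config/default/kustomization.yaml` still tell the reader to "uncomment all the sections with [WEBHOOK] prefix" and point at `manager_webhook_patch.yaml`, `webhookcainjection_patch.yaml`, `../webhook` and `../certmanager`, every one of which this commit deletes, so following that instruction would now break `kustomize build`. Since validation is moving to CEL, it is cleaner to delete the `# patchesStrategicMerge:`, `#- manager_webhook_patch.yaml`, `#- webhookcainjection_patch.yaml` and `#vars:` blocks together with their [WEBHOOK]/[CERTMANAGER] explanations rather than keep dead configuration that no longer has files behind it. If they are kept on purpose, the new block mixes `#vars:` with `# - name:` and `#- manager_webhook_patch.yaml`; yamllint's `comments` rule expects `# ` with one space throughout, and the "uncomment to enable" wording should become a note such as `# webhook and cert-manager support was removed; validation is done with CEL rules in the CRDs`. The `@@ -64` hunk on the same line drops the `../webhook` and `../certmanager` resources cleanly, so the stale references survive only in comments.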
@@ -1,10 +0,0 @@
----
-# This patch add annotation to admission webhook config and
-# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: validating-webhook-configuration
- annotations:
- cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
diff --git a/config/manager/manager_auth_proxy_patch.yaml b/config/manager/manager_auth_proxy_patch.yaml
index 8f4abf76f..f30705fe0 100644
--- a/config/manager/manager_auth_proxy_patch.yaml
+++ b/config/manager/manager_auth_proxy_patch.yaml
@@ -36,4 +36,3 @@ spec:
 - "--health-probe-bind-address=:8081"
 - "--metrics-bind-address=127.0.0.1:8080"
 - "--leader-elect"
- - "--enable-admission-webhooks=true"
diff --git a/config/manifests/kustomization.yaml b/config/manifests/kustomization.yaml
index 5920ff456..eb52b171d 100644
--- a/config/manifests/kustomization.yaml
+++ b/config/manifests/kustomization.yaml
@@ -4,23 +4,3 @@ resources:
 - ../default
 - ../scorecard
-
-# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
-# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
-# These patches remove the unnecessary "cert" volume and its manager container volumeMount.
-patchesJson6902:
- - target:
- group: apps
- version: v1
- kind: Deployment
- name: controller-manager
- namespace: system
- patch: |-
- # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
- # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
- - op: remove
- path: /spec/template/spec/containers/0/volumeMounts/0
- # Remove the "cert" volume, since OLM will create and mount a set of certs.
- # Update the indices in this path if adding or removing volumes in the manager's Deployment.
- - op: remove
- path: /spec/template/spec/volumes/0
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml deleted file mode 100644 index 54d4b52e9..000000000 --- a/config/webhook/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -# Adds namespace to all resources. -namespace: csi-addons-system - -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: csi-addons- - -resources: - - manifests.yaml - - service.yaml - -configurations: - - kustomizeconfig.yaml diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml deleted file mode 100644 index d45f3553b..000000000 --- a/config/webhook/kustomizeconfig.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# the following config is for teaching kustomize where to look at when substituting vars. -# It requires kustomize v2.1.0 or newer to work properly. -nameReference: - - kind: Service - version: v1 - fieldSpecs: - - kind: ValidatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/name - -namespace: - - kind: ValidatingWebhookConfiguration - group: admissionregistration.k8s.io - path: webhooks/clientConfig/service/namespace - create: true - -varReference: - - path: metadata/annotations diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml deleted file mode 100644 index 7299e9eb4..000000000 --- a/config/webhook/manifests.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode - failurePolicy: Fail - name: vcsiaddonsnode.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - csiaddonsnodes - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-networkfence - failurePolicy: Fail - name: vnetworkfence.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - networkfences - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-reclaimspacecronjob - failurePolicy: Fail - name: vreclaimspacecronjob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacecronjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-csiaddons-openshift-io-v1alpha1-reclaimspacejob - failurePolicy: Fail - name: vreclaimspacejob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacejobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplication - failurePolicy: Fail - name: vvolumereplication.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - 
apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplications - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: webhook-service - namespace: system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplicationclass - failurePolicy: Fail - name: vvolumereplicationclass.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplicationclasses - sideEffects: None diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml deleted file mode 100644 index 80ea703d7..000000000 --- a/config/webhook/service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -apiVersion: v1 -kind: Service -metadata: - name: webhook-service - namespace: system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app.kubernetes.io/name: csi-addons diff --git a/deploy/controller/install-all-in-one.yaml b/deploy/controller/install-all-in-one.yaml deleted file mode 100644 index ce7f3b55a..000000000 --- a/deploy/controller/install-all-in-one.yaml +++ /dev/null 
@@ -1,1564 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/name: csi-addons - name: csi-addons-system ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: csiaddonsnodes.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: CSIAddonsNode - listKind: CSIAddonsNodeList - plural: csiaddonsnodes - singular: csiaddonsnode - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.namespace - name: namespace - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.driver.name - name: DriverName - type: string - - jsonPath: .spec.driver.endpoint - name: Endpoint - type: string - - jsonPath: .spec.driver.nodeID - name: NodeID - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: CSIAddonsNode is the Schema for the csiaddonsnode API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CSIAddonsNodeSpec defines the desired state of CSIAddonsNode - properties: - driver: - description: Driver is the information of the CSI Driver existing - on a node. If the driver is uninstalled, this can become empty. 
- properties: - endpoint: - description: EndPoint is url that contains the ip-address to which - the CSI-Addons side-car listens to. - type: string - name: - description: 'Name is the name of the CSI driver that this object - refers to. This must be the same name returned by the CSI-Addons - GetIdentity() call for that driver. The name of the driver is - in the format: `example.csi.ceph.com`' - type: string - nodeID: - description: NodeID is the ID of the node to identify on which - node the side-car is running. - type: string - required: - - endpoint - - name - - nodeID - type: object - required: - - driver - type: object - status: - description: CSIAddonsNodeStatus defines the observed state of CSIAddonsNode - properties: - message: - description: Message is a human-readable message indicating details - about why the CSIAddonsNode is in this state. - type: string - reason: - description: Reason is a brief CamelCase string that describes any - failure and is meant for machine parsing and tidy display in the - CLI. - type: string - state: - description: State represents the state of the CSIAddonsNode object. - It informs whether or not the CSIAddonsNode is Connected to the - CSI Driver. 
- type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: networkfences.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: NetworkFence - listKind: NetworkFenceList - plural: networkfences - singular: networkfence - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.driver - name: Driver - type: string - - jsonPath: .spec.cidrs - name: Cidrs - type: string - - jsonPath: .spec.fenceState - name: FenceState - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.result - name: Result - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: NetworkFence is the Schema for the networkfences API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NetworkFenceSpec defines the desired state of NetworkFence - properties: - cidrs: - description: Cidrs contains a list of CIDR blocks, which are required - to be fenced. - items: - type: string - type: array - driver: - description: Driver contains the name of CSI driver. 
- type: string - fenceState: - default: Fenced - description: FenceState contains the desired state for the CIDRs mentioned - in the Spec. i.e. Fenced or Unfenced - enum: - - Fenced - - Unfenced - type: string - parameters: - additionalProperties: - type: string - description: Parameters is used to pass additional parameters to the - CSI driver. - type: object - secret: - description: Secret is a kubernetes secret, which is required to perform - the fence/unfence operation. - properties: - name: - description: Name specifies the name of the secret. - type: string - namespace: - description: Namespace specifies the namespace in which the secret - is located. - type: string - type: object - required: - - cidrs - - driver - - fenceState - type: object - status: - description: NetworkFenceStatus defines the observed state of NetworkFence - properties: - conditions: - description: Conditions are the list of conditions and their status. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. 
- format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: Message contains any message from the NetworkFence operation. - type: string - result: - description: Result indicates the result of Network Fence/Unfence - operation. 
- type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: reclaimspacecronjobs.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: ReclaimSpaceCronJob - listKind: ReclaimSpaceCronJobList - plural: reclaimspacecronjobs - singular: reclaimspacecronjob - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .spec.suspend - name: Suspend - type: boolean - - jsonPath: .status.active.name - name: Active - type: string - - jsonPath: .status.lastScheduleTime - name: Lastschedule - type: date - - jsonPath: .status.lastSuccessfulTime - name: Lastsuccessfultime - priority: 1 - type: date - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ReclaimSpaceCronJob is the Schema for the reclaimspacecronjobs - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReclaimSpaceCronJobSpec defines the desired state of ReclaimSpaceJob - properties: - concurrencyPolicy: - default: Forbid - description: 'Specifies how to treat concurrent executions of a Job. - Valid values are: - "Forbid" (default): forbids concurrent runs, - skipping next run if previous run hasn''t finished yet; - "Replace": - cancels currently running job and replaces it with a new one' - enum: - - Forbid - - Replace - type: string - failedJobsHistoryLimit: - default: 1 - description: The number of failed finished jobs to retain. Value must - be non-negative integer. Defaults to 1. - format: int32 - maximum: 60 - minimum: 0 - type: integer - jobTemplate: - description: Specifies the job that will be created when executing - a CronJob. - properties: - metadata: - description: 'Standard object''s metadata of the jobs created - from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Specification of the desired behavior of the job. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - backOffLimit: - default: 6 - description: BackOffLimit specifies the number of retries - allowed before marking reclaim space operation as failed. - If not specified, defaults to 6. Maximum allowed value is - 60 and minimum allowed value is 0. - format: int32 - maximum: 60 - minimum: 0 - type: integer - retryDeadlineSeconds: - default: 600 - description: RetryDeadlineSeconds specifies the duration in - seconds relative to the start time that the operation may - be retried; value MUST be positive integer. If not specified, - defaults to 600 seconds. Maximum allowed value is 1800. 
- format: int64 - maximum: 1800 - minimum: 0 - type: integer - target: - description: Target represents volume target on which the - operation will be performed. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim specifies the target - PersistentVolumeClaim name. - type: string - type: object - timeout: - description: Timeout specifies the timeout in seconds for - the grpc request sent to the CSI driver. If not specified, - defaults to global reclaimspace timeout. Minimum allowed - value is 60. - format: int64 - minimum: 60 - type: integer - required: - - target - type: object - type: object - schedule: - description: The schedule in Cron format, see https://en.wikipedia.org/wiki/Cron. - pattern: .+ - type: string - startingDeadlineSeconds: - description: Optional deadline in seconds for starting the job if - it misses scheduled time for any reason. Missed jobs executions - will be counted as failed ones. - format: int64 - type: integer - successfulJobsHistoryLimit: - default: 3 - description: The number of successful finished jobs to retain. Value - must be non-negative integer. Defaults to 3. - format: int32 - maximum: 60 - minimum: 0 - type: integer - suspend: - description: This flag tells the controller to suspend subsequent - executions, it does not apply to already started executions. Defaults - to false. - type: boolean - required: - - jobTemplate - - schedule - type: object - status: - description: ReclaimSpaceCronJobStatus defines the observed state of ReclaimSpaceJob - properties: - active: - description: A pointer to currently running job. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. 
- For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - lastScheduleTime: - description: Information when was the last time the job was successfully - scheduled. - format: date-time - type: string - lastSuccessfulTime: - description: Information when was the last time the job successfully - completed. 
- format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: reclaimspacejobs.csiaddons.openshift.io -spec: - group: csiaddons.openshift.io - names: - kind: ReclaimSpaceJob - listKind: ReclaimSpaceJobList - plural: reclaimspacejobs - singular: reclaimspacejob - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.namespace - name: Namespace - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.retries - name: Retries - type: integer - - jsonPath: .status.result - name: Result - type: string - - jsonPath: .status.reclaimedSpace - name: ReclaimedSpace - priority: 1 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: ReclaimSpaceJob is the Schema for the reclaimspacejobs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ReclaimSpaceJobSpec defines the desired state of ReclaimSpaceJob - properties: - backOffLimit: - default: 6 - description: BackOffLimit specifies the number of retries allowed - before marking reclaim space operation as failed. 
If not specified, - defaults to 6. Maximum allowed value is 60 and minimum allowed value - is 0. - format: int32 - maximum: 60 - minimum: 0 - type: integer - retryDeadlineSeconds: - default: 600 - description: RetryDeadlineSeconds specifies the duration in seconds - relative to the start time that the operation may be retried; value - MUST be positive integer. If not specified, defaults to 600 seconds. - Maximum allowed value is 1800. - format: int64 - maximum: 1800 - minimum: 0 - type: integer - target: - description: Target represents volume target on which the operation - will be performed. - properties: - persistentVolumeClaim: - description: PersistentVolumeClaim specifies the target PersistentVolumeClaim - name. - type: string - type: object - timeout: - description: Timeout specifies the timeout in seconds for the grpc - request sent to the CSI driver. If not specified, defaults to global - reclaimspace timeout. Minimum allowed value is 60. - format: int64 - minimum: 60 - type: integer - required: - - target - type: object - status: - description: ReclaimSpaceJobStatus defines the observed state of ReclaimSpaceJob - properties: - completionTime: - format: date-time - type: string - conditions: - description: Conditions are the list of conditions and their status. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: Message contains any message from the ReclaimSpaceJob. - type: string - reclaimedSpace: - anyOf: - - type: integer - - type: string - description: ReclaimedSpace indicates the amount of space reclaimed. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - result: - description: Result indicates the result of ReclaimSpaceJob. - type: string - retries: - description: Retries indicates the number of times the operation is - retried. - format: int32 - type: integer - startTime: - format: date-time - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: volumereplicationclasses.replication.storage.openshift.io -spec: - group: replication.storage.openshift.io - names: - kind: VolumeReplicationClass - listKind: VolumeReplicationClassList - plural: volumereplicationclasses - shortNames: - - vrc - singular: volumereplicationclass - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.provisioner - name: provisioner - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: VolumeReplicationClass is the Schema for the volumereplicationclasses - API. 
- properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VolumeReplicationClassSpec specifies parameters that an underlying - storage system uses when creating a volume replica. A specific VolumeReplicationClass - is used by specifying its name in a VolumeReplication object. - properties: - parameters: - additionalProperties: - type: string - description: Parameters is a key-value map with storage provisioner - specific configurations for creating volume replicas - type: object - provisioner: - description: Provisioner is the name of storage provisioner - type: string - required: - - provisioner - type: object - status: - description: VolumeReplicationClassStatus defines the observed state of - VolumeReplicationClass. 
- type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.12.1 - name: volumereplications.replication.storage.openshift.io -spec: - group: replication.storage.openshift.io - names: - kind: VolumeReplication - listKind: VolumeReplicationList - plural: volumereplications - shortNames: - - vr - singular: volumereplication - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.volumeReplicationClass - name: volumeReplicationClass - type: string - - jsonPath: .spec.dataSource.name - name: pvcName - type: string - - jsonPath: .spec.replicationState - name: desiredState - type: string - - jsonPath: .status.state - name: currentState - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: VolumeReplication is the Schema for the volumereplications API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: VolumeReplicationSpec defines the desired state of VolumeReplication. 
- properties: - autoResync: - default: false - description: AutoResync represents the volume to be auto resynced - when ReplicationState is "secondary" - type: boolean - dataSource: - description: DataSource represents the object associated with the - volume - properties: - apiGroup: - description: APIGroup is the group for the resource being referenced. - If APIGroup is not specified, the specified Kind must be in - the core API group. For any other third-party types, APIGroup - is required. - type: string - kind: - description: Kind is the type of resource being referenced - type: string - name: - description: Name is the name of resource being referenced - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - replicationHandle: - description: replicationHandle represents an existing (but new) replication - id - type: string - replicationState: - description: ReplicationState represents the replication operation - to be performed on the volume. Supported operations are "primary", - "secondary" and "resync" - enum: - - primary - - secondary - - resync - type: string - volumeReplicationClass: - description: VolumeReplicationClass is the VolumeReplicationClass - name for this VolumeReplication resource - type: string - required: - - autoResync - - dataSource - - replicationState - - volumeReplicationClass - type: object - status: - description: VolumeReplicationStatus defines the observed state of VolumeReplication. - properties: - conditions: - description: Conditions are the list of conditions and their status. - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. 
// Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - lastCompletionTime: - format: date-time - type: string - lastStartTime: - format: date-time - type: string - lastSyncBytes: - format: int64 - type: integer - lastSyncDuration: - type: string - lastSyncTime: - format: date-time - type: string - message: - type: string - observedGeneration: - description: observedGeneration is the last generation change the - operator has dealt with - format: int64 - type: integer - state: - description: State captures the latest state of the replication operation. 
- type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: csi-addons-leader-election-role - namespace: csi-addons-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-addons-manager-role -rules: -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - update - - watch -- apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - persistentvolumeclaims/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - csiaddonsnodes/status - verbs: - - get - - patch - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - networkfences - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - 
resources: - - networkfences/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - networkfences/status - verbs: - - get - - patch - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacecronjobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacecronjobs/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacecronjobs/status - verbs: - - get - - patch - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacejobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacejobs/finalizers - verbs: - - update -- apiGroups: - - csiaddons.openshift.io - resources: - - reclaimspacejobs/status - verbs: - - get - - patch - - update -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplicationclasses - verbs: - - get - - list - - watch -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplications - verbs: - - get - - list - - update - - watch -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplications/finalizers - verbs: - - update -- apiGroups: - - replication.storage.openshift.io - resources: - - volumereplications/status - verbs: - - update -- apiGroups: - - storage.k8s.io - resources: - - volumeattachments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-addons-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-addons-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews 
- verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: csi-addons-leader-election-rolebinding - namespace: csi-addons-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: csi-addons-leader-election-role -subjects: -- kind: ServiceAccount - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: csi-addons-manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-addons-manager-role -subjects: -- kind: ServiceAccount - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: csi-addons-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-addons-proxy-role -subjects: -- kind: ServiceAccount - name: csi-addons-controller-manager - namespace: csi-addons-system ---- -apiVersion: v1 -data: - controller_manager_config.yaml: | - --- - apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 - kind: ControllerManagerConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 127.0.0.1:8080 - webhook: - port: 9443 - leaderElection: - leaderElect: true - resourceName: e8cd140a.openshift.io -kind: ConfigMap -metadata: - name: csi-addons-manager-config - namespace: csi-addons-system ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: csi-addons - name: csi-addons-controller-manager-metrics-service - namespace: csi-addons-system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/name: csi-addons ---- -apiVersion: v1 -kind: Service -metadata: - name: csi-addons-webhook-service - namespace: csi-addons-system -spec: - ports: - - port: 443 - protocol: TCP - targetPort: 9443 - selector: - app.kubernetes.io/name: csi-addons 
---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/name: csi-addons - name: csi-addons-controller-manager - namespace: csi-addons-system -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: csi-addons - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - app.kubernetes.io/name: csi-addons - spec: - containers: - - args: - - --namespace=$(POD_NAMESPACE) - - --health-probe-bind-address=:8081 - - --metrics-bind-address=127.0.0.1:8080 - - --leader-elect - - --enable-admission-webhooks=true - command: - - /csi-addons-manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/csiaddons/k8s-controller:latest - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - allowPrivilegeEscalation: false - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - args: - - --secure-listen-address=0.0.0.0:8443 - - --upstream=http://127.0.0.1:8080/ - - --logtostderr=true - - --v=10 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 - name: kube-rbac-proxy - ports: - - containerPort: 8443 - name: https - protocol: TCP - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - runAsNonRoot: true - serviceAccountName: csi-addons-controller-manager - terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: csi-addons-serving-cert - namespace: csi-addons-system 
-spec: - dnsNames: - - csi-addons-webhook-service.csi-addons-system.svc - - csi-addons-webhook-service.csi-addons-system.svc.cluster.local - issuerRef: - kind: Issuer - name: csi-addons-selfsigned-issuer - secretName: webhook-server-cert ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: csi-addons-selfsigned-issuer - namespace: csi-addons-system -spec: - selfSigned: {} ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - annotations: - cert-manager.io/inject-ca-from: csi-addons-system/csi-addons-serving-cert - name: csi-addons-validating-webhook-configuration -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-csiaddons-openshift-io-v1alpha1-csiaddonsnode - failurePolicy: Fail - name: vcsiaddonsnode.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - csiaddonsnodes - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-csiaddons-openshift-io-v1alpha1-networkfence - failurePolicy: Fail - name: vnetworkfence.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - networkfences - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-csiaddons-openshift-io-v1alpha1-reclaimspacecronjob - failurePolicy: Fail - name: vreclaimspacecronjob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacecronjobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: 
/validate-csiaddons-openshift-io-v1alpha1-reclaimspacejob - failurePolicy: Fail - name: vreclaimspacejob.kb.io - rules: - - apiGroups: - - csiaddons.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - reclaimspacejobs - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplication - failurePolicy: Fail - name: vvolumereplication.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplications - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: csi-addons-webhook-service - namespace: csi-addons-system - path: /validate-replication-storage-openshift-io-v1alpha1-volumereplicationclass - failurePolicy: Fail - name: vvolumereplicationclass.kb.io - rules: - - apiGroups: - - replication.storage.openshift.io - apiVersions: - - v1alpha1 - operations: - - UPDATE - resources: - - volumereplicationclasses - sideEffects: None diff --git a/deploy/controller/setup-controller.yaml b/deploy/controller/setup-controller.yaml index fab5b2aa8..aad6d9f48 100644 --- a/deploy/controller/setup-controller.yaml +++ b/deploy/controller/setup-controller.yaml @@ -61,7 +61,6 @@ spec: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 - --leader-elect - - --enable-admission-webhooks=false command: - /csi-addons-manager env: diff --git a/docs/deploy-controller.md b/docs/deploy-controller.md index 6cb9e25dd..c5fc35954 100644 --- a/docs/deploy-controller.md +++ b/docs/deploy-controller.md 
@@ -13,7 +13,6 @@ The CSI-Addons Controller can be deployed by different ways: | `--leader-elect` | `false` | Enable leader election for controller manager.| | `--reclaim-space-timeout` | `3m` | Timeout for reclaimspace operation | | `--max-concurrent-reconciles` | 100 | Maximum number of concurrent reconciles | -| `--enable-admission-webhooks` | `true` | Enable the admission webhooks | > Note: Some of the above configuration options can also be configured using [`"csi-addons-config"` configmap](./csi-addons-config.md). 
@@ -59,48 +58,6 @@ deployment.apps/csi-addons-controller-manager created * The "setup-controller.yaml" creates the csi-addons-controller-manager. -Webhooks are disabled by default in the controller deployment. If you are -looking to install controller with webhooks enabled, a single yaml file is -available in `deploy/controller` which contains all the required RBAC, CRD, -Deployment, Webhooks, Certificates etc. The versioned deployment is possible -with the yaml files that get generated for the [latest -release](https://github.com/csi-addons/kubernetes-csi-addons/releases/latest). -You can download the yaml file from there, or use them directly with kubectl. -This is the recommended and easiest way to deploy the controller with webhooks. - -**Note** The cert-manager need to be available/installed before installing the -controller. Please refer [doc](https://cert-manager.io/docs/installation) for -cert-manager installation. - -```console -$ cd deploy/controller - -$ kubectl create -f install-all-in-one.yaml - -namespace/csi-addons-system created -customresourcedefinition.apiextensions.k8s.io/csiaddonsnodes.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/networkfences.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/reclaimspacecronjobs.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/reclaimspacejobs.csiaddons.openshift.io created -customresourcedefinition.apiextensions.k8s.io/volumereplicationclasses.replication.storage.openshift.io created -customresourcedefinition.apiextensions.k8s.io/volumereplications.replication.storage.openshift.io created -serviceaccount/csi-addons-controller-manager created -role.rbac.authorization.k8s.io/csi-addons-leader-election-role created -clusterrole.rbac.authorization.k8s.io/csi-addons-manager-role created -clusterrole.rbac.authorization.k8s.io/csi-addons-metrics-reader created -clusterrole.rbac.authorization.k8s.io/csi-addons-proxy-role created 
-rolebinding.rbac.authorization.k8s.io/csi-addons-leader-election-rolebinding created -clusterrolebinding.rbac.authorization.k8s.io/csi-addons-manager-rolebinding created -clusterrolebinding.rbac.authorization.k8s.io/csi-addons-proxy-rolebinding created -configmap/csi-addons-manager-config created -service/csi-addons-controller-manager-metrics-service created -service/csi-addons-webhook-service created -deployment.apps/csi-addons-controller-manager created -certificate.cert-manager.io/csi-addons-serving-cert created -issuer.cert-manager.io/csi-addons-selfsigned-issuer created -validatingwebhookconfiguration.admissionregistration.k8s.io/csi-addons-validating-webhook-configuration created -``` - ## Installation by operator-sdk A CSI-Addons bundle can be used to install the CSI-Addons Controller with the @@ -172,4 +129,4 @@ for the CSI-Addons Controller are as follows: requests: cpu: 10m memory: 64Mi -``` \ No newline at end of file +``` From 2bb55f709780211deb7543778cae471208cdb7ea Mon Sep 17 00:00:00 2001 From: Madhu Rajanna Date: Thu, 21 Sep 2023 12:02:14 +0200 Subject: [PATCH 2/3] add csi-addons.clusterserviceversion to gitignore added csi-addons.clusterserviceversion to gitignore as its not pushed to the repo. Signed-off-by: Madhu Rajanna --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 2ae29cb61..62d97568a 100644 --- a/.gitignore +++ b/.gitignore @@ -22,6 +22,9 @@ testbin/* bundle.Dockerfile bundle +# generated csv file. +config/manifests/bases/csi-addons.clusterserviceversion.yaml + # editor and IDE paraphernalia .idea *.swp From 76892422eff98c8137a5a3be3a9eb4830e932d15 Mon Sep 17 00:00:00 2001 
From: Madhu Rajanna Date: Thu, 21 Sep 2023 15:03:13 +0200 Subject: [PATCH 3/3] use CEL for validation use CEL to validate the CR fields as it is having multiple advantages over webhooks and also it already beta in 1.25 onwards and going to be GA in 1.29 More details about it at https://kubernetes.io/blog/2022/09/29/\ enforce-immutability-using-cel/ Signed-off-by: Madhu Rajanna --- .../csiaddons/v1alpha1/csiaddonsnode_types.go | 4 ++ apis/csiaddons/v1alpha1/networkfence_types.go | 7 ++++ .../v1alpha1/reclaimspacejob_types.go | 1 + .../v1alpha1/volumereplication_types.go | 2 + .../v1alpha1/volumereplicationclass_types.go | 2 + ...csiaddons.openshift.io_csiaddonsnodes.yaml | 6 +++ .../csiaddons.openshift.io_networkfences.yaml | 15 +++++++ ...ons.openshift.io_reclaimspacecronjobs.yaml | 3 ++ ...iaddons.openshift.io_reclaimspacejobs.yaml | 3 ++ ...openshift.io_volumereplicationclasses.yaml | 6 +++ ...orage.openshift.io_volumereplications.yaml | 6 +++ deploy/controller/crds.yaml | 39 +++++++++++++++++++ 12 files changed, 94 insertions(+) diff --git a/apis/csiaddons/v1alpha1/csiaddonsnode_types.go b/apis/csiaddons/v1alpha1/csiaddonsnode_types.go index 9fef02d12..9db238ca9 100644 --- a/apis/csiaddons/v1alpha1/csiaddonsnode_types.go +++ b/apis/csiaddons/v1alpha1/csiaddonsnode_types.go @@ -36,6 +36,8 @@ type CSIAddonsNodeDriver struct { // This must be the same name returned by the CSI-Addons GetIdentity() // call for that driver. The name of the driver is in the format: // `example.csi.ceph.com` + // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable" Name string `json:"name"` // EndPoint is url that contains the ip-address to which the CSI-Addons 
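Review bot: The `self == oldSelf` rule added above `Name` is now the only thing stopping a CSIAddonsNode from being re-pointed at a different driver, and it only takes effect on an apiserver that supports CRD validation expressions (beta in 1.25 per the commit message); on an older apiserver the `x-kubernetes-validations` stanza is, as far as I can tell, dropped when the CRD is applied, so the guarantee the removed webhook provided would disappear without any error. Nothing in the series records this floor now that the webhook path is gone, so I would state it where the rule lives, e.g. `// Immutable after creation; enforced by a CRD validation rule, which needs a Kubernetes release with CRD validation expressions enabled (beta since 1.25).` The added `+kubebuilder:validation:Required` is redundant with the existing `json:"name"` tag and the `required` list the generated CRD already carries, so it can be dropped or kept purely as documentation. The CSIAddonsNodeDriver struct starts before this hunk.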
@@ -44,6 +46,8 @@ type CSIAddonsNodeDriver struct { // NodeID is the ID of the node to identify on which node the side-car // is running. + // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="nodeID is immutable" NodeID string `json:"nodeID"` } diff --git a/apis/csiaddons/v1alpha1/networkfence_types.go b/apis/csiaddons/v1alpha1/networkfence_types.go index 04b1d6bda..8c82b692e 100644 --- a/apis/csiaddons/v1alpha1/networkfence_types.go +++ b/apis/csiaddons/v1alpha1/networkfence_types.go @@ -40,13 +40,18 @@ const ( FencingOperationResultFailed FencingOperationResult = "Failed" ) +// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="secret is immutable" // SecretSpec defines the secrets to be used for the network fencing operation. type SecretSpec struct { // Name specifies the name of the secret. + // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable" Name string `json:"name,omitempty"` // Namespace specifies the namespace in which the secret // is located. + // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable" Namespace string `json:"namespace,omitempty"` } @@ -54,6 +59,7 @@ type SecretSpec struct { type NetworkFenceSpec struct { // Driver contains the name of CSI driver. // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="driver is immutable" Driver string `json:"driver"` // FenceState contains the desired state for the CIDRs @@ -71,6 +77,7 @@ type NetworkFenceSpec struct { Secret SecretSpec `json:"secret,omitempty"` // Parameters is used to pass additional parameters to the CSI driver. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="parameters are immutable" Parameters map[string]string `json:"parameters,omitempty"` } 
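Review bot: The per-field `self == oldSelf` rules on `SecretSpec.Name`/`Namespace` and the struct-level rule above `SecretSpec` only run when the value is present on both the old and the new object, so as I read the transition-rule semantics a NetworkFence created without `spec.secret` (it is `omitempty` and not in the CRD's `required` list) can still have a secret reference added on a later update, and one created with it can have the whole `secret` block removed. Since this reference selects the credentials the fence/unfence call runs with, if the intent is that it cannot change after creation the check belongs on the parent, e.g. on NetworkFenceSpec: `// +kubebuilder:validation:XValidation:rule="!has(oldSelf.secret) || (has(self.secret) && self.secret == oldSelf.secret)",message="secret is immutable"`, with the same `has()` form for the optional `parameters` map. The per-field rules inside SecretSpec are then redundant with the struct-level one and can go. Style nit: the struct-level marker sits above the doc comment `// SecretSpec defines ...`; controller-gen accepts it, but the doc comment conventionally comes first. NetworkFenceSpec is spread across the last two hunks and its start is outside the hunk that touches `Parameters`.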
diff --git a/apis/csiaddons/v1alpha1/reclaimspacejob_types.go b/apis/csiaddons/v1alpha1/reclaimspacejob_types.go index 892577662..333239b8e 100644 --- a/apis/csiaddons/v1alpha1/reclaimspacejob_types.go +++ b/apis/csiaddons/v1alpha1/reclaimspacejob_types.go @@ -36,6 +36,7 @@ const ( // performed. type TargetSpec struct { // PersistentVolumeClaim specifies the target PersistentVolumeClaim name. + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="persistentVolumeClaim is immutable" PersistentVolumeClaim string `json:"persistentVolumeClaim,omitempty"` } diff --git a/apis/replication.storage/v1alpha1/volumereplication_types.go b/apis/replication.storage/v1alpha1/volumereplication_types.go index 9093b5c32..d9fca40ad 100644 --- a/apis/replication.storage/v1alpha1/volumereplication_types.go +++ b/apis/replication.storage/v1alpha1/volumereplication_types.go @@ -58,6 +58,7 @@ const ( type VolumeReplicationSpec struct { // VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="volumeReplicationClass is immutable" VolumeReplicationClass string `json:"volumeReplicationClass"` // ReplicationState represents the replication operation to be performed on the volume. @@ -67,6 +68,7 @@ type VolumeReplicationSpec struct { // DataSource represents the object associated with the volume // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="dataSource is immutable" DataSource corev1.TypedLocalObjectReference `json:"dataSource"` // AutoResync represents the volume to be auto resynced when diff --git a/apis/replication.storage/v1alpha1/volumereplicationclass_types.go b/apis/replication.storage/v1alpha1/volumereplicationclass_types.go index 4808519e0..274650310 100644 --- a/apis/replication.storage/v1alpha1/volumereplicationclass_types.go 
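Review bot: `TargetSpec.PersistentVolumeClaim` is `omitempty` with no `Required` marker, so the new `self == oldSelf` rule only fires when the field is set on both sides: a job created with an empty target can still be pointed at a PVC later, which is presumably not the contract the removed webhook enforced (I cannot see it here). If a target is mandatory, add `// +kubebuilder:validation:Required` next to the rule; otherwise move the check to the enclosing spec with `!has(oldSelf.persistentVolumeClaim) || (has(self.persistentVolumeClaim) && self.persistentVolumeClaim == oldSelf.persistentVolumeClaim)`. Because TargetSpec is shared, the generated CRDs in this commit apply the rule to both ReclaimSpaceJob and the ReclaimSpaceCronJob template, so the cron job's target becomes immutable as well; a comment such as `// Immutable; TargetSpec is embedded by both ReclaimSpaceJob and ReclaimSpaceCronJob.` would make that second effect deliberate rather than incidental.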
+++ b/apis/replication.storage/v1alpha1/volumereplicationclass_types.go @@ -26,10 +26,12 @@ import ( type VolumeReplicationClassSpec struct { // Provisioner is the name of storage provisioner // +kubebuilder:validation:Required + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="provisioner is immutable" Provisioner string `json:"provisioner"` // Parameters is a key-value map with storage provisioner specific configurations for // creating volume replicas // +kubebuilder:validation:Optional + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="parameters are immutable" Parameters map[string]string `json:"parameters,omitempty"` } diff --git a/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml b/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml index 19b25e58a..e577d22fb 100644 --- a/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml +++ b/config/crd/bases/csiaddons.openshift.io_csiaddonsnodes.yaml @@ -64,10 +64,16 @@ spec: GetIdentity() call for that driver. The name of the driver is in the format: `example.csi.ceph.com`' type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf nodeID: description: NodeID is the ID of the node to identify on which node the side-car is running. type: string + x-kubernetes-validations: + - message: nodeID is immutable + rule: self == oldSelf required: - endpoint - name diff --git a/config/crd/bases/csiaddons.openshift.io_networkfences.yaml b/config/crd/bases/csiaddons.openshift.io_networkfences.yaml index ed416c1ce..3234ca5fd 100644 --- a/config/crd/bases/csiaddons.openshift.io_networkfences.yaml +++ b/config/crd/bases/csiaddons.openshift.io_networkfences.yaml 
@@ -59,6 +59,9 @@ spec: driver: description: Driver contains the name of CSI driver. type: string + x-kubernetes-validations: + - message: driver is immutable + rule: self == oldSelf fenceState: default: Fenced description: FenceState contains the desired state for the CIDRs mentioned @@ -73,6 +76,9 @@ spec: description: Parameters is used to pass additional parameters to the CSI driver. type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf secret: description: Secret is a kubernetes secret, which is required to perform the fence/unfence operation. @@ -80,11 +86,20 @@ spec: name: description: Name specifies the name of the secret. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf namespace: description: Namespace specifies the namespace in which the secret is located. type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: secret is immutable + rule: self == oldSelf required: - cidrs - driver diff --git a/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml b/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml index 105eb179c..7e5047b91 100644 --- a/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml +++ b/config/crd/bases/csiaddons.openshift.io_reclaimspacecronjobs.yaml @@ -113,6 +113,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for diff --git a/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml b/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml index 6cf218ccf..2a71ca267 100644 --- a/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml 
+++ b/config/crd/bases/csiaddons.openshift.io_reclaimspacejobs.yaml @@ -79,6 +79,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for the grpc diff --git a/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml b/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml index 260ec6514..8e22bd26c 100644 --- a/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml +++ b/config/crd/bases/replication.storage.openshift.io_volumereplicationclasses.yaml @@ -49,9 +49,15 @@ spec: description: Parameters is a key-value map with storage provisioner specific configurations for creating volume replicas type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf provisioner: description: Provisioner is the name of storage provisioner type: string + x-kubernetes-validations: + - message: provisioner is immutable + rule: self == oldSelf required: - provisioner type: object diff --git a/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml b/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml index 3ca1d96d3..46f07df85 100644 --- a/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml +++ b/config/crd/bases/replication.storage.openshift.io_volumereplications.yaml @@ -78,6 +78,9 @@ spec: - name type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: dataSource is immutable + rule: self == oldSelf replicationHandle: description: replicationHandle represents an existing (but new) replication id 
@@ -95,6 +98,9 @@ spec: description: VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource type: string + x-kubernetes-validations: + - message: volumeReplicationClass is immutable + rule: self == oldSelf required: - autoResync - dataSource diff --git a/deploy/controller/crds.yaml b/deploy/controller/crds.yaml index 67127ce7f..ccfe94de4 100644 --- a/deploy/controller/crds.yaml +++ b/deploy/controller/crds.yaml @@ -63,10 +63,16 @@ spec: GetIdentity() call for that driver. The name of the driver is in the format: `example.csi.ceph.com`' type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf nodeID: description: NodeID is the ID of the node to identify on which node the side-car is running. type: string + x-kubernetes-validations: + - message: nodeID is immutable + rule: self == oldSelf required: - endpoint - name @@ -161,6 +167,9 @@ spec: driver: description: Driver contains the name of CSI driver. type: string + x-kubernetes-validations: + - message: driver is immutable + rule: self == oldSelf fenceState: default: Fenced description: FenceState contains the desired state for the CIDRs mentioned @@ -175,6 +184,9 @@ spec: description: Parameters is used to pass additional parameters to the CSI driver. type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf secret: description: Secret is a kubernetes secret, which is required to perform the fence/unfence operation. 
@@ -182,11 +194,20 @@ spec: name: description: Name specifies the name of the secret. type: string + x-kubernetes-validations: + - message: name is immutable + rule: self == oldSelf namespace: description: Namespace specifies the namespace in which the secret is located. type: string + x-kubernetes-validations: + - message: namespace is immutable + rule: self == oldSelf type: object + x-kubernetes-validations: + - message: secret is immutable + rule: self == oldSelf required: - cidrs - driver @@ -394,6 +415,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for @@ -573,6 +597,9 @@ spec: description: PersistentVolumeClaim specifies the target PersistentVolumeClaim name. type: string + x-kubernetes-validations: + - message: persistentVolumeClaim is immutable + rule: self == oldSelf type: object timeout: description: Timeout specifies the timeout in seconds for the grpc @@ -739,9 +766,15 @@ spec: description: Parameters is a key-value map with storage provisioner specific configurations for creating volume replicas type: object + x-kubernetes-validations: + - message: parameters are immutable + rule: self == oldSelf provisioner: description: Provisioner is the name of storage provisioner type: string + x-kubernetes-validations: + - message: provisioner is immutable + rule: self == oldSelf required: - provisioner type: object @@ -836,6 +869,9 @@ spec: - name type: object x-kubernetes-map-type: atomic + x-kubernetes-validations: + - message: dataSource is immutable + rule: self == oldSelf replicationHandle: description: replicationHandle represents an existing (but new) replication id 
@@ -853,6 +889,9 @@ spec: description: VolumeReplicationClass is the VolumeReplicationClass name for this VolumeReplication resource type: string + x-kubernetes-validations: + - message: volumeReplicationClass is immutable + rule: self == oldSelf required: - autoResync - dataSource