[FEATURE] - Helm Webhooks (#1525)

* [FEATURE] - Helm Webhooks Adding the ability for the helm charts to manage the deployment of the validating and mutating webhooks * chore: removing the need to copy the webhooks, as it's not all templated * chore: ensuring we are building linux/amd64 for now
appvia · Oct 17, 2024 · be380b3 · be380b3
1 parent 56bbfeb
commit be380b3
Show file tree

Hide file tree

Showing 13 changed files with 335 additions and 32 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -110,6 +110,8 @@ jobs:
 
   controller-image:
     runs-on: ubuntu-latest
+    env:
+      DOCKER_BUILD_PLATFORM: linux/amd64
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -125,6 +127,8 @@ jobs:
 
   executor-image:
     runs-on: ubuntu-latest
+    env:
+      DOCKER_BUILD_PLATFORM: linux/amd64
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/Makefile b/Makefile
@@ -24,7 +24,7 @@ ROOT_DIR=${PWD}
 UNAME := $(shell uname)
 LFLAGS ?= -X github.com/appvia/terranetes-controller/pkg/version.Version=${VERSION} -X github.com/appvia/terranetes-controller/pkg/version.GitCommit=${GIT_SHA}
 VERSION ?= latest
-DOCKER_BUILD_PLATFORM?=linux/amd64
+DOCKER_BUILD_PLATFORM?=linux/amd64,linux/arm64
 
 # IMPORTANT NOTE: On CircleCI RELEASE_TAG will be set to the string '<nil>' if no tag is in use, so
 # use the local RELEASE variable being 'true' to switch on release build logic.
@@ -80,7 +80,7 @@ controller-gen:
 		crd \
 		output:crd:dir=charts/terranetes-controller/crds \
 		webhook \
-		output:webhook:dir=deploy/webhooks
+		output:webhook:dir=deploy/webhooks 
 	@./hack/patch-crd-gen.sh
 	@./hack/gofmt.sh pkg/apis/*/*/zz_generated.deepcopy.go
 

diff --git a/charts/terranetes-controller/templates/_helpers.tpl b/charts/terranetes-controller/templates/_helpers.tpl
@@ -61,3 +61,26 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Generate a signed certificate using `genSignedCert` or include the logic for generating a cert.
+Replace this with the actual logic if using an external tool or script.
+*/}}
+{{- define "webhook.generateCerts" -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.controller.webhooks.caSecret }}
+{{- if $secret }}
+  {{- $_ := set .Values.controller.webhooks "caBundle" (index $secret.data "ca.pem") -}}
+  {{- $_ := set .Values.controller.webhooks "cert" (index $secret.data "tls.pem") -}} 
+  {{- $_ := set .Values.controller.webhooks "key" (index $secret.data "tls-key.pem") -}}
+{{- else }}
+  {{- if not .Values.controller.webhooks.caBundle }}
+    {{ $ca := genCA "terranetes-controller" 7300 }}
+    {{ $dn := printf "controller.%s.svc.cluster.local" .Release.Namespace }}
+    {{ $sn := printf "controller.%s.svc" .Release.Namespace }}
+    {{ $server := genSignedCert "" (list "127.0.0.1") (list "localhost" "controller" $sn $dn) 3650 $ca }}
+    {{- $_ := set .Values.controller.webhooks "caBundle" ($ca.Cert | b64enc) -}}
+    {{- $_ := set .Values.controller.webhooks "cert" ($server.Cert | b64enc) -}}
+    {{- $_ := set .Values.controller.webhooks "key" ($server.Key | b64enc) -}}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/terranetes-controller/templates/ca.yaml b/charts/terranetes-controller/templates/ca.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.controller.webhooks.ca }}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.controller.webhooks.caSecret }}
+{{- include "webhook.generateCerts" . }}
 ---
 apiVersion: v1
 kind: Secret
@@ -9,17 +9,7 @@ metadata:
     {{- include "terranetes-controller.labels" . | nindent 4 }}
 type: Opaque
 data:
-{{- if $secret }}
-  ca.pem: {{ index $secret.data "ca.pem" }}
-  tls.pem: {{ index $secret.data "tls.pem" }}
-  tls-key.pem: {{ index $secret.data "tls-key.pem" }}
-{{- else }}
-{{ $ca := genCA "terranetes-controller" 7300 }}
-{{ $dn := printf "controller.%s.svc.cluster.local" .Release.Namespace }}
-{{ $sn := printf "controller.%s.svc" .Release.Namespace }}
-{{ $server := genSignedCert "" (list "127.0.0.1") (list "localhost" "controller" $sn $dn) 3650 $ca }}
-  ca.pem: {{ $ca.Cert | b64enc }}
-  tls.pem: {{ $server.Cert | b64enc }}
-  tls-key.pem: {{ $server.Key | b64enc }}
-{{- end }}
+  ca.pem: {{ .Values.controller.webhooks.caBundle }}
+  tls.pem: {{ .Values.controller.webhooks.cert }}
+  tls-key.pem: {{ .Values.controller.webhooks.key }}
 {{- end }}
diff --git a/charts/terranetes-controller/templates/deployment.yaml b/charts/terranetes-controller/templates/deployment.yaml
@@ -69,6 +69,7 @@ spec:
             - --enable-terraform-versions={{ .Values.controller.enableTerraformVersions }}
             - --enable-watchers={{ .Values.controller.enableWatchers }}
             - --enable-webhook-prefix={{ .Values.controller.webhooks.prefix }}
+            - --enable-webhooks-registration={{ .Values.controller.enableControllerWebhookRegistration }}
             - --enable-webhooks={{ .Values.controller.webhooks.enabled }}
             - --executor-image={{ .Values.controller.images.executor }}
             {{- range .Values.controller.executorSecrets }}

diff --git a/charts/terranetes-controller/templates/webhooks.yaml b/charts/terranetes-controller/templates/webhooks.yaml
@@ -0,0 +1,233 @@
+{{- if .Values.controller.enableHelmWebhookRegistration }}
+{{- include "webhook.generateCerts" . }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: terranetes-controller
+  labels: 
+    {{- include "terranetes-controller.labels" . | nindent 4 }}
+webhooks:
+  {{- if .Values.controller.enableNamespaceProtection }}
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/namespaces
+    failurePolicy: Fail
+    name: cloudresources.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - DELETE
+        resources:
+          - namespaces
+    sideEffects: None
+  {{- end }}
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/cloudresources
+    failurePolicy: Fail
+    name: cloudresources.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - cloudresources
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/configurations
+    failurePolicy: Fail
+    name: configurations.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - configurations
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/contexts
+    failurePolicy: Fail
+    name: contexts.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - DELETE
+          - UPDATE
+        resources:
+          - contexts
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/policies
+    failurePolicy: Fail
+    name: policies.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - DELETE
+          - UPDATE
+        resources:
+          - policies
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/providers
+    failurePolicy: Fail
+    name: providers.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - providers
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /validate/terraform.appvia.io/revisions
+    failurePolicy: Fail
+    name: revisions.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - DELETE
+          - UPDATE
+        resources:
+          - revisions
+    sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: terranetes-controller
+  labels: 
+    {{- include "terranetes-controller.labels" . | nindent 4 }}
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /mutate/terraform.appvia.io/cloudresources
+    failurePolicy: Fail
+    name: cloudresources.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - cloudresources
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /mutate/terraform.appvia.io/configurations
+    failurePolicy: Fail
+    name: configurations.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - configurations
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      caBundle: {{ .Values.controller.webhooks.caBundle }}
+      service:
+        name: controller
+        namespace: {{ .Release.Namespace }}
+        path: /mutate/terraform.appvia.io/revisions
+    failurePolicy: Fail
+    name: revisions.terraform.appvia.io
+    rules:
+      - apiGroups:
+          - terraform.appvia.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - revisions
+    sideEffects: None
+{{- end }}
diff --git a/charts/terranetes-controller/values.yaml b/charts/terranetes-controller/values.yaml
@@ -71,11 +71,16 @@ controller:
   # indicate we create the watcher jobs in user namespace, these allow users
   # to view the terraform output
   enableWatchers: true
+  ## Indicates we should forgo the controller registering it's own webhooks and allowing
+  ## helm to manage the webhooks for us
+  enableHelmWebhookRegistration: false
+  ## indicates if the controller should register the validation and mutation webhooks
+  ## for the Configuration, Revision and CloudResource resources
+  enableControllerWebhookRegistration: true
   # indicates if namespace deletion should be blocked if the namespace contains one
   # or more Configuration resources, forcing the user to delete correctly
   enableNamespaceProtection: false
-  # indicates if the controller should deny updates to Revisions which are currently
-  # in use
+  # indicates if the controller should deny updates to Revisions which are currently in use
   enableRevisionUpdateProtection: true
   # enableTerraformVersions indicates configurations are permitted to override
   # the terraform version in their spec.
@@ -109,6 +114,13 @@ controller:
     tlsDir: /certs
     # name of the file containing the tls private key
     tlsKey: tls-key.pem
+    # the base64 encoded certificate authority for the webhook
+    caBundle: ""
+    # the base64 encoded certificate for the webhook service
+    cert: ""
+    # the base64 encoded private key for the webhook service
+    key: ""
+
   # extraArgs is used for passing additional command line arguments to the
   # controller.
   extraArgs: