[ACM-10801] Added Validating Webhook for Discovery #231
Changes from all commits
4903469
2d6dff6
2d1f966
c74c0d7
9b1189f
defe80a
e0b9dee
151a7fd
d63148e
33e7f6e
127dcfb
e77fed7
701f03f
ab71dc9
7a9b7b5
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,148 @@ | ||
// Copyright Contributors to the Open Cluster Management project | ||
/* | ||
Copyright 2021. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package v1 | ||
|
||
import ( | ||
"errors" | ||
"fmt" | ||
|
||
admissionregistration "k8s.io/api/admissionregistration/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
runtime "k8s.io/apimachinery/pkg/runtime" | ||
ctrl "sigs.k8s.io/controller-runtime" | ||
cl "sigs.k8s.io/controller-runtime/pkg/client" | ||
logf "sigs.k8s.io/controller-runtime/pkg/log" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook/admission" | ||
) | ||
|
||
// log is for logging in this package. | ||
var ( | ||
discoveredclusterLog = logf.Log.WithName("discoveredcluster-resource") | ||
Client cl.Client | ||
|
||
ErrInvalidImportStrategy = errors.New("invalid import-strategy") | ||
) | ||
|
||
// ValidatingWebhook returns the ValidatingWebhookConfiguration used for the discoveredcluster | ||
// linked to a service in the provided namespace | ||
func ValidatingWebhook(namespace string) *admissionregistration.ValidatingWebhookConfiguration { | ||
fail := admissionregistration.Fail | ||
none := admissionregistration.SideEffectClassNone | ||
path := "/validate-discovery-open-cluster-management-io-v1-discoveredcluster" | ||
return &admissionregistration.ValidatingWebhookConfiguration{ | ||
TypeMeta: metav1.TypeMeta{ | ||
APIVersion: "admissionregistration.k8s.io/v1", | ||
Kind: "ValidatingWebhookConfiguration", | ||
}, | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Name: "discovery.open-cluster-management.io", | ||
Annotations: map[string]string{"service.beta.openshift.io/inject-cabundle": "true"}, | ||
}, | ||
Webhooks: []admissionregistration.ValidatingWebhook{ | ||
{ | ||
AdmissionReviewVersions: []string{ | ||
"v1", | ||
"v1beta1", | ||
}, | ||
Name: "discovery.open-cluster-management.io", | ||
ClientConfig: admissionregistration.WebhookClientConfig{ | ||
Service: &admissionregistration.ServiceReference{ | ||
Name: "discovery-operator-webhook-service", | ||
Namespace: namespace, | ||
Path: &path, | ||
}, | ||
}, | ||
FailurePolicy: &fail, | ||
Rules: []admissionregistration.RuleWithOperations{ | ||
{ | ||
Rule: admissionregistration.Rule{ | ||
APIGroups: []string{GroupVersion.Group}, | ||
APIVersions: []string{GroupVersion.Version}, | ||
Resources: []string{"discoveredclusters"}, | ||
}, | ||
Operations: []admissionregistration.OperationType{ | ||
admissionregistration.Create, | ||
admissionregistration.Update, | ||
admissionregistration.Delete, | ||
}, | ||
}, | ||
}, | ||
SideEffects: &none, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func (r *DiscoveredCluster) SetupWebhookWithManager(mgr ctrl.Manager) error { | ||
Client = mgr.GetClient() | ||
return ctrl.NewWebhookManagedBy(mgr). | ||
For(r). | ||
Complete() | ||
} | ||
|
||
var _ webhook.Defaulter = &DiscoveredCluster{} | ||
|
||
// Default implements webhook.Defaulter so a webhook will be registered for the type | ||
func (r *DiscoveredCluster) Default() { | ||
discoveredclusterLog.Info("default", "Name", r.Name) | ||
} | ||
|
||
var _ webhook.Validator = &DiscoveredCluster{} | ||
Why is there a global variable that's not defined?
Following the |
||
|
||
// ValidateCreate implements webhook.Validator so a webhook will be registered for the type | ||
func (r *DiscoveredCluster) ValidateCreate() (admission.Warnings, error) { | ||
discoveredclusterLog.Info("validate create", "Name", r.Name) | ||
|
||
// Validate resource | ||
if r.Spec.Type != "ROSA" && r.Spec.EnableAutoImport { | ||
return nil, fmt.Errorf( | ||
"cannot create DiscoveredCluster '%s': enableAutoImport is not allowed for clusters of type '%s'. "+ | ||
"Only ROSA type clusters support auto import", | ||
r.Spec.Type, r.Name, | ||
) | ||
} | ||
|
||
return nil, nil | ||
} | ||
|
||
// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type | ||
func (r *DiscoveredCluster) ValidateUpdate(old runtime.Object) (admission.Warnings, error) { | ||
discoveredclusterLog.Info("validate update", "Name", r.Name) | ||
|
||
if r.Annotations == nil { | ||
r.Annotations = make(map[string]string) | ||
} | ||
|
||
oldDiscoveredCluster := old.(*DiscoveredCluster) | ||
if oldDiscoveredCluster.Spec.Type != "ROSA" && r.Spec.EnableAutoImport { | ||
return nil, fmt.Errorf( | ||
"cannot update DiscoveredCluster '%s': enableAutoImport is not allowed for clusters of type '%s'."+ | ||
"Only ROSA type clusters support auto import", | ||
r.Spec.Type, r.Name, | ||
) | ||
} | ||
|
||
return nil, nil | ||
} | ||
|
||
// ValidateDelete implements webhook.Validator so a webhook will be registered for the type | ||
func (r *DiscoveredCluster) ValidateDelete() (admission.Warnings, error) { | ||
discoveredclusterLog.Info("validate delete", "Name", r.Name) | ||
return nil, nil | ||
} |
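Review bot: ValidateUpdate tests `oldDiscoveredCluster.Spec.Type` rather than the incoming object's type, so an update that changes the type away from ROSA while `enableAutoImport` is true passes validation, and the error text prints `r.Spec.Type`, which is not the value that was checked; unless the type is made immutable somewhere outside this file, the condition should read `if r.Spec.Type != "ROSA" && r.Spec.EnableAutoImport {`. The `old.(*DiscoveredCluster)` assertion is unchecked and panics on any other type, so use the two-value form and return an error, or drop the assertion if only the new object is validated. In both ValidateCreate and ValidateUpdate the `fmt.Errorf` arguments are in the wrong order for the format string and should be `r.Name, r.Spec.Type`. The webhook is also registered for Delete with `FailurePolicy: &fail` while ValidateDelete only logs, so an unavailable webhook service would block deletions of discoveredclusters with no validation gained; consider removing `admissionregistration.Delete` from the rule's operations.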
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
annotations: | ||
service.beta.openshift.io/serving-cert-secret-name: discovery-operator-webhook-service | ||
creationTimestamp: null | ||
name: discovery-operator-webhook-service | ||
spec: | ||
ports: | ||
- port: 443 | ||
targetPort: 9443 | ||
selector: | ||
app: discovery-operator | ||
status: | ||
loadBalancer: {} |
Is this doing anything?
This is just for setting the
default
setting of the webhook. No harm in just having this log for the moment, since this func can be enhanced at a later time.