Merge pull request #821 from jlandowner/template-webhook2

Add Template webhook to check the same name Template and ClusterTemplate is not accepted
cosmo-workspace · May 22, 2024 · a905c8c · a905c8c
2 parents 08fe232 + 5185c55
commit a905c8c
Show file tree

Hide file tree

Showing 30 changed files with 1,638 additions and 87 deletions.
diff --git a/Makefile b/Makefile
@@ -53,6 +53,7 @@ all: manager cosmoctl dashboard
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
 ifeq ($(QUICK_BUILD),no)
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./api/..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./internal/webhooks" output:crd:artifacts:config=config/crd/bases
 endif
 
 .PHONY: generate

diff --git a/charts/Makefile b/charts/Makefile
@@ -2,6 +2,8 @@
 HELM = ../bin/helm
 KUSTOMIZE = ../bin/kustomize
 
+all: crd cosmo-username-headers-addon.yaml webhook.yaml
+
 helm:
 	make -C ../ helm
 
@@ -19,8 +21,6 @@ test: chartsnap helm helm-dependency-update
 test-list:
 	grep -R '{{[-|] if .*}}' cosmo/templates/* | grep .Values | awk -F':' '{print $$2}' | sed -n 's/.*\(.Values[^ ]*\).*/\1/p' | tr -d ')' | sort | uniq | awk -F'.Values.' '{print $$2}' > cosmo/test/if-values.list
 
-update-charts: crd cosmo-username-headers-addon.yaml webhook.yaml
-
 crd:
 	cp ../config/crd/bases/* cosmo/crds/
 
@@ -40,6 +40,6 @@ webhook.yaml:
 	$(KUSTOMIZE) build ../config/webhook-chart \
 		| sed -e 's/namespace: system/namespace: {{ .Release.Namespace }}/g' \
 		| sed -z 's;apiVersion: v1\nkind: Service\nmetadata:\n  name: cosmo-webhook-service\n  namespace: {{ .Release.Namespace }}\nspec:\n  ports:\n  - port: 443\n    targetPort: 9443\n  selector:\n    control-plane: controller-manager\n---;{{ $$tls := fromYaml ( include "cosmo.webhook.gen-certs" . ) }}\n---\n{{- if $$.Values.controllerManager.webhook.enabled }};g' \
-		| sed -z 's;creationTimestamp: null;{{- if $$.Values.certManager.enabled }}\n  annotations:\n    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert\n  {{- end }}\n  labels:\n    {{- include "cosmo.labels" . | nindent 4 }};g' \
+		| sed -z 's;metadata:\n;metadata:\n{{- if $$.Values.certManager.enabled }}\n  annotations:\n    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert\n  {{- end }}\n  labels:\n    {{- include "cosmo.labels" . | nindent 4 }}\n;g' \
 		| sed -z 's;clientConfig:;clientConfig:\n    caBundle: {{ if not $$.Values.certManager.enabled -}}{{ $$tls.caCert }}{{- else -}}Cg=={{ end }};g' > $(WEBHOOK_CHART_YAML)
 	echo '{{- end }}' >> $(WEBHOOK_CHART_YAML)
diff --git a/charts/cosmo/templates/controller-manager/webhook.yaml b/charts/cosmo/templates/controller-manager/webhook.yaml
@@ -4,7 +4,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  {{- if $.Values.certManager.enabled }}
+{{- if $.Values.certManager.enabled }}
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert
   {{- end }}
@@ -22,7 +22,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /mutate-cosmo-workspace-github-io-v1alpha1-instance
   failurePolicy: Fail
-  name: minstance.kb.io
+  name: mclusterinstance.kb.io
   rules:
   - apiGroups:
     - cosmo-workspace.github.io
@@ -32,7 +32,7 @@ webhooks:
     - CREATE
     - UPDATE
     resources:
-    - instances
+    - clusterinstances
   sideEffects: None
 - admissionReviewVersions:
   - v1
@@ -44,7 +44,7 @@ webhooks:
       namespace: {{ .Release.Namespace }}
       path: /mutate-cosmo-workspace-github-io-v1alpha1-instance
   failurePolicy: Fail
-  name: mclusterinstance.kb.io
+  name: minstance.kb.io
   rules:
   - apiGroups:
     - cosmo-workspace.github.io
@@ -54,7 +54,7 @@ webhooks:
     - CREATE
     - UPDATE
     resources:
-    - clusterinstances
+    - instances
   sideEffects: None
 - admissionReviewVersions:
   - v1
@@ -104,7 +104,7 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  {{- if $.Values.certManager.enabled }}
+{{- if $.Values.certManager.enabled }}
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cosmo-webhook-cert
   {{- end }}
@@ -134,6 +134,28 @@ webhooks:
     resources:
     - clusterinstances
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1alpha1
+  clientConfig:
+    caBundle: {{ if not $.Values.certManager.enabled -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
+    service:
+      name: cosmo-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-cosmo-workspace-github-io-v1alpha1-template
+  failurePolicy: Fail
+  name: vclustertemplate.kb.io
+  rules:
+  - apiGroups:
+    - cosmo-workspace.github.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustertemplates
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1alpha1
@@ -156,6 +178,28 @@ webhooks:
     resources:
     - instances
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1alpha1
+  clientConfig:
+    caBundle: {{ if not $.Values.certManager.enabled -}}{{ $tls.caCert }}{{- else -}}Cg=={{ end }}
+    service:
+      name: cosmo-webhook-service
+      namespace: {{ .Release.Namespace }}
+      path: /validate-cosmo-workspace-github-io-v1alpha1-template
+  failurePolicy: Fail
+  name: vtemplate.kb.io
+  rules:
+  - apiGroups:
+    - cosmo-workspace.github.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - templates
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1alpha1

diff --git a/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap b/charts/cosmo/test/__snapshots__/test-certManager-existing-issuer.snap
@@ -294,6 +294,23 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+  - get
+  - list
+  - watch
 ---
 # Source: cosmo/charts/traefik/templates/rbac/clusterrolebinding.yaml
 kind: ClusterRoleBinding
@@ -530,6 +547,10 @@ spec:
     port: 8443
     protocol: TCP
     targetPort: 8443
+  - name: incluster-insecure-server
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
   selector:
     cosmo-workspace.github.io: dashboard
     app.kubernetes.io/instance: chartsnap
@@ -833,6 +854,8 @@ spec:
         - --timeout-seconds=5
         - --tls-key=/app/cert/tls.key
         - --tls-cert=/app/cert/tls.crt
+        - --ca-cert=/app/cert/ca.crt
+        - --incluster-port=8080
         command:
         - /app/dashboard
         image: "ghcr.io/cosmo-workspace/cosmo-dashboard:v1.0.0-rc5"
@@ -922,6 +945,7 @@ metadata:
   name: cosmo-dashboard-cert
   namespace: cosmo-system
 spec:
+  commonName: cosmo-dashboard.cosmo-system.svc.cluster.local
   dnsNames:
   - cosmo-dashboard.cosmo-system.svc
   - cosmo-dashboard.cosmo-system.svc.cluster.local
@@ -1029,7 +1053,7 @@ webhooks:
       namespace: cosmo-system
       path: /mutate-cosmo-workspace-github-io-v1alpha1-instance
   failurePolicy: Fail
-  name: minstance.kb.io
+  name: mclusterinstance.kb.io
   rules:
   - apiGroups:
     - cosmo-workspace.github.io
@@ -1039,7 +1063,7 @@ webhooks:
     - CREATE
     - UPDATE
     resources:
-    - instances
+    - clusterinstances
   sideEffects: None
 - admissionReviewVersions:
   - v1
@@ -1051,7 +1075,7 @@ webhooks:
       namespace: cosmo-system
       path: /mutate-cosmo-workspace-github-io-v1alpha1-instance
   failurePolicy: Fail
-  name: mclusterinstance.kb.io
+  name: minstance.kb.io
   rules:
   - apiGroups:
     - cosmo-workspace.github.io
@@ -1061,7 +1085,7 @@ webhooks:
     - CREATE
     - UPDATE
     resources:
-    - clusterinstances
+    - instances
   sideEffects: None
 - admissionReviewVersions:
   - v1
@@ -1173,6 +1197,28 @@ webhooks:
     resources:
     - clusterinstances
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1alpha1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: cosmo-webhook-service
+      namespace: cosmo-system
+      path: /validate-cosmo-workspace-github-io-v1alpha1-template
+  failurePolicy: Fail
+  name: vclustertemplate.kb.io
+  rules:
+  - apiGroups:
+    - cosmo-workspace.github.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustertemplates
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1alpha1
@@ -1195,6 +1241,28 @@ webhooks:
     resources:
     - instances
   sideEffects: None
+- admissionReviewVersions:
+  - v1
+  - v1alpha1
+  clientConfig:
+    caBundle: Cg==
+    service:
+      name: cosmo-webhook-service
+      namespace: cosmo-system
+      path: /validate-cosmo-workspace-github-io-v1alpha1-template
+  failurePolicy: Fail
+  name: vtemplate.kb.io
+  rules:
+  - apiGroups:
+    - cosmo-workspace.github.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - templates
+  sideEffects: None
 - admissionReviewVersions:
   - v1
   - v1alpha1