Introduce validating admission webhook (experimental)

Makefile

@@ -13,6 +13,7 @@ BUILD_DATE_PATH := github.com/kudobuilder/kudo/pkg/version.buildDate
 DATE_FMT := "%Y-%m-%dT%H:%M:%SZ"
 BUILD_DATE := $(shell date -u -d "@$SOURCE_DATE_EPOCH" "+${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "+${DATE_FMT}" 2>/dev/null || date -u "+${DATE_FMT}")
 LDFLAGS := -X ${GIT_VERSION_PATH}=${GIT_VERSION} -X ${GIT_COMMIT_PATH}=${GIT_COMMIT} -X ${BUILD_DATE_PATH}=${BUILD_DATE}
+ENABLE_WEBHOOKS ?= false
 
 export GO111MODULE=on
 
@@ -67,7 +68,9 @@ manager-clean:
 .PHONY: run
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run:
-	go run -ldflags "${LDFLAGS}" ./cmd/manager/main.go
+    # for local development, webhooks are disabled by default
+    # if you enable them, you have to take care of providing the TLS certs locally
+	ENABLE_WEBHOOKS=${ENABLE_WEBHOOKS} go run -ldflags "${LDFLAGS}" ./cmd/manager/main.go
 
 .PHONY: deploy
 # Install KUDO into a cluster via kubectl kudo init

cmd/manager/main.go

@@ -17,7 +17,21 @@ package main
 
 import (
 	"fmt"
+	"net/http"
+	"net/url"
 	"os"
+	"strings"
+
+	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+
+	"github.com/go-logr/logr"
+	"github.com/kudobuilder/kudo/pkg/apis/kudo/v1beta1"
+	"github.com/kudobuilder/kudo/pkg/util/kudo"
+	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/kudobuilder/kudo/pkg/apis"
 	"github.com/kudobuilder/kudo/pkg/controller/instance"
@@ -34,7 +48,7 @@ import (
 )
 
 func main() {
-	logf.SetLogger(zap.Logger(false))
+	logf.SetLogger(zap.New(zap.UseDevMode(false)))
 	log := logf.Log.WithName("entrypoint")
 
 	// Get version of KUDO
@@ -44,6 +58,7 @@ func main() {
 	log.Info("setting up manager")
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		MapperProvider: util.NewDynamicRESTMapper,
+		CertDir:        "/tmp/cert",
 	})
 	if err != nil {
 		log.Error(err, "unable to start manager")
@@ -93,10 +108,73 @@ func main() {
 		os.Exit(1)
 	}
 
+	if os.Getenv("ENABLE_WEBHOOKS") == "true" {
+		err = registerValidatingWebhook(&v1beta1.Instance{}, mgr, log)
+		if err != nil {
+			log.Error(err, "unable to create webhook")
+			os.Exit(1)
+		}
+	}
+
 	// Start the Cmd
 	log.Info("Starting the Cmd.")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		log.Error(err, "unable to run the manager")
 		os.Exit(1)
 	}
 }
+
+// this is a fork of a code in controller-runtime to be able to pass in our own Validator interface
+// see kudo.Validator docs for more details\
+//
+// ideally in the future we should switch to just simply doing
+// err = ctrl.NewWebhookManagedBy(mgr).
+// For(&v1beta1.Instance{}).
+// Complete()
+//
+// that internally calls this method but using their own internal Validator type
+func registerValidatingWebhook(obj runtime.Object, mgr manager.Manager, log logr.Logger) error {
+	gvk, err := apiutil.GVKForObject(obj, mgr.GetScheme())
+	if err != nil {
+		return err
+	}
+	validator, isValidator := obj.(kudo.Validator)
+	if !isValidator {
+<<<<<<< HEAD
+		log.Info("skip registering a validating webhook, admission.Validator interface is not implemented %v", gvk)
+=======
+		log.Infof("skip registering a validating webhook, kudo.Validator interface is not implemented", "GVK", gvk)
+>>>>>>> fc12fe83516b102f81011da2b2a33c9b93a39dd1
+		return nil
+	}
+	vwh := kudo.WebhookFor(validator)
+	if vwh != nil {
+		path := generateValidatePath(gvk)
+
+		// Checking if the path is already registered.
+		// If so, just skip it.
+		if !isAlreadyHandled(path, mgr) {
+			log.Info("Registering a validating webhook for %v on path %s", gvk, path)
+			mgr.GetWebhookServer().Register(path, vwh)
+		}
+	}
+	return nil
+}
+
+func isAlreadyHandled(path string, mgr manager.Manager) bool {
+	if mgr.GetWebhookServer().WebhookMux == nil {
+		return false
+	}
+	h, p := mgr.GetWebhookServer().WebhookMux.Handler(&http.Request{URL: &url.URL{Path: path}})
+	if p == path && h != nil {
+		return true
+	}
+	return false
+}
+
+// if the strategy to generate this path changes we should update init code and webhook setup
+// right now this is in sync how controller-runtime generates these paths
+func generateValidatePath(gvk schema.GroupVersionKind) string {
+	return "/validate-" + strings.Replace(gvk.Group, ".", "-", -1) + "-" +
+		gvk.Version + "-" + strings.ToLower(gvk.Kind)
+}

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/dustinkirkland/golang-petname v0.0.0-20170921220637-d3c2ba80e75e
 	github.com/gogo/protobuf v1.3.1 // indirect
 	github.com/golangci/golangci-lint v1.21.0
+	github.com/google/martian v2.1.0+incompatible
 	github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
 	github.com/gophercloud/gophercloud v0.2.0 // indirect
 	github.com/gorilla/context v1.1.1 // indirect

go.sum

@@ -277,6 +277,7 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=

pkg/apis/kudo/v1beta1/instance_validator.go

@@ -0,0 +1,34 @@
+package v1beta1
+
+import (
+	"fmt"
+
+	"github.com/kudobuilder/kudo/pkg/util/kudo"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+var _ kudo.Validator = &Instance{}
+
+// ValidateCreate implements webhookutil.validator (from controller-runtime)
+// we do not enforce any rules upon creation right now
+func (i *Instance) ValidateCreate(req admission.Request) error {
+	return nil
+}
+
+// ValidateUpdate hook called when UPDATE operation is triggered and our admission webhook is triggered
+// ValidateUpdate implements webhookutil.validator (from controller-runtime)
+func (i *Instance) ValidateUpdate(old runtime.Object, req admission.Request) error {
+	if i.Status.AggregatedStatus.Status.IsRunning() && req.RequestSubResource != "status" {
+		// when updating anything else than status, there shouldn't be a running plan
+		return fmt.Errorf("cannot update Instance %s/%s right now, there's plan %s in progress", i.Namespace, i.Name, i.Status.AggregatedStatus.ActivePlanName)
+	}
+	return nil
+}
+
+// ValidateDelete hook called when DELETE operation is triggered and our admission webhook is triggered
+// we don't enforce any validation on DELETE right now
+// ValidateDelete implements webhookutil.validator (from controller-runtime)
+func (i *Instance) ValidateDelete(req admission.Request) error {
+	return nil
+}

pkg/kudoctl/cmd/init.go

@@ -65,6 +65,7 @@ type initCmd struct {
 	crdOnly    bool
 	home       kudohome.Home
 	client     *kube.Client
+	webhooks   string
 }
 
 func newInitCmd(fs afero.Fs, out io.Writer) *cobra.Command {
@@ -98,6 +99,7 @@ func newInitCmd(fs afero.Fs, out io.Writer) *cobra.Command {
 	f.BoolVar(&i.crdOnly, "crd-only", false, "Add only KUDO CRDs to your cluster")
 	f.BoolVarP(&i.wait, "wait", "w", false, "Block until KUDO manager is running and ready to receive requests")
 	f.Int64Var(&i.timeout, "wait-timeout", 300, "Wait timeout to be used")
+	f.StringVar(&i.webhooks, "webhook", "", "List of webhooks exposed, when empty, no webhook server will be started (the only webhook right now is InstanceValidation)")
 
 	return cmd
 }
@@ -118,13 +120,16 @@ func (initCmd *initCmd) validate(flags *flag.FlagSet) error {
 	if flags.Changed("wait-timeout") && !initCmd.wait {
 		return errors.New("wait-timeout is only useful when using the flag '--wait'")
 	}
+	if initCmd.webhooks != "" && initCmd.webhooks != "InstanceValidation" {
+		return errors.New("webhooks can be only empty or contain a single string 'InstanceValidation'. No other webhooks supported right now.")
+	}
 
 	return nil
 }
 
 // run initializes local config and installs KUDO manager to Kubernetes cluster.
 func (initCmd *initCmd) run() error {
-	opts := cmdInit.NewOptions(initCmd.version, initCmd.ns)
+	opts := cmdInit.NewOptions(initCmd.version, initCmd.ns, []string{initCmd.webhooks})
 	// if image provided switch to it.
 	if initCmd.image != "" {
 		opts.Image = initCmd.image
@@ -149,6 +154,14 @@ func (initCmd *initCmd) run() error {
 			}
 			mans = append(mans, prereq...)
 
+			if len(opts.Webhooks) != 0 { // right now there's only 0 or 1 webhook, so this is good enough
+				prereq, err := cmdInit.WebhookManifests(opts.Namespace)
+				if err != nil {
+					return err
+				}
+				mans = append(mans, prereq...)
+			}
+
 			deploy, err := cmdInit.ManagerManifests(opts)
 			if err != nil {
 				return err

pkg/kudoctl/cmd/init/manager.go

@@ -40,10 +40,12 @@ type Options struct {
 	TerminationGracePeriodSeconds int64
 	// Image defines the image to be used
 	Image string
+	// Enable validation
+	Webhooks []string
 }
 
 // NewOptions provides an option struct with defaults
-func NewOptions(v string, ns string) Options {
+func NewOptions(v string, ns string, webhooks []string) Options {
 
 	if v == "" {
 		v = version.Get().GitVersion
@@ -57,28 +59,36 @@ func NewOptions(v string, ns string) Options {
 		Namespace:                     ns,
 		TerminationGracePeriodSeconds: defaultGracePeriod,
 		Image:                         fmt.Sprintf("kudobuilder/controller:v%v", v),
+		Webhooks:                      webhooks,
 	}
 }
 
 // Install uses Kubernetes client to install KUDO.
 func Install(client *kube.Client, opts Options, crdOnly bool) error {
 
-	clog.Printf("✅ installing crds")
 	if err := installCrds(client.ExtClient); err != nil {
 		return err
 	}
+	clog.Printf("✅ installed crds")
 	if crdOnly {
 		return nil
 	}
-	clog.Printf("✅ preparing service accounts and other requirements for controller to run")
 	if err := installPrereqs(client.KubeClient, opts); err != nil {
 		return err
 	}
+	clog.Printf("✅ installed service accounts and other requirements for controller to run")
+
+	if opts.EnableValidation {
+		if err := installWebhook(client.KubeClient, client.DynamicClient, opts.Namespace); err != nil {
+			return err
+		}
+		clog.Printf("✅ installed webhook")
+	}
 
-	clog.Printf("✅ installing kudo controller")
 	if err := installManager(client.KubeClient, opts); err != nil {
 		return err
 	}
+	clog.Printf("✅ installed kudo controller")
 	return nil
 }
 
@@ -184,13 +194,14 @@ func generateDeployment(opts Options) *appsv1.StatefulSet {
 							Env: []v1.EnvVar{
 								{Name: "POD_NAMESPACE", ValueFrom: &v1.EnvVarSource{FieldRef: &v1.ObjectFieldSelector{FieldPath: "metadata.namespace"}}},
 								{Name: "SECRET_NAME", Value: "kudo-webhook-server-secret"},
+								{Name: "ENABLE_WEBHOOKS", Value: enableWebhooks(opts)},
 							},
 							Image:           image,
 							ImagePullPolicy: "Always",
 							Name:            "manager",
 							Ports: []v1.ContainerPort{
 								// name matters for service
-								{ContainerPort: 9876, Name: "webhook-server", Protocol: "TCP"},
+								{ContainerPort: 443, Name: "webhook-server", Protocol: "TCP"},
 							},
 							Resources: v1.ResourceRequirements{
 								Requests: v1.ResourceList{
@@ -214,6 +225,13 @@ func generateDeployment(opts Options) *appsv1.StatefulSet {
 	return d
 }
 
+func enableWebhooks(options Options) string {
+	if options.EnableValidation {
+		return "true"
+	}
+	return "false"
+}
+
 func managerLabels() labels.Set {
 	labels := generateLabels(map[string]string{"control-plane": "controller-manager", "controller-tools.k8s.io": "1.0"})
 	return labels