
Add AWS validator for core resources
timuthy committed Nov 14, 2019
1 parent f93f3e5 commit b333930
Showing 24 changed files with 1,061 additions and 6 deletions.
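--- a/Makefile
+++ b/Makefile
@@ -254,3 +254,13 @@ start-shoot-cert-service:
 --ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
 --leader-election=$(LEADER_ELECTION) \
 --config=./controllers/extension-shoot-cert-service/example/00-config.yaml
+
+.PHONY: start-gardener-validator-aws
+start-gardener-validator-aws:
+@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
+-mod=vendor \
+-ldflags $(LD_FLAGS) \
+./controllers/provider-aws/cmd/gardener-validator-aws \
+--webhook-config-server-host=0.0.0.0 \
+--webhook-config-server-port=8443 \
+--webhook-config-cert-dir=$(CERT_DIR)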
2 changes: 2 additions & 0 deletions controllers/hyper/cmd/gardener-extension-hyper/app/app.go
Expand Up @@ -14,6 +14,7 @@ import (
ubuntu "github.com/gardener/gardener-extensions/controllers/os-ubuntu/cmd/gardener-extension-os-ubuntu/app"
provideralicloud "github.com/gardener/gardener-extensions/controllers/provider-alicloud/cmd/gardener-extension-provider-alicloud/app"
provideraws "github.com/gardener/gardener-extensions/controllers/provider-aws/cmd/gardener-extension-provider-aws/app"
validatoraws "github.com/gardener/gardener-extensions/controllers/provider-aws/cmd/gardener-validator-aws/app"
providerazure "github.com/gardener/gardener-extensions/controllers/provider-azure/cmd/gardener-extension-provider-azure/app"
providergcp "github.com/gardener/gardener-extensions/controllers/provider-gcp/cmd/gardener-extension-provider-gcp/app"
provideropenstack "github.com/gardener/gardener-extensions/controllers/provider-openstack/cmd/gardener-extension-provider-openstack/app"
Expand Down Expand Up @@ -43,6 +44,7 @@ func NewHyperCommand(ctx context.Context) *cobra.Command {
networkcalico.NewControllerManagerCommand(ctx),
dnsservice.NewServiceControllerCommand(ctx),
shootcertservice.NewServiceControllerCommand(ctx),
validatoraws.NewValidatorCommand(ctx),
)

return cmd
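--- a/controllers/provider-aws/charts/validator-aws/Chart.yaml
+++ b/controllers/provider-aws/charts/validator-aws/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Gardener AWS validator
+name: gardener-validator-aws
+version: 0.1.0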
@@ -0,0 +1,27 @@
{{- define "name" -}}
gardener-validator-aws
{{- end -}}

{{- define "labels.app.key" -}}
app.kubernetes.io/name
{{- end -}}
{{- define "labels.app.value" -}}
{{ include "name" . }}
{{- end -}}

{{- define "labels" -}}
{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

{{- define "image" -}}
{{- if hasPrefix "sha256:" .Values.image.tag }}
{{- printf "%s@%s" .Values.image.repository .Values.image.tag }}
{{- else }}
{{- printf "%s:%s" .Values.image.repository .Values.image.tag }}
{{- end }}
{{- end }}

{{- define "deploymentversion" -}}
apps/v1
{{- end -}}
@@ -0,0 +1,66 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "labels" . | indent 4 }}
spec:
revisionHistoryLimit: 0
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{ include "labels" . | indent 6 }}
template:
metadata:
annotations:
checksum/secret-gardener-validator-aws-cert: {{ include (print $.Template.BasePath "/secret-cert.yaml") . | sha256sum }}
{{- if .Values.kubeconfig }}
checksum/gardener-validator-aws-kubeconfig: {{ include (print $.Template.BasePath "/secret-kubeconfig.yaml") . | sha256sum }}
{{- end }}
labels:
{{ include "labels" . | indent 8 }}
spec:
{{- if .Values.kubeconfig }}
automountServiceAccountToken: false
{{- end }}
containers:
- name: {{ include "name" . }}
image: {{ include "image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /gardener-extension-hyper
- gardener-validator-aws
- --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
- --webhook-config-cert-dir=/etc/gardener-validator-aws/srv
{{- if .Values.kubeconfig }}
- --kubeconfig=/etc/gardener-validator-aws/kubeconfig/kubeconfig
{{- end }}
ports:
- name: webhook-server
containerPort: {{ .Values.webhookConfig.serverPort }}
protocol: TCP
livenessProbe:
tcpSocket:
port: {{ .Values.webhookConfig.serverPort }}
initialDelaySeconds: 5
periodSeconds: 10
{{- if .Values.resources }}
resources:
{{ toYaml .Values.resources | nindent 10 }}
{{- end }}
volumeMounts:
- name: gardener-validator-aws-cert
mountPath: /etc/gardener-validator-aws/srv
readOnly: true
{{- if .Values.kubeconfig }}
- name: gardener-validator-aws-kubeconfig
mountPath: /etc/gardener-validator-aws/config
readOnly: true
{{- end }}
serviceAccountName: {{ include "name" . }}
volumes:
- name: gardener-validator-aws-cert
secret:
secretName: gardener-validator-aws-cert
defaultMode: 420
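Review bot: The kubeconfig wiring is inconsistent: the flag `--kubeconfig=/etc/gardener-validator-aws/kubeconfig/kubeconfig` points under `/kubeconfig/`, the volumeMount uses `mountPath: /etc/gardener-validator-aws/config`, and the `volumes:` list at the end of the file never declares a `gardener-validator-aws-kubeconfig` volume at all, so a release with `.Values.kubeconfig` set is rejected by the API server for an unknown volume (and, were only the volume added, the binary would still look in the wrong directory). Align the mount path with the flag and add the Secret-backed volume, as below. Separately, nothing sets a pod or container `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) while the chart defaults the server port to 443, which an unprivileged container cannot bind without `CAP_NET_BIND_SERVICE`; that should be stated explicitly in the chart rather than left to the image's default user.
```yaml
          {{- if .Values.kubeconfig }}
          - --kubeconfig=/etc/gardener-validator-aws/kubeconfig/kubeconfig
          {{- end }}
          # … unchanged: ports, livenessProbe, resources …
          volumeMounts:
          - name: gardener-validator-aws-cert
            mountPath: /etc/gardener-validator-aws/srv
            readOnly: true
          {{- if .Values.kubeconfig }}
          - name: gardener-validator-aws-kubeconfig
            mountPath: /etc/gardener-validator-aws/kubeconfig
            readOnly: true
          {{- end }}
      # … unchanged: serviceAccountName …
      volumes:
      - name: gardener-validator-aws-cert
        secret:
          secretName: gardener-validator-aws-cert
          defaultMode: 420
      {{- if .Values.kubeconfig }}
      - name: gardener-validator-aws-kubeconfig
        secret:
          secretName: gardener-validator-aws-kubeconfig
          defaultMode: 420
      {{- end }}
```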
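--- a/controllers/provider-aws/charts/validator-aws/templates/rbac.yaml
+++ b/controllers/provider-aws/charts/validator-aws/templates/rbac.yaml
@@ -0,0 +1,32 @@
+{{- if not .Values.kubeconfig }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "name" . }}
+labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+- core.gardener.cloud
+resources:
+- cloudprofiles
+verbs:
+- get
+- list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "name" . }}
+labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: {{ include "name" . }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "name" . }}
+namespace: {{ .Release.Namespace }}
+{{- end }}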
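Review bot: The ClusterRole grants only `get` and `list` on `cloudprofiles`; if the `Shoot` handler (not in this diff) reads them through the manager's default cache-backed client, the informer also needs `watch`, and the first admission request would fail closed with a forbidden error under `failurePolicy: Fail`. Add `- watch` under `verbs`, or document that the handler deliberately uses the API reader. Keeping the role this narrow — read-only, cloudprofiles only, nothing on shoots — is the right shape for a validator and should be preserved.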
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Secret
metadata:
name: gardener-validator-aws-cert
namespace: {{ .Release.Namespace }}
labels:
app: gardener
role: controller-manager
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
tls.crt: {{ required ".Values.webhookConfig.tls.crt is required" (b64enc .Values.webhookConfig.tls.crt) }}
tls.key: {{ required ".Values.webhookConfig.tls.key is required" (b64enc .Values.webhookConfig.tls.key) }}
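Review bot: The labels on this Secret (`app: gardener`, `role: controller-manager`, `chart`/`release`/`heritage`) look copied from another chart and disagree with the `include "labels"` helper every other template here uses; `role: controller-manager` in particular misdescribes a validator and will confuse label-based selection or NetworkPolicies later. Replace the label block with `{{ include "labels" . | indent 4 }}`. Since this Secret carries the webhook's private key, a one-line comment such as `# TLS serving key pair for the admission webhook; supply via --set-file, never commit to values` would also help operators.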
@@ -0,0 +1,14 @@
{{- if .Values.kubeconfig }}
apiVersion: v1
kind: Secret
metadata:
name: gardener-validator-aws-kubeconfig
namespace: "{{ .Release.Namespace }}"
labels:
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
kubeconfig: {{ .Values.kubeconfig | b64enc }}
{{- end }}
@@ -0,0 +1,17 @@
{{- if not .Values.webhookConfig.url }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "labels" . | indent 4 }}
spec:
type: ClusterIP
selector:
{{ include "labels" . | indent 6 }}
ports:
- port: 443
protocol: TCP
targetPort: {{ .Values.webhookConfig.serverPort }}
{{- end }}
@@ -0,0 +1,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "name" . }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "labels" . | indent 4 }}
@@ -0,0 +1,27 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: gardener-validator-aws
webhooks:
- name: validation.aws.provider.extensions.gardener.cloud
rules:
- apiGroups:
- "core.gardener.cloud"
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- shoots
failurePolicy: Fail
clientConfig:
{{- if .Values.webhookConfig.url }}
url: {{ printf "%s/webhooks/validate-shoot-aws" .Values.webhookConfig.url }}
{{- else }}
service:
namespace: {{ .Release.Namespace }}
name: gardener-validator-aws
path: /webhooks/validate-shoot-aws
caBundle: {{ required ".Values.webhookConfig.caBundle is required" (b64enc .Values.webhookConfig.caBundle) }}
{{- end }}
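Review bot: In the `url` branch no `caBundle` is set, so the API server verifies the external endpoint against its system trust store; if that endpoint serves the self-signed `webhookConfig.tls.crt` the values file suggests, every request fails TLS verification and, with `failurePolicy: Fail`, all shoot creates and updates are blocked. Move `caBundle: {{ required ".Values.webhookConfig.caBundle is required" (b64enc .Values.webhookConfig.caBundle) }}` out of the `else` so it sits directly under `clientConfig:` for both branches. Two smaller points: only `v1alpha1` shoots are matched, and with the v1beta1 default `matchPolicy: Exact` a request through any other served version of shoots would bypass this validator, so add `matchPolicy: Equivalent` (1.15+) if another version is ever served; and `sideEffects: None` plus a `timeoutSeconds` would make the fail-closed behaviour predictable.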
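--- a/controllers/provider-aws/charts/validator-aws/values.yaml
+++ b/controllers/provider-aws/charts/validator-aws/values.yaml
@@ -0,0 +1,28 @@
+image:
+repository: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper
+tag: latest
+pullPolicy: IfNotPresent
+
+replicaCount: 1
+resources: {}
+
+# Kubeconfig to the target cluster. In-cluster configuration will be used if not specified.
+kubeconfig:
+
+webhookConfig:
+serverPort: 443
+# URL the webhook is reachable at. A service will be created if no url is specified.
+url:
+caBundle: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+tls:
+crt: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+key: |
+-----BEGIN RSA PRIVATE KEY-----
+...
+-----END RSA PRIVATE KEY-----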
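Review bot: `tag: latest` together with `pullPolicy: IfNotPresent` is a mutable, unverifiable image reference for a component that gates every shoot create/update; the chart's `image` helper already handles digests (`hasPrefix "sha256:"`), so the shipped default should be a release tag or `tag: sha256:<digest>`. The `webhookConfig.tls.key` placeholder invites committing a private key into a values file — a comment such as `# supply via --set-file webhookConfig.tls.key=... or an external secret; do not commit` would be worth adding. `serverPort: 443` also means the container must run as root or with `CAP_NET_BIND_SERVICE`; the Makefile dev target uses 8443, and a non-privileged default here with the Service still exposing 443 would be the safer shape.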
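--- a/controllers/provider-aws/cmd/gardener-validator-aws/app/app.go
+++ b/controllers/provider-aws/cmd/gardener-validator-aws/app/app.go
@@ -0,0 +1,95 @@
+// Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+"context"
+"fmt"
+
+awsinstall "github.com/gardener/gardener-extensions/controllers/provider-aws/pkg/apis/aws/install"
+provideraws "github.com/gardener/gardener-extensions/controllers/provider-aws/pkg/aws"
+"github.com/gardener/gardener-extensions/controllers/provider-aws/pkg/validator"
+controllercmd "github.com/gardener/gardener-extensions/pkg/controller/cmd"
+"github.com/gardener/gardener-extensions/pkg/util"
+gardencorev1alpha1 "github.com/gardener/gardener/pkg/apis/core/v1alpha1"
+componentbaseconfig "k8s.io/component-base/config"
+logf "sigs.k8s.io/controller-runtime/pkg/log"
+"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+"github.com/spf13/cobra"
+"sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+var log = logf.Log.WithName("gardener-validator-aws")
+
+// NewValidatorCommand creates a new command for running a AWS shoot validator.
+func NewValidatorCommand(ctx context.Context) *cobra.Command {
+var (
+restOpts = &controllercmd.RESTOptions{}
+mgrOpts = &controllercmd.ManagerOptions{
+WebhookServerPort: 443,
+}
+serverOpts = &ServerOptions{}
+
+aggOption = controllercmd.NewOptionAggregator(
+restOpts,
+mgrOpts,
+serverOpts,
+)
+)
+
+cmd := &cobra.Command{
+Use: fmt.Sprintf("gardener-validator-%s", provideraws.Type),
+
+Run: func(cmd *cobra.Command, args []string) {
+if err := aggOption.Complete(); err != nil {
+controllercmd.LogErrAndExit(err, "Error completing options")
+}
+
+util.ApplyClientConnectionConfigurationToRESTConfig(&componentbaseconfig.ClientConnectionConfiguration{
+QPS: 100.0,
+Burst: 130,
+}, restOpts.Completed().Config)
+
+mgr, err := manager.New(restOpts.Completed().Config, mgrOpts.Completed().Options())
+if err != nil {
+controllercmd.LogErrAndExit(err, "Could not instantiate manager")
+}
+
+if err := gardencorev1alpha1.AddToScheme(mgr.GetScheme()); err != nil {
+controllercmd.LogErrAndExit(err, "Could not update manager scheme")
+}
+
+if err := awsinstall.AddToScheme(mgr.GetScheme()); err != nil {
+controllercmd.LogErrAndExit(err, "Could not update manager scheme")
+}
+
+log.Info("Setting up webhook server")
+hookServer := mgr.GetWebhookServer()
+hookServer.CertDir = serverOpts.Completed().CertDir
+
+log.Info("Registering webhooks")
+hookServer.Register("/webhooks/validate-shoot-aws", &webhook.Admission{Handler: &validator.Shoot{Logger: log.WithName("shoot-validator")}})
+
+if err := mgr.Start(ctx.Done()); err != nil {
+controllercmd.LogErrAndExit(err, "Error running manager")
+}
+},
+}
+
+aggOption.AddFlags(cmd.Flags())
+
+return cmd
+}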
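Review bot: The webhook server is configured with nothing but `hookServer.CertDir`; nothing here requires a client certificate from the API server, and as far as I recall controller-runtime's webhook server of this vintage offers no such option, so any peer that can reach the pod's webhook port can POST AdmissionReviews (the practical exposure is probing and load, since only the API server's own calls affect admission). That is worth a why-comment at the `Register` call — e.g. `// No client auth on this endpoint: rely on network policy / Service exposure to limit callers.` — and a NetworkPolicy in the chart. The doc comment should read "an AWS shoot validator", and the hard-coded `QPS: 100.0, Burst: 130` deserve a one-line note on why a single validator needs that much API-server budget. `ServerOptions` and `validator.Shoot` are defined outside this hunk, so the handler's client/decoder injection could not be checked here.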
