Add AWS validator for core resources

Makefile

@@ -254,3 +254,13 @@ start-shoot-cert-service:
 		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
 		--leader-election=$(LEADER_ELECTION) \
 		--config=./controllers/extension-shoot-cert-service/example/00-config.yaml
+
+.PHONY: start-gardener-validator-aws
+start-gardener-validator-aws:
+	@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
+		-mod=vendor \
+		-ldflags $(LD_FLAGS) \
+		./controllers/provider-aws/cmd/gardener-validator-aws \
+		--webhook-config-server-host=0.0.0.0 \
+		--webhook-config-server-port=9443 \
+		--webhook-config-cert-dir=./controllers/provider-aws/example/validator-aws-certs

controllers/hyper/cmd/gardener-extension-hyper/app/app.go

@@ -14,6 +14,7 @@ import (
 	ubuntu "github.com/gardener/gardener-extensions/controllers/os-ubuntu/cmd/gardener-extension-os-ubuntu/app"
 	provideralicloud "github.com/gardener/gardener-extensions/controllers/provider-alicloud/cmd/gardener-extension-provider-alicloud/app"
 	provideraws "github.com/gardener/gardener-extensions/controllers/provider-aws/cmd/gardener-extension-provider-aws/app"
+	validatoraws "github.com/gardener/gardener-extensions/controllers/provider-aws/cmd/gardener-validator-aws/app"
 	providerazure "github.com/gardener/gardener-extensions/controllers/provider-azure/cmd/gardener-extension-provider-azure/app"
 	providergcp "github.com/gardener/gardener-extensions/controllers/provider-gcp/cmd/gardener-extension-provider-gcp/app"
 	provideropenstack "github.com/gardener/gardener-extensions/controllers/provider-openstack/cmd/gardener-extension-provider-openstack/app"
@@ -43,6 +44,7 @@ func NewHyperCommand(ctx context.Context) *cobra.Command {
 		networkcalico.NewControllerManagerCommand(ctx),
 		dnsservice.NewServiceControllerCommand(ctx),
 		shootcertservice.NewServiceControllerCommand(ctx),
+		validatoraws.NewValidatorCommand(ctx),
 	)
 
 	return cmd

controllers/provider-aws/charts/validator-aws/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

controllers/provider-aws/charts/validator-aws/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Gardener AWS validator
+name: gardener-validator-aws
+version: 0.1.0

controllers/provider-aws/charts/validator-aws/charts/application/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A Helm chart to deploy the Gardener-Validator-AWS application related resources
+name: application
+version: 0.1.0

controllers/provider-aws/charts/validator-aws/charts/application/templates/_helpers.tpl

@@ -0,0 +1 @@
+../../../templates/_helpers.tpl

controllers/provider-aws/charts/validator-aws/charts/application/templates/rbac.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - core.gardener.cloud
+  resources:
+  - cloudprofiles
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}

controllers/provider-aws/charts/validator-aws/charts/application/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}

controllers/provider-aws/charts/validator-aws/charts/application/templates/validatingwebhook-controller-manager.yaml

@@ -0,0 +1,27 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: gardener-validator-aws
+webhooks:
+- name: validation.aws.provider.extensions.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  clientConfig:
+    {{- if .Values.global.virtualGarden.enabled }}
+    url: {{ printf "https://gardener-validator-aws.%s/webhooks/validate-shoot-aws" .Release.Namespace }}
+    {{- else }}
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: gardener-validator-aws
+      path: /webhooks/validate-shoot-aws
+    {{- end }}
+    caBundle: {{ required ".Values.webhookConfig.caBundle is required" (b64enc .Values.global.webhookConfig.caBundle) }}

controllers/provider-aws/charts/validator-aws/charts/application/values.yaml

@@ -0,0 +1,8 @@
+global:
+  virtualGarden:
+    enabled: false  
+  webhookConfig:
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-------

controllers/provider-aws/charts/validator-aws/charts/runtime/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: A Helm chart to deploy the Gardener-Validator-AWS runtime related resources
+name: runtime
+version: 0.1.0

controllers/provider-aws/charts/validator-aws/charts/runtime/templates/_helpers.tpl

@@ -0,0 +1 @@
+../../../templates/_helpers.tpl

controllers/provider-aws/charts/validator-aws/charts/runtime/templates/deployment.yaml

@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+spec:
+  revisionHistoryLimit: 0
+  replicas: {{ .Values.global.replicaCount }}
+  selector:
+    matchLabels:
+{{ include "labels" . | indent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/secret-gardener-validator-aws-cert: {{ include (print $.Template.BasePath "/secret-cert.yaml") . | sha256sum }}
+        {{- if .Values.global.kubeconfig }}
+        checksum/gardener-validator-aws-kubeconfig: {{ include (print $.Template.BasePath "/secret-kubeconfig.yaml") . | sha256sum }}
+        {{- end }}
+      labels:
+{{ include "labels" . | indent 8 }}
+    spec:
+      {{- if .Values.global.kubeconfig }}
+      automountServiceAccountToken: false
+      {{- end }}
+      containers:
+      - name: {{ include "name" . }}
+        image: {{ include "image" .Values.global.image }}
+        imagePullPolicy: {{ .Values.global.image.pullPolicy }}
+        command:
+        - /gardener-extension-hyper
+        - gardener-validator-aws
+        - --webhook-config-server-port={{ .Values.global.webhookConfig.serverPort }}
+        - --webhook-config-cert-dir=/etc/gardener-validator-aws/srv
+        {{- if .Values.global.kubeconfig }}
+        - --kubeconfig=/etc/gardener-validator-aws/kubeconfig/kubeconfig
+        {{- end }}
+        ports:
+        - name: webhook-server
+          containerPort: {{ .Values.global.webhookConfig.serverPort }}
+          protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: {{ .Values.global.webhookConfig.serverPort }}
+          initialDelaySeconds: 5
+          periodSeconds: 10
+{{- if .Values.global.resources }}
+        resources:
+{{ toYaml .Values.global.resources | nindent 10 }}
+{{- end }}
+        volumeMounts:
+        - name: gardener-validator-aws-cert
+          mountPath: /etc/gardener-validator-aws/srv
+          readOnly: true
+        {{- if .Values.global.kubeconfig }}
+        - name: gardener-validator-aws-kubeconfig
+          mountPath: /etc/gardener-validator-aws/kubeconfig
+          readOnly: true
+        {{- end }}
+      serviceAccountName: {{ include "name" . }}
+      volumes:
+      - name: gardener-validator-aws-cert
+        secret:
+          secretName: gardener-validator-aws-cert
+          defaultMode: 420
+      {{- if .Values.global.kubeconfig }}
+      - name: gardener-validator-aws-kubeconfig
+        secret:
+          secretName: gardener-validator-aws-kubeconfig
+          defaultMode: 420
+      {{- end }}

controllers/provider-aws/charts/validator-aws/charts/runtime/templates/secret-cert.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gardener-validator-aws-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: gardener
+    role: controller-manager
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  tls.crt: {{ required ".Values.global.webhookConfig.tls.crt is required" (b64enc .Values.global.webhookConfig.tls.crt) }}
+  tls.key: {{ required ".Values.global.webhookConfig.tls.key is required" (b64enc .Values.global.webhookConfig.tls.key) }}

controllers/provider-aws/charts/validator-aws/charts/runtime/templates/secret-kubeconfig.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.global.kubeconfig }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gardener-validator-aws-kubeconfig
+  namespace: "{{ .Release.Namespace }}"
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  kubeconfig: {{ .Values.global.kubeconfig | b64enc }}
+{{- end }}

controllers/provider-aws/charts/validator-aws/charts/runtime/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+{{ include "labels" . | indent 4 }}
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: {{ .Values.global.webhookConfig.serverPort }}

controllers/provider-aws/charts/validator-aws/charts/runtime/values.yaml

@@ -0,0 +1,20 @@
+global:
+  image:
+    repository: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper
+    tag: latest
+    pullPolicy: IfNotPresent
+  replicaCount: 1
+  resources: {}
+  webhookConfig:
+    serverPort: 443
+    tls:
+      crt: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        ...
+        -----END RSA PRIVATE KEY-----  
+  # Kubeconfig to the target cluster. In-cluster configuration will be used if not specified.
+  kubeconfig:

controllers/provider-aws/charts/validator-aws/templates/_helpers.tpl

@@ -0,0 +1,27 @@
+{{- define "name" -}}
+gardener-validator-aws
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{-  define "image" -}}
+  {{- if hasPrefix "sha256:" .tag }}
+  {{- printf "%s@%s" .repository .tag }}
+  {{- else }}
+  {{- printf "%s:%s" .repository .tag }}
+  {{- end }}
+{{- end }}
+
+{{- define "deploymentversion" -}}
+apps/v1
+{{- end -}}

controllers/provider-aws/charts/validator-aws/values.yaml

@@ -0,0 +1,26 @@
+global:
+  virtualGarden:
+    enabled: false
+  image:
+    repository: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper
+    tag: latest
+    pullPolicy: IfNotPresent
+  replicaCount: 1
+  resources: {}
+  webhookConfig:
+    caBundle: |
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+    serverPort: 443
+    tls:
+      crt: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        ...
+        -----END RSA PRIVATE KEY-----  
+  # Kubeconfig to the target cluster. In-cluster configuration will be used if not specified.
+  kubeconfig: