Add AWS validator for core resources

gardener-attic · Nov 14, 2019 · fe1b66d · fe1b66d
1 parent f93f3e5
commit fe1b66d
Show file tree

Hide file tree

Showing 22 changed files with 974 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -254,3 +254,13 @@ start-shoot-cert-service:
 		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
 		--leader-election=$(LEADER_ELECTION) \
 		--config=./controllers/extension-shoot-cert-service/example/00-config.yaml
+
+.PHONY: start-gardener-validator-aws
+start-gardener-validator-aws:
+	@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
+		-mod=vendor \
+		-ldflags $(LD_FLAGS) \
+		./controllers/provider-aws/cmd/gardener-validator-aws \
+		--webhook-config-server-host=0.0.0.0 \
+		--webhook-config-server-port=8443 \
+		--webhook-config-cert-dir=$(CERT_DIR)
diff --git a/controllers/hyper/cmd/gardener-extension-hyper/app/app.go b/controllers/hyper/cmd/gardener-extension-hyper/app/app.go
@@ -14,6 +14,7 @@ import (
 	ubuntu "github.com/gardener/gardener-extensions/controllers/os-ubuntu/cmd/gardener-extension-os-ubuntu/app"
 	provideralicloud "github.com/gardener/gardener-extensions/controllers/provider-alicloud/cmd/gardener-extension-provider-alicloud/app"
 	provideraws "github.com/gardener/gardener-extensions/controllers/provider-aws/cmd/gardener-extension-provider-aws/app"
+	validatoraws "github.com/gardener/gardener-extensions/controllers/provider-aws/cmd/gardener-validator-aws/app"
 	providerazure "github.com/gardener/gardener-extensions/controllers/provider-azure/cmd/gardener-extension-provider-azure/app"
 	providergcp "github.com/gardener/gardener-extensions/controllers/provider-gcp/cmd/gardener-extension-provider-gcp/app"
 	provideropenstack "github.com/gardener/gardener-extensions/controllers/provider-openstack/cmd/gardener-extension-provider-openstack/app"
@@ -43,6 +44,7 @@ func NewHyperCommand(ctx context.Context) *cobra.Command {
 		networkcalico.NewControllerManagerCommand(ctx),
 		dnsservice.NewServiceControllerCommand(ctx),
 		shootcertservice.NewServiceControllerCommand(ctx),
+		validatoraws.NewValidatorCommand(ctx),
 	)
 
 	return cmd

diff --git a/controllers/provider-aws/charts/validator-aws/Chart.yaml b/controllers/provider-aws/charts/validator-aws/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Gardener AWS validator
+name: gardener-validator-aws
+version: 0.1.0
diff --git a/controllers/provider-aws/charts/validator-aws/templates/_helpers.tpl b/controllers/provider-aws/charts/validator-aws/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{- define "name" -}}
+gardener-validator-aws
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{-  define "image" -}}
+  {{- if hasPrefix "sha256:" .Values.image.tag }}
+  {{- printf "%s@%s" .Values.image.repository .Values.image.tag }}
+  {{- else }}
+  {{- printf "%s:%s" .Values.image.repository .Values.image.tag }}
+  {{- end }}
+{{- end }}
+
+{{- define "deploymentversion" -}}
+apps/v1
+{{- end -}}
diff --git a/controllers/provider-aws/charts/validator-aws/templates/deployment.yaml b/controllers/provider-aws/charts/validator-aws/templates/deployment.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+spec:
+  revisionHistoryLimit: 0
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+{{ include "labels" . | indent 6 }}
+  template:
+    metadata:
+      labels:
+{{ include "labels" . | indent 8 }}
+    spec:
+      containers:
+      - name: {{ include "name" . }}
+        image: {{ include "image" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command:
+        - /gardener-extension-hyper
+        - gardener-validator-aws
+        - --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
+        - --webhook-config-cert-dir=/etc/gardener-validator-aws/srv
+        ports:
+        - name: webhook-server
+          containerPort: {{ .Values.webhookConfig.serverPort }}
+          protocol: TCP
+        livenessProbe:
+          tcpSocket:
+            port: {{ .Values.webhookConfig.serverPort }}
+          initialDelaySeconds: 5
+          periodSeconds: 10
+{{- if .Values.resources }}
+        resources:
+{{ toYaml .Values.resources | nindent 10 }}
+{{- end }}
+        volumeMounts:
+        - name: gardener-validator-aws-cert
+          mountPath: /etc/gardener-validator-aws/srv
+          readOnly: true
+      serviceAccountName: {{ include "name" . }}
+      volumes:
+      - name: gardener-validator-aws-cert
+        secret:
+          secretName: gardener-validator-aws-cert
+          defaultMode: 420
diff --git a/controllers/provider-aws/charts/validator-aws/templates/rbac.yaml b/controllers/provider-aws/charts/validator-aws/templates/rbac.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - core.gardener.cloud
+  resources:
+  - cloudprofiles
+  verbs:
+  - get
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
diff --git a/controllers/provider-aws/charts/validator-aws/templates/secret-cert.yaml b/controllers/provider-aws/charts/validator-aws/templates/secret-cert.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gardener-validator-aws-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: gardener
+    role: controller-manager
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  tls.crt: {{ required ".Values.webhookConfig.tls.crt is required" (b64enc .Values.webhookConfig.tls.crt) }}
+  tls.key: {{ required ".Values.webhookConfig.tls.key is required" (b64enc .Values.webhookConfig.tls.key) }}
diff --git a/controllers/provider-aws/charts/validator-aws/templates/service.yaml b/controllers/provider-aws/charts/validator-aws/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+spec:
+  type: ClusterIP
+  selector:
+{{ include "labels" . | indent 6 }}
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: {{ .Values.webhookConfig.serverPort }}
diff --git a/controllers/provider-aws/charts/validator-aws/templates/serviceaccount.yaml b/controllers/provider-aws/charts/validator-aws/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
diff --git a/...ers/provider-aws/charts/validator-aws/templates/validatingwebhook-controller-manager.yaml b/...ers/provider-aws/charts/validator-aws/templates/validatingwebhook-controller-manager.yaml
@@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: gardener-validator-aws
+webhooks:
+- name: validator-aws.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  clientConfig:
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: gardener-validator-aws
+      path: /webhooks/validate-shoot-aws
+    caBundle: {{ required ".Values.webhookConfig.caBundle is required" (b64enc .Values.webhookConfig.caBundle) }}
diff --git a/controllers/provider-aws/charts/validator-aws/values.yaml b/controllers/provider-aws/charts/validator-aws/values.yaml
@@ -0,0 +1,23 @@
+image:
+  repository: eu.gcr.io/gardener-project/gardener/gardener-extension-hyper
+  tag: latest
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+resources: {}
+
+webhookConfig:
+  serverPort: 443
+  caBundle: |
+    -----BEGIN CERTIFICATE-----
+    ...
+    -----END CERTIFICATE-----
+  tls:
+    crt: |
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+    key: |
+      -----BEGIN RSA PRIVATE KEY-----
+      ...
+      -----END RSA PRIVATE KEY-----
diff --git a/controllers/provider-aws/cmd/gardener-validator-aws/app/app.go b/controllers/provider-aws/cmd/gardener-validator-aws/app/app.go
@@ -0,0 +1,95 @@
+// Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"context"
+	"fmt"
+
+	awsinstall "github.com/gardener/gardener-extensions/controllers/provider-aws/pkg/apis/aws/install"
+	provideraws "github.com/gardener/gardener-extensions/controllers/provider-aws/pkg/aws"
+	"github.com/gardener/gardener-extensions/controllers/provider-aws/pkg/validator"
+	controllercmd "github.com/gardener/gardener-extensions/pkg/controller/cmd"
+	"github.com/gardener/gardener-extensions/pkg/util"
+	corev1alpha1 "github.com/gardener/gardener/pkg/apis/core/v1alpha1"
+	componentbaseconfig "k8s.io/component-base/config"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+var log = logf.Log.WithName("gardener-validator-aws")
+
+// NewValidatorCommand creates a new command for running a AWS shoot validator.
+func NewValidatorCommand(ctx context.Context) *cobra.Command {
+	var (
+		restOpts = &controllercmd.RESTOptions{}
+		mgrOpts  = &controllercmd.ManagerOptions{
+			WebhookServerPort: 443,
+		}
+		serverOpts = &ServerOptions{}
+
+		aggOption = controllercmd.NewOptionAggregator(
+			restOpts,
+			mgrOpts,
+			serverOpts,
+		)
+	)
+
+	cmd := &cobra.Command{
+		Use: fmt.Sprintf("gardener-validator-%s", provideraws.Type),
+
+		Run: func(cmd *cobra.Command, args []string) {
+			if err := aggOption.Complete(); err != nil {
+				controllercmd.LogErrAndExit(err, "Error completing options")
+			}
+
+			util.ApplyClientConnectionConfigurationToRESTConfig(&componentbaseconfig.ClientConnectionConfiguration{
+				QPS:   100.0,
+				Burst: 130,
+			}, restOpts.Completed().Config)
+
+			mgr, err := manager.New(restOpts.Completed().Config, mgrOpts.Completed().Options())
+			if err != nil {
+				controllercmd.LogErrAndExit(err, "Could not instantiate manager")
+			}
+
+			if err := corev1alpha1.AddToScheme(mgr.GetScheme()); err != nil {
+				controllercmd.LogErrAndExit(err, "Could not update manager scheme")
+			}
+
+			if err := awsinstall.AddToScheme(mgr.GetScheme()); err != nil {
+				controllercmd.LogErrAndExit(err, "Could not update manager scheme")
+			}
+
+			log.Info("Setting up webhook server")
+			hookServer := mgr.GetWebhookServer()
+			hookServer.CertDir = serverOpts.Completed().CertDir
+
+			log.Info("Registering webhooks")
+			hookServer.Register("/webhooks/validate-shoot-aws", &webhook.Admission{Handler: &validator.Shoot{Logger: log.WithName("shoot-validator")}})
+
+			if err := mgr.Start(ctx.Done()); err != nil {
+				controllercmd.LogErrAndExit(err, "Error running manager")
+			}
+		},
+	}
+
+	aggOption.AddFlags(cmd.Flags())
+
+	return cmd
+}
diff --git a/controllers/provider-aws/cmd/gardener-validator-aws/app/options.go b/controllers/provider-aws/cmd/gardener-validator-aws/app/options.go
@@ -0,0 +1,57 @@
+// Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package app
+
+import (
+	"github.com/spf13/pflag"
+)
+
+const (
+	// CertDirFlag is the name of the command line flag to specify the directory that contains the webhook server key and certificate.
+	CertDirFlag = "webhook-config-cert-dir"
+)
+
+// ServerOptions are command line options that can be set for ServerConfig.
+type ServerOptions struct {
+	// CertDir is the directory that contains the webhook server key and certificate.
+	CertDir string
+
+	config *ServerConfig
+}
+
+// ServerConfig is a completed webhook server configuration.
+type ServerConfig struct {
+	// CertDir is the directory that contains the webhook server key and certificate.
+	CertDir string
+}
+
+// Complete implements Completer.Complete.
+func (w *ServerOptions) Complete() error {
+	w.config = &ServerConfig{
+		CertDir: w.CertDir,
+	}
+
+	return nil
+}
+
+// Completed returns the completed ServerConfig. Only call this if `Complete` was successful.
+func (w *ServerOptions) Completed() *ServerConfig {
+	return w.config
+}
+
+// AddFlags implements Flagger.AddFlags.
+func (w *ServerOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringVar(&w.CertDir, CertDirFlag, w.CertDir, "The directory that contains the webhook server key and certificate.")
+}