KEP-2170: Implement skeleton webhook servers

Signed-off-by: Yuki Iwai <yuki.iwai.tz@gmail.com>

Makefile

@@ -41,8 +41,9 @@ manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and Cust
 		output:crd:artifacts:config=manifests/base/crds \
 		output:rbac:artifacts:config=manifests/base/rbac \
 		output:webhook:artifacts:config=manifests/base/webhook
-	$(CONTROLLER_GEN) "crd:generateEmbeddedObjectMeta=true" paths="./pkg/apis/kubeflow.org/v2alpha1/..." \
-		output:crd:artifacts:config=manifests/v2/base/crds
+	$(CONTROLLER_GEN) "crd:generateEmbeddedObjectMeta=true" "webhook" paths="./pkg/apis/kubeflow.org/v2alpha1/...;./pkg/webhook.v2/..." \
+		output:crd:artifacts:config=manifests/v2/base/crds \
+		output:webhook:artifacts:config=manifests/v2/base/webhook
 
 generate: controller-gen ## Generate apidoc, sdk and code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate/boilerplate.go.txt" paths="./pkg/apis/..."

manifests/v2/base/service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/path: /metrics
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "8080"
+  labels:
+    app: training-operator
+  name: training-operator
+spec:
+  ports:
+    - name: monitoring-port
+      port: 8080
+      targetPort: 8080
+    - name: webhook-server
+      port: 443
+      protocol: TCP
+      targetPort: 9443
+  selector:
+    control-plane: kubeflow-training-operator
+  type: ClusterIP

manifests/v2/base/webhook/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - manifests.yaml

manifests/v2/base/webhook/manifests.yaml

@@ -0,0 +1,129 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-kubeflow-org-v2alpha1-clustertrainingruntime
+  failurePolicy: Fail
+  name: mclustertrainingruntime.training-operator.kubeflow.org
+  rules:
+  - apiGroups:
+    - kubeflow.org
+    apiVersions:
+    - v2alpha1
+    operations:
+    - CREATE
+    resources:
+    - clustertrainingruntimes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-kubeflow-org-v2alpha1-trainingruntime
+  failurePolicy: Fail
+  name: mtrainingruntime.training-operator.kubeflow.org
+  rules:
+  - apiGroups:
+    - kubeflow.org
+    apiVersions:
+    - v2alpha1
+    operations:
+    - CREATE
+    resources:
+    - trainingruntimes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-kubeflow-org-v2alpha1-trainjob
+  failurePolicy: Fail
+  name: mtrainjob.training-operator.kubeflow.org
+  rules:
+  - apiGroups:
+    - kubeflow.org
+    apiVersions:
+    - v2alpha1
+    operations:
+    - CREATE
+    resources:
+    - trainjobs
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-kubeflow-org-v2alpha1-clustertrainingruntime
+  failurePolicy: Fail
+  name: vclustertrainingruntime.training-operator.kubeflow.org
+  rules:
+  - apiGroups:
+    - kubeflow.org
+    apiVersions:
+    - v2alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clustertrainingruntimes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-kubeflow-org-v2alpha1-trainingruntime
+  failurePolicy: Fail
+  name: vtrainingruntime.training-operator.kubeflow.org
+  rules:
+  - apiGroups:
+    - kubeflow.org
+    apiVersions:
+    - v2alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - trainingruntimes
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-kubeflow-org-v2alpha1-trainjob
+  failurePolicy: Fail
+  name: vtrainjob.training-operator.kubeflow.org
+  rules:
+  - apiGroups:
+    - kubeflow.org
+    apiVersions:
+    - v2alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - trainjobs
+  sideEffects: None

pkg/webhook.v2/clustertrainingruntime_webhook.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2024 The Kubeflow Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhookv2
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	kubeflowv2 "github.com/kubeflow/training-operator/pkg/apis/kubeflow.org/v2alpha1"
+)
+
+type ClusterTrainingRuntimeWebhook struct{}
+
+func setupWebhookForClusterTrainingRuntime(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&kubeflowv2.ClusterTrainingRuntime{}).
+		WithDefaulter(&ClusterTrainingRuntimeWebhook{}).
+		WithValidator(&ClusterTrainingRuntimeWebhook{}).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/mutate-kubeflow-org-v2alpha1-clustertrainingruntime,mutating=true,failurePolicy=fail,sideEffects=None,groups=kubeflow.org,resources=clustertrainingruntimes,verbs=create,versions=v2alpha1,name=mclustertrainingruntime.training-operator.kubeflow.org,admissionReviewVersions=v1
+
+var _ webhook.CustomDefaulter = (*ClusterTrainingRuntimeWebhook)(nil)
+
+func (w *ClusterTrainingRuntimeWebhook) Default(context.Context, runtime.Object) error {
+	return nil
+}
+
+// +kubebuilder:webhook:path=/validate-kubeflow-org-v2alpha1-clustertrainingruntime,mutating=false,failurePolicy=fail,sideEffects=None,groups=kubeflow.org,resources=clustertrainingruntimes,verbs=create;update,versions=v2alpha1,name=vclustertrainingruntime.training-operator.kubeflow.org,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = (*ClusterTrainingRuntimeWebhook)(nil)
+
+func (w *ClusterTrainingRuntimeWebhook) ValidateCreate(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *ClusterTrainingRuntimeWebhook) ValidateUpdate(context.Context, runtime.Object, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *ClusterTrainingRuntimeWebhook) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}

pkg/webhook.v2/webhook.go → pkg/webhook.v2/setup.go

@@ -18,6 +18,15 @@ package webhookv2
 
 import ctrl "sigs.k8s.io/controller-runtime"
 
-func Setup(ctrl.Manager) (string, error) {
+func Setup(mgr ctrl.Manager) (string, error) {
+	if err := setupWebhookForClusterTrainingRuntime(mgr); err != nil {
+		return "ClusterTrainingRuntime", err
+	}
+	if err := setupWebhookForTrainingRuntime(mgr); err != nil {
+		return "TrainingRuntime", err
+	}
+	if err := setupWebhookForTrainJob(mgr); err != nil {
+		return "TranJob", err
+	}
 	return "", nil
 }

pkg/webhook.v2/trainingruntime_webhook.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2024 The Kubeflow Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhookv2
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	kubeflowv2 "github.com/kubeflow/training-operator/pkg/apis/kubeflow.org/v2alpha1"
+)
+
+type TrainingRuntimeWebhook struct{}
+
+func setupWebhookForTrainingRuntime(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&kubeflowv2.TrainingRuntime{}).
+		WithDefaulter(&TrainingRuntimeWebhook{}).
+		WithValidator(&TrainingRuntimeWebhook{}).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/mutate-kubeflow-org-v2alpha1-trainingruntime,mutating=true,failurePolicy=fail,sideEffects=None,groups=kubeflow.org,resources=trainingruntimes,verbs=create,versions=v2alpha1,name=mtrainingruntime.training-operator.kubeflow.org,admissionReviewVersions=v1
+
+var _ webhook.CustomDefaulter = (*TrainingRuntimeWebhook)(nil)
+
+func (w *TrainingRuntimeWebhook) Default(context.Context, runtime.Object) error {
+	return nil
+}
+
+// +kubebuilder:webhook:path=/validate-kubeflow-org-v2alpha1-trainingruntime,mutating=false,failurePolicy=fail,sideEffects=None,groups=kubeflow.org,resources=trainingruntimes,verbs=create;update,versions=v2alpha1,name=vtrainingruntime.training-operator.kubeflow.org,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = (*TrainingRuntimeWebhook)(nil)
+
+func (w *TrainingRuntimeWebhook) ValidateCreate(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *TrainingRuntimeWebhook) ValidateUpdate(context.Context, runtime.Object, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *TrainingRuntimeWebhook) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}

pkg/webhook.v2/trainjob_webhook.go

@@ -15,3 +15,48 @@ limitations under the License.
 */
 
 package webhookv2
+
+import (
+	"context"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
+	kubeflowv2 "github.com/kubeflow/training-operator/pkg/apis/kubeflow.org/v2alpha1"
+)
+
+type TrainJobWebhook struct{}
+
+func setupWebhookForTrainJob(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&kubeflowv2.TrainJob{}).
+		WithDefaulter(&TrainJobWebhook{}).
+		WithValidator(&TrainJobWebhook{}).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/mutate-kubeflow-org-v2alpha1-trainjob,mutating=true,failurePolicy=fail,sideEffects=None,groups=kubeflow.org,resources=trainjobs,verbs=create,versions=v2alpha1,name=mtrainjob.training-operator.kubeflow.org,admissionReviewVersions=v1
+
+var _ webhook.CustomDefaulter = (*TrainJobWebhook)(nil)
+
+func (w *TrainJobWebhook) Default(context.Context, runtime.Object) error {
+	return nil
+}
+
+// +kubebuilder:webhook:path=/validate-kubeflow-org-v2alpha1-trainjob,mutating=false,failurePolicy=fail,sideEffects=None,groups=kubeflow.org,resources=trainjobs,verbs=create;update,versions=v2alpha1,name=vtrainjob.training-operator.kubeflow.org,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = (*TrainJobWebhook)(nil)
+
+func (w *TrainJobWebhook) ValidateCreate(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *TrainJobWebhook) ValidateUpdate(context.Context, runtime.Object, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (w *TrainJobWebhook) ValidateDelete(context.Context, runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}