Merge pull request #362 from tenzen-y/add-cert-options-to-component-c…

…onfig Add options for internal cert management to component config
kubernetes-sigs · Sep 9, 2022 · 81ccfdf · 81ccfdf
2 parents 15f63b5 + 33e0459
commit 81ccfdf
Show file tree

Hide file tree

Showing 15 changed files with 409 additions and 76 deletions.
diff --git a/CHANGELOG/CHANGELOG-0.3.md b/CHANGELOG/CHANGELOG-0.3.md
@@ -0,0 +1,13 @@
+## v0.3.0
+
+Changes since `v0.2.1`:
+
+### Features
+
+- Upgrade the `config.kueue.x-k8s.io` API version from `v1alpha1` to `v1alpha2`. `v1alpha1` is no longer supported.
+  `v1alpha2` includes the following changes:
+  - Add Namespace to propagate the namespace where kueue is deployed to the webhook certificate.
+  - Add InternalCertManagement with fields Enable, WebhookServiceName and WebhookSecretName.
+  - Remove EnableInternalCertManagement. Use InternalCertManagement.Enable instead.
+
+### Bug fixes
diff --git a/Makefile b/Makefile
@@ -119,11 +119,11 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: generate fmt vet ## Run tests.
-	$(GO_CMD) test $(GO_TEST_FLAGS) ./pkg/... -coverprofile cover.out
+	$(GO_CMD) test $(GO_TEST_FLAGS) $(shell go list ./... | grep -v -e 'test') -coverprofile cover.out
 
 .PHONY: test-integration
 test-integration: manifests generate fmt vet envtest ginkgo ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" \
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) --arch=amd64 use $(ENVTEST_K8S_VERSION) -p path)" \
 	$(GINKGO) -v $(INTEGRATION_TARGET)
 
 .PHONY: ci-lint

diff --git a/apis/config/v1alpha1/configuration_types.go → apis/config/v1alpha2/configuration_types.go b/apis/config/v1alpha1/configuration_types.go → apis/config/v1alpha2/configuration_types.go
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1alpha2
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -27,6 +27,10 @@ import (
 type Configuration struct {
 	metav1.TypeMeta `json:",inline"`
 
+	// Namespace is the namespace in which kueue is deployed. It is used as part of DNSName of the webhook Service.
+	// Defaults to kueue-system.
+	Namespace *string `json:"namespace,omitempty"`
+
 	// ControllerManagerConfigurationSpec returns the configurations for controllers
 	cfg.ControllerManagerConfigurationSpec `json:",inline"`
 
@@ -39,8 +43,22 @@ type Configuration struct {
 	// unsuspended, they will start immediately.
 	ManageJobsWithoutQueueName bool `json:"manageJobsWithoutQueueName"`
 
-	// EnableInternalCertManagement controls whether to enable internal cert management or not.
+	// InternalCertManagement is configuration for internalCertManagement
+	InternalCertManagement *InternalCertManagement `json:"internalCertManagement,omitempty"`
+}
+
+type InternalCertManagement struct {
+
+	// Enable controls whether to enable internal cert management or not.
 	// Defaults to true. If you want to use a third-party management, e.g. cert-manager,
 	// set it to false. See the user guide for more information.
-	EnableInternalCertManagement *bool `json:"enableInternalCertManagement,omitempty"`
+	Enable *bool `json:"enable,omitempty"`
+
+	// WebhookServiceName is the name of the Service used as part of the DNSName.
+	// Defaults to kueue-webhook-service.
+	WebhookServiceName *string `json:"webhookServiceName,omitempty"`
+
+	// WebhookSecretName is the name of the Secret used to store CA and server certs.
+	// Defaults to kueue-webhook-server-cert.
+	WebhookSecretName *string `json:"webhookSecretName,omitempty"`
 }
diff --git a/apis/config/v1alpha1/defaults.go → apis/config/v1alpha2/defaults.go b/apis/config/v1alpha1/defaults.go → apis/config/v1alpha2/defaults.go
@@ -14,12 +14,17 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1alpha2
 
 import (
-	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
+)
 
-	"sigs.k8s.io/kueue/pkg/util/pointer"
+const (
+	DefaultNamespace          = "kueue-system"
+	DefaultWebhookServiceName = "kueue-webhook-service"
+	DefaultWebhookSecretName  = "kueue-webhook-server-cert"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
@@ -31,7 +36,21 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
 
 // SetDefaults_Configuration sets default values for ComponentConfig.
 func SetDefaults_Configuration(cfg *Configuration) {
-	if cfg.EnableInternalCertManagement == nil {
-		cfg.EnableInternalCertManagement = pointer.Bool(true)
+	if cfg.Namespace == nil {
+		cfg.Namespace = pointer.String(DefaultNamespace)
+	}
+	if cfg.InternalCertManagement == nil {
+		cfg.InternalCertManagement = &InternalCertManagement{}
+	}
+	if cfg.InternalCertManagement.Enable == nil {
+		cfg.InternalCertManagement.Enable = pointer.Bool(true)
+	}
+	if *cfg.InternalCertManagement.Enable {
+		if cfg.InternalCertManagement.WebhookServiceName == nil {
+			cfg.InternalCertManagement.WebhookServiceName = pointer.String(DefaultWebhookServiceName)
+		}
+		if cfg.InternalCertManagement.WebhookSecretName == nil {
+			cfg.InternalCertManagement.WebhookSecretName = pointer.String(DefaultWebhookSecretName)
+		}
 	}
 }
diff --git a/apis/config/v1alpha2/defaults_test.go b/apis/config/v1alpha2/defaults_test.go
@@ -0,0 +1,83 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"k8s.io/utils/pointer"
+)
+
+const overwriteNamespace = "kueue-tenant-a"
+
+func TestSetDefaults_Configuration(t *testing.T) {
+	testCases := map[string]struct {
+		original *Configuration
+		want     *Configuration
+	}{
+		"defaulting namespace": {
+			original: &Configuration{
+				InternalCertManagement: &InternalCertManagement{
+					Enable: pointer.Bool(false),
+				},
+			},
+			want: &Configuration{
+				Namespace: pointer.String(DefaultNamespace),
+				InternalCertManagement: &InternalCertManagement{
+					Enable: pointer.Bool(false),
+				},
+			},
+		},
+		"defaulting InternalCertManagement": {
+			original: &Configuration{
+				Namespace: pointer.String(overwriteNamespace),
+			},
+			want: &Configuration{
+				Namespace: pointer.String(overwriteNamespace),
+				InternalCertManagement: &InternalCertManagement{
+					Enable:             pointer.Bool(true),
+					WebhookServiceName: pointer.String(DefaultWebhookServiceName),
+					WebhookSecretName:  pointer.String(DefaultWebhookSecretName),
+				},
+			},
+		},
+		"should not defaulting InternalCertManagement": {
+			original: &Configuration{
+				Namespace: pointer.String(overwriteNamespace),
+				InternalCertManagement: &InternalCertManagement{
+					Enable: pointer.Bool(false),
+				},
+			},
+			want: &Configuration{
+				Namespace: pointer.String(overwriteNamespace),
+				InternalCertManagement: &InternalCertManagement{
+					Enable: pointer.Bool(false),
+				},
+			},
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			SetDefaults_Configuration(tc.original)
+			if diff := cmp.Diff(tc.want, tc.original); diff != "" {
+				t.Errorf("unexpected error (-want,+got):\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/apis/config/v1alpha1/groupversion_info.go → apis/config/v1alpha2/groupversion_info.go b/apis/config/v1alpha1/groupversion_info.go → apis/config/v1alpha2/groupversion_info.go
@@ -14,10 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v1alpha1 contains API Schema definitions for the config v1alpha1 API group
+// Package v1alpha2 contains API Schema definitions for the config v1alpha2 API group
 // +kubebuilder:object:generate=true
 // +groupName=config.x-k8s.io
-package v1alpha1
+package v1alpha2
 
 import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -26,7 +26,7 @@ import (
 
 var (
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "config.kueue.x-k8s.io", Version: "v1alpha1"}
+	GroupVersion = schema.GroupVersion{Group: "config.kueue.x-k8s.io", Version: "v1alpha2"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

diff --git a/.../config/v1alpha1/zz_generated.deepcopy.go → .../config/v1alpha2/zz_generated.deepcopy.go b/.../config/v1alpha1/zz_generated.deepcopy.go → .../config/v1alpha2/zz_generated.deepcopy.go
diff --git a/apis/kueue/webhooks/workload_webhook_test.go b/apis/kueue/webhooks/workload_webhook_test.go
@@ -301,7 +301,6 @@ func TestValidateWorkload(t *testing.T) {
 				Admit(testingutil.MakeAdmission("cluster-queue", "@invalid").Obj()).
 				Obj(),
 			wantErr: field.ErrorList{
-				field.Invalid(specField.Child("admission", "podSetFlavors").Index(0).Child("name"), nil, ""),
 				field.NotFound(specField.Child("admission", "podSetFlavors").Index(0).Child("name"), nil),
 			},
 		},

diff --git a/config/components/manager/controller_manager_config.yaml b/config/components/manager/controller_manager_config.yaml
@@ -1,4 +1,4 @@
-apiVersion: config.kueue.x-k8s.io/v1alpha1
+apiVersion: config.kueue.x-k8s.io/v1alpha2
 kind: Configuration
 health:
   healthProbeBindAddress: :8081
@@ -9,5 +9,9 @@ webhook:
 leaderElection:
   leaderElect: true
   resourceName: c1f6bfd2.kueue.x-k8s.io
-# manageJobsWithoutQueueName: true
-# enableInternalCertManagement: false
+#manageJobsWithoutQueueName: true
+#namespace: ""
+#internalCertManagement:
+#  enable: false
+#  webhookServiceName: ""
+#  webhookSecretName: ""
diff --git a/config/components/webhook/service.yaml b/config/components/webhook/service.yaml
@@ -1,4 +1,3 @@
-
 apiVersion: v1
 kind: Service
 metadata:

diff --git a/docs/setup/install.md b/docs/setup/install.md
@@ -15,7 +15,7 @@ if you don't have your own monitoring system.
 
 The webhook server in kueue uses an internal cert management for provisioning certificates. If you want to use
   a third-party one, e.g. [cert-manager](https://github.com/cert-manager/cert-manager), follow these steps:
-  1. Set `enableInternalCertManagement` to `false` in [config file](#install-a-custom-configured-released-version).
+  1. Set `internalCertManagement.enable` to `false` in [config file](#install-a-custom-configured-released-version).
   2. Comment out the `internalcert` folder in `config/default/kustomization.yaml`.
   3. Enable `cert-manager` in `config/default/kustomization.yaml` and uncomment all sections with 'CERTMANAGER'.
 
@@ -71,6 +71,8 @@ the default Kueue Configuration
 struct ([v1alpha1@v0.2.1](https://pkg.go.dev/sigs.k8s.io/kueue@v0.2.1/apis/config/v1alpha1#Configuration)).
 The contents of the ConfigMap are similar to the following:
 
+__The `namespace` and `internalCertManagement` fields are available in Kueue v0.3.0 and later__
+
 ```yaml
 apiVersion: v1
 kind: ConfigMap
@@ -81,13 +83,18 @@ data:
   controller_manager_config.yaml: |
     apiVersion: config.kueue.x-k8s.io/v1alpha1
     kind: Configuration
+    namespace: kueue-system
     health:
       healthProbeBindAddress: :8081
     metrics:
       bindAddress: :8080
     webhook:
       port: 9443
     manageJobsWithoutQueueName: true
+    internalCertManagement:
+      enable: true
+      webhookServiceName: kueue-webhook-service
+      webhookSecretName: kueue-webhook-server-cert
 ```
 
 3. Apply the customized manifests to the cluster: