Add MachineSet ControlPlane webhooks

cmd/machineset/main.go

@@ -80,21 +80,37 @@ func main() {
 	}
 
 	// Enable defaulting and validating webhooks
-	defaulter, err := v1beta1.NewMachineDefaulter()
+	machineDefaulter, err := v1beta1.NewMachineDefaulter()
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	validator, err := v1beta1.NewMachineValidator()
+	machineValidator, err := v1beta1.NewMachineValidator()
 	if err != nil {
 		log.Fatal(err)
 	}
 
+	machineSetDefaulter, err := v1beta1.NewMachineSetDefaulter()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	machineSetValidator, err := v1beta1.NewMachineSetValidator()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	machineSetCPValidator := v1beta1.NewMachineSetCPValidator()
+
 	if *webhookEnabled {
 		mgr.GetWebhookServer().Port = *webhookPort
 		mgr.GetWebhookServer().CertDir = *webhookCertdir
-		mgr.GetWebhookServer().Register("/mutate-machine-openshift-io-v1beta1-machine", &webhook.Admission{Handler: defaulter})
-		mgr.GetWebhookServer().Register("/validate-machine-openshift-io-v1beta1-machine", &webhook.Admission{Handler: validator})
+		mgr.GetWebhookServer().Register("/mutate-machine-openshift-io-v1beta1-machine", &webhook.Admission{Handler: machineDefaulter})
+		mgr.GetWebhookServer().Register("/validate-machine-openshift-io-v1beta1-machine", &webhook.Admission{Handler: machineValidator})
+		mgr.GetWebhookServer().Register("/mutate-machine-openshift-io-v1beta1-machineset", &webhook.Admission{Handler: machineSetDefaulter})
+		mgr.GetWebhookServer().Register("/validate-machine-openshift-io-v1beta1-machineset", &webhook.Admission{Handler: machineSetValidator})
+		mgr.GetWebhookServer().Register("/validate-machine-openshift-io-v1beta1-machineset-cp-delete", &webhook.Admission{Handler: machineSetCPValidator})
+		mgr.GetWebhookServer().Register("/validate-machine-openshift-io-v1beta1-machineset-cp-update", &webhook.Admission{Handler: machineSetCPValidator})
 	}
 
 	log.Printf("Registering Components.")

go.mod

@@ -39,3 +39,5 @@ replace sigs.k8s.io/cluster-api-provider-aws => github.com/openshift/cluster-api
 replace sigs.k8s.io/cluster-api-provider-azure => github.com/openshift/cluster-api-provider-azure v0.1.0-alpha.3.0.20200529030741-17d4edc5142f
 
 replace sigs.k8s.io/cluster-api-provider-gcp => github.com/openshift/cluster-api-provider-gcp v0.0.1-0.20200528175251-4f2fdeb49fe1
+
+replace sigs.k8s.io/controller-runtime => github.com/mgugino-upstream-stage/controller-runtime v0.6.1-0.20200618201807-9d82bf2a7266

go.sum

@@ -300,6 +300,8 @@ github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hd
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mgugino-upstream-stage/controller-runtime v0.6.1-0.20200618201807-9d82bf2a7266 h1:X0OqO02w1UgHOJsqDdWFGupKeIQtrgYoMYPaUMeo6WU=
+github.com/mgugino-upstream-stage/controller-runtime v0.6.1-0.20200618201807-9d82bf2a7266/go.mod h1:qN/IYzFHXI7mP9qhUiGRN9uDH3fdAAqBTCqP1YkMEtQ=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-wordwrap v1.0.0 h1:6GlHJ/LTGMrIJbwgdqdl2eEH8o+Exx/0m8ir9Gns0u4=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=

install/0000_30_machine-api-operator_08_webhook.yaml

@@ -28,6 +28,26 @@ webhooks:
         resources:
           - machines
     sideEffects: None
+  - clientConfig:
+      service:
+        name: machine-api-operator-webhook
+        namespace: openshift-machine-api
+        path: /mutate-machine-openshift-io-v1beta1-machineset
+    # failurePolicy is ignore so we don't want to block machine lifecycle on the webhook operational aspects.
+    # This would be particularly problematic for chicken egg issues when bootstrapping a cluster.
+    failurePolicy: Ignore
+    matchPolicy: Equivalent
+    name: default.machineset.machine.openshift.io
+    rules:
+      - apiGroups:
+          - machine.openshift.io
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+        resources:
+          - machinesets
+    sideEffects: None
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
@@ -59,3 +79,64 @@ webhooks:
         resources:
           - machines
     sideEffects: None
+  - clientConfig:
+      service:
+        name: machine-api-operator-webhook
+        namespace: openshift-machine-api
+        path: /validate-machine-openshift-io-v1beta1-machineset
+    # failurePolicy is ignore so we don't want to block machine lifecycle on the webhook operational aspects.
+    # This would be particularly problematic for chicken egg issues when bootstrapping a cluster.
+    failurePolicy: Ignore
+    matchPolicy: Equivalent
+    name: validation.machineset.machine.openshift.io
+    rules:
+      - apiGroups:
+          - machine.openshift.io
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - machinesets
+    sideEffects: None
+  - clientConfig:
+      service:
+        name: machine-api-operator-webhook
+        namespace: openshift-machine-api
+        path: /validate-machine-openshift-io-v1beta1-machineset-cp-delete
+    # failurePolicy is Fail so we ensure control plane machinesets are never
+    # deleted.
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: delete.cp.validation.machineset.machine.openshift.io
+    rules:
+      - apiGroups:
+          - machine.openshift.io
+        apiVersions:
+          - v1beta1
+        operations:
+          - DELETE
+        resources:
+          - machinesets
+    sideEffects: None
+  - clientConfig:
+      service:
+        name: machine-api-operator-webhook
+        namespace: openshift-machine-api
+        path: /validate-machine-openshift-io-v1beta1-machineset-cp-update
+    # failurePolicy is Fail so we ensure control plane machinesets are never
+    # made non-CP machinesets.
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    name: update.cp.validation.machineset.machine.openshift.io
+    rules:
+      - apiGroups:
+          - machine.openshift.io
+        apiVersions:
+          - v1beta1
+        operations:
+          - UPDATE
+        resources:
+          - machinesets
+    sideEffects: None