Merge pull request #59 from linode/bucket-webhook
Bucket webhook
Showing 17 changed files with 285 additions and 21 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
# Webhooks | ||
|
||
## Enable Webhooks | ||
- Webhooks are enabled in Crossplane by default from `v1.13` onwards. For previous versions of Crossplane, include the flag `--set webhooks.enabled=true` when [installing Crossplane via Helm](https://docs.crossplane.io/v1.11/software/install/#install-the-crossplane-helm-chart). | ||
- To enable webhooks in Provider Ceph, set the `--enable-webhooks` flag for the Provider Ceph controller. See example below using a controller configuration: | ||
|
||
`Provider` with reference to a `ControllerConfig` (**Note:** package version is omitted): | ||
``` | ||
apiVersion: pkg.crossplane.io/v1 | ||
kind: Provider | ||
metadata: | ||
name: provider-ceph | ||
spec: | ||
package: xpkg.upbound.io/linode/provider-ceph:vX.X.X | ||
controllerConfigRef: | ||
name: provider-ceph | ||
``` | ||
`ControllerConfig` with arguments: | ||
``` | ||
apiVersion: pkg.crossplane.io/v1alpha1 | ||
kind: ControllerConfig | ||
metadata: | ||
name: provider-ceph | ||
spec: | ||
args: | ||
- "--enable-validation-webhooks" | ||
``` | ||
**Note:** `ControllerConfig` has been deprecated, but remains in use until an alternative exists. | ||
|
||
## Bucket Admission Controlling Webhook | ||
Provider Ceph provides Dynamic Admission Control for Buckets. | ||
Create and Update operations on Buckets are blocked by the bucket admission webhook when: | ||
- The Bucket contains one or more providers (`bucket.spec.Providers`) that do not exist (i.e. a `ProviderConfig` of the same name does not exist in the k8s cluster). | ||
|
||
Future Work (not yet implemented): | ||
- Bucket Lifecycle Configurations cannot be validated against a backend. |
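Review bot: The prose under "Enable Webhooks" tells the reader to set `--enable-webhooks`, but the `ControllerConfig` example passes `--enable-validation-webhooks`; the text and the example should name the same flag, whichever one the controller actually registers. The "Future Work" bullet, "Bucket Lifecycle Configurations cannot be validated against a backend", also reads as a current limitation rather than a planned rejection rule; consider rewording it to say what the webhook will block once it is implemented.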
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
/* | ||
Copyright 2023. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package bucket | ||
|
||
import ( | ||
"context" | ||
"fmt" | ||
|
||
"github.com/crossplane/crossplane-runtime/pkg/webhook" | ||
"github.com/linode/provider-ceph/apis/provider-ceph/v1alpha1" | ||
"github.com/linode/provider-ceph/internal/backendstore" | ||
"github.com/linode/provider-ceph/internal/utils" | ||
"github.com/pkg/errors" | ||
"k8s.io/apimachinery/pkg/runtime" | ||
"sigs.k8s.io/controller-runtime/pkg/webhook/admission" | ||
) | ||
|
||
type BucketValidator struct { | ||
validator *webhook.Validator | ||
backendStore *backendstore.BackendStore | ||
} | ||
|
||
func NewBucketValidator(b *backendstore.BackendStore) *BucketValidator { | ||
bucketValidator := &BucketValidator{} | ||
validator := webhook.NewValidator() | ||
|
||
validator.CreationChain = append(validator.CreationChain, bucketValidator.ValidateCreate) | ||
validator.UpdateChain = append(validator.UpdateChain, bucketValidator.ValidateUpdate) | ||
validator.DeletionChain = append(validator.DeletionChain, bucketValidator.ValidateDelete) | ||
|
||
bucketValidator.validator = validator | ||
bucketValidator.backendStore = b | ||
|
||
return bucketValidator | ||
} | ||
|
||
//+kubebuilder:webhook:path=/validate-provider-ceph-ceph-crossplane-io-v1alpha1-bucket,mutating=false,failurePolicy=fail,sideEffects=None,groups=provider-ceph.ceph.crossplane.io,resources=buckets,verbs=create;update,versions=v1alpha1,name=bucket.providerceph.crossplane.io,admissionReviewVersions=v1 | ||
|
||
func (b *BucketValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { | ||
bucket, ok := obj.(*v1alpha1.Bucket) | ||
if !ok { | ||
return nil, errors.New(errNotBucket) | ||
} | ||
|
||
return nil, b.validateCreateOrUpdate(bucket) | ||
} | ||
|
||
func (b *BucketValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) { | ||
bucket, ok := newObj.(*v1alpha1.Bucket) | ||
if !ok { | ||
return nil, errors.New(errNotBucket) | ||
} | ||
|
||
return nil, b.validateCreateOrUpdate(bucket) | ||
} | ||
|
||
func (b *BucketValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) { | ||
return nil, nil | ||
} | ||
|
||
func (b *BucketValidator) validateCreateOrUpdate(bucket *v1alpha1.Bucket) error { | ||
// Ignore validation for health check buckets as they do not | ||
// behave as 'normal' buckets. For example, health check buckets | ||
// need to be updated after their owning ProviderConfig has been deleted. | ||
// This is to remove a finalizer and enable garbage collection. | ||
if v1alpha1.IsHealthCheckBucket(bucket) { | ||
return nil | ||
} | ||
|
||
if len(bucket.Spec.Providers) == 0 { | ||
return nil | ||
} | ||
|
||
missingProviders := utils.MissingStrings(bucket.Spec.Providers, b.backendStore.GetAllActiveBackendNames()) | ||
if len(missingProviders) != 0 { | ||
return errors.New(fmt.Sprintf("providers %v listed in bucket.Spec.Providers cannot be found", missingProviders)) | ||
} | ||
|
||
return nil | ||
} |
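Review bot: `ValidateUpdate` ignores `oldObj` and runs the same provider check as a create, so once a referenced backend disappears every later update to that Bucket is rejected, including metadata-only updates such as removing a finalizer; the comment in `validateCreateOrUpdate` describes exactly that need for health check buckets, and ordinary Buckets face it too. Consider skipping the check when the new object carries a deletion timestamp, or rejecting only providers that were added relative to `oldObj`. The lookup uses `GetAllActiveBackendNames()`, so it is worth confirming whether "active" can exclude a backend whose `ProviderConfig` exists but is unhealthy, since the error text says the provider "cannot be found". Minor: `errors.New(fmt.Sprintf(...))` can be `errors.Errorf(...)` from the already imported `github.com/pkg/errors`, and `ValidateDelete` is appended to `DeletionChain` although the kubebuilder marker only lists `verbs=create;update`.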
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
package utils | ||
|
||
import "k8s.io/utils/strings/slices" | ||
|
||
// MissingStrings returns a slice of all strings that exist | ||
// in sliceA, but not in sliceB. | ||
func MissingStrings(sliceA, sliceB []string) []string { | ||
return slices.Filter(nil, sliceA, func(s string) bool { | ||
return !slices.Contains(sliceB, s) | ||
}) | ||
} |
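Review bot: The doc comment on `MissingStrings` leaves out two behaviours callers depend on: duplicates in `sliceA` are preserved, so a provider listed twice in a Bucket is reported twice in the error message, and the result is `nil` rather than an empty slice when nothing is missing, because `slices.Filter` is given a `nil` destination. State both in the comment, or de-duplicate before returning. Each element triggers a linear `slices.Contains` scan over `sliceB`, which is fine for short provider lists but worth a remark if the backend list can grow.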