Add Validation and Mutating Webhook support #15

Merged
merged 6 commits into from
Dec 6, 2024

@raukadah raukadah commented Nov 26, 2024

This pull-request adds the following things based on the webhooks doc:

  • Validation and Mutating webhooks for watcher, WatcherAPI, WatcherDecisionengine, WatcherApplier
  • Add run-with-webhook make target for local development with webhook
  • Fixed webhooks error during docker-build
  • go.mod changes to start a webserver to serve the endpoints for the validating and mutating webhooks.

Jira: https://issues.redhat.com/browse/OSPRH-11933

openshift-ci bot commented Nov 26, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/ba9786543d1b477ab2bbe1da7cd6334f

openstack-meta-content-provider FAILURE in 8m 58s
⚠️ watcher-operator-validation SKIPPED Skipped due to failed job openstack-meta-content-provider

@SeanMooney
Collaborator

we should also add the maketarget for running with a webhook and the hacking scripts
you can see examples here

https://github.com/openstack-k8s-operators/placement-operator/tree/main/hack
https://github.com/openstack-k8s-operators/placement-operator/blob/main/Makefile#L349-L362

@raukadah
Contributor Author

we should also add the maketarget for running with a webhook and the hacking scripts you can see examples here

https://github.com/openstack-k8s-operators/placement-operator/tree/main/hack https://github.com/openstack-k8s-operators/placement-operator/blob/main/Makefile#L349-L362

Thank you @SeanMooney for sending the links, Updated the pr with run-with-webhook target.

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/1e5d782b2e0845dea8118600fef8dab3

openstack-meta-content-provider FAILURE in 8m 23s
⚠️ watcher-operator-validation SKIPPED Skipped due to failed job openstack-meta-content-provider

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/3adf6a259ce1402dbde43ea02d20c073

openstack-meta-content-provider FAILURE in 8m 59s
⚠️ watcher-operator-validation SKIPPED Skipped due to failed job openstack-meta-content-provider

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/ccb0a0d778f146ebb67c6e6e3092b324

openstack-meta-content-provider FAILURE in 8m 32s
⚠️ watcher-operator-validation SKIPPED Skipped due to failed job openstack-meta-content-provider

@raukadah raukadah marked this pull request as ready for review November 27, 2024 09:27
@openshift-ci openshift-ci bot requested review from marios and SeanMooney November 27, 2024 09:27
@raukadah raukadah requested review from amoralej and abays November 27, 2024 09:27
@raukadah raukadah changed the title Webhook Add Validation and Mutating Webhook support Nov 27, 2024
Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/e5a842175ea24bafa7fc7da68678c56a

✔️ openstack-meta-content-provider SUCCESS in 1h 24m 37s
watcher-operator-validation FAILURE in 1h 14m 09s

@raukadah raukadah marked this pull request as draft November 27, 2024 11:33
@raukadah
Contributor Author

Moving to draft till we make EDPM job passing!

@raukadah
Contributor Author

/test functional

@raukadah raukadah force-pushed the webhook branch 3 times, most recently from 2ed29ef to b62f9b9 Compare November 27, 2024 13:30
@raukadah
Contributor Author

/test functional
/test precommit-check

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/8c703bd1c7ba4ac4a6976478ed9ac941

✔️ openstack-meta-content-provider SUCCESS in 2h 12m 29s
watcher-operator-validation FAILURE in 1h 20m 34s

@raukadah
Contributor Author

Current failure: https://logserver.rdoproject.org/15/15/b62f9b9fb09a97a2a68a111dfb4a1e7ab96f27ba/github-check/watcher-operator-validation/0a57ce1/controller/ci-framework-data/logs/openstack-k8s-operators-openstack-must-gather/namespaces/openstack-operators/all_resources.log

pod/watcher-operator-controller-manager-5cc4b6f59d-nzbx8              1/2     CrashLoopBackOff   7 (10s ago)      11m

From pod log: https://logserver.rdoproject.org/15/15/b62f9b9fb09a97a2a68a111dfb4a1e7ab96f27ba/github-check/watcher-operator-validation/0a57ce1/controller/ci-framework-data/logs/openstack-k8s-operators-openstack-must-gather/namespaces/openstack-operators/pods/watcher-operator-controller-manager-5cc4b6f59d-nzbx8/logs/manager.log

2024-11-27T15:54:00Z	INFO	controller-runtime.metrics	Shutting down metrics server with timeout of 1 minute
2024-11-27T15:54:00Z	INFO	Wait completed, proceeding to shutdown the manager
I1127 15:54:00.093441       1 leaderelection.go:250] attempting to acquire leader lease openstack-operators/5049980f.openstack.org...
2024-11-27T15:54:00Z	ERROR	setup	problem running manager	{"error": "open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory"}
main.main
	/remote-source/main.go:179
runtime.main
	/usr/lib/golang/src/runtime/proc.go:267

@amoralej
Contributor

A high level question. Checking other operators, I see two different patterns:

  1. Some operators, such as barbican and cinder, create webhooks only for the top-level CRD (cinder or barbican, i.e.)
  2. Others (nova) create independent webhooks for all the CRDs.

This PR is implementing (2), but, given that the user should be using only the top-level Watcher, I'd be inclined to go with (1) for simplicity.

What do you think?

I'll do a more detailed review today.

@amoralej amoralej left a comment

Bug found in patch_webhook_configurations.yaml while testing locally

- CREATE
- UPDATE
resources:
- watcher

Contributor

This should be watchers

Contributor Author

Done!

- CREATE
- UPDATE
resources:
- watcher

Contributor

ditto

Contributor Author

Done!
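
Admission rules select requests by the plural resource name, so a singular entry such as `watcher` matches nothing and the webhook is silently never called. The check below is an added example, not code from this PR or the operator; the `Rule` type, the `served` table and the group name `watcher.example.org` are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule holds the rule fields visible in the review snippet plus apiGroups (assumed).
type Rule struct {
	APIGroups, Operations, Resources []string
}

// served is constructed sample data: API group -> plural resource names.
// The group name is a placeholder, not the operator's real group.
var served = map[string][]string{"watcher.example.org": {"watchers"}}

// UnmatchedResources returns the rule resources that name nothing served in
// the rule's groups, so the webhook would never be called for them.
func UnmatchedResources(r Rule, served map[string][]string) []string {
	var bad []string
	for _, res := range r.Resources {
		base, _, _ := strings.Cut(res, "/") // "watchers/status" -> "watchers"
		if base != "*" && !servedIn(r.APIGroups, base, served) {
			bad = append(bad, res)
		}
	}
	return bad
}

// servedIn reports whether plural is served in any of the rule's groups ("*" = all).
func servedIn(groups []string, plural string, served map[string][]string) bool {
	for group, plurals := range served {
		for _, g := range groups {
			if g != "*" && g != group {
				continue
			}
			for _, p := range plurals {
				if p == plural {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	r := Rule{[]string{"watcher.example.org"}, []string{"CREATE", "UPDATE"}, []string{"watcher"}}
	fmt.Println(UnmatchedResources(r, served)) // the singular name is reported
}
```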

@amoralej
Contributor

/approve

openshift-ci bot commented Nov 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amoralej

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

if err = (&watcherv1beta1.WatcherDecisionEngine{}).SetupWebhookWithManager(mgr); err != nil {
setupLog.Error(err, "unable to create webhook", "webhook", "WatcherDecisionEngine")
os.Exit(1)
}

Contributor Author

Done!

Collaborator

this is something i never got around to optimising in the nova operator but
again i would like to clean this up into a for loop over like we do with

NewReconcilers

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/controllers/watcher_common.go#L56-L79

we have one function that map of reconciler name to an instance of the object

and then a second function that struct and loops over each setting them up and checking for an error.

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/controllers/watcher_common.go#L81-L91

we should try and avoid having long if chains like this where we can by transforming it into a data-driven flow.

that is especially true when it's all or nothing (if any fails we abort)
and when it needs to be done in two places, main.go and suite_tests.go

Contributor Author
@raukadah raukadah Dec 4, 2024

Can I refactor these functions as a follow up pr?

Collaborator

sure lets move forward with this one as is and follow up
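
The data-driven setup suggested in the review above, sketched as an added example (not code from this PR or the operator): one function returns a map of name to object, a second walks it and returns the first error for the caller to abort on. `Manager` and `kind` are hypothetical stand-ins for `ctrl.Manager` and the four API types, so the sketch builds with the standard library alone.

```go
package main

import (
	"fmt"
	"sort"
)

// Manager stands in for ctrl.Manager (assumption); it records what was registered.
type Manager struct{ registered []string }

// WebhookSetup is the method shape called in the PR's main.go snippet.
type WebhookSetup interface {
	SetupWebhookWithManager(mgr *Manager) error
}

// kind is a hypothetical stand-in for an API type; err is a constructed failure.
type kind struct{ name string; err error }
func (k kind) SetupWebhookWithManager(mgr *Manager) error {
	if k.err == nil {
		mgr.registered = append(mgr.registered, k.name)
	}
	return k.err
}

// NewWebhooks maps a name to the object whose webhook gets registered.
func NewWebhooks() map[string]WebhookSetup {
	hooks := map[string]WebhookSetup{}
	for _, n := range []string{"Watcher", "WatcherAPI", "WatcherDecisionEngine", "WatcherApplier"} {
		hooks[n] = kind{name: n}
	}
	return hooks
}

// SetupWebhooks registers every webhook in sorted order and stops at the first error.
func SetupWebhooks(mgr *Manager, hooks map[string]WebhookSetup) error {
	var names []string
	for n := range hooks {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if err := hooks[n].SetupWebhookWithManager(mgr); err != nil {
			return fmt.Errorf("unable to create webhook %s: %w", n, err)
		}
	}
	return nil
}

func main() { fmt.Println(SetupWebhooks(&Manager{}, NewWebhooks())) }
```

The same `SetupWebhooks` call can then serve both places the review mentions, main.go and the functional test suite, instead of two copies of the if chain.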

Below is the command used to generate the same.
```
operator-sdk create webhook --group watcher --version v1beta1 --kind Watcher --programmatic-validation --defaulting
```

Signed-off-by: Chandan Kumar <[email protected]>

Below is the command used to generate webhook:
```
operator-sdk create webhook --group watcher --version v1beta1 --kind WatcherAPI --programmatic-validation --defaulting
```

Signed-off-by: Chandan Kumar <[email protected]>

Below is the command used to generate the same:
```
operator-sdk create webhook --group watcher --version v1beta1 --kind WatcherDecisionEngine --programmatic-validation --defaulting
```

Signed-off-by: Chandan Kumar <[email protected]>

Below is the command used to generate the same:
```
operator-sdk create webhook --group watcher --version v1beta1 --kind WatcherApplier --programmatic-validation --defaulting
```

Signed-off-by: Chandan Kumar <[email protected]>

It will help to run with webhook.

Signed-off-by: Chandan Kumar <[email protected]>

// log is for logging in this package.
var watcherlog = logf.Log.WithName("watcher-resource")

func (r *Watcher) SetupWebhookWithManager(mgr ctrl.Manager) error {

Collaborator

nit: this is not really part of the API module

its a method that should be defined on the reconcile base class

https://github.com/openstack-k8s-operators/watcher-operator/blob/main/controllers/watcher_common.go#L81-L92

or factored out into a common class like this

https://github.com/openstack-k8s-operators/nova-operator/blob/main/api/v1beta1/common_webhook.go

there is actually still some technical debt in the nova operator to move this from being defined on each webhook to a common subclass so we could proceed with this as is i just want to call out the fact that this will largely be identical for every webhook so we should try and duplicate this in the future

Contributor Author
@raukadah raukadah Dec 4, 2024

Thank you @SeanMooney, I have moved this method into common_webhook.go

Contributor Author

Done!

Complete()
}

// TODO(user): EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!

Collaborator

you should probably remove these TODO comments

Contributor Author

Done!

@raukadah
Contributor Author

raukadah commented Dec 4, 2024

Moving it to Draft, working on existing comment!

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/e2220f3d861c4f5da974c84100f44222

✔️ noop SUCCESS in 0s
openstack-meta-content-provider FAILURE in 7m 50s
⚠️ watcher-operator-validation SKIPPED Skipped due to failed job openstack-meta-content-provider

It also fixes:
- Fix admission.Validator value in variable declaration error
- Fix functional tests and pre-commit
- Fix tls.crt no such file or directory
- Use METRICS_PORT to 33080 and HEALTH_PORT to 33081

Signed-off-by: Chandan Kumar <[email protected]>
@raukadah raukadah marked this pull request as ready for review December 6, 2024 10:40
@openshift-ci openshift-ci bot requested a review from cescgina December 6, 2024 10:40
@openshift-ci openshift-ci bot added the lgtm label Dec 6, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit b552b28 into openstack-k8s-operators:main Dec 6, 2024
6 checks passed