Merge pull request #2549 from JoelSpeed/register-mhc-controller

✨ Register MachineHealthCheck controller and add RBAC

config/crd/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - bases/cluster.x-k8s.io_machinesets.yaml
 - bases/cluster.x-k8s.io_machinedeployments.yaml
 - bases/exp.cluster.x-k8s.io_machinepools.yaml
+- bases/cluster.x-k8s.io_machinehealthchecks.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
@@ -16,6 +17,7 @@ patchesStrategicMerge:
 - patches/webhook_in_machines.yaml
 - patches/webhook_in_machinesets.yaml
 - patches/webhook_in_machinedeployments.yaml
+- patches/webhook_in_machinehealthchecks.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
@@ -24,6 +26,7 @@ patchesStrategicMerge:
 - patches/cainjection_in_machines.yaml
 - patches/cainjection_in_machinesets.yaml
 - patches/cainjection_in_machinedeployments.yaml
+- patches/cainjection_in_machinehealthchecks.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

config/crd/patches/cainjection_in_machinehealthchecks.yaml

@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: machinehealthchecks.cluster.x-k8s.io

config/crd/patches/webhook_in_machinehealthchecks.yaml

@@ -0,0 +1,19 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: machinehealthchecks.cluster.x-k8s.io
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1", "v1beta1"]
+      clientConfig:
+        # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+        # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+        caBundle: Cg==
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert

config/kustomization.yaml

@@ -33,3 +33,9 @@ patchesJson6902:
     kind: CustomResourceDefinition
     name: machinesets.cluster.x-k8s.io
   path: patch_crd_webhook_namespace.yaml
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: machinehealthchecks.cluster.x-k8s.io
+  path: patch_crd_webhook_namespace.yaml

config/rbac/role.yaml

@@ -67,6 +67,17 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - cluster.x-k8s.io
+  resources:
+  - machinehealthchecks
+  - machinehealthchecks/status
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - cluster.x-k8s.io
   resources:

controllers/machinehealthcheck_controller.go

@@ -58,6 +58,11 @@ const (
 	EventRemediationRestricted string = "RemediationRestricted"
 )
 
+// +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;delete
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks;machinehealthchecks/status,verbs=get;list;watch;update;patch
+
 // MachineHealthCheckReconciler reconciles a MachineHealthCheck object
 type MachineHealthCheckReconciler struct {
 	Client client.Client

main.go

@@ -48,18 +48,19 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 
 	// flags
-	metricsAddr                  string
-	enableLeaderElection         bool
-	watchNamespace               string
-	profilerAddress              string
-	clusterConcurrency           int
-	machineConcurrency           int
-	machineSetConcurrency        int
-	machineDeploymentConcurrency int
-	machinePoolConcurrency       int
-	syncPeriod                   time.Duration
-	webhookPort                  int
-	healthAddr                   string
+	metricsAddr                   string
+	enableLeaderElection          bool
+	watchNamespace                string
+	profilerAddress               string
+	clusterConcurrency            int
+	machineConcurrency            int
+	machineSetConcurrency         int
+	machineDeploymentConcurrency  int
+	machinePoolConcurrency        int
+	machineHealthCheckConcurrency int
+	syncPeriod                    time.Duration
+	webhookPort                   int
+	healthAddr                    string
 )
 
 func init() {
@@ -102,6 +103,9 @@ func InitFlags(fs *pflag.FlagSet) {
 	fs.IntVar(&machinePoolConcurrency, "machinepool-concurrency", 10,
 		"Number of machine pools to process simultaneously")
 
+	fs.IntVar(&machineHealthCheckConcurrency, "machinehealthcheck-concurrency", 10,
+		"Number of machine health checks to process simultaneously")
+
 	fs.DurationVar(&syncPeriod, "sync-period", 10*time.Minute,
 		"The minimum interval at which watched resources are reconciled (e.g. 15m)")
 
@@ -210,6 +214,13 @@ func setupReconcilers(mgr ctrl.Manager) {
 			os.Exit(1)
 		}
 	}
+	if err := (&controllers.MachineHealthCheckReconciler{
+		Client: mgr.GetClient(),
+		Log:    ctrl.Log.WithName("controllers").WithName("MachineHealthCheck"),
+	}).SetupWithManager(mgr, concurrency(machineHealthCheckConcurrency)); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "MachineHealthCheck")
+		os.Exit(1)
+	}
 }
 
 func setupWebhooks(mgr ctrl.Manager) {
@@ -279,6 +290,11 @@ func setupWebhooks(mgr ctrl.Manager) {
 			os.Exit(1)
 		}
 	}
+
+	if err := (&clusterv1alpha3.MachineHealthCheck{}).SetupWebhookWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create webhook", "webhook", "MachineHealthCheck")
+		os.Exit(1)
+	}
 }
 
 func concurrency(c int) controller.Options {