Merge pull request #3088 from sedefsavas/capd-webhook

✨Add CAPD webhooks

Author: k8s-ci-robot

docs/book/src/developer/guide.md

@@ -133,7 +133,7 @@ and
 
 ```
 $EDITOR config/manager/manager_image_patch.yaml
-$EDITOR test/infrastructure/docker/config/default/manager_image_patch.yaml
+$EDITOR test/infrastructure/docker/config/manager/manager_image_patch.yaml
 ```
 
 In both cases, change the `- image:` url to the digest URL mentioned above:

test/infrastructure/docker/Makefile

@@ -122,7 +122,9 @@ generate-manifests: $(CONTROLLER_GEN) ## Generate manifests e.g. CRD, RBAC etc.
 		paths=./controllers/... \
 		crd:crdVersions=v1 \
 		rbac:roleName=manager-role \
-		output:crd:dir=./config/crd/bases
+		output:crd:dir=./config/crd/bases \
+		output:webhook:dir=./config/webhook \
+		webhook
 
 .PHONY: modules
 modules: ## Runs go mod to ensure modules are up to date.
@@ -172,12 +174,12 @@ docker-push-manifest: ## Push the fat manifest docker image.
 .PHONY: set-manifest-image
 set-manifest-image:
 	$(info Updating kustomize image patch file for manager resource)
-	sed -i'' -e 's@image: .*@image: '"${MANIFEST_IMG}:$(MANIFEST_TAG)"'@' ./config/default/manager_image_patch.yaml
+	sed -i'' -e 's@image: .*@image: '"${MANIFEST_IMG}:$(MANIFEST_TAG)"'@' ./config/manager/manager_image_patch.yaml
 
 .PHONY: set-manifest-pull-policy
 set-manifest-pull-policy:
 	$(info Updating kustomize pull policy file for manager resource)
-	sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' ./config/default/manager_pull_policy.yaml
+	sed -i'' -e 's@imagePullPolicy: .*@imagePullPolicy: '"$(PULL_POLICY)"'@' ./config/manager/manager_pull_policy.yaml
 
 ## --------------------------------------
 ## Release

test/infrastructure/docker/api/v1alpha3/dockermachinetemplate_webhook.go

@@ -0,0 +1,55 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"errors"
+	"reflect"
+
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+func (m *DockerMachineTemplate) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(m).
+		Complete()
+}
+
+// +kubebuilder:webhook:verbs=create;update,path=/validate-infrastructure-cluster-x-k8s-io-v1alpha3-dockermachinetemplate,mutating=false,failurePolicy=fail,matchPolicy=Equivalent,groups=infrastructure.cluster.x-k8s.io,resources=dockermachinetemplates,versions=v1alpha3,name=validation.dockermachinetemplate.infrastructure.cluster.x-k8s.io,sideEffects=None
+
+var _ webhook.Validator = &DockerMachineTemplate{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (m *DockerMachineTemplate) ValidateCreate() error {
+	return nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (m *DockerMachineTemplate) ValidateUpdate(old runtime.Object) error {
+	oldCRS := old.(*DockerMachineTemplate)
+	if !reflect.DeepEqual(m.Spec, oldCRS.Spec) {
+		return errors.New("DockerMachineTemplateSpec is immutable")
+	}
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (m *DockerMachineTemplate) ValidateDelete() error {
+	return nil
+}

test/infrastructure/docker/api/v1alpha3/dockermachinetemplate_webhook_test.go

@@ -0,0 +1,63 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha3
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestDockerMachineTemplateInvalid(t *testing.T) {
+	oldTemplate := DockerMachineTemplate{
+		ObjectMeta: metav1.ObjectMeta{},
+		Spec: DockerMachineTemplateSpec{
+			Template: DockerMachineTemplateResource{},
+		},
+	}
+
+	newTemplate := oldTemplate.DeepCopy()
+	newTemplate.Spec.Template.Spec.ExtraMounts = append(newTemplate.Spec.Template.Spec.ExtraMounts, []Mount{{ContainerPath: "/var/run/docker.sock", HostPath: "/var/run/docker.sock"}}...)
+
+	tests := []struct {
+		name        string
+		newTemplate *DockerMachineTemplate
+		oldTemplate *DockerMachineTemplate
+		wantError   bool
+	}{
+		{
+			name:        "return no error if no modification",
+			newTemplate: newTemplate,
+			oldTemplate: newTemplate,
+			wantError:   false,
+		},
+		{
+			name:        "don't allow modification",
+			newTemplate: newTemplate,
+			oldTemplate: &oldTemplate,
+			wantError:   true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.newTemplate.ValidateUpdate(tt.oldTemplate)
+			if (err != nil) != tt.wantError {
+				t.Errorf("unexpected result - wanted %+v, got %+v", tt.wantError, err)
+			}
+		})
+	}
+}

test/infrastructure/docker/api/v1alpha3/zz_generated.deepcopy.go

@@ -1,23 +1,23 @@
 # The following manifests contain a self-signed issuer CR and a certificate CR.
 # More document can be found at https://docs.cert-manager.io
-apiVersion: cert-manager.io/v1alpha1
+apiVersion: cert-manager.io/v1alpha2
 kind: Issuer
 metadata:
   name: selfsigned-issuer
   namespace: system
 spec:
   selfSigned: {}
 ---
-apiVersion: cert-manager.io/v1alpha1
+apiVersion: cert-manager.io/v1alpha2
 kind: Certificate
 metadata:
   name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
   namespace: system
 spec:
   # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
-  commonName: $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
   dnsNames:
-  - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
+    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc
+    - $(SERVICE_NAME).$(SERVICE_NAMESPACE).svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned-issuer

test/infrastructure/docker/config/certmanager/certificate.yaml

@@ -2,11 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: capd-system
 
-patchesStrategicMerge:
-- manager_image_patch.yaml
-- manager_auth_proxy_patch.yaml
-
 resources:
-- namespace.yaml
-- ../rbac
-- ../manager
+  - namespace.yaml
+
+bases:
+  - ../rbac

test/infrastructure/docker/config/default/kustomization.yaml

@@ -6,3 +6,4 @@ commonLabels:
 resources:
 - crd
 - default
+- webhook

test/infrastructure/docker/config/kustomization.yaml

@@ -2,3 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - manager.yaml
+
+patchesStrategicMerge:
+  - manager_image_patch.yaml
+  - manager_auth_proxy_patch.yaml