openshift · openshift-merge-robot · Dec 4, 2020 · Nov 30, 2020 · Nov 30, 2020 · Dec 3, 2020
diff --git a/assets/webhook_deployment.yaml b/assets/webhook_deployment.yaml
@@ -0,0 +1,55 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: csi-snapshot-webhook
+  namespace: openshift-cluster-storage-operator
+spec:
+  serviceName: "csi-snapshot-webhook"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: csi-snapshot-webhook
+  template:
+    metadata:
+      labels:
+        app: csi-snapshot-webhook
+    spec:
+      containers:
+      - name: webhook
+        image: ${WEBHOOK_IMAGE}
+        args:
+          - --tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt
+          - --tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key
+          - "--v=${LOG_LEVEL}"
+          - --port=8443
+        ports:
+        - containerPort: 8443
+        volumeMounts:
+          - name: certs
+            mountPath: /etc/snapshot-validation-webhook/certs
+            readOnly: true
+        imagePullPolicy: IfNotPresent
+        resources:
+          requests:
+            cpu: 10m
+      priorityClassName: "system-cluster-critical"
+      restartPolicy: Always
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      volumes:
+      - name: certs
+        secret:
+          secretName: csi-snapshot-webhook-secret
+      tolerations:
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 120
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: "NoSchedule"
+
diff --git a/manifests/07_deployment.yaml b/manifests/07_deployment.yaml
@@ -33,6 +33,9 @@ spec:
         env:
         - name: OPERAND_IMAGE
           value: quay.io/openshift/origin-csi-snapshot-controller
+        - name: WEBHOOK_IMAGE
+          # TODO: replace with quay.io image
+          value: registry.svc.ci.openshift.org/ocp/4.7:csi-snapshot-validation-webhook
         - name: OPERATOR_IMAGE_VERSION
           value: "0.0.1-snapshot"
         - name: OPERAND_IMAGE_VERSION

diff --git a/manifests/08_webhook_service.yaml b/manifests/08_webhook_service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: csi-snapshot-webhook
+  namespace: openshift-cluster-storage-operator
+  labels:
+    app: csi-snapshot-webhook
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: csi-snapshot-webhook-secret
+    include.release.openshift.io/self-managed-high-availability: "true"
+spec:
+  ports:
+  - name: webhook
+    port: 443
+    targetPort: 8443
+  selector:
+    app: csi-snapshot-webhook
diff --git a/manifests/09_webhook_config.yaml b/manifests/09_webhook_config.yaml
@@ -0,0 +1,24 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: snapshot.storage.k8s.io
+  namespace: csi-snapshot-controller-operator
+  labels:
+    app: csi-snapshot-webhook
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+webhooks:
+  - name: volumesnapshotclasses.snapshot.storage.k8s.io
+    clientConfig:
+      service:
+        name: csi-snapshot-webhook
+        namespace: openshift-cluster-storage-operator
+        path: "/volumesnapshot"
+    rules:
+      - operations: [ "CREATE", "UPDATE" ]
+        apiGroups: ["snapshot.storage.k8s.io"]
+        apiVersions: ["v1", "v1beta1"]
+        resources: ["volumesnapshots", "volumesnapshotcontents"]
+    sideEffects: None
+    failurePolicy: Ignore
diff --git a/manifests/08_clusteroperator.yaml → manifests/10_clusteroperator.yaml b/manifests/08_clusteroperator.yaml → manifests/10_clusteroperator.yaml
diff --git a/manifests/image-references b/manifests/image-references
@@ -10,3 +10,7 @@ spec:
     from:
       kind: DockerImage
       name: quay.io/openshift/origin-csi-snapshot-controller
+  - name: csi-snapshot-validation-webhook
+    from:
+      kind: DockerImage
+      name: registry.svc.ci.openshift.org/ocp/4.7:csi-snapshot-validation-webhook
diff --git a/pkg/generated/bindata.go b/pkg/generated/bindata.go
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	operatorv1 "github.com/openshift/api/operator/v1"
+	"github.com/openshift/cluster-csi-snapshot-controller-operator/pkg/operatorclient"
 	corev1 "k8s.io/api/core/v1"
 	apiextclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	apiextinformersv1 "k8s.io/apiextensions-apiserver/pkg/client/informers/externalversions/apiextensions/v1"
@@ -34,11 +35,11 @@ const (
 	targetName        = "csi-snapshot-controller"
 	targetNamespace   = "openshift-cluster-storage-operator"
 	operatorNamespace = "openshift-cluster-storage-operator"
-	globalConfigName  = "cluster"
 
 	operatorVersionEnvName = "OPERATOR_IMAGE_VERSION"
 	operandVersionEnvName  = "OPERAND_IMAGE_VERSION"
 	operandImageEnvName    = "OPERAND_IMAGE"
+	webhookImageEnvName    = "WEBHOOK_IMAGE"
 
 	maxRetries = 15
 )
@@ -49,7 +50,7 @@ var (
 )
 
 type csiSnapshotOperator struct {
-	client        OperatorClient
+	client        operatorclient.OperatorClient
 	kubeClient    kubernetes.Interface
 	versionGetter status.VersionGetter
 	eventRecorder events.Recorder
@@ -70,7 +71,7 @@ type csiSnapshotOperator struct {
 }
 
 func NewCSISnapshotControllerOperator(
-	client OperatorClient,
+	client operatorclient.OperatorClient,
 	crdInformer apiextinformersv1.CustomResourceDefinitionInformer,
 	crdClient apiextclient.Interface,
 	deployInformer appsinformersv1.DeploymentInformer,
@@ -233,7 +234,7 @@ func (c *csiSnapshotOperator) enqueue(obj interface{}) {
 	}
 	// Sync corresponding CSISnapshotController instance. Since there is only one, sync that one.
 	// It will check all other objects (CRDs, Deployment) and update/overwrite them as needed.
-	c.queue.Add(globalConfigName)
+	c.queue.Add(operatorclient.GlobalConfigName)
 }
 
 func (c *csiSnapshotOperator) eventHandler(kind string) cache.ResourceEventHandler {

diff --git a/pkg/operator/operator_test.go b/pkg/operator/operator_test.go
@@ -11,6 +11,7 @@ import (
 	fakeop "github.com/openshift/client-go/operator/clientset/versioned/fake"
 	opinformers "github.com/openshift/client-go/operator/informers/externalversions"
 	"github.com/openshift/cluster-csi-snapshot-controller-operator/pkg/generated"
+	"github.com/openshift/cluster-csi-snapshot-controller-operator/pkg/operatorclient"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceread"
@@ -113,7 +114,7 @@ func newOperator(test operatorTest) *testContext {
 	// Add global reactors
 	addGenerationReactor(coreClient)
 
-	client := OperatorClient{
+	client := operatorclient.OperatorClient{
 		Client:    operatorClient.OperatorV1(),
 		Informers: operatorInformerFactory,
 	}
@@ -733,9 +734,9 @@ func TestSync(t *testing.T) {
 			}
 			// Check expectedObjects.csiSnapshotController
 			if test.expectedObjects.csiSnapshotController != nil {
-				actualCSISnapshotController, err := ctx.operatorClient.OperatorV1().CSISnapshotControllers().Get(context.TODO(), globalConfigName, metav1.GetOptions{})
+				actualCSISnapshotController, err := ctx.operatorClient.OperatorV1().CSISnapshotControllers().Get(context.TODO(), operatorclient.GlobalConfigName, metav1.GetOptions{})
 				if err != nil {
-					t.Errorf("Failed to get CSISnapshotController %s: %v", globalConfigName, err)
+					t.Errorf("Failed to get CSISnapshotController %s: %v", operatorclient.GlobalConfigName, err)
 				}
 				sanitizeCSISnapshotController(actualCSISnapshotController)
 				sanitizeCSISnapshotController(test.expectedObjects.csiSnapshotController)

diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -13,6 +13,8 @@ import (
 	csisnapshotconfigclient "github.com/openshift/client-go/operator/clientset/versioned"
 	informer "github.com/openshift/client-go/operator/informers/externalversions"
 	"github.com/openshift/cluster-csi-snapshot-controller-operator/pkg/common"
+	"github.com/openshift/cluster-csi-snapshot-controller-operator/pkg/operator/webhookdeployment"
+	"github.com/openshift/cluster-csi-snapshot-controller-operator/pkg/operatorclient"
 	"github.com/openshift/library-go/pkg/controller/controllercmd"
 	"github.com/openshift/library-go/pkg/operator/loglevel"
 	"github.com/openshift/library-go/pkg/operator/management"
@@ -40,7 +42,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 	}
 
 	csiConfigInformers := informer.NewSharedInformerFactoryWithOptions(csiConfigClient, resync,
-		informer.WithTweakListOptions(singleNameListOptions(globalConfigName)),
+		informer.WithTweakListOptions(singleNameListOptions(operatorclient.GlobalConfigName)),
 	)
 
 	configClient, err := configclient.NewForConfig(controllerConfig.KubeConfig)
@@ -50,32 +52,45 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 
 	configInformers := configinformer.NewSharedInformerFactoryWithOptions(configClient, resync)
 
-	operatorClient := &OperatorClient{
-		csiConfigInformers,
-		csiConfigClient.OperatorV1(),
+	operatorClient := &operatorclient.OperatorClient{
+		Informers: csiConfigInformers,
+		Client:    csiConfigClient.OperatorV1(),
+		ExpectedConditions: []string{
+			operatorv1.OperatorStatusTypeAvailable,
+			webhookdeployment.WebhookControllerName + operatorv1.OperatorStatusTypeAvailable,
+		},
 	}
 
+	kubeClient := ctrlctx.ClientBuilder.KubeClientOrDie(targetName)
+
 	versionGetter := status.NewVersionGetter()
 
 	operator := NewCSISnapshotControllerOperator(
 		*operatorClient,
 		ctrlctx.APIExtInformerFactory.Apiextensions().V1().CustomResourceDefinitions(),
 		ctrlctx.ClientBuilder.APIExtClientOrDie(targetName),
 		ctrlctx.KubeNamespacedInformerFactory.Apps().V1().Deployments(),
-		ctrlctx.ClientBuilder.KubeClientOrDie(targetName),
+		kubeClient,
 		versionGetter,
 		controllerConfig.EventRecorder,
 		os.Getenv(operatorVersionEnvName),
 		os.Getenv(operandVersionEnvName),
 		os.Getenv(operandImageEnvName),
 	)
 
+	webhookOperator := webhookdeployment.NewCSISnapshotWebhookController(*operatorClient,
+		ctrlctx.KubeNamespacedInformerFactory.Apps().V1().Deployments(),
+		kubeClient,
+		controllerConfig.EventRecorder,
+		os.Getenv(webhookImageEnvName),
+	)
+
 	clusterOperatorStatus := status.NewClusterOperatorStatusController(
 		targetName,
 		[]configv1.ObjectReference{
 			{Resource: "namespaces", Name: targetNamespace},
 			{Resource: "namespaces", Name: operatorNamespace},
-			{Group: operatorv1.GroupName, Resource: "csisnapshotcontrollers", Name: globalConfigName},
+			{Group: operatorv1.GroupName, Resource: "csisnapshotcontrollers", Name: operatorclient.GlobalConfigName},
 		},
 		configClient.ConfigV1(),
 		configInformers.Config().V1().ClusterOperators(),
@@ -108,6 +123,7 @@ func RunOperator(ctx context.Context, controllerConfig *controllercmd.Controller
 		clusterOperatorStatus,
 		logLevelController,
 		managementStateController,
+		webhookOperator,
 	} {
 		go controller.Run(ctx, 1)
 	}