Admission Controller (Webhook) for Akri Configuration(s)

.github/workflows/build-webhook-configuration.yml

@@ -0,0 +1,36 @@
+name: Build Webhook Configuration
+
+on:
+  push:
+    # branches:
+    #   - main
+    # paths:
+    #   - webhooks/validating/configuration/**
+    #   - version.txt
+
+env:
+  AKRI_COMPONENT: webhook-configuration
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v2
+      - name: setup
+        uses: docker/setup-buildx-action@v1
+      - name: login
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.crUsername }}
+          password: ${{ secrets.crPassword }}
+      - name: build-push
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          build-args: |
+            COMPONENT=${{ matrix.component }}
+          context: .
+          file: ./build/containers/Dockerfile.webhook-configuration
+          tags: ghcr.io/${{ secrets.crUsername }}/${{ env.AKRI_COMPONENT }}:v1

Cargo.toml

@@ -4,4 +4,4 @@
 h2 = { git = "https://github.com/kate-goldenring/h2", branch = "master"}
 
 [workspace]
-members = ["shared", "controller", "agent", "samples/brokers/udev-video-broker"]
+members = ["shared", "controller", "agent", "samples/brokers/udev-video-broker", "webhooks/validating/configuration"]

build/containers/Dockerfile.webhook-configuration

@@ -0,0 +1,54 @@
+ARG WEBHOOK="webhooks/validating/configuration"
+
+FROM rustlang/rust:nightly-slim as builder
+
+ARG WEBHOOK
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    libssl-dev \
+    pkg-config
+
+WORKDIR /akri
+
+# For: akri_shared::akri::configuration::KubeAkriConfig;
+COPY ./shared ./shared
+
+RUN USER=root cargo new --bin ./${WEBHOOK}
+
+# Saves repeatedly building the dependencies
+# Because the project doesn't use main, add it here, purely as a throwaway
+COPY ${WEBHOOK}/Cargo.toml ./${WEBHOOK}/Cargo.toml
+RUN echo "fn main() {}" > ./${WEBHOOK}/src/main.rs
+RUN cargo build --release --manifest-path=./${WEBHOOK}/Cargo.toml
+RUN rm ./${WEBHOOK}/src/*.rs
+RUN rm ./${WEBHOOK}/target/release/deps/webhook_configuration*
+
+COPY ${WEBHOOK}/src/main.rs ./${WEBHOOK}/src
+RUN cargo build --release --manifest-path=./${WEBHOOK}/Cargo.toml
+
+
+FROM debian:buster-slim as runtime
+
+ARG WEBHOOK
+
+LABEL org.label-schema.docker.dockerfile="./Dockerfile" \
+    org.label-schema.url="https://github.com/deislabs/akri/" \
+    org.label-schema.vcs-ref=$VCS_REF \
+    org.label-schema.vcs-url="https://github.com/deislabs/akri.git" \
+    org.label-schema.vcs-type="Git"
+
+WORKDIR /bin
+
+# Copy from builder and rename to 'server'
+COPY --from=builder /akri/${WEBHOOK}/target/release/webhook-configuration /server
+
+RUN apt update \
+    && apt install -y \
+    ca-certificates \
+    libssl-dev \
+    pkg-config \
+    && rm -rf /var/lib/apt/lists/*
+
+ENTRYPOINT ["/server"]
+CMD ["--tls-crt-file=/path/to/crt","--tls-key-file=/path/to/key","--port=8443"]

deployment/helm/templates/webhook-configuration.yaml

@@ -0,0 +1,137 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: {{ .Values.webhook-configuration.name }}
+    namespace: {{ .Release.Namespace }}
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: {{ .Values.webhook-configuration.name }}
+    namespace: {{ .Release.Namespace }}
+  rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    name: {{ .Values.webhook-configuration.name }}
+    namespace: {{ .Release.Namespace }}
+  roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: {{ .Values.webhook-configuration.name }}
+  subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.webhook-configuration.name }}
+    namespace: {{ .Release.Namespace }}
+- apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    name: {{ .Values.webhook-configuration.name }}
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        app: {{ .Values.webhook-configuration.name }}
+    template:
+      metadata:
+        labels:
+          app: {{ .Values.webhook-configuration.name }}
+      spec:
+        {{- if .Values.rbac.enabled }}
+        serviceAccountName: {{ .Values.webhook-configuration.name }}
+        {{- end }}
+        containers:
+          - name: webhook
+            {{- if .Values.useDevelopmentContainers }}
+            {{- if .Values.useLatestContainers }}
+            image: {{ printf "%s:latest-dev" .Values.webhook-configuration.image.repository | quote }}
+            {{- else }}
+            image: {{ printf "%s:%s" .Values.webhook-configuration.image.repository (default (printf "v%s-dev" .Chart.AppVersion) .Values.webhook-configuration.image.tag) | quote }}
+            {{- end }}
+            {{- else }}
+            {{- if .Values.useLatestContainers }}
+            image: {{ printf "%s:latest" .Values.webhook-configuration.image.repository | quote }}
+            {{- else }}
+            image: {{ printf "%s:%s" .Values.webhook-configuration.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.webhook-configuration.image.tag) | quote }}
+            {{- end }}
+            {{- end }}
+            imagePullPolicy: {{ .Values.webhook-configuration.image.pullPolicy }}
+            args:
+            - --tls-crt-file=/secrets/tls.crt
+            - --tls-key-file=/secrets/tls.key
+            - --port=8443
+            volumeMounts:
+            - name: secrets
+              mountPath: /secrets
+              readOnly: true
+        volumes:
+          - name: secrets
+            secret:
+              secretName: {{ .Values.webhook-configuration.name }}
+        {{- with .Values.imagePullSecrets }}
+        imagePullSecrets:
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        {{- if .Values.webhook-configuration.allowOnControlPlane }}
+        tolerations:
+          {{- /* Allow this pod to run on the master. */}}
+          - key: node-role.kubernetes.io/master
+            effect: NoSchedule
+        {{- end }}
+        {{- if or .Values.webhook-configuration.linuxOnly .Values.webhook-configuration.onlyOnControlPlane .Values.webhook-configuration.nodeSelectors }}
+        nodeSelector:
+          {{- if .Values.webhook-configuration.nodeSelectors }}
+            {{- toYaml .Values.webhook-configuration.nodeSelectors | nindent 8 }}
+          {{- end }}
+          {{- if .Values.webhook-configuration.linuxOnly }}
+          "kubernetes.io/os": linux
+          {{- end }}
+          {{- if .Values.webhook-configuration.onlyOnControlPlane }}
+          node-role.kubernetes.io/master: ""
+          {{- end }}
+        {{- end }}
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: {{ .Values.webhook-configuration.name }}
+  spec:
+    selector:
+      app: {{ .Values.webhook-configuration.name }}
+    ports:
+      - name: http
+        port: 443
+        targetPort: 8443
+- apiVersion: admissionregistration.k8s.io/v1
+  kind: ValidatingWebhookConfiguration
+  metadata:
+    name: {{ .Values.webhook-configuration.name }}
+  webhooks:
+    - name: {{ .Values.webhook-configuration.name }}.{{ .Release.Namespace }}.svc
+      clientConfig:
+        service:
+          name: {{ .Values.webhook-configuration.name }}
+          namespace: {{ .Release.Namespace }}
+          port: 443
+          path: "/validate"
+        caBundle: {{ required "please rerun helm install" .Values.webhook-configuration.caBundle }}
+      rules:
+        - operations:
+            - "CREATE"
+            - "UPDATE"
+          apiGroups:
+            - {{ .Values.crds.group }}
+          apiVersions:
+            - {{ .Values.crds.version }}
+          resources:
+            - "configurations"
+          scope: "*"
+      admissionReviewVersions:
+        - v1
+      sideEffects: None
+{{- end }}

deployment/helm/values.yaml

@@ -298,4 +298,30 @@ udev:
     # targetPort is the service targetPort of the instance service
     targetPort: 8083
     # protocol is the service protocol of the instance service
-    protocol: TCP
+    protocol: TCP
+
+# Admission Controllers (Webhooks)
+webhook-configuration:
+  # enabled defines whether to apply the Akri Admission Controller (Webhook) for Akri Configurations
+  enabled: false
+  # name of the webhook
+  name: akri-webhook-configuration
+  # base64-encoded CA certificate (PEM) used by Kubernetes to validate the Webhook's certificate
+  caBundle: null
+  image:
+    # repository is the Akri Webhook for Configurations image reference
+    repository: ghcr.io/deislabs/akri/webhook-configuration
+    tag:
+    # pullPolicy is the Akri Controller pull policy
+    pullPolicy: Always
+  # onlyOnControlPlane dictates whether the Akri Controller will only run on nodes with 
+  # the label with (key, value) of ("node-role.kubernetes.io/master", "")
+  onlyOnControlPlane: false
+  # allowOnControlPlane dictates whether a toleration will be added to allow to Akri Controller 
+  # to run on the control plane node
+  allowOnControlPlane: true
+  # linuxOnly dictates whether the Akri Controller will only run on a linux node
+  linuxOnly: true
+  # nodeSelectors is the array of nodeSelectors used to target nodes for the Akri Controller to run on
+  # This can be set from the helm command line using `--set controller.nodeSelectors.label="value"`
+  nodeSelectors: {}

webhooks/validating/configuration/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "webhook-configuration"
+version = "0.1.0"
+authors = ["DazWilkin <[email protected]>"]
+edition = "2018"
+
+[dependencies]
+actix = "0.10.0"
+actix-web = { version = "3.3.2", features = ["openssl"] }
+akri-shared = { path = "../../../shared" }
+clap = "3.0.0-beta.2"
+k8s-openapi = { version = "0.10.0", features = ["v1_18"] }
+openapi = { git = "https://github.com/DazWilkin/openapi-admission-v1" }
+openssl = "0.10"
+rustls = "0.18.0"
+serde = { version = "1.0.118", features = ["derive"] }
+serde_json = "1.0.61"

webhooks/validating/configuration/README.md

@@ -0,0 +1,70 @@
+# Akri Admission Controller (Webhook) for validating Akri Configurations
+
+This Admission Controller (Webhook) validates Akri Configuration files.
+
+The HTTP service that implements the Webhook must be configured to use TLS. The Webhook expects its TLS certificate and private key to be stored within a Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets).
+
+It is recommended to use [`cert-manager`](https://cert-manager.io) in Kubernetes. `cert-manager` makes it easy to generate TLS certificates and private keys and, because it's a Kubernetes-native app, `cert-manager` stores these in Kubernetes Secrets. You may use a self-signed (!) CA with `cert-manager` and certificates signed by this CA will work with the Webhook.
+
+If you wish to install the Webhook, before installing the Helm Chart for Akri, you will need to have PEM-encoded versions of CA certificate, Webhook certificate and private key. The Webhook handler expects a Secret, with the same name (!), containing its certificate and private key, to exist in the Namespace where it will be deployed.
+
+If you're using `cert-manager` and have an `Issuer` called `ca`, you may generate a Secret for a Webhook called `${WEBHOOK}` in Namespace `${NAMESPACE}` with the following commands:
+
+```bash
+WEBHOOK="akri-webhook-configuration" # Default name if not provided
+NAMESPACE="default"
+
+echo "
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ${WEBHOOK}
+  namespace: ${NAMESPACE}
+spec:
+  secretName: ${WEBHOOK}
+  duration: 8760h
+  renewBefore: 720h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+  dnsNames:
+  - ${WEBHOOK}.${NAMESPACE}.svc
+  - ${WEBHOOK}.${NAMESPACE}.svc.cluster.local
+  issuerRef:
+    name: ca
+    kind: Issuer
+    group: cert-manager.io
+" | kubectl apply --filename=-
+```
+
+> **NOTE** You must provide the above with a `${NAMESPACE}` even if the value is `default` so that it may construct qualified DNS for the Webhook Service.
+
+
+When Kubernetes is configured to use the Webhook, it requires the base64-encoded PEM certificate of the CA. The CA certificate may be obtained from the Webhook's certificate using:
+
+```bash
+CABUNDLE=$(\
+  kubectl get secret/${WEBHOOK} \
+  --namespace=${NAMESPACE} \
+  --output=jsonpath="{.data.ca\.crt}") && echo ${CABUNDLE}
+```
+
+Now you may proceed to install the Helm Chart for Akri, enabling the Webhook and providing the `CABUNDLE`:
+
+```bash
+WEBHOOK=...
+NAMESPACE=...
+CABUNDLE=...
+
+helm install webhook akri-helm-charts/akri-dev \
+--namespace=${DEFAULT} \
+--set=webhook.enabled=true \
+--set=webhook.name=${WEBHOOK} \
+--set=webhook.caBundle=${CABUNDLE} \
+--set=webhook.image.repository=ghcr.io/deislabs/akri/webhook-configuration \
+--set=webhook.image.tag=v1
+```