Merge pull request #31 from damsien/main

syngit-org · Dec 9, 2024 · 7f756db · 7f756db
2 parents b4a6477 + 60335e1
commit 7f756db
Show file tree

Hide file tree

Showing 26 changed files with 668 additions and 210 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -82,4 +82,6 @@ jobs:
         sudo apt-get install -y make
 
     - name: Run tests
-      run: make test-e2e
+      run: |
+        make kustomize
+        make test-e2e
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,7 @@ RUN go mod download
 # Copy the go source
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
-COPY internal/controller/ internal/controller/
+COPY internal/ internal/
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

diff --git a/Makefile b/Makefile
@@ -128,7 +128,7 @@ build: manifests generate fmt vet ## Build manager binary.
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
-	export MANAGER_NAMESPACE=operator-system DYNAMIC_WEBHOOK_NAME=remotesyncer.syngit.io DEV=true && go run ./cmd/main.go
+	export MANAGER_NAMESPACE=operator-system DYNAMIC_WEBHOOK_NAME=remotesyncer.syngit.io DEV=true && go run cmd/main.go
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.
@@ -221,6 +221,7 @@ kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
 $(KUSTOMIZE): $(LOCALBIN)
 	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION))
 
+
 .PHONY: controller-gen
 controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary.
 $(CONTROLLER_GEN): $(LOCALBIN)

diff --git a/PROJECT b/PROJECT
@@ -179,6 +179,7 @@ resources:
   version: v1beta2
   webhooks:
     conversion: true
+    validation: true
     webhookVersion: v1
 - api:
     crdVersion: v1
@@ -201,5 +202,6 @@ resources:
   version: v1beta2
   webhooks:
     conversion: true
+    validation: true
     webhookVersion: v1
 version: "3"
diff --git a/api/v1beta2/remotesyncer_webhook_test.go b/api/v1beta2/remotesyncer_webhook_test.go
diff --git a/api/v1beta2/remoteuser_webhook.go b/api/v1beta2/remoteuser_webhook.go
diff --git a/api/v1beta2/remoteuser_webhook_test.go b/api/v1beta2/remoteuser_webhook_test.go
diff --git a/api/v1beta2/remoteuserbinding_webhook_test.go b/api/v1beta2/remoteuserbinding_webhook_test.go
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/cmd/main.go b/cmd/main.go
@@ -42,6 +42,7 @@ import (
 	syngitv1beta1 "syngit.io/syngit/api/v1beta1"
 	syngitv1beta2 "syngit.io/syngit/api/v1beta2"
 	"syngit.io/syngit/internal/controller"
+	webhooksyngitv1beta2 "syngit.io/syngit/internal/webhook/v1beta2"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -141,10 +142,6 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "RemoteUser")
 		os.Exit(1)
 	}
-	mgr.GetWebhookServer().Register("/syngit-v1beta2-remoteuser-association", &webhook.Admission{Handler: &controller.RemoteUserWebhookHandler{
-		Client:  mgr.GetClient(),
-		Decoder: admission.NewDecoder(mgr.GetScheme()),
-	}})
 
 	if err = (&controller.RemoteUserBindingReconciler{
 		Client:   mgr.GetClient(),
@@ -163,20 +160,26 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "RemoteSyncer")
 		os.Exit(1)
 	}
+	// nolint:goconst
 	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err = (&syngitv1beta2.RemoteUser{}).SetupWebhookWithManager(mgr); err != nil {
+		if err = webhooksyngitv1beta2.SetupRemoteUserWebhookWithManager(mgr); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "RemoteUser")
 			os.Exit(1)
 		}
-		if err = (&syngitv1beta2.RemoteUserBinding{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "RemoteUserBinding")
+		if err = webhooksyngitv1beta2.SetupRemoteSyncerWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "RemoteSyncer")
 			os.Exit(1)
 		}
-		if err = (&syngitv1beta2.RemoteSyncer{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "RemoteSyncer")
+		if err = webhooksyngitv1beta2.SetupRemoteUserBindingWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create webhook", "webhook", "RemoteUserBinding")
 			os.Exit(1)
 		}
 	}
+	mgr.GetWebhookServer().Register("/syngit-v1beta2-remoteuser-association", &webhook.Admission{Handler: &webhooksyngitv1beta2.RemoteUserWebhookHandler{
+		Client:  mgr.GetClient(),
+		Decoder: admission.NewDecoder(mgr.GetScheme()),
+	}})
+
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -17,9 +17,9 @@ patches:
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-# - path: patches/cainjection_in_remoteusers.yaml
-# - path: patches/cainjection_in_remoteuserbindings.yaml
-# - path: patches/cainjection_in_remotesyncers.yaml
+#- path: patches/cainjection_in_remoteusers.yaml
+#- path: patches/cainjection_in_remotesyncers.yaml
+#- path: patches/cainjection_in_remoteuserbindings.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [WEBHOOK] To enable webhook, uncomment the following section

diff --git a/config/network-policy/allow-metrics-traffic.yaml b/config/network-policy/allow-metrics-traffic.yaml
@@ -0,0 +1,26 @@
+# This NetworkPolicy allows ingress traffic
+# with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those
+# namespaces are able to gathering data from the metrics endpoint.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: output-dir
+    app.kubernetes.io/managed-by: kustomize
+  name: allow-metrics-traffic
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Ingress
+  ingress:
+    # This allows ingress traffic from any namespace with the label metrics: enabled
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            metrics: enabled  # Only from namespaces with this label
+      ports:
+        - port: 8443
+          protocol: TCP
diff --git a/config/network-policy/allow-webhook-traffic copy.yaml b/config/network-policy/allow-webhook-traffic copy.yaml
@@ -0,0 +1,26 @@
+# This NetworkPolicy allows ingress traffic to your webhook server running
+# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks
+# will only work when applied in namespaces labeled with 'webhook: enabled'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: output-dir
+    app.kubernetes.io/managed-by: kustomize
+  name: allow-webhook-traffic
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Ingress
+  ingress:
+    # This allows ingress traffic from any namespace with the label webhook: enabled
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            webhook: enabled # Only from namespaces with this label
+      ports:
+        - port: 443
+          protocol: TCP
diff --git a/config/network-policy/allow-webhook-traffic.yaml b/config/network-policy/allow-webhook-traffic.yaml
@@ -0,0 +1,26 @@
+# This NetworkPolicy allows ingress traffic to your webhook server running
+# as part of the controller-manager from specific namespaces and pods. CR(s) which uses webhooks
+# will only work when applied in namespaces labeled with 'webhook: enabled'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  labels:
+    app.kubernetes.io/name: syngit
+    app.kubernetes.io/managed-by: kustomize
+  name: allow-webhook-traffic
+  namespace: system
+spec:
+  podSelector:
+    matchLabels:
+      control-plane: controller-manager
+  policyTypes:
+    - Ingress
+  ingress:
+    # This allows ingress traffic from any namespace with the label webhook: enabled
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            webhook: enabled # Only from namespaces with this label
+      ports:
+        - port: 443
+          protocol: TCP
diff --git a/config/network-policy/kustomization.yaml b/config/network-policy/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+- allow-webhook-traffic.yaml
+- allow-metrics-traffic.yaml
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -12,7 +12,7 @@ webhooks:
       namespace: system
       path: /validate-syngit-syngit-io-v1beta2-remotesyncer
   failurePolicy: Fail
-  name: vremotesyncer.v1beta2.syngit.io
+  name: vremotesyncer-v1beta2.kb.io
   rules:
   - apiGroups:
     - syngit.syngit.io
@@ -32,7 +32,7 @@ webhooks:
       namespace: system
       path: /validate-syngit-syngit-io-v1beta2-remoteuser
   failurePolicy: Fail
-  name: vremoteuser.v1beta2.syngit.io
+  name: vremoteuser-v1beta2.kb.io
   rules:
   - apiGroups:
     - syngit.syngit.io