Feature: webhook automation (#6)

* feat: deployment webhook automation

Co-authored-by: Luca Terracciano <[email protected]>

.gitignore

@@ -21,3 +21,6 @@ pkg/*/system-controller
 pkg/*/edge-scheduler
 
 .idea/
+pkg/function-deployment-webhook/deploy/server-key.pem
+pkg/function-deployment-webhook/deploy/server-cert.pem
+pkg/function-deployment-webhook/deploy/admission-registration-subst.yaml

config/cluster-conf/kind.conf

@@ -10,3 +10,8 @@ nodes:
 - role: worker
 - role: worker
 - role: worker
+- role: worker
+- role: worker
+- role: worker
+- role: worker
+- role: worker

config/deploy/allocation-algorithm.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
       - name: allocation-algorithm
-        image: systemautoscaler/allocation-algorithm-rest:0.0.1
+        image: systemautoscaler/allocation-algorithm-rest:dev
         imagePullPolicy: Always
         ports:
         - containerPort: 5000

config/deploy/system-controller.yaml

@@ -19,7 +19,7 @@ spec:
       serviceAccountName: system-controller
       containers:
       - name: system-controller
-        image: systemautoscaler/system-controller:0.0.2
+        image: systemautoscaler/system-controller:dev
         imagePullPolicy: Always
         ports:
         - containerPort: 443

config/permissions/community-controller.yaml

@@ -32,7 +32,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: community-controller
-  namespace: openfaas-fn
+  namespace: kube-system
   apiGroup: ""
 roleRef:
   kind: ClusterRole

example/figlet.yaml

@@ -0,0 +1,22 @@
+apiVersion: openfaas.com/v1
+kind: Function
+metadata:
+  creationTimestamp: "2021-07-19T21:22:34Z"
+  generation: 1
+  name: figlet
+  namespace: openfaas-fn
+  resourceVersion: "1689214"
+  selfLink: /apis/openfaas.com/v1/namespaces/openfaas-fn/functions/figlet
+  uid: 21b5f4f5-3315-40d6-a900-25b11bca95bb
+spec:
+  image: ghcr.io/openfaas/figlet:latest
+  labels:
+    com.openfaas.scale.factor: "20"
+    com.openfaas.scale.max: "100"
+    com.openfaas.scale.min: "1"
+    com.openfaas.scale.zero: "false"
+    edgeautoscaler.polimi.it/scheduler: edge-autoscaler
+  name: figlet
+  readOnlyRootFilesystem: false
+  requests:
+    memory: 1M

pkg/function-deployment-webhook/Dockerfile

@@ -3,7 +3,7 @@ FROM gcr.io/distroless/static:nonroot
 LABEL name="Function Deployment Webhook"
 
 COPY function-deployment-webhook /usr/local/bin/
-COPY server-cert.pem .
-COPY server-key.pem .
+COPY ./deploy/server-cert.pem .
+COPY ./deploy/server-key.pem .
 
 CMD ["function-deployment-webhook"]

pkg/function-deployment-webhook/deploy/admission-registration.yaml

@@ -1,9 +1,9 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: "openfaas-fn.function-deployment-custom-scheduler.svc"
+  name: "kube-system.function-deployment-custom-scheduler.svc"
 webhooks:
-  - name: "openfaas-fn.function-deployment-custom-scheduler.svc"
+  - name: "kube-system.function-deployment-custom-scheduler.svc"
     rules:
       - apiGroups:   ["*"]
         apiVersions: ["*"]
@@ -12,11 +12,11 @@ webhooks:
         scope:       "Namespaced"
     clientConfig:
       service:
-        namespace: openfaas-fn
+        namespace: kube-system
         name: function-deployment-custom-scheduler
         path: /mutate
         port: 8443
-      caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EWXhNREUwTlRZMU4xb1hEVE14TURZd09ERTBOVFkxTjFvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBSzZuClRTNXdiWFhQM0tiMjVCMnNTUjhvY2IzV0ZqTXdEbXQ0bkNVOHlFZ3R6V05zaWd4d0c2NjF3UjdJYktUQXdyTEEKRHJOOEwyZHZSRlRXbVExMThFZk1FMXB6N2h1Uk5FbUUzclFiaDZTc3RFSlBvVjkxdGJ3ZGNtd2pHTC9xOWlYdAp3Y2ZYN1QxWGVMVG9Ea0ZMZTZwbjRLb05vbFZZRW16WFJ3UFM1VjZLTW9zU0VaaDhaOFQzUFhYOG43WHo1cmJvCi9nWkE4Y1lpOXdVbzRWT0hQL0RCMWxmL3FmeCttaUN0RTd2djRVRmozaE5NOFhqV1N5K3hmK0JKaTRIa0M2QXMKODJmLzFObGRUbWVkUVJRZTdUZVM4MzkzNHNKWEsvbkxIa0JZVFJ6Q0xKZ21jajJCdkNRZm42Ty9Uek9FbUtpUwovZTd6c09EcUpPZkVpSmhYb21FQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFGSTByNWRSK2RkN0pFU3lJRFl0Ry9YRFV4VUsKRmtYSVBYK3BJTm9heDhiR1Znd255SjRGaHloclpBWG12b0F3dTVjcUM0bFVvWkJLbUtiUUZuRTZVU3ZwSW9HeAphZVdmOGx1bEFsSkhoUlFOK3lzR09ISG1rSXRrSTQ5cERicnIwRU9zNkV4WEpvRjZWYzV6RFNxcVc5UkJrbmQyCkYwNG95eVRZY0lwMmw4d2MzS1hLem1IdlUzSU9RMkZoRlZ3dUo5QVFONnVEZGdISVhUQi9BSmI1LzR3REtZcU4KZStINjREdmpJUW9DcGJKU0FOcGhVL09idUg2eFJKNVVOTFlNaFpmaS80R0tCbFlPczVjQVJZVXhnaUJyWUhGUQpZdXMxNWovMHZjclFhaXBJYm90ZzV2Ri9IWTdhSE5haGs2S29GRmNMSTBrdkd1R0NDVk5pMm9MWWJERT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+      caBundle: ${CA_BUNDLE}
     admissionReviewVersions: ["v1", "v1beta1"]
-    sideEffects: Some
+    sideEffects: NoneOnDryRun
     timeoutSeconds: 5

pkg/function-deployment-webhook/deploy/deployment.yaml

@@ -1,7 +1,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  namespace: openfaas-fn
+  namespace: kube-system
   name: function-deployment-custom-scheduler
 spec:
   selector:

pkg/function-deployment-webhook/deploy/gen-certificates.sh

@@ -125,6 +125,16 @@ kubectl create secret generic ${secret} \
         --dry-run -o yaml |
     kubectl -n ${namespace} apply -f -
 
+
+mv ${tmpdir}/server-key.pem $(dirname "$0")
+mv ${tmpdir}/server-cert.pem $(dirname "$0")
+
+
+chmod 777 $(dirname "$0")/server-key.pem
+chmod 777 $(dirname "$0")/server-cert.pem
+
+
+
 # run this file with
 # the certificates are in a tmp directory
 #./gen-certificates.sh --namespace openfaas-fn --service function-deployment-custom-scheduler --secret function-deployment-custom-scheduler

pkg/function-deployment-webhook/deploy/instructions.sh

@@ -0,0 +1,33 @@
+BASEDIR=$(dirname "$0")
+
+# create cluster
+# kind create cluster --config ./config/cluster-conf/kind.conf --image systemautoscaler/kindest-node:latest
+
+# openfaas
+# kubectl create ns openfaas
+# kubectl create ns openfaas-fn
+# helm install openfaas-kind openfaas/openfaas  --namespace openfaas --set basic_auth=false --set functionNamespace=openfaas-fn --set operator.create=true
+
+# otherwise install with arkade
+# arkade install openfaas --operator
+
+# crd
+# make manifests
+# kubectl apply -f ./config/crd/bases
+
+# generate admission webhook certificates and secret in tmpdir
+chmod +x $BASEDIR/gen-certificates.sh
+$BASEDIR/gen-certificates.sh --namespace kube-system --service function-deployment-custom-scheduler --secret function-deployment-custom-scheduler
+
+# patch new mutitating webhook
+chmod +x  $BASEDIR/patch-manifests.sh
+$BASEDIR/patch-manifests.sh
+
+# build docker image again
+cd  $BASEDIR/..
+make dev
+
+# apply manifests
+kubectl apply -f  $BASEDIR/deployment.yaml
+kubectl apply -f  $BASEDIR/service.yaml
+kubectl apply -f  $BASEDIR/admission-registration-subst.yaml

pkg/function-deployment-webhook/deploy/patch-manifests.yaml → pkg/function-deployment-webhook/deploy/patch-manifests.sh

@@ -8,8 +8,9 @@ set -o pipefail
 
 export CA_BUNDLE=$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')
 
-if command -v envsubst >/dev/null 2>&1; then
-envsubst
+#if command -v envsubst >/dev/null 2>&1; then
+if command -v envsubst; then
+envsubst < $(dirname $0)/admission-registration.yaml > $(dirname $0)/admission-registration-subst.yaml
 else
 sed -e "s|\${CA_BUNDLE}|${CA_BUNDLE}|g"
 fi

pkg/function-deployment-webhook/deploy/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  namespace: openfaas-fn
+  namespace: kube-system
   name: function-deployment-custom-scheduler
   labels:
     app: function-deployment-custom-scheduler

pkg/system-controller/pkg/controller/sync.go

@@ -374,7 +374,7 @@ func NewCommunityController(namespace, name string) *appsv1.Deployment {
 	return &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: namespace,
+			Namespace: "kube-system",
 			Labels: map[string]string{
 				ealabels.CommunityControllerDeploymentLabel: "",
 			},