DSC, DSCI: add validating webhook (#711) #322
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: controller-manager | ||
namespace: system | ||
spec: | ||
template: | ||
spec: | ||
containers: | ||
- name: manager | ||
ports: | ||
- containerPort: 9443 | ||
name: webhook-server | ||
protocol: TCP | ||
volumeMounts: | ||
- mountPath: /tmp/k8s-webhook-server/serving-certs | ||
name: cert | ||
readOnly: true | ||
volumes: | ||
- name: cert | ||
secret: | ||
defaultMode: 420 | ||
secretName: redhat-ods-operator-controller-webhook-cert |
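Review bot: `defaultMode: 420` on the `cert` volume is octal 0644, so the webhook's TLS private key from `redhat-ods-operator-controller-webhook-cert` is readable by every user inside the container. Consider `defaultMode: 256` (0400), or 288 (0440) if the manager reads the files through an `fsGroup`, and confirm the manager's UID can still read `/tmp/k8s-webhook-server/serving-certs`. The volume is also not marked `optional`, so the pod will not start until that secret exists.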
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,5 +22,8 @@ spec: | |
- namespaceSelector: | ||
matchLabels: | ||
opendatahub.io/generated-namespace: "true" | ||
- namespaceSelector: | ||
try to understand why we would need this one.

As soon as the network policy is deployed, communication is blocked. I remember such discussions on Architecture Forum or something like that. @adelton But correct me if I'm wrong.

hum, so any downstream offering (self and managed) will have this problem because operator webhook will try to talk to host network? (is that a lot)?

invite @lburgazzoli to the party

It's about api-server to talk to webhook

so the kube-api is in the host-network, and sending admission back to webhook 🤔

yep |
||
matchLabels: | ||
policy-group.network.openshift.io/host-network: "" | ||
policyTypes: | ||
- Ingress | ||
- Ingress |
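Review bot: the added `namespaceSelector` on `policy-group.network.openshift.io/host-network: ""` has no comment saying why host-network sources are allowed, and the thread on this line shows reviewers had to work out that it is for the API server reaching the webhook. Add a YAML comment above the entry to that effect. No `ports:` restriction is visible in this hunk; if the rule has none, this entry admits host-network sources to every port of the selected pods, so consider limiting it to TCP 9443, the `webhook-server` port.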
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
resources: | ||
- manifests.yaml | ||
- service.yaml | ||
|
||
commonAnnotations: | ||
service.beta.openshift.io/inject-cabundle: "true" | ||
|
||
configurations: | ||
- kustomizeconfig.yaml |
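Review bot: `commonAnnotations` stamps `service.beta.openshift.io/inject-cabundle: "true"` on every resource this kustomization emits, so the Service from `service.yaml` receives it as well as the webhook configuration from `manifests.yaml`. Only the webhook configuration needs a CA bundle; applying the annotation through a patch that targets `ValidatingWebhookConfiguration` keeps the Service's annotations limited to the serving-cert request and makes the intent clearer.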
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
# the following config is for teaching kustomize where to look at when substituting vars. | ||
# It requires kustomize v2.1.0 or newer to work properly. | ||
nameReference: | ||
- kind: Service | ||
version: v1 | ||
fieldSpecs: | ||
- kind: MutatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/name | ||
- kind: ValidatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/name | ||
|
||
namespace: | ||
- kind: MutatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/namespace | ||
create: true | ||
- kind: ValidatingWebhookConfiguration | ||
group: admissionregistration.k8s.io | ||
path: webhooks/clientConfig/service/namespace | ||
create: true | ||
|
||
varReference: | ||
- path: metadata/annotations |
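Review bot: the `varReference` entry on `metadata/annotations` and the header comment about substituting vars look like leftover scaffold, since the kustomization in this PR declares no `vars` and sets its annotation through `commonAnnotations`. If no parent kustomization relies on it, drop the entry and reword the comment to say this file only wires the Service name and namespace into the webhook `clientConfig`. The `MutatingWebhookConfiguration` entries are likewise unused by this change, which adds only a validating webhook.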
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
--- | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: ValidatingWebhookConfiguration | ||
metadata: | ||
creationTimestamp: null | ||
name: validating-webhook-configuration | ||
webhooks: | ||
- admissionReviewVersions: | ||
- v1 | ||
clientConfig: | ||
service: | ||
name: webhook-service | ||
namespace: system | ||
path: /validate-opendatahub-io-v1 | ||
failurePolicy: Fail | ||
name: operator.opendatahub.io | ||
rules: | ||
- apiGroups: | ||
- datasciencecluster.opendatahub.io | ||
- dscinitialization.opendatahub.io | ||
apiVersions: | ||
- v1 | ||
operations: | ||
- CREATE | ||
- UPDATE | ||
resources: | ||
- datascienceclusters | ||
- dscinitializations | ||
sideEffects: None |
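Review bot: with `failurePolicy: Fail` and no `timeoutSeconds`, every CREATE and UPDATE of `datascienceclusters` and `dscinitializations` is rejected whenever the API server cannot reach `webhook-service` (operator pod not running, serving certificate not yet issued, network policy in the way). Failing closed is the right choice for validation, but set an explicit `timeoutSeconds` and make sure the operator's own startup never has to create or update these resources before its webhook server is ready. `operations` lists only CREATE and UPDATE, so deletions are not validated; state in the description whether that is intended.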
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
|
||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: service | ||
app.kubernetes.io/instance: webhook-service | ||
app.kubernetes.io/component: webhook | ||
app.kubernetes.io/created-by: rhods-operator | ||
app.kubernetes.io/part-of: rhods-operator | ||
app.kubernetes.io/managed-by: kustomize | ||
name: webhook-service | ||
namespace: system | ||
annotations: | ||
service.beta.openshift.io/serving-cert-secret-name: redhat-ods-operator-controller-webhook-cert | ||
spec: | ||
ports: | ||
- port: 443 | ||
protocol: TCP | ||
targetPort: 9443 | ||
selector: | ||
control-plane: controller-manager |
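Review bot: the `selector` matches on `control-plane: controller-manager` alone, so any pod in the namespace carrying that label becomes an endpoint for admission traffic sent to port 443. Add a second, operator-specific label to the selector and the pod template if one is available. The secret name in `service.beta.openshift.io/serving-cert-secret-name` is also repeated as a literal `secretName` in the Deployment patch; a comment in both places noting that they must match would prevent a silent mismatch.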
is this DELETE or UPDATE?

The patch does not contain the latest updates. Since it will work, they can come after so as not to mess up the squashing.