[Feature] Webhooks

.golangci.yaml

@@ -129,6 +129,8 @@ linters-settings:
         pkg: k8s.io/api/batch/v1
       - alias: core
         pkg: k8s.io/api/core/v1
+      - alias: admission
+        pkg: k8s.io/api/admission/v1
       - alias: policy
         pkg: k8s.io/api/policy/v1
       - alias: storage

CHANGELOG.md

@@ -33,6 +33,7 @@
 - (Feature) (Scheduler) Shutdown Integration
 - (Feature) CertManager Integration
 - (Feature) (Networking) Gateway Options sync
+- (Feature) Webhooks
 
 ## [1.2.43](https://github.com/arangodb/kube-arangodb/tree/1.2.43) (2024-10-14)
 - (Feature) ArangoRoute CRD

README.md

@@ -195,7 +195,7 @@ Flags:
       --kubernetes.max-batch-size int                          Size of batch during objects read (default 256)
       --kubernetes.qps float32                                 Number of queries per second for k8s API (default 15)
       --log.format string                                      Set log format. Allowed values: 'pretty', 'JSON'. If empty, default format is used (default "pretty")
-      --log.level stringArray                                  Set log levels in format <level> or <logger>=<level>. Possible loggers: action, agency, api-server, assertion, backup-operator, chaos-monkey, crd, deployment, deployment-ci, deployment-reconcile, deployment-replication, deployment-resilience, deployment-resources, deployment-storage, deployment-storage-pc, deployment-storage-service, generic-parent-operator, helm, http, inspector, integration-config-v1, integration-envoy-auth-v3, integration-scheduler-v2, integration-storage-v2, integrations, k8s-client, kubernetes-informer, monitor, networking-route-operator, operator, operator-arangojob-handler, operator-v2, operator-v2-event, operator-v2-worker, panics, platform-chart-operator, platform-pod-shutdown, platform-storage-operator, pod_compare, root, root-event-recorder, scheduler-batchjob-operator, scheduler-cronjob-operator, scheduler-deployment-operator, scheduler-pod-operator, scheduler-profile-operator, server, server-authentication (default [info])
+      --log.level stringArray                                  Set log levels in format <level> or <logger>=<level>. Possible loggers: action, agency, api-server, assertion, backup-operator, chaos-monkey, crd, deployment, deployment-ci, deployment-reconcile, deployment-replication, deployment-resilience, deployment-resources, deployment-storage, deployment-storage-pc, deployment-storage-service, generic-parent-operator, helm, http, inspector, integration-config-v1, integration-envoy-auth-v3, integration-scheduler-v2, integration-storage-v2, integrations, k8s-client, kubernetes-informer, monitor, networking-route-operator, operator, operator-arangojob-handler, operator-v2, operator-v2-event, operator-v2-worker, panics, platform-chart-operator, platform-pod-shutdown, platform-storage-operator, pod_compare, root, root-event-recorder, scheduler-batchjob-operator, scheduler-cronjob-operator, scheduler-deployment-operator, scheduler-pod-operator, scheduler-profile-operator, server, server-authentication, webhook (default [info])
       --log.sampling                                           If true, operator will try to minimize duplication of logging events (default true)
       --memory-limit uint                                      Define memory limit for hard shutdown and the dump of goroutines. Used for testing
       --metrics.excluded-prefixes stringArray                  List of the excluded metrics prefixes

chart/kube-arangodb-arm64/templates/deployment.yaml

@@ -191,6 +191,67 @@ spec:
                           scheme: HTTPS
                       initialDelaySeconds: 5
                       periodSeconds: 10
+{{- end }}
+{{ if .Values.webhooks.enabled }}
+                - name: webhooks
+                  imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
+                  image: {{ .Values.operator.image }}
+                  args:
+                    - webhook
+{{- if .Values.certificate.enabled }}
+                    - --ssl.secret.name={{ template "kube-arangodb.operatorName" . }}-webhook-cert
+                    - --ssl.secret.namespace={{ .Release.Namespace }}
+{{- end -}}
+{{- if .Values.webhooks.args }}
+{{- range .Values.webhooks.args }}
+                    - {{ . | quote }}
+{{- end }}
+{{- end }}
+                  env:
+                      - name: MY_POD_NAMESPACE
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: metadata.namespace
+                      - name: MY_POD_NAME
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: metadata.name
+                      - name: MY_CONTAINER_NAME
+                        value: "webhooks"
+                      - name: MY_POD_IP
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: status.podIP
+                  ports:
+                      - name: webhooks
+                        containerPort: 8828
+                  securityContext:
+                      privileged: false
+                      allowPrivilegeEscalation: false
+                      readOnlyRootFilesystem: true
+                      capabilities:
+                          drop:
+                              - 'ALL'
+{{- if .Values.webhooks.resources }}
+                  resources:
+{{ toYaml .Values.webhooks.resources | indent 22 }}
+{{- end }}
+{{- if not .Values.webhooks.debug }}
+                  livenessProbe:
+                      httpGet:
+                          path: /health
+                          port: 8828
+                          scheme: HTTPS
+                      initialDelaySeconds: 5
+                      periodSeconds: 10
+                  readinessProbe:
+                      httpGet:
+                          path: /ready
+                          port: 8828
+                          scheme: HTTPS
+                      initialDelaySeconds: 5
+                      periodSeconds: 10
+{{- end }}
 {{- end }}
             tolerations:
                 - key: "node.kubernetes.io/unreachable"

chart/kube-arangodb-arm64/templates/service-webhooks.yaml

@@ -0,0 +1,31 @@
+{{ if .Values.webhooks.enabled }}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-webhook
+  namespace: {{ .Release.Namespace }}
+{{- if .Values.operator.annotations }}
+  annotations:
+{{ toYaml .Values.operator.annotations | indent 8 }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  ports:
+    - name: webhooks
+      port: 443
+      protocol: TCP
+      targetPort: webhooks
+  selector:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+  type: ClusterIP
+
+{{- end }}

chart/kube-arangodb-arm64/templates/webhook/certificate.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-webhook-cert
+  duration: {{ .Values.certificate.cert.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}
+  dnsNames:
+    - {{ template "kube-arangodb.operatorName" . }}-webhook
+    - {{ template "kube-arangodb.operatorName" . }}-webhook.{{ .Release.Namespace }}
+    - {{ template "kube-arangodb.operatorName" . }}-webhook.{{ .Release.Namespace }}.svc
+
+{{- end }}

chart/kube-arangodb-arm64/templates/webhook/mutation.yaml

@@ -0,0 +1,42 @@
+{{ if .Values.webhooks.enabled }}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: "{{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}.operator.arangodb.com"
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kube-arangodb.operatorName" . }}-ca"
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+webhooks:
+  - name: "pods.policies.scheduler.arangodb.com"
+    namespaceSelector:
+      matchExpressions:
+        - key: kubernetes.io/metadata.name
+          operator: In
+          values:
+            - {{ .Release.Namespace }}
+    objectSelector:
+      matchExpressions:
+        - key: profiles.arangodb.com/deployment
+          operator: Exists
+    rules:
+      - apiGroups:   [""]
+        apiVersions: ["v1"]
+        operations:  ["CREATE"]
+        resources:   ["pods"]
+        scope:       "Namespaced"
+    clientConfig:
+      service:
+        namespace: {{ .Release.Namespace }}
+        name: {{ template "kube-arangodb.operatorName" . }}-webhook
+        path: /webhook/core/v1/pods/policies/mutate
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 5
+
+{{- end }}

chart/kube-arangodb-arm64/templates/webhook/validation.yaml

@@ -0,0 +1,17 @@
+{{ if .Values.webhooks.enabled }}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "{{ template "kube-arangodb.operatorName" . }}.{{ .Release.Namespace }}.operator.arangodb.com"
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "kube-arangodb.operatorName" . }}-ca"
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+webhooks: []
+
+{{- end }}

chart/kube-arangodb-arm64/values.yaml

@@ -44,6 +44,16 @@ rbac:
     acs: true
     at: true
     debug: false
+webhooks:
+  enabled: false
+  args: []
+  resources:
+    limits:
+      cpu: 1
+      memory: 128Mi
+    requests:
+      cpu: 250m
+      memory: 128Mi
 certificate:
   enabled: false
   ca:

chart/kube-arangodb-enterprise-arm64/templates/deployment.yaml

@@ -191,6 +191,67 @@ spec:
                           scheme: HTTPS
                       initialDelaySeconds: 5
                       periodSeconds: 10
+{{- end }}
+{{ if .Values.webhooks.enabled }}
+                - name: webhooks
+                  imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
+                  image: {{ .Values.operator.image }}
+                  args:
+                    - webhook
+{{- if .Values.certificate.enabled }}
+                    - --ssl.secret.name={{ template "kube-arangodb.operatorName" . }}-webhook-cert
+                    - --ssl.secret.namespace={{ .Release.Namespace }}
+{{- end -}}
+{{- if .Values.webhooks.args }}
+{{- range .Values.webhooks.args }}
+                    - {{ . | quote }}
+{{- end }}
+{{- end }}
+                  env:
+                      - name: MY_POD_NAMESPACE
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: metadata.namespace
+                      - name: MY_POD_NAME
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: metadata.name
+                      - name: MY_CONTAINER_NAME
+                        value: "webhooks"
+                      - name: MY_POD_IP
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: status.podIP
+                  ports:
+                      - name: webhooks
+                        containerPort: 8828
+                  securityContext:
+                      privileged: false
+                      allowPrivilegeEscalation: false
+                      readOnlyRootFilesystem: true
+                      capabilities:
+                          drop:
+                              - 'ALL'
+{{- if .Values.webhooks.resources }}
+                  resources:
+{{ toYaml .Values.webhooks.resources | indent 22 }}
+{{- end }}
+{{- if not .Values.webhooks.debug }}
+                  livenessProbe:
+                      httpGet:
+                          path: /health
+                          port: 8828
+                          scheme: HTTPS
+                      initialDelaySeconds: 5
+                      periodSeconds: 10
+                  readinessProbe:
+                      httpGet:
+                          path: /ready
+                          port: 8828
+                          scheme: HTTPS
+                      initialDelaySeconds: 5
+                      periodSeconds: 10
+{{- end }}
 {{- end }}
             tolerations:
                 - key: "node.kubernetes.io/unreachable"

chart/kube-arangodb-enterprise-arm64/templates/service-webhooks.yaml

@@ -0,0 +1,31 @@
+{{ if .Values.webhooks.enabled }}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-webhook
+  namespace: {{ .Release.Namespace }}
+{{- if .Values.operator.annotations }}
+  annotations:
+{{ toYaml .Values.operator.annotations | indent 8 }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  ports:
+    - name: webhooks
+      port: 443
+      protocol: TCP
+      targetPort: webhooks
+  selector:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+  type: ClusterIP
+
+{{- end }}

chart/kube-arangodb-enterprise-arm64/templates/webhook/certificate.yaml

@@ -0,0 +1,24 @@
+{{ if .Values.certificate.enabled -}}
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kube-arangodb.operatorName" . }}-webhook
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "kube-arangodb.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    release: {{ .Release.Name }}
+spec:
+  secretName: {{ template "kube-arangodb.operatorName" . }}-webhook-cert
+  duration: {{ .Values.certificate.cert.duration }}
+  issuerRef:
+    name: {{ template "kube-arangodb.operatorName" . }}
+  dnsNames:
+    - {{ template "kube-arangodb.operatorName" . }}-webhook
+    - {{ template "kube-arangodb.operatorName" . }}-webhook.{{ .Release.Namespace }}
+    - {{ template "kube-arangodb.operatorName" . }}-webhook.{{ .Release.Namespace }}.svc
+
+{{- end }}