What's in this PR?
Implemented a self-signed certificate generation method for webhooks.
Implemented a validating admission webhook for cluster CR validations.
Also implemented a validation for ensuring unique local cluster CRs based on cluster type (local) and cluster ID (unique).
By default the cluster CR validator webhook is turned on through Helm chart values. Let me know if it should be turned off by default.
Why?
To disallow creating cluster CRs with cluster ID already belonging to an existing local typed cluster CR.
This is an improvement for multi-cluster SDM setups.
Additional context
I based most of the implementation on the banzaicloud/istio-operator#525 PR.
Tested manually with the following scenarios:
Allowed updating local cluster CR with identical cluster ID and name compared to existing local cluster CR.
# Updating existing local cluster CR with identical cluster ID and name is successful.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-1
spec:
  authInfo:
    secretRef:
      name: pregnor-1
      namespace: cluster-registry
  clusterID: 80feb07e-3c69-4b98-a576-f62d5df65566
  kubernetesApiEndpoints:
    - serverAddress: https://3.72.141.112:6443
Rejected creating local cluster CR with identical cluster ID and different name compared to existing local cluster CR.
# Creating local cluster CR with identical cluster ID and different name than existing local cluster CR is rejected.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-1-2
spec:
  authInfo:
    secretRef:
      name: pregnor-1-2
      namespace: cluster-registry
  clusterID: 80feb07e-3c69-4b98-a576-f62d5df65566
  kubernetesApiEndpoints:
    - serverAddress: https://3.72.141.112:6443
Error from server: error when creating "test_3_failure.yaml": admission webhook "cluster-validator.clusterregistry.k8s.cisco.com" denied the request: validating unique local cluster CR failed: a local cluster CR with name pregnor-1 already exists with the same clusterID 80feb07e-3c69-4b98-a576-f62d5df65566
Allowed creating peer cluster CR with different cluster ID and name compared to existing local cluster CR.
# Creating peer cluster CR with different cluster ID and name compared to existing local cluster CR is successful.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-2
spec:
  authInfo:
    secretRef:
      name: pregnor-2
      namespace: cluster-registry
  clusterID: 7aa85423-31c6-4029-98fc-7fff3e440693
  kubernetesApiEndpoints:
    - serverAddress: https://3.70.12.109:6443
Replaced the ValidatingWebhookConfiguration with a similar MutatingWebhookConfiguration to see if the webhook certifier works with mutating webhooks as well.
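The uniqueness rule the three scenarios above exercise, written out as an added illustration that is not code from this PR or from the cluster-registry project. It assumes a hypothetical Cluster struct with an explicit Type field standing in for the real clusterregistry.k8s.cisco.com/v1alpha1 type, and reuses the names and IDs from the scenarios as constructed sample data.

```go
package main

import "fmt"

// ClusterType models the local/peer distinction the validator keys on.
// Cluster is a hypothetical stand-in, not the project's real v1alpha1 type.
type ClusterType string

const (
	ClusterTypeLocal ClusterType = "Local"
	ClusterTypePeer  ClusterType = "Peer"
)

type Cluster struct {
	Name      string
	ClusterID string
	Type      ClusterType
}

// ValidateUniqueLocalCluster is the admission check: a local Cluster CR is
// denied when a different local Cluster CR already carries the same clusterID.
// Updating the same object (same name and clusterID) passes, and peer CRs are
// not subject to the rule, matching the PR's three manual scenarios.
func ValidateUniqueLocalCluster(candidate Cluster, existing []Cluster) error {
	if candidate.Type != ClusterTypeLocal {
		return nil
	}
	for _, c := range existing {
		if c.Type != ClusterTypeLocal || c.ClusterID != candidate.ClusterID {
			continue
		}
		if c.Name == candidate.Name {
			continue // the CR being updated, not a duplicate
		}
		return fmt.Errorf("validating unique local cluster CR failed: a local cluster CR with name %s already exists with the same clusterID %s", c.Name, c.ClusterID)
	}
	return nil
}

func main() {
	// Constructed sample state: the existing local cluster CR from scenario one.
	existing := []Cluster{{Name: "pregnor-1", ClusterID: "80feb07e-3c69-4b98-a576-f62d5df65566", Type: ClusterTypeLocal}}
	for _, c := range []Cluster{
		{Name: "pregnor-1", ClusterID: "80feb07e-3c69-4b98-a576-f62d5df65566", Type: ClusterTypeLocal},   // update: allowed
		{Name: "pregnor-1-2", ClusterID: "80feb07e-3c69-4b98-a576-f62d5df65566", Type: ClusterTypeLocal}, // duplicate: denied
		{Name: "pregnor-2", ClusterID: "7aa85423-31c6-4029-98fc-7fff3e440693", Type: ClusterTypePeer},    // peer: allowed
	} {
		fmt.Printf("%-12s -> %v\n", c.Name, ValidateUniqueLocalCluster(c, existing))
	}
}
```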
Checklist
[X] Implementation tested
~User guide and development docs updated (if needed)~
To Do
[x] todo(@pregnor): clean up unneeded istio(-operator) references and unneeded transported code.