cisco-open / cluster-registry-controller

An operator that automatically synchronizes Kubernetes resources across multiple clusters
Apache License 2.0

Added cluster validator webhook with unique local cluster CR validation #22

Closed pregnor closed 2 years ago

pregnor commented 2 years ago
Q A
Bug fix? no
New feature? yes
API breaks? no
Deprecations? no
Related tickets STB-554
License Apache 2.0

What's in this PR?

  1. Implemented a self-signed certificate generation method for webhooks.
  2. Implemented a validating admission webhook for cluster CR validations.
  3. Also implemented a validation for ensuring unique local cluster CRs based on cluster type (local) and cluster ID (unique).

By default the cluster CR validator webhook is turned on through Helm chart values. Let me know if it should be turned off by default.

Why?

To disallow creating cluster CRs with cluster ID already belonging to an existing local typed cluster CR. This is an improvement for multi-cluster SDM setups.

Additional context

I based most of the implementation on the banzaicloud/istio-operator#525 PR.

Tested manually with the following scenarios:

  1. Allowed creating local cluster CR successfully.

```yaml
# Creating local cluster CR is successful.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-1
spec:
  authInfo:
    secretRef:
      name: pregnor-1
      namespace: cluster-registry
  clusterID: 80feb07e-3c69-4b98-a576-f62d5df65566
  kubernetesApiEndpoints:
  - serverAddress: https://3.72.141.112:6444
```

  2. Allowed updating local cluster CR with identical cluster ID and name compared to existing local cluster CR.

```yaml
# Updating existing local cluster CR with identical cluster ID and name is successful.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-1
spec:
  authInfo:
    secretRef:
      name: pregnor-1
      namespace: cluster-registry
  clusterID: 80feb07e-3c69-4b98-a576-f62d5df65566
  kubernetesApiEndpoints:
  - serverAddress: https://3.72.141.112:6443
```

  3. Rejected creating local cluster CR with identical cluster ID and different name compared to existing local cluster CR.

```yaml
# Creating local cluster CR with identical cluster ID and different name than existing local cluster CR is rejected.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-1-2
spec:
  authInfo:
    secretRef:
      name: pregnor-1-2
      namespace: cluster-registry
  clusterID: 80feb07e-3c69-4b98-a576-f62d5df65566
  kubernetesApiEndpoints:
  - serverAddress: https://3.72.141.112:6443
```

```
Error from server: error when creating "test_3_failure.yaml": admission webhook "cluster-validator.clusterregistry.k8s.cisco.com" denied the request: validating unique local cluster CR failed: a local cluster CR with name pregnor-1 already exists with the same clusterID 80feb07e-3c69-4b98-a576-f62d5df65566
```

  4. Allowed creating peer cluster CR with different cluster ID and name compared to existing local cluster CR.

```yaml
# Creating peer cluster CR with different cluster ID and name compared to existing local cluster CR is successful.
kind: Cluster
apiVersion: clusterregistry.k8s.cisco.com/v1alpha1
metadata:
  name: pregnor-2
spec:
  authInfo:
    secretRef:
      name: pregnor-2
      namespace: cluster-registry
  clusterID: 7aa85423-31c6-4029-98fc-7fff3e440693
  kubernetesApiEndpoints:
  - serverAddress: https://3.70.12.109:6443
```

  5. Replaced the ValidatingWebhookConfiguration with a similar MutatingWebhookConfiguration to see if the webhook certifier works with mutating webhooks as well.

Checklist

To Do
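The uniqueness rule the PR describes (reject a cluster CR whose clusterID already belongs to a differently named local cluster CR, allow re-applying the same CR and allow peers with a distinct ID), written out as an added stand-alone Go example that is not the project's own code. The `Cluster` struct and `ClusterType` values are assumed simplifications of the CR; the sample state is constructed from the scenarios above.

```go
package main

import "fmt"

// ClusterType is a hypothetical stand-in for the local/peer distinction the
// webhook validates on; the real CR's typing field is not shown on this page.
type ClusterType string

const (
	ClusterTypeLocal ClusterType = "Local"
	ClusterTypePeer  ClusterType = "Peer"
)

// Cluster is a minimal model of a Cluster CR: metadata.name, spec.clusterID
// and the derived type. Assumed shape, not the project's own Go types.
type Cluster struct {
	Name      string
	ClusterID string
	Type      ClusterType
}

// ValidateUniqueLocalCluster applies the PR's rule: the incoming CR (create or
// update) is denied when a different local cluster CR already carries the same
// clusterID. Re-applying the same-named CR with its own clusterID passes, as
// does a peer CR whose clusterID is not held by any local CR.
func ValidateUniqueLocalCluster(incoming Cluster, existing []Cluster) error {
	for _, c := range existing {
		if c.Type != ClusterTypeLocal || c.ClusterID != incoming.ClusterID {
			continue
		}
		if c.Name == incoming.Name {
			continue // same object being updated, not a conflict
		}
		return fmt.Errorf("validating unique local cluster CR failed: a local cluster CR with name %s already exists with the same clusterID %s", c.Name, c.ClusterID)
	}
	return nil
}

func main() {
	// Constructed sample state: the local CR from the first test scenario.
	existing := []Cluster{{Name: "pregnor-1", ClusterID: "80feb07e-3c69-4b98-a576-f62d5df65566", Type: ClusterTypeLocal}}
	dup := Cluster{Name: "pregnor-1-2", ClusterID: "80feb07e-3c69-4b98-a576-f62d5df65566", Type: ClusterTypeLocal}
	fmt.Println(ValidateUniqueLocalCluster(dup, existing)) // denied: same clusterID, different name
	peer := Cluster{Name: "pregnor-2", ClusterID: "7aa85423-31c6-4029-98fc-7fff3e440693", Type: ClusterTypePeer}
	fmt.Println(ValidateUniqueLocalCluster(peer, existing)) // <nil>: distinct clusterID
}
```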

pregnor commented 2 years ago

CC: @Laci21, @waynz0r (as I cannot add reviewers)

pregnor commented 2 years ago

To be cleaned up, there were a couple of mistaken cross-references left in from code taken from earlier implementations.