Merge pull request #6 from Vicente-Cheng/add-webhook

Add StorageClass Validator

Author: Vicente-Cheng

.github/workflows/factory.yml

@@ -12,6 +12,7 @@ env:
   repo: "rancher"
   provisionerImageName: "harvester-lvm-provisioner"
   pluginImageName: "harvester-lvm-csi-plugin"
+  webhookImageName: "harvester-lvm-csi-driver-webhook"
 
 jobs:
   dapper-build:
@@ -65,3 +66,13 @@ jobs:
         file: package/Dockerfile.provisioner
         push: ${{ inputs.push }}
         tags: ${{ env.repo }}/${{ env.provisionerImageName }}:${{ inputs.tag }}
+
+    - name: Docker Build (LVM Webhook)
+      uses: docker/build-push-action@v5
+      with:
+        provenance: false
+        context: .
+        platforms: linux/amd64,linux/arm64
+        file: package/Dockerfile.webhook
+        push: ${{ inputs.push }}
+        tags: ${{ env.repo }}/${{ env.webhookImageName }}:${{ inputs.tag }}

cmd/webhook/main.go

@@ -0,0 +1,132 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/harvester/webhook/pkg/config"
+	"github.com/harvester/webhook/pkg/server"
+	"github.com/harvester/webhook/pkg/server/admission"
+	"github.com/rancher/wrangler/pkg/generated/controllers/core"
+	ctlstorage "github.com/rancher/wrangler/v3/pkg/generated/controllers/storage"
+	"github.com/rancher/wrangler/v3/pkg/kubeconfig"
+	"github.com/rancher/wrangler/v3/pkg/signals"
+	"github.com/sirupsen/logrus"
+	"github.com/urfave/cli/v2"
+	"k8s.io/client-go/rest"
+
+	"github.com/harvester/csi-driver-lvm/pkg/webhook/storageclass"
+)
+
+const webhookName = "harvester-csi-driver-lvm-webhook"
+
+func main() {
+	var options config.Options
+	var logLevel string
+
+	flags := []cli.Flag{
+		&cli.StringFlag{
+			Name:        "loglevel",
+			Usage:       "Specify log level",
+			EnvVars:     []string{"LOGLEVEL"},
+			Value:       "info",
+			Destination: &logLevel,
+		},
+		&cli.IntFlag{
+			Name:        "threadiness",
+			EnvVars:     []string{"THREADINESS"},
+			Usage:       "Specify controller threads",
+			Value:       5,
+			Destination: &options.Threadiness,
+		},
+		&cli.IntFlag{
+			Name:        "https-port",
+			EnvVars:     []string{"WEBHOOK_SERVER_HTTPS_PORT"},
+			Usage:       "HTTPS listen port",
+			Value:       8443,
+			Destination: &options.HTTPSListenPort,
+		},
+		&cli.StringFlag{
+			Name:        "namespace",
+			EnvVars:     []string{"NAMESPACE"},
+			Destination: &options.Namespace,
+			Usage:       "The harvester namespace",
+			Value:       "harvester-system",
+			Required:    true,
+		},
+		&cli.StringFlag{
+			Name:        "controller-user",
+			EnvVars:     []string{"CONTROLLER_USER_NAME"},
+			Destination: &options.ControllerUsername,
+			Value:       "harvester-csi-driver-lvm-webhook",
+			Usage:       "The harvester controller username",
+		},
+		&cli.StringFlag{
+			Name:        "gc-user",
+			EnvVars:     []string{"GARBAGE_COLLECTION_USER_NAME"},
+			Destination: &options.GarbageCollectionUsername,
+			Usage:       "The system username that performs garbage collection",
+			Value:       "system:serviceaccount:kube-system:generic-garbage-collector",
+		},
+	}
+
+	cfg, err := kubeconfig.GetNonInteractiveClientConfig(os.Getenv("KUBECONFIG")).ClientConfig()
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	ctx := signals.SetupSignalContext()
+
+	app := cli.NewApp()
+	app.Flags = flags
+	app.Action = func(_ *cli.Context) error {
+		setLogLevel(logLevel)
+		err := runWebhookServer(ctx, cfg, &options)
+		return err
+	}
+
+	if err := app.Run(os.Args); err != nil {
+		logrus.Fatalf("run webhook server failed: %v", err)
+	}
+}
+
+func runWebhookServer(ctx context.Context, cfg *rest.Config, options *config.Options) error {
+	storageFactory, err := ctlstorage.NewFactoryFromConfig(cfg)
+	if err != nil {
+		return err
+	}
+	coreFactory, err := core.NewFactoryFromConfig(cfg)
+	if err != nil {
+		return err
+	}
+	nodeClient := coreFactory.Core().V1().Node()
+	storageclassClient := storageFactory.Storage().V1().StorageClass()
+	webhookServer := server.NewWebhookServer(ctx, cfg, webhookName, options)
+
+	storageclassValidator := storageclass.NewStorageClassValidator(storageclassClient, nodeClient)
+
+	var validators = []admission.Validator{
+		storageclassValidator,
+	}
+
+	if err := webhookServer.RegisterValidators(validators...); err != nil {
+		return err
+	}
+
+	if err := webhookServer.Start(); err != nil {
+		return err
+	}
+
+	<-ctx.Done()
+
+	return nil
+}
+
+func setLogLevel(level string) {
+	ll, err := logrus.ParseLevel(level)
+	if err != nil {
+		ll = logrus.DebugLevel
+	}
+	// set global log level
+	logrus.SetLevel(ll)
+}

deploy/charts/templates/_helpers.tpl

@@ -1,3 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "harvester-csi-driver-lvm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "harvester-csi-driver-lvm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+CSI-plugin labels
+*/}}
+{{- define "harvester-csi-driver-lvm.labels" -}}
+helm.sh/chart: {{ include "harvester-csi-driver-lvm.chart" . }}
+{{ include "harvester-csi-driver-lvm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: storage
+{{- end }}
+
+{{/*
+CSI-plugin Selector labels
+*/}}
+{{- define "harvester-csi-driver-lvm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-csi-driver-lvm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CSI-controller labels
+*/}}
+{{- define "harvester-csi-driver-lvm-controller.labels" -}}
+helm.sh/chart: {{ include "harvester-csi-driver-lvm.chart" . }}
+{{ include "harvester-csi-driver-lvm-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: storage
+{{- end }}
+
+{{/*
+CSI-controller Selector labels
+*/}}
+{{- define "harvester-csi-driver-lvm-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-csi-driver-lvm.name" . }}-controller
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CSI-webhook labels
+*/}}
+{{- define "harvester-csi-driver-lvm-webhook.labels" -}}
+helm.sh/chart: {{ include "harvester-csi-driver-lvm.chart" . }}
+{{ include "harvester-csi-driver-lvm-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: webhook
+{{- end }}
+
+{{/*
+CSI-webhook Selector labels
+*/}}
+{{- define "harvester-csi-driver-lvm-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-csi-driver-lvm.name" . }}-webhook
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CSI components
+*/}}
 {{- define "externalImages.csiAttacher" -}}
 {{- if .Values.customCSISidecars.enabled -}}
 {{- print .Values.customCSISidecars.attacher -}}

deploy/charts/templates/controller.yaml

@@ -4,28 +4,27 @@ apiVersion: apps/v1
 metadata:
   name: harvester-csi-driver-lvm-controller
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+     {{- include "harvester-csi-driver-lvm-controller.labels" . | nindent 4 }}
 spec:
   serviceName: harvester-csi-driver-lvm-controller
   replicas: 1
   selector:
     matchLabels:
-      app: harvester-csi-driver-lvm-controller
+      {{- include "harvester-csi-driver-lvm-controller.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app: harvester-csi-driver-lvm-controller
+        {{- include "harvester-csi-driver-lvm-controller.labels" . | nindent 8 }}
     spec:
       affinity:
         podAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
           - labelSelector:
               matchExpressions:
-              - key: app
+              - key: app.kubernetes.io/name
                 operator: In
                 values:
-                - harvester-csi-driver-lvm-plugin
+                - harvester-csi-driver-lvm
             topologyKey: kubernetes.io/hostname
 {{- if .Values.nodeSelector.provisioner }}
       nodeSelector:

deploy/charts/templates/csi.yaml

@@ -4,17 +4,16 @@ kind: DaemonSet
 metadata:
   name: harvester-csi-driver-lvm-plugin
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+    {{- include "harvester-csi-driver-lvm.labels" . | nindent 4 }}
 spec:
   revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app: harvester-csi-driver-lvm-plugin
+      {{- include "harvester-csi-driver-lvm.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app: harvester-csi-driver-lvm-plugin
+        {{- include "harvester-csi-driver-lvm.labels" . | nindent 8 }}
     spec:
       serviceAccountName: harvester-csi-driver-lvm
 {{- if .Values.tolerations.plugin }}

deploy/charts/templates/rbac.yaml

@@ -49,4 +49,46 @@ roleRef:
   kind: ClusterRole
   name: harvester-csi-driver-lvm
   apiGroup: rbac.authorization.k8s.io
----
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets", "configmaps" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "apiregistration.k8s.io" ]
+    resources: [ "apiservices" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: harvester-csi-driver-lvm-webhook
+subjects:
+  - kind: ServiceAccount
+    name: harvester-csi-driver-lvm-webhook
+    namespace: {{ .Release.Namespace }}