common: add build related works for webhook

Signed-off-by: Vicente Cheng <vicente.cheng@suse.com>

Author: Vicente-Cheng

.github/workflows/factory.yml

@@ -12,6 +12,7 @@ env:
   repo: "rancher"
   provisionerImageName: "harvester-lvm-provisioner"
   pluginImageName: "harvester-lvm-csi-plugin"
+  webhookImageName: "harvester-lvm-csi-driver-webhook"
 
 jobs:
   dapper-build:
@@ -65,3 +66,13 @@ jobs:
         file: package/Dockerfile.provisioner
         push: ${{ inputs.push }}
         tags: ${{ env.repo }}/${{ env.provisionerImageName }}:${{ inputs.tag }}
+
+    - name: Docker Build (LVM Webhook)
+      uses: docker/build-push-action@v5
+      with:
+        provenance: false
+        context: .
+        platforms: linux/amd64,linux/arm64
+        file: package/Dockerfile.webhook
+        push: ${{ inputs.push }}
+        tags: ${{ env.repo }}/${{ env.webhookImageName }}:${{ inputs.tag }}

deploy/charts/templates/_helpers.tpl

@@ -1,3 +1,83 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "harvester-csi-driver-lvm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "harvester-csi-driver-lvm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+CSI-plugin labels
+*/}}
+{{- define "harvester-csi-driver-lvm.labels" -}}
+helm.sh/chart: {{ include "harvester-csi-driver-lvm.chart" . }}
+{{ include "harvester-csi-driver-lvm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: storage
+{{- end }}
+
+{{/*
+CSI-plugin Selector labels
+*/}}
+{{- define "harvester-csi-driver-lvm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-csi-driver-lvm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CSI-controller labels
+*/}}
+{{- define "harvester-csi-driver-lvm-controller.labels" -}}
+helm.sh/chart: {{ include "harvester-csi-driver-lvm.chart" . }}
+{{ include "harvester-csi-driver-lvm-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: storage
+{{- end }}
+
+{{/*
+CSI-controller Selector labels
+*/}}
+{{- define "harvester-csi-driver-lvm-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-csi-driver-lvm.name" . }}-controller
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CSI-webhook labels
+*/}}
+{{- define "harvester-csi-driver-lvm-webhook.labels" -}}
+helm.sh/chart: {{ include "harvester-csi-driver-lvm.chart" . }}
+{{ include "harvester-csi-driver-lvm-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: webhook
+{{- end }}
+
+{{/*
+CSI-webhook Selector labels
+*/}}
+{{- define "harvester-csi-driver-lvm-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "harvester-csi-driver-lvm.name" . }}-webhook
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CSI components
+*/}}
 {{- define "externalImages.csiAttacher" -}}
 {{- if .Values.customCSISidecars.enabled -}}
 {{- print .Values.customCSISidecars.attacher -}}

deploy/charts/templates/controller.yaml

@@ -4,28 +4,27 @@ apiVersion: apps/v1
 metadata:
   name: harvester-csi-driver-lvm-controller
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+     {{- include "harvester-csi-driver-lvm-controller.labels" . | nindent 4 }}
 spec:
   serviceName: harvester-csi-driver-lvm-controller
   replicas: 1
   selector:
     matchLabels:
-      app: harvester-csi-driver-lvm-controller
+      {{- include "harvester-csi-driver-lvm-controller.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app: harvester-csi-driver-lvm-controller
+        {{- include "harvester-csi-driver-lvm-controller.labels" . | nindent 8 }}
     spec:
       affinity:
         podAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
           - labelSelector:
               matchExpressions:
-              - key: app
+              - key: app.kubernetes.io/name
                 operator: In
                 values:
-                - harvester-csi-driver-lvm-plugin
+                - harvester-csi-driver-lvm
             topologyKey: kubernetes.io/hostname
 {{- if .Values.nodeSelector.provisioner }}
       nodeSelector:

deploy/charts/templates/csi.yaml

@@ -4,17 +4,16 @@ kind: DaemonSet
 metadata:
   name: harvester-csi-driver-lvm-plugin
   labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+    {{- include "harvester-csi-driver-lvm.labels" . | nindent 4 }}
 spec:
   revisionHistoryLimit: 10
   selector:
     matchLabels:
-      app: harvester-csi-driver-lvm-plugin
+      {{- include "harvester-csi-driver-lvm.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        app: harvester-csi-driver-lvm-plugin
+        {{- include "harvester-csi-driver-lvm.labels" . | nindent 8 }}
     spec:
       serviceAccountName: harvester-csi-driver-lvm
 {{- if .Values.tolerations.plugin }}

deploy/charts/templates/rbac.yaml

@@ -49,4 +49,46 @@ roleRef:
   kind: ClusterRole
   name: harvester-csi-driver-lvm
   apiGroup: rbac.authorization.k8s.io
----
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets", "configmaps" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "*" ]
+  - apiGroups: [ "apiregistration.k8s.io" ]
+    resources: [ "apiservices" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [ "apiextensions.k8s.io" ]
+    resources: [ "customresourcedefinitions" ]
+    verbs: [ "get", "watch", "list" ]
+  - apiGroups: [ "admissionregistration.k8s.io" ]
+    resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: harvester-csi-driver-lvm-webhook
+subjects:
+  - kind: ServiceAccount
+    name: harvester-csi-driver-lvm-webhook
+    namespace: {{ .Release.Namespace }}

deploy/charts/templates/webhook.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "harvester-csi-driver-lvm-webhook.labels" . | nindent 4 }}
+  {{- if .Values.webhook.replicas }}
+  # The annotation does not support 0 replicas.
+  annotations:
+    management.cattle.io/scale-available: "{{ .Values.webhook.replicas }}"
+  {{- end }}
+  name: harvester-csi-driver-lvm-webhook
+spec:
+  {{- if not .Values.webhook.replicas }}
+  # Use this field instead of the scale-available annotation when it is 0 replicas.
+  replicas: {{ .Values.webhook.replicas }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "harvester-csi-driver-lvm-webhook.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "harvester-csi-driver-lvm-webhook.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: harvester-csi-driver-lvm-webhook
+{{- if .Values.tolerations.webhook }}
+      tolerations:
+{{ toYaml .Values.tolerations.webhook | indent 8 }}
+{{- end }}
+      containers:
+        - name: harvester-csi-driver-lvm-webhook
+          image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          command:
+            - csi-driver-lvm-webhook
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: harvester-csi-driver-lvm-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    {{- include "harvester-csi-driver-lvm-webhook.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: {{ .Values.webhook.httpsPort }}

deploy/charts/values.yaml

@@ -14,13 +14,24 @@ provisionerImage:
   # Overrides the image tag whose default is the chart appVersion.
   tag: "main-head"
 
+nameOverride: ""
+
 lvm:
   # You will want to change this for read-only filesystems
   # For example, in Talos OS, set this to "/var/etc/lvm"
   hostWritePath: /etc/lvm
 
   driverName: lvm.driver.harvesterhci.io
 
+webhook:
+  replicas: 1
+  image:
+    repository: rancher/harvester-lvm-csi-driver-webhook
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: "main-head"
+  httpsPort: 8443
+
 rbac:
   create: true
 
@@ -86,4 +97,12 @@ tolerations:
   #   effect: NoSchedule
   # - key: node-role.kubernetes.io/control-plane
   #   operator: Exists
-  #   effect: NoSchedule
+  #   effect: NoSchedule
+  webhook:
+  # - key: node-role.kubernetes.io/master
+  #   operator: Exists
+  #   effect: NoSchedule
+  # - key: node-role.kubernetes.io/control-plane
+  #   operator: Exists
+  #   effect: NoSchedule
+  

package/Dockerfile.webhook

@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1.7.0
+
+FROM registry.suse.com/bci/bci-base:15.6
+
+RUN zypper -n rm container-suseconnect && \
+    zypper -n install util-linux-systemd lvm2 e2fsprogs nvme-cli device-mapper xfsprogs && \
+    zypper -n clean -a && rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/*
+
+ARG TARGETPLATFORM
+
+RUN if [ "$TARGETPLATFORM" != "linux/amd64" ] && [ "$TARGETPLATFORM" != "linux/arm64" ]; then \
+    echo "Error: Unsupported TARGETPLATFORM: $TARGETPLATFORM" && \
+    exit 1; \
+    fi
+
+ENV ARCH=${TARGETPLATFORM#linux/}
+
+COPY bin/csi-driver-lvm-webhook-${ARCH} /usr/bin/csi-driver-lvm-webhook
+ENTRYPOINT ["csi-driver-lvm-webhook"]

scripts/build

@@ -24,4 +24,5 @@ for arch in "amd64" "arm64"; do
     fi
     GOARCH="$arch" CGO_ENABLED=1 CC=$CC CGO_CFLAGS=$CGO_CFLAGS CGO_LDFLAGS=$CGO_LDFLAGS go build -ldflags "$LINKFLAGS $OTHER_LINKFLAGS" -o bin/lvmplugin-"$arch"
     GOARCH="$arch" CGO_ENABLED=1 CC=$CC CGO_CFLAGS=$CGO_CFLAGS CGO_LDFLAGS=$CGO_LDFLAGS go build -ldflags "$LINKFLAGS $OTHER_LINKFLAGS" -o bin/csi-lvmplugin-provisioner-"$arch" cmd/provisioner/*.go
+    GOARCH="$arch" CGO_ENABLED=0 go build -ldflags "$LINKFLAGS $OTHER_LINKFLAGS" -o bin/csi-driver-lvm-webhook-"$arch" cmd/webhook/*.go
 done

scripts/package

@@ -2,4 +2,5 @@
 set -e
 
 ./package_lvmplugin
-./package_lvm_provisioner
+./package_lvm_provisioner
+./package_lvm_webhook

scripts/package_lvm_webhook

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+source $(dirname $0)/version
+
+cd $(dirname $0)/..
+
+IMAGE=${REPO}/harvester-lvm-csi-driver-webhook:${TAG}
+DOCKERFILE=package/Dockerfile.webhook
+if [ -e ${DOCKERFILE}.${ARCH} ]; then
+    DOCKERFILE=${DOCKERFILE}.${ARCH}
+fi
+
+buildx build --load -f ${DOCKERFILE} -t ${IMAGE} .
+echo Built ${IMAGE}