From 36da4ad85d2dd3bd753482fa8ea69389e43286b9 Mon Sep 17 00:00:00 2001 From: Kyle Michel Date: Fri, 14 Jun 2024 12:26:18 -0400 Subject: [PATCH] Initial version --- .dockerignore | 3 + .github/actions/build/action.yml | 22 + .github/cr.yml | 1 + .github/workflows/build.yml | 23 + .github/workflows/docker-publish.yml | 60 +++ .github/workflows/helm-chart-release.yml | 28 + .github/workflows/release.yml | 46 ++ .gitignore | 29 + .golangci.yml | 41 ++ .pre-commit-config.yaml | 11 + CONTRIBUTING.md | 19 + Dockerfile | 34 ++ Makefile | 202 +++++++ PROJECT | 19 + README.md | 143 +++++ api/v1/pod_webhook.go | 175 ++++++ api/v1/pod_webhook_test.go | 229 ++++++++ api/v1/webhook_suite_test.go | 153 ++++++ charts/ira-controller/.helmignore | 23 + charts/ira-controller/Chart.yaml | 6 + charts/ira-controller/templates/_helpers.tpl | 62 +++ .../ira-controller/templates/deployment.yaml | 81 +++ .../templates/leader-election-rbac.yaml | 53 ++ .../templates/manager-rbac.yaml | 107 ++++ .../mutating-webhook-configuration.yaml | 37 ++ .../templates/selfsigned-issuer.yaml | 10 + .../templates/serviceaccount.yaml | 8 + .../templates/serving-cert.yaml | 16 + .../templates/webhook-service.yaml | 13 + charts/ira-controller/values.yaml | 26 + cmd/cmd_suite_test.go | 27 + cmd/root.go | 212 ++++++++ cmd/root_test.go | 87 +++ config/certmanager/certificate.yaml | 35 ++ config/certmanager/kustomization.yaml | 5 + config/certmanager/kustomizeconfig.yaml | 8 + config/crd/kustomization.yaml | 23 + config/crd/patches/cainjection_in_pods.yaml | 7 + config/crd/patches/webhook_in_pods.yaml | 16 + config/default/kustomization.yaml | 147 +++++ config/default/manager_metrics_patch.yaml | 4 + config/default/manager_webhook_patch.yaml | 23 + config/default/metrics_service.yaml | 17 + config/default/webhookcainjection_patch.yaml | 25 + config/manager/kustomization.yaml | 8 + config/manager/manager.yaml | 95 ++++ config/prometheus/kustomization.yaml | 2 + config/prometheus/monitor.yaml | 18 + config/rbac/kustomization.yaml | 11 + config/rbac/leader_election_role.yaml | 40 ++ config/rbac/leader_election_role_binding.yaml | 15 + config/rbac/role.yaml | 89 +++ config/rbac/role_binding.yaml | 15 + config/rbac/service_account.yaml | 8 + config/webhook/kustomization.yaml | 10 + config/webhook/kustomizeconfig.yaml | 22 + config/webhook/manifests.yaml | 26 + config/webhook/patches/ignore-self.yaml | 11 + config/webhook/service.yaml | 15 + go.mod | 74 +++ go.sum | 181 +++++++ hack/boilerplate.go.txt | 15 + internal/controller/pod_controller.go | 116 ++++ internal/controller/pod_controller_test.go | 507 ++++++++++++++++++ internal/controller/suite_test.go | 137 +++++ internal/util/certificate.go | 100 ++++ internal/util/config.go | 5 + internal/util/map.go | 23 + internal/util/pod.go | 73 +++ main.go | 7 + 70 files changed, 3939 insertions(+) create mode 100644 .dockerignore create mode 100644 .github/actions/build/action.yml create mode 100644 .github/cr.yml create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/docker-publish.yml create mode 100644 .github/workflows/helm-chart-release.yml create mode 100644 .github/workflows/release.yml create mode 100644 .gitignore create mode 100644 .golangci.yml create mode 100644 .pre-commit-config.yaml create mode 100644 CONTRIBUTING.md create mode 100644 Dockerfile create mode 100644 Makefile create mode 100644 PROJECT create mode 100644 README.md create mode 100644 api/v1/pod_webhook.go create mode 100644 api/v1/pod_webhook_test.go create mode 100644 api/v1/webhook_suite_test.go create mode 100644 charts/ira-controller/.helmignore create mode 100644 charts/ira-controller/Chart.yaml create mode 100644 charts/ira-controller/templates/_helpers.tpl create mode 100644 charts/ira-controller/templates/deployment.yaml create mode 100644 charts/ira-controller/templates/leader-election-rbac.yaml create mode 100644 charts/ira-controller/templates/manager-rbac.yaml create mode 100644 charts/ira-controller/templates/mutating-webhook-configuration.yaml create mode 100644 charts/ira-controller/templates/selfsigned-issuer.yaml create mode 100644 charts/ira-controller/templates/serviceaccount.yaml create mode 100644 charts/ira-controller/templates/serving-cert.yaml create mode 100644 charts/ira-controller/templates/webhook-service.yaml create mode 100644 charts/ira-controller/values.yaml create mode 100644 cmd/cmd_suite_test.go create mode 100644 cmd/root.go create mode 100644 cmd/root_test.go create mode 100644 config/certmanager/certificate.yaml create mode 100644 config/certmanager/kustomization.yaml create mode 100644 config/certmanager/kustomizeconfig.yaml create mode 100644 config/crd/kustomization.yaml create mode 100644 config/crd/patches/cainjection_in_pods.yaml create mode 100644 config/crd/patches/webhook_in_pods.yaml create mode 100644 config/default/kustomization.yaml create mode 100644 config/default/manager_metrics_patch.yaml create mode 100644 config/default/manager_webhook_patch.yaml create mode 100644 config/default/metrics_service.yaml create mode 100644 config/default/webhookcainjection_patch.yaml create mode 100644 config/manager/kustomization.yaml create mode 100644 config/manager/manager.yaml create mode 100644 config/prometheus/kustomization.yaml create mode 100644 config/prometheus/monitor.yaml create mode 100644 config/rbac/kustomization.yaml create mode 100644 config/rbac/leader_election_role.yaml create mode 100644 config/rbac/leader_election_role_binding.yaml create mode 100644 config/rbac/role.yaml create mode 100644 config/rbac/role_binding.yaml create mode 100644 config/rbac/service_account.yaml create mode 100644 config/webhook/kustomization.yaml create mode 100644 config/webhook/kustomizeconfig.yaml create mode 100644 config/webhook/manifests.yaml create mode 100644 config/webhook/patches/ignore-self.yaml create mode 100644 config/webhook/service.yaml create mode 100644 go.mod create mode 100644 go.sum create mode 100644 hack/boilerplate.go.txt create mode 100644 internal/controller/pod_controller.go create mode 100644 internal/controller/pod_controller_test.go create mode 100644 internal/controller/suite_test.go create mode 100644 internal/util/certificate.go create mode 100644 internal/util/config.go create mode 100644 internal/util/map.go create mode 100644 internal/util/pod.go create mode 100644 main.go diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..a3aab7a --- /dev/null +++ b/.dockerignore @@ -0,0 +1,3 @@ +# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file +# Ignore build and test binaries. +bin/ diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml new file mode 100644 index 0000000..e47e1f4 --- /dev/null +++ b/.github/actions/build/action.yml @@ -0,0 +1,22 @@ +name: build +description: builds ira-controller +inputs: + go-version: + description: "the version of golang" + default: '1.22' + codecov_token: + default: true +runs: + using: composite + steps: + - uses: actions/setup-go@v5 + with: + go-version: ${{ inputs.go-version }} + - run: make build test + shell: bash + - uses: codecov/codecov-action@v4 + with: + fail_ci_if_error: true + file: ./cover.out + token: ${{ inputs.codecov_token }} + verbose: true \ No newline at end of file diff --git a/.github/cr.yml b/.github/cr.yml new file mode 100644 index 0000000..9f7b9ab --- /dev/null +++ b/.github/cr.yml @@ -0,0 +1 @@ +release-name-template: "helm-chart-{{ .Name }}-{{ .Version }}" \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..a421caa --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,23 @@ +name: build + +on: [push, pull_request] + +jobs: + lint: + runs-on: ubuntu-latest + name: Lint + steps: + - uses: actions/setup-go@v5 + with: + go-version: '1.22' + - uses: actions/checkout@v4 + - name: golangci-lint + uses: golangci/golangci-lint-action@v4 + build: + runs-on: ubuntu-latest + name: Build + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/build + with: + codecov_token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 0000000..b07c823 --- /dev/null +++ b/.github/workflows/docker-publish.yml @@ -0,0 +1,60 @@ +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + push: + tags: [ 'v*.*' ] + workflow_dispatch: + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository_owner }}/ira-controller + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=match,pattern=v(\d+.\d+),group=1 + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml new file mode 100644 index 0000000..345532b --- /dev/null +++ b/.github/workflows/helm-chart-release.yml @@ -0,0 +1,28 @@ +name: Release Helm Charts + +on: + push: + branches: + - master + paths: + - "charts/**/Chart.yaml" + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.6.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + with: + config: .github/cr.yaml + mark_as_latest: false \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..6978de0 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,46 @@ +name: release +on: + push: + tags: ['v*.*.*'] + +jobs: + release: + name: Release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + ref: master + - run: git fetch --tags + - name: check branch + run: | + br="$(git branch --contains $GITHUB_REF --format '%(refname:short)' master)" + if [[ "$br" != "master" ]]; then + echo "$br != master" + exit 1 + fi + - name: Build + uses: ./.github/actions/build + - name: release-notes + run: 'echo "$(git tag -l --format="%(contents:body)" $GITHUB_REF_NAME)" > RELEASE_NOTES' + - name: version + id: version + run: 'git describe --always --dirty $GITHUB_REF_NAME | sed "s/^v//"' + - uses: actions/create-release@v1 + id: create_release + with: + draft: false + prerelease: false + release_name: ${{ steps.version.outputs.version }} + tag_name: ${{ github.ref }} + body_path: RELEASE_NOTES + env: + GITHUB_TOKEN: ${{ github.token }} + - uses: actions/upload-release-asset@v1 + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: ./bin/ira-controller + asset_name: ira-controller + asset_content_type: application/octet-stream + env: + GITHUB_TOKEN: ${{ github.token }} \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..515dbd3 --- /dev/null +++ b/.gitignore @@ -0,0 +1,29 @@ +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib +bin/* +dist/* +Dockerfile.cross + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out +cover.html + +# Go workspace file +go.work + +# Kubernetes Generated files - skip generated files, except for vendored files +!vendor/**/zz_generated.* + +# editor and IDE paraphernalia +.idea +.vscode +*.swp +*.swo +*~ diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000..709ef19 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,41 @@ +run: + timeout: 5m + allow-parallel-runners: true + +issues: + # don't skip warning about doc comments + # don't exclude the default set of lint + exclude-use-default: false + # restore some of the defaults + # (fill in the rest as needed) + exclude-rules: + - path: "api/*" + linters: + - lll + - path: "internal/*" + linters: + - dupl + - lll +linters: + disable-all: true + enable: + - dupl + - errcheck + - exportloopref + - ginkgolinter + - goconst + - gocyclo + - gofmt + - goimports + - gosimple + - govet + - ineffassign + - lll + - misspell + - nakedret + - prealloc + - staticcheck + - typecheck + - unconvert + - unparam + - unused diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..925175f --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,11 @@ +repos: + - repo: https://github.com/dnephin/pre-commit-golang + rev: v0.5.1 + hooks: + - id: go-mod-tidy + - id: go-fmt + - id: go-vet + - repo: https://github.com/golangci/golangci-lint + rev: v1.59.1 + hooks: + - id: golangci-lint-full \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..cec6ce6 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,19 @@ +# Contributing guidelines + +## Sign the CLA + +This project requires that you sign a Contributor License Agreement (CLA) before we can accept your pull requests. Please see https://cla-assistant.io/ontariosystems/ira-controller for more info + +## Contributing A Patch + +1. Submit an issue describing your proposed change to the repo in question. +1. The repo owners will respond to your issue. +1. If your proposed change is accepted, and you haven't already done so, sign a Contributor License Agreement (see details above). +1. Fork the desired repo, develop and test your code changes. +1. Submit a pull request. + +### Building +To build the project simply type: `make build` + +### Testing +* To execute all unit tests, run: `make test` diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..b99eb41 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,34 @@ +# Build the manager binary +FROM golang:1.22 AS builder +ARG TARGETOS +ARG TARGETARCH + +WORKDIR /workspace +# Copy the Go Modules manifests +COPY go.mod go.mod +COPY go.sum go.sum +# cache deps before building and copying source so that we don't need to re-download as much +# and so that source changes don't invalidate our downloaded layer +RUN go mod download + +# Copy the go source +copy main.go main.go +COPY cmd/ cmd/ +COPY api/ api/ +COPY internal/ internal/ + +# Build +# the GOARCH has not a default value to allow the binary be built according to the host where the command +# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO +# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, +# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. +RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ira-controller main.go + +# Use distroless as minimal base image to package the manager binary +# Refer to https://github.com/GoogleContainerTools/distroless for more details +FROM gcr.io/distroless/static:nonroot +WORKDIR / +COPY --from=builder /workspace/ira-controller . +USER 65532:65532 + +ENTRYPOINT ["/ira-controller"] diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..50be58e --- /dev/null +++ b/Makefile @@ -0,0 +1,202 @@ +# Image URL to use all building/pushing image targets +IMG ?= controller:latest +# ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. +ENVTEST_K8S_VERSION = 1.30.0 + +# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) +ifeq (,$(shell go env GOBIN)) +GOBIN=$(shell go env GOPATH)/bin +else +GOBIN=$(shell go env GOBIN) +endif + +# CONTAINER_TOOL defines the container tool to be used for building images. +# Be aware that the target commands are only tested with Docker which is +# scaffolded by default. However, you might want to replace it to use other +# tools. (i.e. podman) +CONTAINER_TOOL ?= docker + +# Setting SHELL to bash allows bash commands to be executed by recipes. +# Options are set to exit when a recipe line exits non-zero or a piped command fails. +SHELL = /usr/bin/env bash -o pipefail +.SHELLFLAGS = -ec + +.PHONY: all +all: build + +##@ General + +# The help target prints out all targets with their descriptions organized +# beneath their categories. The categories are represented by '##@' and the +# target descriptions by '##'. The awk command is responsible for reading the +# entire set of makefiles included in this invocation, looking for lines of the +# file as xyz: ## something, and then pretty-format the target and help. Then, +# if there's a line with ##@ something, that gets pretty-printed as a category. +# More info on the usage of ANSI control characters for terminal formatting: +# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters +# More info on the awk command: +# http://linuxcommand.org/lc3_adv_awk.php + +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +.PHONY: clean +clean: + rm -rf cover.out cover.html + +##@ Development + +.PHONY: manifests +manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. + $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + +.PHONY: generate +generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. + $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." + +.PHONY: fmt +fmt: ## Run go fmt against code. + go fmt ./... + +.PHONY: vet +vet: ## Run go vet against code. + go vet ./... + +.PHONY: test +test: manifests generate fmt vet envtest cert-manager-crds ## Run tests. + KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $$(go list ./... | grep -v /test) -coverprofile cover.out + go tool cover -html cover.out -o cover.html + +.PHONY: cert-manager-crds +cert-manager-crds: ## Download newest cert-manager CRDs for testing + curl -sSL -o bin/cert-crds.yaml https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.crds.yaml + +.PHONY: lint +lint: golangci-lint ## Run golangci-lint linter & yamllint + $(GOLANGCI_LINT) run + +.PHONY: lint-fix +lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes + $(GOLANGCI_LINT) run --fix + +##@ Build + +.PHONY: build +build: manifests generate fmt vet ## Build manager binary. + CGO_ENABLED=0 go build -o bin/ira-controller main.go + +.PHONY: run +run: manifests generate fmt vet ## Run a controller from your host. + go run ./main.go + +# If you wish to build the manager image targeting other platforms you can use the --platform flag. +# (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. +# More info: https://docs.docker.com/develop/develop-images/build_enhancements/ +.PHONY: docker-build +docker-build: ## Build docker image with the manager. + $(CONTAINER_TOOL) build -t ${IMG} . + +.PHONY: docker-push +docker-push: ## Push docker image with the manager. + $(CONTAINER_TOOL) push ${IMG} + +# PLATFORMS defines the target platforms for the manager image be built to provide support to multiple +# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: +# - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/ +# - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/ +# - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=> then the export will fail) +# To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. +PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +.PHONY: docker-buildx +docker-buildx: ## Build and push docker image for the manager for cross-platform support + # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile + sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross + - $(CONTAINER_TOOL) buildx create --name ira-controller-builder + $(CONTAINER_TOOL) buildx use ira-controller-builder + - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - $(CONTAINER_TOOL) buildx rm ira-controller-builder + rm Dockerfile.cross + +.PHONY: build-installer +build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment. + mkdir -p dist + cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/default > dist/install.yaml + +##@ Deployment + +ifndef ignore-not-found + ignore-not-found = false +endif + +.PHONY: install +install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config. + $(KUSTOMIZE) build config/crd | $(KUBECTL) apply -f - + +.PHONY: uninstall +uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. + $(KUSTOMIZE) build config/crd | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - + +.PHONY: deploy +deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. + cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + $(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - + +.PHONY: undeploy +undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. + $(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - + +##@ Dependencies + +## Location to install dependencies to +LOCALBIN ?= $(shell pwd)/bin +$(LOCALBIN): + mkdir -p $(LOCALBIN) + +## Tool Binaries +KUBECTL ?= kubectl +KUSTOMIZE ?= $(LOCALBIN)/kustomize-$(KUSTOMIZE_VERSION) +CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen-$(CONTROLLER_TOOLS_VERSION) +ENVTEST ?= $(LOCALBIN)/setup-envtest-$(ENVTEST_VERSION) +GOLANGCI_LINT = $(LOCALBIN)/golangci-lint-$(GOLANGCI_LINT_VERSION) + +## Tool Versions +KUSTOMIZE_VERSION ?= v5.4.2 +CONTROLLER_TOOLS_VERSION ?= v0.15.0 +ENVTEST_VERSION ?= release-0.18 +GOLANGCI_LINT_VERSION ?= v1.57.2 + +.PHONY: kustomize +kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. +$(KUSTOMIZE): $(LOCALBIN) + $(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION)) + +.PHONY: controller-gen +controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. +$(CONTROLLER_GEN): $(LOCALBIN) + $(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,$(CONTROLLER_TOOLS_VERSION)) + +.PHONY: envtest +envtest: $(ENVTEST) ## Download setup-envtest locally if necessary. +$(ENVTEST): $(LOCALBIN) + $(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest,$(ENVTEST_VERSION)) + +.PHONY: golangci-lint +golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary. +$(GOLANGCI_LINT): $(LOCALBIN) + $(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION}) + +# go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist +# $1 - target path with name of binary (ideally with version) +# $2 - package url which can be installed +# $3 - specific version of package +define go-install-tool +@[ -f $(1) ] || { \ +set -e; \ +package=$(2)@$(3) ;\ +echo "Downloading $${package}" ;\ +GOBIN=$(LOCALBIN) go install $${package} ;\ +mv "$$(echo "$(1)" | sed "s/-$(3)$$//")" $(1) ;\ +} +endef diff --git a/PROJECT b/PROJECT new file mode 100644 index 0000000..d41109d --- /dev/null +++ b/PROJECT @@ -0,0 +1,19 @@ +# Code generated by tool. DO NOT EDIT. +# This file is used to track the info used to scaffold your project +# and allow the plugins properly work. +# More info: https://book.kubebuilder.io/reference/project-config.html +domain: ontsys.com +layout: +- go.kubebuilder.io/v4 +projectName: ira-controller +repo: github.com/ontariosystems/ira-controller +resources: +- controller: true + group: core + kind: Pod + path: k8s.io/api/core/v1 + version: v1 + webhooks: + defaulting: true + webhookVersion: v1 +version: "3" diff --git a/README.md b/README.md new file mode 100644 index 0000000..98ca734 --- /dev/null +++ b/README.md @@ -0,0 +1,143 @@ +# ira-controller +[![Latest Release](https://img.shields.io/github/release/ontariosystems/ira-controller.svg)](https://github.com/ontariosystems/ira-controller/releases) +[![CLA assistant](https://cla-assistant.io/readme/badge/ontariosystems/ira-controller)](https://cla-assistant.io/ontariosystems/ira-controller) +[![Build Status](https://github.com/ontariosystems/ira-controller/actions/workflows/build.yml/badge.svg)](https://github.com/ontariosystems/ira-controller/actions/workflows/build.yml) +[![codecov](https://codecov.io/gh/ontariosystems/ira-controller/graph/badge.svg?token=BKCN24MEUK)](https://codecov.io/gh/ontariosystems/ira-controller) +[![Go Report Card](https://goreportcard.com/badge/github.com/ontariosystems/ira-controller)](https://goreportcard.com/report/github.com/ontariosystems/ira-controller) +[![GoDoc](https://godoc.org/github.com/ontariosystems/ira-controller?status.svg)](https://godoc.org/github.com/ontariosystems/ira-controller) + +`ira-controler` is a mutating webhook and pod controller for Kubernetes, facilitating the use of [aws/rolesanywhere-credential-helper](https://github.com/aws/rolesanywhere-credential-helper) as a sidecar for your application that needs to use [IAM Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/Welcome.html) to access AWS resources. + +## Description +Before you begin using this project you should be familiar with the [concepts](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) of IAM Roles Anywhere and have configured the required AWS resources. + +### Mutating Webhook +The mutating webhook provided by this project is watching the creation/updating of pods and will inject a rolesanywhere credential helper sidecar if the required annotations are provided. +This sidecar will be configured based on the following annotations on the pod. + +| Annotation | Description | +|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ira.ontsys.com/trust-anchor | The ARN of the IAM Roles Anywhere trust anchor to use for obtaining credentials. | +| ira.ontsys.com/profile | The ARN of the IAM Roles Anywhere profile to use for obtaining credentials. This profile must contain the IAM role specified in `ira.ontsys.com/role` | +| ira.ontsys.com/role | The ARN of the IAM role to be assumed to gain credentials. | +| ira.ontsys.com/cert | Either the name of a TLS secret containing a certificate that was issued by the CA configured in trust anchor or when used in conjunction with the controller the optional name to use to create a [cert-manager](https://cert-manager.io/) certificate that will be created by the controller. | + +### Pod Controller +The pod controller is optional and if desired must be turned on using the `--generate-cert` command-line flag. +Once enabled the controller will trigger based on the same annotations as the webhook and create a [certificate resource](https://cert-manager.io/docs/usage/certificate/). +The CA behind the cert-manager issuer needs to be the CA that is configured in the trust anchor in order to successfully obtain credentials. +The TLS secret that is generated from this certificate will then be the one used to by the webhook for authentication. + +| Annotation | Description | +|----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ira.ontsys.com/issuer-kind | The kind of cert-manager issuer that should be used to issue the certificate. If not provided the value of `--default-issuer-kind` will be used. | +| ira.ontsys.com/issuer-name | The name of the issuer that should be used to issue the certificate. If not provided the value of `--default-issuer-name` will be used. | +| ira.ontsys.com/cert | The optional name to use when creating a cert-manager certificate. If not provided the certificate name will be generated based on the controlling resource of the pod. | + +**NOTE:** If neither the `ira.ontsys.com/issuer-name` annotation or the `--default-issuer-name` command line flag are provided then the certificate will fail to be created. + +## Getting Started + +### Prerequisites +- go version v1.22.0+ +- docker version 26.1+. +- kubectl version v1.29.0+. +- helm version v3.15.2+. +- Access to a Kubernetes v1.29.0+ cluster. + +This project may work on older versions but has not been tested. + +### Command Line Options +The command line is self documenting. For a full list of options run `ira-controller --help`. + +The options that start with `credential-helper` are all related to the rolesanywhere-credential-helper that is being injected. +The `--credential-helper-image` flag is required as the project currently doesn't publish an official image. +They have a [GitHub issue](https://github.com/aws/rolesanywhere-credential-helper/issues/51) for discussing the possibility of adding one. + +## To Deploy on the cluster +### Install with helm + +Add the ira-controller Helm repository: +```sh +helm repo add ira-controller https://ontariosystems.github.io/ira-controller +helm repo update +``` + +Then install a release using the chart. The [charts default values file](charts/ira-controller/values.yaml) provides some commented out examples for setting some of the values. There are several required values, but helm should fail with messages that indicate which value is missing. +```sh +helm upgrade --install ira-controller \ + ira-controller/ira-controller --values <>.yaml +``` + +### Build an image and deploy using kustomize + +**Build and push your image to the location specified by `IMG`:** + +```sh +make docker-build docker-push IMG=/ira-controller:tag +``` + +**NOTE:** This image ought to be published in the personal registry you specified. +And it is required to have access to pull the image from the working environment. +Make sure you have the proper permission to the registry if the above commands don’t work. + +**Deploy the Manager to the cluster with the image specified by `IMG`:** + +```sh +make deploy IMG=/ira-controller:tag +``` + +**UnDeploy the controller from the cluster:** + +```sh +make undeploy +``` + +## Project Distribution + +Following are the steps to build the installer and distribute this project to users. + +1. Build the installer for the image built and published in the registry: + +```sh +make build-installer IMG=/ira-controller:tag +``` + +NOTE: The makefile target mentioned above generates an 'install.yaml' +file in the dist directory. This file contains all the resources built +with Kustomize, which are necessary to install this project without +its dependencies. + +2. Using the installer + +Users can just run kubectl apply -f to install the project, i.e.: + +```sh +kubectl apply -f dist/install.yaml +``` + +## Contributing +View our [contributing policy](CONTRIBUTING.md). + + +## Additional Information +**NOTE:** Run `make help` for more information on all potential `make` targets + +More information can be found via the [Kubebuilder Documentation](https://book.kubebuilder.io/introduction.html) + +## License + +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + diff --git a/api/v1/pod_webhook.go b/api/v1/pod_webhook.go new file mode 100644 index 0000000..a54c32c --- /dev/null +++ b/api/v1/pod_webhook.go @@ -0,0 +1,175 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "context" + "fmt" + "net/http" + "slices" + + "k8s.io/apimachinery/pkg/api/resource" + + "github.com/ontariosystems/ira-controller/internal/util" + v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/json" + "sigs.k8s.io/controller-runtime/pkg/client" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/webhook" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" +) + +// log is for logging in this package. +var ( + podlog = logf.Log.WithName("pod-resource") + _ webhook.AdmissionHandler = &podIraInjector{} + CredentialHelperImage string + CredentialHelperCpuRequest string + CredentialHelperMemoryRequest string + CredentialHelperCpuLimit string + CredentialHelperMemoryLimit string + SessionDuration string +) + +// +kubebuilder:webhook:path=/mutate-core-v1-pod,mutating=true,failurePolicy=fail,sideEffects=None,groups=core,resources=pods,verbs=create;update,versions=v1,name=mpod.kb.io,admissionReviewVersions=v1 + +// podIraInjector struct used to handle admission control for Kubernetes pods +type podIraInjector struct { + Client client.Client + decoder admission.Decoder +} + +// NewPodIraInjector initializes and returns a new pod injector to handle webhook calls +func NewPodIraInjector(client client.Client, scheme *runtime.Scheme) admission.Handler { + return &podIraInjector{ + Client: client, + decoder: admission.NewDecoder(scheme), + } +} + +// Handle processes any required mutations to the incoming pod +func (p *podIraInjector) Handle(ctx context.Context, request admission.Request) admission.Response { + + pod := &v1.Pod{} + + err := p.decoder.Decode(request, pod) + if err != nil { + podlog.Error(err, "error occurred while decoding the admission request") + return admission.Errored(http.StatusBadRequest, err) + } + + podlog.Info("handling the pod CREATE/UPDATE event for", "pod name", pod.Name, "pod namespace", pod.Namespace, "pod generate name", pod.GenerateName) + + if !pod.DeletionTimestamp.IsZero() { + podlog.Info("Skipping terminating pod") + return admission.Allowed("pod terminating") + } + + if slices.Contains([]v1.PodPhase{v1.PodFailed, v1.PodSucceeded}, pod.Status.Phase) { + podlog.Info("Skipping finished pod") + return admission.Allowed("pod finished") + } + + if util.MapContains(pod.Annotations, "ira.ontsys.com/trust-anchor") && util.MapContains(pod.Annotations, "ira.ontsys.com/profile") && util.MapContains(pod.Annotations, "ira.ontsys.com/role") { + if pod.Spec.Volumes == nil { + pod.Spec.Volumes = make([]v1.Volume, 0) + } + secretName, _ := util.ControllerNameFromPod(pod) + pod.Spec.Volumes = append(pod.Spec.Volumes, v1.Volume{ + Name: "ira-cert", + VolumeSource: v1.VolumeSource{ + Secret: &v1.SecretVolumeSource{ + SecretName: util.GetCertName(pod.Annotations, secretName), + }, + }, + }) + + for i, c := range pod.Spec.Containers { + if c.Env == nil { + c.Env = make([]v1.EnvVar, 0) + } + c.Env = append(c.Env, v1.EnvVar{ + Name: "AWS_EC2_METADATA_SERVICE_ENDPOINT", + Value: "http://127.0.0.1:9911/", + }) + pod.Spec.Containers[i] = c + } + + restartPolicyAlways := v1.ContainerRestartPolicyAlways + resources := v1.ResourceRequirements{ + Limits: v1.ResourceList{}, + Requests: v1.ResourceList{}, + } + if CredentialHelperCpuRequest != "" { + resources.Requests[v1.ResourceCPU] = resource.MustParse(CredentialHelperCpuRequest) + } + if CredentialHelperCpuLimit != "" { + resources.Limits[v1.ResourceCPU] = resource.MustParse(CredentialHelperCpuLimit) + } + if CredentialHelperMemoryRequest != "" { + resources.Requests[v1.ResourceMemory] = resource.MustParse(CredentialHelperMemoryRequest) + } + if CredentialHelperMemoryLimit != "" { + resources.Limits[v1.ResourceMemory] = resource.MustParse(CredentialHelperMemoryLimit) + } + + pod.Spec.InitContainers = append(pod.Spec.InitContainers, v1.Container{ + Name: "ira", + Image: CredentialHelperImage, + Command: []string{"aws_signing_helper"}, + Args: []string{ + "serve", + "--certificate", + "/ira-cert/tls.crt", + "--private-key", + "/ira-cert/tls.key", + "--trust-anchor-arn", + pod.Annotations["ira.ontsys.com/trust-anchor"], + "--profile-arn", + pod.Annotations["ira.ontsys.com/profile"], + "--role-arn", + pod.Annotations["ira.ontsys.com/role"], + fmt.Sprintf("'--session-duration=%s'", SessionDuration), + }, + RestartPolicy: &restartPolicyAlways, + Resources: resources, + VolumeMounts: []v1.VolumeMount{ + { + Name: "ira-cert", + MountPath: "/ira-cert", + }, + }, + }) + } + + marshaledpod, err := json.Marshal(pod) + + if err != nil { + return admission.Errored(http.StatusInternalServerError, err) + } + + podlog.Info("Attempting to patch pod", "pod", pod.Name, "pod namespace", pod.Namespace, "pod generate name", pod.GenerateName) + + return admission.PatchResponseFromRaw(request.AdmissionRequest.Object.Raw, marshaledpod) +} + +// InjectDecoder injects the decoder. +func (p *podIraInjector) InjectDecoder(d admission.Decoder) error { + p.decoder = d + return nil +} diff --git a/api/v1/pod_webhook_test.go b/api/v1/pod_webhook_test.go new file mode 100644 index 0000000..54f846e --- /dev/null +++ b/api/v1/pod_webhook_test.go @@ -0,0 +1,229 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "context" + "time" + + "k8s.io/apimachinery/pkg/api/resource" + "k8s.io/apimachinery/pkg/types" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gbytes" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +var _ = Describe("Pod Webhook", func() { + var buffer *gbytes.Buffer + BeforeEach(func() { + buffer = gbytes.NewBuffer() + GinkgoWriter.TeeTo(buffer) + CredentialHelperImage = "test-image:latest" + CredentialHelperCpuRequest = "250m" + CredentialHelperMemoryRequest = "64Mi" + CredentialHelperMemoryLimit = "128Mi" + SessionDuration = "900" + }) + AfterEach(func() { + GinkgoWriter.ClearTeeWriters() + CredentialHelperCpuLimit = "" + }) + + Context("When creating Pod under Mutating Webhook", func() { + Context("with a pod that is finished", func() { + It("should skip the resource", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "finished", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + Status: v1.PodStatus{Phase: v1.PodSucceeded}, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 10*time.Second, 25*time.Millisecond).Should(gbytes.Say("Skipping finished pod")) + }) + }) + Context("with IRA annotations", func() { + It("should mutate the pod", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Name: "annotated", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Attempting to patch pod")) + + mutatedPod := &v1.Pod{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "annotated", + }, mutatedPod) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(mutatedPod.Spec.Volumes).To(ContainElement(HaveField("Name", Equal("ira-cert")))) + Expect(mutatedPod.Spec.Volumes).To(ContainElement(HaveField("VolumeSource.Secret.SecretName", "annotated-ira"))) + Expect(mutatedPod.Spec.Containers).To(HaveExactElements(HaveField("Env", ContainElement(v1.EnvVar{ + Name: "AWS_EC2_METADATA_SERVICE_ENDPOINT", + Value: "http://127.0.0.1:9911/", + })))) + Expect(mutatedPod.Spec.InitContainers).To(ContainElement(HaveField("Name", Equal("ira")))) + Expect(mutatedPod.Spec.InitContainers).To(ContainElement(HaveField("VolumeMounts", ContainElement(v1.VolumeMount{ + Name: "ira-cert", + MountPath: "/ira-cert", + })))) + Expect(mutatedPod.Spec.InitContainers).To(ContainElement(HaveField("Args", ContainElements("ta", "p", "c")))) + Expect(mutatedPod.Spec.InitContainers).To(ContainElement(HaveField("Resources", v1.ResourceRequirements{ + Limits: v1.ResourceList{ + v1.ResourceMemory: resource.MustParse("128Mi"), + }, + Requests: v1.ResourceList{ + v1.ResourceCPU: resource.MustParse("250m"), + v1.ResourceMemory: resource.MustParse("64Mi"), + }, + }))) + Expect(mutatedPod.Spec.InitContainers).To(Not(ContainElement(HaveField("Resources", v1.ResourceRequirements{ + Limits: v1.ResourceList{ + v1.ResourceCPU: resource.MustParse("500m"), + }, + })))) + }) + Context("when a CPU limit is provided", func() { + It("should use the CPU limit", func() { + CredentialHelperCpuLimit = "500m" + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Name: "limited", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Attempting to patch pod")) + + mutatedPod := &v1.Pod{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "limited", + }, mutatedPod) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(mutatedPod.Spec.InitContainers).To(ContainElement(HaveField("Resources", v1.ResourceRequirements{ + Limits: v1.ResourceList{ + v1.ResourceCPU: resource.MustParse("500m"), + v1.ResourceMemory: resource.MustParse("128Mi"), + }, + Requests: v1.ResourceList{ + v1.ResourceCPU: resource.MustParse("250m"), + v1.ResourceMemory: resource.MustParse("64Mi"), + }, + }))) + }) + }) + Context("using a provided certificate name", func() { + It("should mutate the pod using the provided certificate name", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + "ira.ontsys.com/cert": "cert-name", + }, + Name: "named-cert", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Attempting to patch pod")) + + mutatedPod := &v1.Pod{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "named-cert", + }, mutatedPod) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(mutatedPod.Spec.Volumes).To(ContainElement(HaveField("VolumeSource.Secret.SecretName", "cert-name"))) + }) + }) + }) + }) +}) diff --git a/api/v1/webhook_suite_test.go b/api/v1/webhook_suite_test.go new file mode 100644 index 0000000..f810eb2 --- /dev/null +++ b/api/v1/webhook_suite_test.go @@ -0,0 +1,153 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1 + +import ( + "context" + "crypto/tls" + "fmt" + "net" + "path/filepath" + "runtime" + "testing" + "time" + + "github.com/ontariosystems/ira-controller/internal/util" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + admissionv1 "k8s.io/api/admission/v1" + // +kubebuilder:scaffold:imports + apimachineryruntime "k8s.io/apimachinery/pkg/runtime" + k8sscheme "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var ( + cfg *rest.Config + k8sClient client.Client + testEnv *envtest.Environment + ctx context.Context + cancel context.CancelFunc +) + +func TestAPIs(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Webhook Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.TODO()) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, + ErrorIfCRDPathMissing: false, + + // The BinaryAssetsDirectory is only required if you want to run the tests directly + // without call the makefile target test. If not informed it will look for the + // default path defined in controller-runtime which is /usr/local/kubebuilder/. + // Note that you must have the required binaries setup under the bin directory to perform + // the tests directly. When we run make test it will be setup and used automatically. + BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s", + fmt.Sprintf("1.30.0-%s-%s", runtime.GOOS, runtime.GOARCH)), + + WebhookInstallOptions: envtest.WebhookInstallOptions{ + Paths: []string{filepath.Join("..", "..", "config", "webhook")}, + }, + } + + var err error + // cfg is defined in this file globally. + cfg, err = testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + util.GetConfig = func() *rest.Config { + return cfg + } + + scheme := apimachineryruntime.NewScheme() + err = k8sscheme.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + err = admissionv1.AddToScheme(scheme) + Expect(err).NotTo(HaveOccurred()) + + // +kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + + // start webhook server using Manager + webhookInstallOptions := &testEnv.WebhookInstallOptions + mgr, err := ctrl.NewManager(cfg, ctrl.Options{ + Scheme: scheme, + WebhookServer: webhook.NewServer(webhook.Options{ + Host: webhookInstallOptions.LocalServingHost, + Port: webhookInstallOptions.LocalServingPort, + CertDir: webhookInstallOptions.LocalServingCertDir, + }), + LeaderElection: false, + Metrics: metricsserver.Options{BindAddress: "0"}, + }) + Expect(err).NotTo(HaveOccurred()) + + podIraInjector := NewPodIraInjector(mgr.GetClient(), mgr.GetScheme()) + mgr.GetWebhookServer().Register("/mutate-core-v1-pod", &webhook.Admission{Handler: podIraInjector}) + + // +kubebuilder:scaffold:webhook + + go func() { + defer GinkgoRecover() + err = mgr.Start(ctx) + Expect(err).NotTo(HaveOccurred()) + }() + + // wait for the webhook server to get ready + dialer := &net.Dialer{Timeout: time.Second} + addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort) + Eventually(func() error { + conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true}) + if err != nil { + return err + } + return conn.Close() + }).Should(Succeed()) + +}) + +var _ = AfterSuite(func() { + cancel() + By("tearing down the test environment") + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) diff --git a/charts/ira-controller/.helmignore b/charts/ira-controller/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/ira-controller/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/ira-controller/Chart.yaml b/charts/ira-controller/Chart.yaml new file mode 100644 index 0000000..de9058f --- /dev/null +++ b/charts/ira-controller/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +appVersion: "1.0.0" +description: A Helm chart for the ira-controller +name: ira-controller +type: application +version: 1.0.0 diff --git a/charts/ira-controller/templates/_helpers.tpl b/charts/ira-controller/templates/_helpers.tpl new file mode 100644 index 0000000..80fd3d0 --- /dev/null +++ b/charts/ira-controller/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "ira-controller.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ira-controller.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ira-controller.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "ira-controller.labels" -}} +helm.sh/chart: {{ include "ira-controller.chart" . }} +{{ include "ira-controller.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ira-controller.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ira-controller.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ira-controller.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ira-controller.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/ira-controller/templates/deployment.yaml b/charts/ira-controller/templates/deployment.yaml new file mode 100644 index 0000000..0d6eff0 --- /dev/null +++ b/charts/ira-controller/templates/deployment.yaml @@ -0,0 +1,81 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ira-controller.fullname" . }}-controller-manager + labels: + control-plane: controller-manager + {{- include "ira-controller.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.controllerManager.replicas }} + selector: + matchLabels: + control-plane: controller-manager + {{- include "ira-controller.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + control-plane: controller-manager + {{- include "ira-controller.selectorLabels" . | nindent 8 }} + annotations: + kubectl.kubernetes.io/default-container: manager + spec: + {{- with .Values.controllerManager.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --leader-elect + - --health-probe-bind-address=:8081 + {{- if .Values.controllerManager.manager.useCertManager }} + - --generate-cert + {{- end }} + {{- toYaml .Values.controllerManager.manager.args | nindent 8 }} + command: + - /ira-controller + env: + - name: KUBERNETES_CLUSTER_DOMAIN + value: {{ quote .Values.kubernetesClusterDomain }} + image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + {{- with .Values.controllerManager.manager.resources }} + resources: {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.controllerManager.manager.containerSecurityContext }} + securityContext: {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + serviceAccountName: {{ include "ira-controller.fullname" . }}-controller-manager + terminationGracePeriodSeconds: 10 + {{- with .Values.controllerManager.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert \ No newline at end of file diff --git a/charts/ira-controller/templates/leader-election-rbac.yaml b/charts/ira-controller/templates/leader-election-rbac.yaml new file mode 100644 index 0000000..b1eb568 --- /dev/null +++ b/charts/ira-controller/templates/leader-election-rbac.yaml @@ -0,0 +1,53 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "ira-controller.fullname" . }}-leader-election-role + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "ira-controller.fullname" . }}-leader-election-rolebinding + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "ira-controller.fullname" . }}-leader-election-role' +subjects: +- kind: ServiceAccount + name: '{{ include "ira-controller.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/charts/ira-controller/templates/manager-rbac.yaml b/charts/ira-controller/templates/manager-rbac.yaml new file mode 100644 index 0000000..424d132 --- /dev/null +++ b/charts/ira-controller/templates/manager-rbac.yaml @@ -0,0 +1,107 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ira-controller.fullname" . }}-manager-role + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch +{{- if .Values.controllerManager.manager.useCertManager }} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - get + - list + - update +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ira-controller.fullname" . }}-manager-rolebinding + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "ira-controller.fullname" . }}-manager-role' +subjects: +- kind: ServiceAccount + name: '{{ include "ira-controller.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/charts/ira-controller/templates/mutating-webhook-configuration.yaml b/charts/ira-controller/templates/mutating-webhook-configuration.yaml new file mode 100644 index 0000000..bd2b4dc --- /dev/null +++ b/charts/ira-controller/templates/mutating-webhook-configuration.yaml @@ -0,0 +1,37 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "ira-controller.fullname" . }}-mutating-webhook-configuration + {{- if .Values.webhookService.useCertManager }} + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "ira-controller.fullname" . }}-serving-cert + {{- end }} + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "ira-controller.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-core-v1-pod + failurePolicy: Fail + name: mpod.kb.io + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - ira-controller-system + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None \ No newline at end of file diff --git a/charts/ira-controller/templates/selfsigned-issuer.yaml b/charts/ira-controller/templates/selfsigned-issuer.yaml new file mode 100644 index 0000000..1d957c5 --- /dev/null +++ b/charts/ira-controller/templates/selfsigned-issuer.yaml @@ -0,0 +1,10 @@ +{{- if .Values.webhookService.useCertManager }} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "ira-controller.fullname" . }}-selfsigned-issuer + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +spec: + selfSigned: {} +{{- end }} \ No newline at end of file diff --git a/charts/ira-controller/templates/serviceaccount.yaml b/charts/ira-controller/templates/serviceaccount.yaml new file mode 100644 index 0000000..c99b773 --- /dev/null +++ b/charts/ira-controller/templates/serviceaccount.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "ira-controller.fullname" . }}-controller-manager + labels: + {{- include "ira-controller.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }} \ No newline at end of file diff --git a/charts/ira-controller/templates/serving-cert.yaml b/charts/ira-controller/templates/serving-cert.yaml new file mode 100644 index 0000000..d341c18 --- /dev/null +++ b/charts/ira-controller/templates/serving-cert.yaml @@ -0,0 +1,16 @@ +{{- if .Values.webhookService.useCertManager }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "ira-controller.fullname" . }}-serving-cert + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +spec: + dnsNames: + - '{{ include "ira-controller.fullname" . }}-webhook-service.{{ .Release.Namespace}}.svc' + - '{{ include "ira-controller.fullname" . }}-webhook-service.{{ .Release.Namespace}}.svc.{{ .Values.kubernetesClusterDomain }}' + issuerRef: + kind: Issuer + name: '{{ include "ira-controller.fullname" . }}-selfsigned-issuer' + secretName: webhook-server-cert +{{- end }} \ No newline at end of file diff --git a/charts/ira-controller/templates/webhook-service.yaml b/charts/ira-controller/templates/webhook-service.yaml new file mode 100644 index 0000000..f4aae73 --- /dev/null +++ b/charts/ira-controller/templates/webhook-service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "ira-controller.fullname" . }}-webhook-service + labels: + {{- include "ira-controller.labels" . | nindent 4 }} +spec: + type: {{ .Values.webhookService.type }} + selector: + control-plane: controller-manager + {{- include "ira-controller.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.webhookService.ports | toYaml | nindent 4 }} diff --git a/charts/ira-controller/values.yaml b/charts/ira-controller/values.yaml new file mode 100644 index 0000000..7bfce35 --- /dev/null +++ b/charts/ira-controller/values.yaml @@ -0,0 +1,26 @@ +controllerManager: + affinity: {} + manager: + args: [] + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + image: + repository: ghcr.io/ontariosystems/ira-controller + tag: + resources: [] + useCertManager: false + replicas: 2 + serviceAccount: + annotations: {} + tolerations: {} +kubernetesClusterDomain: cluster.local +webhookService: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + type: ClusterIP + useCertManager: true diff --git a/cmd/cmd_suite_test.go b/cmd/cmd_suite_test.go new file mode 100644 index 0000000..947fe54 --- /dev/null +++ b/cmd/cmd_suite_test.go @@ -0,0 +1,27 @@ +package cmd + +import ( + "testing" + + "github.com/ontariosystems/ira-controller/internal/util" + "k8s.io/client-go/rest" + + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +func TestCmd(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Cmd Suite") +} + +var _ = BeforeSuite(func() { + ctrl.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + util.GetConfig = func() *rest.Config { + return &rest.Config{} + } +}) diff --git a/cmd/root.go b/cmd/root.go new file mode 100644 index 0000000..fa9be74 --- /dev/null +++ b/cmd/root.go @@ -0,0 +1,212 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cmd + +import ( + "crypto/tls" + "errors" + "flag" + "fmt" + "os" + "slices" + "strings" + + "github.com/ontariosystems/ira-controller/internal/util" + + "sigs.k8s.io/controller-runtime/pkg/manager" + + cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + + v1 "github.com/ontariosystems/ira-controller/api/v1" + "github.com/ontariosystems/ira-controller/internal/controller" + + // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) + // to ensure that exec-entrypoint and run can make use of them. + _ "k8s.io/client-go/plugin/pkg/client/auth" + + "k8s.io/apimachinery/pkg/runtime" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + // +kubebuilder:scaffold:imports +) + +var ( + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") +) + +type rootFlags struct { + enableHTTP2 bool + enableLeaderElection bool + generateCert bool + metricsAddr string + probeAddr string + secureMetrics bool +} + +func init() { + utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + + // +kubebuilder:scaffold:scheme +} + +func Execute() { + mgr, code := configure(addFlags()) + if code != 0 { + os.Exit(code) + } + + setupLog.Info("starting manager") + if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { + setupLog.Error(err, "problem running manager") + os.Exit(1) + } +} + +func configure(f *rootFlags) (manager.Manager, int) { + if v1.CredentialHelperImage == "" { + setupLog.Error(errors.New("rolesanywhere-credential-helper image not provided"), + "Please provide an image to use that contains the rolesanywhere-credential-helper") + return nil, 1 + } + + issuerKinds := []string{cmv1.ClusterIssuerKind, cmv1.IssuerKind} + if !slices.Contains(issuerKinds, controller.DefaultIssuerKind) { + setupLog.Error(errors.New("invalid issuer kind"), + fmt.Sprintf("Please provide a valid issuer kind (%s)", strings.Join(issuerKinds, ","))) + return nil, 1 + } + + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + tlsOpts := []func(*tls.Config){} + if !f.enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + + mgr, err := ctrl.NewManager(util.GetConfig(), ctrl.Options{ + Scheme: scheme, + Metrics: metricsserver.Options{ + BindAddress: f.metricsAddr, + SecureServing: f.secureMetrics, + TLSOpts: tlsOpts, + }, + WebhookServer: webhookServer, + HealthProbeBindAddress: f.probeAddr, + LeaderElection: f.enableLeaderElection, + LeaderElectionID: "fe237894.ontsys.com", + // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily + // when the Manager ends. This requires the binary to immediately end when the + // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly + // speeds up voluntary leader transitions as the new leader don't have to wait + // LeaseDuration time first. + // + // In the default scaffold provided, the program ends immediately after + // the manager stops, so would be fine to enable this option. However, + // if you are doing or is intended to do any operation such as perform cleanups + // after the manager stops then its usage might be unsafe. + // LeaderElectionReleaseOnCancel: true, + }) + if err != nil { + setupLog.Error(err, "unable to start manager") + return nil, 1 + } + + if os.Getenv("ENABLE_WEBHOOKS") != "false" { + podIraInjector := v1.NewPodIraInjector(mgr.GetClient(), mgr.GetScheme()) + mgr.GetWebhookServer().Register("/mutate-core-v1-pod", &webhook.Admission{Handler: podIraInjector}) + } + if f.generateCert { + if err = (&controller.PodReconciler{ + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), + }).SetupWithManager(mgr); err != nil { + setupLog.Error(err, "unable to create controller", "controller", "Pod") + return nil, 1 + } + // +kubebuilder:scaffold:builder + } + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up health check") + return nil, 1 + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up ready check") + return nil, 1 + } + return mgr, 0 +} + +func addFlags() *rootFlags { + var f rootFlags + flag.StringVar(&f.metricsAddr, "metrics-bind-address", "0", "The address the metric endpoint binds to. "+ + "Use the port :8080. If not set, it will be 0 in order to disable the metrics server") + flag.StringVar(&f.probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&f.enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&f.secureMetrics, "metrics-secure", false, + "If set the metrics endpoint is served securely") + flag.BoolVar(&f.enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") + flag.BoolVar(&f.generateCert, "generate-cert", false, + "Use cert-manager to generate a certificate resource to use for authentication") + flag.StringVar(&v1.CredentialHelperImage, "credential-helper-image", "", + "The image to use for for the rolesanywhere-credential-helper") + flag.StringVar(&v1.CredentialHelperCpuRequest, "credential-helper-cpu-request", "250m", + "The CPU request for the credential-helper") + flag.StringVar(&v1.CredentialHelperMemoryRequest, "credential-helper-memory-request", "64Mi", + "The Memory request for the credential-helper") + flag.StringVar(&v1.CredentialHelperCpuLimit, "credential-helper-cpu-limit", "", + "The CPU limit for the credential-helper") + flag.StringVar(&v1.CredentialHelperMemoryLimit, "credential-helper-memory-limit", "128Mi", + "The Memory limit for the credential-helper") + flag.StringVar(&v1.SessionDuration, "credential-helper-session-duration", "900", + "The number of seconds for which the session is valid") + flag.StringVar(&controller.DefaultIssuerKind, "default-issuer-kind", "ClusterIssuer", + "The kind of the cert-manager issuer to use as a default when generating a certificate if one isn't specified") + flag.StringVar(&controller.DefaultIssuerName, "default-issuer-name", "", + "The name of the cert-manager issuer to use as a default when generating a certificate if one isn't specified") + + opts := zap.Options{ + Development: true, + } + opts.BindFlags(flag.CommandLine) + flag.Parse() + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + + return &f +} diff --git a/cmd/root_test.go b/cmd/root_test.go new file mode 100644 index 0000000..54d6c4d --- /dev/null +++ b/cmd/root_test.go @@ -0,0 +1,87 @@ +package cmd + +import ( + "flag" + "time" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gbytes" + v1 "github.com/ontariosystems/ira-controller/api/v1" + "github.com/ontariosystems/ira-controller/internal/controller" +) + +var _ = Describe("Cmd configure", func() { + var buffer *gbytes.Buffer + BeforeEach(func() { + buffer = gbytes.NewBuffer() + GinkgoWriter.TeeTo(buffer) + }) + AfterEach(func() { + GinkgoWriter.ClearTeeWriters() + v1.CredentialHelperImage = "" + controller.DefaultIssuerKind = "" + }) + Context("When configuring the root command", func() { + Context("without an image provided", func() { + It("should return an error", func() { + mgr, rc := configure(&rootFlags{metricsAddr: "0", probeAddr: ":8081"}) + Expect(mgr).To(BeNil()) + Expect(rc).To(Equal(1)) + }) + }) + Context("with an image provided", func() { + BeforeEach(func() { + v1.CredentialHelperImage = "test:image" + }) + Context("with an invalid issuer kind", func() { + It("should return an error", func() { + mgr, rc := configure(&rootFlags{metricsAddr: "0", probeAddr: ":8081"}) + Expect(mgr).To(BeNil()) + Expect(rc).To(Equal(1)) + }) + }) + Context("with an valid issuer kind", func() { + BeforeEach(func() { + controller.DefaultIssuerKind = "ClusterIssuer" + }) + It("should return the manager", func() { + mgr, rc := configure(&rootFlags{generateCert: true, metricsAddr: "0", probeAddr: ":0"}) + Expect(mgr).ToNot(BeNil()) + Expect(rc).To(Equal(0)) + }) + Context("when provided an invalid health probe address", func() { + It("should log a message", func() { + mgr, rc := configure(&rootFlags{metricsAddr: "0", probeAddr: ":100000"}) + Expect(mgr).To(BeNil()) + Expect(rc).To(Equal(1)) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 10*time.Second, 25*time.Millisecond).Should(gbytes.Say("unable to start manager")) + }) + }) + }) + }) + }) + Context("When adding flags", func() { + It("should add the flags", func() { + f := addFlags() + Expect(f).ToNot(BeNil()) + Expect(flag.Lookup("metrics-bind-address")).To(HaveField("DefValue", "0")) + Expect(flag.Lookup("health-probe-bind-address")).To(HaveField("DefValue", ":8081")) + Expect(flag.Lookup("leader-elect")).To(HaveField("DefValue", "false")) + Expect(flag.Lookup("metrics-secure")).To(HaveField("DefValue", "false")) + Expect(flag.Lookup("enable-http2")).To(HaveField("DefValue", "false")) + Expect(flag.Lookup("generate-cert")).To(HaveField("DefValue", "false")) + Expect(flag.Lookup("credential-helper-image")).To(HaveField("DefValue", "")) + Expect(flag.Lookup("credential-helper-cpu-request")).To(HaveField("DefValue", "250m")) + Expect(flag.Lookup("credential-helper-memory-request")).To(HaveField("DefValue", "64Mi")) + Expect(flag.Lookup("credential-helper-cpu-limit")).To(HaveField("DefValue", "")) + Expect(flag.Lookup("credential-helper-memory-limit")).To(HaveField("DefValue", "128Mi")) + Expect(flag.Lookup("credential-helper-session-duration")).To(HaveField("DefValue", "900")) + Expect(flag.Lookup("default-issuer-kind")).To(HaveField("DefValue", "ClusterIssuer")) + Expect(flag.Lookup("default-issuer-name")).To(HaveField("DefValue", "")) + }) + }) +}) diff --git a/config/certmanager/certificate.yaml b/config/certmanager/certificate.yaml new file mode 100644 index 0000000..5cd17de --- /dev/null +++ b/config/certmanager/certificate.yaml @@ -0,0 +1,35 @@ +# The following manifests contain a self-signed issuer CR and a certificate CR. +# More document can be found at https://docs.cert-manager.io +# WARNING: Targets CertManager v1.0. Check https://cert-manager.io/docs/installation/upgrading/ for breaking changes. +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: selfsigned-issuer + namespace: system +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + app.kubernetes.io/name: certificate + app.kubernetes.io/instance: serving-cert + app.kubernetes.io/component: certificate + app.kubernetes.io/created-by: ira-controller + app.kubernetes.io/part-of: ira-controller + app.kubernetes.io/managed-by: kustomize + name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml + namespace: system +spec: + # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize + dnsNames: + - SERVICE_NAME.SERVICE_NAMESPACE.svc + - SERVICE_NAME.SERVICE_NAMESPACE.svc.cluster.local + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize diff --git a/config/certmanager/kustomization.yaml b/config/certmanager/kustomization.yaml new file mode 100644 index 0000000..bebea5a --- /dev/null +++ b/config/certmanager/kustomization.yaml @@ -0,0 +1,5 @@ +resources: +- certificate.yaml + +configurations: +- kustomizeconfig.yaml diff --git a/config/certmanager/kustomizeconfig.yaml b/config/certmanager/kustomizeconfig.yaml new file mode 100644 index 0000000..cf6f89e --- /dev/null +++ b/config/certmanager/kustomizeconfig.yaml @@ -0,0 +1,8 @@ +# This configuration is for teaching kustomize how to update name ref substitution +nameReference: +- kind: Issuer + group: cert-manager.io + fieldSpecs: + - kind: Certificate + group: cert-manager.io + path: spec/issuerRef/name diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml new file mode 100644 index 0000000..b869a7c --- /dev/null +++ b/config/crd/kustomization.yaml @@ -0,0 +1,23 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/core_pods.yaml +# +kubebuilder:scaffold:crdkustomizeresource + +patches: +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. +# patches here are for enabling the conversion webhook for each CRD +- path: patches/webhook_in_pods.yaml +# +kubebuilder:scaffold:crdkustomizewebhookpatch + +# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. +# patches here are for enabling the CA injection for each CRD +#- path: patches/cainjection_in_pods.yaml +# +kubebuilder:scaffold:crdkustomizecainjectionpatch + +# [WEBHOOK] To enable webhook, uncomment the following section +# the following config is for teaching kustomize how to do kustomization for CRDs. + +configurations: +- kustomizeconfig.yaml diff --git a/config/crd/patches/cainjection_in_pods.yaml b/config/crd/patches/cainjection_in_pods.yaml new file mode 100644 index 0000000..b1ab830 --- /dev/null +++ b/config/crd/patches/cainjection_in_pods.yaml @@ -0,0 +1,7 @@ +# The following patch adds a directive for certmanager to inject CA into the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME + name: pods.core diff --git a/config/crd/patches/webhook_in_pods.yaml b/config/crd/patches/webhook_in_pods.yaml new file mode 100644 index 0000000..8fa5d25 --- /dev/null +++ b/config/crd/patches/webhook_in_pods.yaml @@ -0,0 +1,16 @@ +# The following patch enables a conversion webhook for the CRD +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: pods.core +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + namespace: system + name: webhook-service + path: /convert + conversionReviewVersions: + - v1 diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml new file mode 100644 index 0000000..0bc9654 --- /dev/null +++ b/config/default/kustomization.yaml @@ -0,0 +1,147 @@ +# Adds namespace to all resources. +namespace: ira-controller-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +namePrefix: ira-controller- + +# Labels to add to all resources and selectors. +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue + +resources: +#- ../crd +- ../rbac +- ../manager +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +- ../webhook +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. +- ../certmanager +# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. +#- ../prometheus +# [METRICS] To enable the controller manager metrics service, uncomment the following line. +#- metrics_service.yaml + +# Uncomment the patches line if you enable Metrics, and/or are using webhooks and cert-manager +patches: +# [METRICS] The following patch will enable the metrics endpoint. Ensure that you also protect this endpoint. +# More info: https://book.kubebuilder.io/reference/metrics +# If you want to expose the metric endpoint of your controller-manager uncomment the following line. +#- path: manager_metrics_patch.yaml +# target: +# kind: Deployment + +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in +# crd/kustomization.yaml +- path: manager_webhook_patch.yaml + +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. +# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. +# 'CERTMANAGER' needs to be enabled to use ca injection +- path: webhookcainjection_patch.yaml + +# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. +# Uncomment the following replacements to add the cert-manager CA injection annotations +replacements: + - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.namespace # namespace of the certificate CR + targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 0 + create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true + - source: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert # this name should match the one in certificate.yaml + fieldPath: .metadata.name + targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true + - select: + kind: MutatingWebhookConfiguration + fieldPaths: + - .metadata.annotations.[cert-manager.io/inject-ca-from] + options: + delimiter: '/' + index: 1 + create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true + - source: # Add cert-manager annotation to the webhook Service + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.name # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 0 + create: true + - source: + kind: Service + version: v1 + name: webhook-service + fieldPath: .metadata.namespace # namespace of the service + targets: + - select: + kind: Certificate + group: cert-manager.io + version: v1 + fieldPaths: + - .spec.dnsNames.0 + - .spec.dnsNames.1 + options: + delimiter: '.' + index: 1 + create: true diff --git a/config/default/manager_metrics_patch.yaml b/config/default/manager_metrics_patch.yaml new file mode 100644 index 0000000..6c546ae --- /dev/null +++ b/config/default/manager_metrics_patch.yaml @@ -0,0 +1,4 @@ +# This patch adds the args to allow exposing the metrics endpoint securely +- op: add + path: /spec/template/spec/containers/0/args/0 + value: --metrics-bind-address=:8080 diff --git a/config/default/manager_webhook_patch.yaml b/config/default/manager_webhook_patch.yaml new file mode 100644 index 0000000..738de35 --- /dev/null +++ b/config/default/manager_webhook_patch.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + - name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: webhook-server-cert diff --git a/config/default/metrics_service.yaml b/config/default/metrics_service.yaml new file mode 100644 index 0000000..b00a5e3 --- /dev/null +++ b/config/default/metrics_service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + control-plane: controller-manager diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml new file mode 100644 index 0000000..57d52f6 --- /dev/null +++ b/config/default/webhookcainjection_patch.yaml @@ -0,0 +1,25 @@ +# This patch add annotation to admission webhook config and +# CERTIFICATE_NAMESPACE and CERTIFICATE_NAME will be substituted by kustomize +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME +#--- +#apiVersion: admissionregistration.k8s.io/v1 +#kind: ValidatingWebhookConfiguration +#metadata: +# labels: +# app.kubernetes.io/name: validatingwebhookconfiguration +# app.kubernetes.io/instance: validating-webhook-configuration +# app.kubernetes.io/component: webhook +# app.kubernetes.io/created-by: ira-controller +# app.kubernetes.io/part-of: ira-controller +# app.kubernetes.io/managed-by: kustomize +# name: validating-webhook-configuration +# annotations: +# cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml new file mode 100644 index 0000000..40ed6ad --- /dev/null +++ b/config/manager/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- manager.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: ghcr.io/ontariosystems/ira-controller + newTag: 1.0.0 diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml new file mode 100644 index 0000000..9c4e3ab --- /dev/null +++ b/config/manager/manager.yaml @@ -0,0 +1,95 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 2 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + runAsNonRoot: true + # TODO(user): For common cases that do not require escalating privileges + # it is recommended to ensure that all your Pods/Containers are restrictive. + # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + # Please uncomment the following code if your project does NOT have to work on old Kubernetes + # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). + # seccompProfile: + # type: RuntimeDefault + containers: + - command: + - /ira-controller + args: + - --leader-elect + - --health-probe-bind-address=:8081 + image: controller:latest + name: manager + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml new file mode 100644 index 0000000..ed13716 --- /dev/null +++ b/config/prometheus/kustomization.yaml @@ -0,0 +1,2 @@ +resources: +- monitor.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml new file mode 100644 index 0000000..9459cc0 --- /dev/null +++ b/config/prometheus/monitor.yaml @@ -0,0 +1,18 @@ +# Prometheus Monitor Service (Metrics) +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-monitor + namespace: system +spec: + endpoints: + - path: /metrics + port: http # Ensure this is the name of the port that exposes HTTP metrics + scheme: http + selector: + matchLabels: + control-plane: controller-manager diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml new file mode 100644 index 0000000..166fe79 --- /dev/null +++ b/config/rbac/kustomization.yaml @@ -0,0 +1,11 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml new file mode 100644 index 0000000..9a363fd --- /dev/null +++ b/config/rbac/leader_election_role.yaml @@ -0,0 +1,40 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml new file mode 100644 index 0000000..c125310 --- /dev/null +++ b/config/rbac/leader_election_role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml new file mode 100644 index 0000000..39bef70 --- /dev/null +++ b/config/rbac/role.yaml @@ -0,0 +1,89 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: manager-role +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get + - patch + - update +- apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - get + - list + - update diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml new file mode 100644 index 0000000..a115bcf --- /dev/null +++ b/config/rbac/role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml new file mode 100644 index 0000000..9ec08f3 --- /dev/null +++ b/config/rbac/service_account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml new file mode 100644 index 0000000..223df46 --- /dev/null +++ b/config/webhook/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- manifests.yaml +- service.yaml + +configurations: +- kustomizeconfig.yaml +patches: +- path: patches/ignore-self.yaml diff --git a/config/webhook/kustomizeconfig.yaml b/config/webhook/kustomizeconfig.yaml new file mode 100644 index 0000000..206316e --- /dev/null +++ b/config/webhook/kustomizeconfig.yaml @@ -0,0 +1,22 @@ +# the following config is for teaching kustomize where to look at when substituting nameReference. +# It requires kustomize v2.1.0 or newer to work properly. +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + - kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/name + +namespace: +- kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + path: webhooks/clientConfig/service/namespace + create: true diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml new file mode 100644 index 0000000..e10e880 --- /dev/null +++ b/config/webhook/manifests.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: webhook-service + namespace: system + path: /mutate-core-v1-pod + failurePolicy: Fail + name: mpod.kb.io + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None diff --git a/config/webhook/patches/ignore-self.yaml b/config/webhook/patches/ignore-self.yaml new file mode 100644 index 0000000..b9f0850 --- /dev/null +++ b/config/webhook/patches/ignore-self.yaml @@ -0,0 +1,11 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration +webhooks: + - name: mpod.kb.io + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["ira-controller-system"] \ No newline at end of file diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml new file mode 100644 index 0000000..fbaab30 --- /dev/null +++ b/config/webhook/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: ira-controller + app.kubernetes.io/managed-by: kustomize + name: webhook-service + namespace: system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + selector: + control-plane: controller-manager diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..6227a7b --- /dev/null +++ b/go.mod @@ -0,0 +1,74 @@ +module github.com/ontariosystems/ira-controller + +go 1.22.0 + +toolchain go1.22.2 + +require ( + github.com/cert-manager/cert-manager v1.15.0 + github.com/google/uuid v1.6.0 + github.com/onsi/ginkgo/v2 v2.17.2 + github.com/onsi/gomega v1.33.1 + k8s.io/api v0.30.1 + k8s.io/apimachinery v0.30.1 + k8s.io/client-go v0.30.1 + sigs.k8s.io/controller-runtime v0.18.2 +) + +require ( + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/emicklei/go-restful/v3 v3.12.0 // indirect + github.com/evanphx/json-patch/v5 v5.9.0 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect + github.com/go-logr/zapr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.21.0 // indirect + github.com/go-openapi/swag v0.23.0 // indirect + github.com/go-task/slim-sprig/v3 v3.0.0 // indirect + github.com/gogo/protobuf v1.3.2 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.4 // indirect + github.com/google/gnostic-models v0.6.8 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect + github.com/imdario/mergo v0.3.16 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/mailru/easyjson v0.7.7 // indirect + github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/prometheus/client_golang v1.18.0 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.46.0 // indirect + github.com/prometheus/procfs v0.15.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.27.0 // indirect + golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect + golang.org/x/net v0.25.0 // indirect + golang.org/x/oauth2 v0.20.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect + golang.org/x/time v0.5.0 // indirect + golang.org/x/tools v0.21.0 // indirect + gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect + google.golang.org/protobuf v1.34.1 // indirect + gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/apiextensions-apiserver v0.30.1 // indirect + k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect + k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect + sigs.k8s.io/gateway-api v1.1.0 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..a09c423 --- /dev/null +++ b/go.sum @@ -0,0 +1,181 @@ +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cert-manager/cert-manager v1.15.0 h1:xVL8tzdQECMypoYQa9rv4DLjkn2pJXJLTqH4JUsxfko= +github.com/cert-manager/cert-manager v1.15.0/go.mod h1:Vxq6yNKAbgQeMtzu5gqU8n0vXDiZcGTa5LDyCJRbmXE= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= +github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= +github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= +github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= +github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= +github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= +github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= +github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= +github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= +github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek= +github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= +golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= +golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= +golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= +golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= +google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= +google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= +k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM= +k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= +k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= +k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U= +k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q= +k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f h1:0LQagt0gDpKqvIkAMPaRGcXawNMouPECM1+F9BVxEaM= +k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f/go.mod h1:S9tOR0FxgyusSNR+MboCuiDpVWkAifZvaYI1Q2ubgro= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q= +sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw= +sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= +sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt new file mode 100644 index 0000000..b2c8a09 --- /dev/null +++ b/hack/boilerplate.go.txt @@ -0,0 +1,15 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ \ No newline at end of file diff --git a/internal/controller/pod_controller.go b/internal/controller/pod_controller.go new file mode 100644 index 0000000..ba0f2b4 --- /dev/null +++ b/internal/controller/pod_controller.go @@ -0,0 +1,116 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controller + +import ( + "context" + "fmt" + + "github.com/ontariosystems/ira-controller/internal/util" + v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/reconcile" +) + +var ( + DefaultIssuerKind string + DefaultIssuerName string +) + +// PodReconciler reconciles a Pod object +type PodReconciler struct { + client.Client + Scheme *runtime.Scheme +} + +// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups="",resources=pods/status,verbs=get;update;patch +// +kubebuilder:rbac:groups="",resources=pods/finalizers,verbs=update + +// +kubebuilder:rbac:groups=apps,resources=daemonsets,verbs=get;list;watch +// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch +// +kubebuilder:rbac:groups=apps,resources=replicasets,verbs=get;list;watch +// +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch +// +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch +// +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch +// +kubebuilder:rbac:groups=cert-manager.io,resources=certificates,verbs=get;list;create;update + +// Reconcile is part of the main kubernetes reconciliation loop which aims to +// move the current state of the cluster closer to the desired state. +// TODO(user): Modify the Reconcile function to compare the state specified by +// the Pod object against the actual cluster state, and then +// perform operations to make the cluster state reflect the state specified by +// the user. +// +// For more details, check Reconcile and its Result here: +// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.18.2/pkg/reconcile +func (r *PodReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + rlog := log.FromContext(ctx) + + pod := &v1.Pod{} + err := r.Get(ctx, req.NamespacedName, pod) + if errors.IsNotFound(err) { + rlog.Info("Could not find Pod") + return reconcile.Result{}, nil + } + + if err != nil { + return reconcile.Result{}, fmt.Errorf("could not fetch Pod: %+v", err) + } + + if !pod.DeletionTimestamp.IsZero() { + rlog.Info("Skipping terminating pod") + return reconcile.Result{}, nil + } + + rlog.Info("Reconciling Pod") + name, owner := util.ControllerNameFromPod(pod) + if owner == nil { + owner = metav1.NewControllerRef(&v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: pod.Name, + Namespace: pod.Namespace, + UID: pod.UID, + }, + }, schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}) + } + + issuerKind := DefaultIssuerKind + if util.MapContains(pod.Annotations, "ira.ontsys.com/issuer-kind") { + issuerKind = pod.Annotations["ira.ontsys.com/issuer-kind"] + } + + issuerName := DefaultIssuerName + if util.MapContains(pod.Annotations, "ira.ontsys.com/issuer-name") { + issuerName = pod.Annotations["ira.ontsys.com/issuer-name"] + } + + return util.GenerateCertificate(ctx, pod.ObjectMeta.Annotations, name, pod.Namespace, owner, issuerKind, issuerName) +} + +// SetupWithManager sets up the controller with the Manager. +func (r *PodReconciler) SetupWithManager(mgr ctrl.Manager) error { + return ctrl.NewControllerManagedBy(mgr). + For(&v1.Pod{}). + Complete(r) +} diff --git a/internal/controller/pod_controller_test.go b/internal/controller/pod_controller_test.go new file mode 100644 index 0000000..841890c --- /dev/null +++ b/internal/controller/pod_controller_test.go @@ -0,0 +1,507 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controller + +import ( + "context" + "fmt" + "time" + + cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" + "github.com/google/uuid" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gbytes" + appsv1 "k8s.io/api/apps/v1" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/reconcile" +) + +var _ = Describe("Pod Controller", func() { + var buffer *gbytes.Buffer + t := true + BeforeEach(func() { + buffer = gbytes.NewBuffer() + GinkgoWriter.TeeTo(buffer) + }) + AfterEach(func() { + GinkgoWriter.ClearTeeWriters() + }) + Context("When reconciling a resource", func() { + Context("where the resource is a stand-alone pod", func() { + Context("with a non-existing resource", func() { + It("should not find the resource", func() { + _, err := forceReconcile("no-exist") + Expect(err).ToNot(HaveOccurred()) + Expect(buffer).To(gbytes.Say("Could not find Pod")) + }) + }) + + Context("and it's owner isn't found", func() { + It("should not find the owner", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "no-ower", + Namespace: "default", + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: "apps/v1", + Controller: &t, + Kind: "Deployment", + Name: "no-exist", + UID: types.UID(uuid.New().String()), + }, + }, + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Owner not found")) + }) + }) + + Context("with a resource that is being deleted", func() { + It("should skip the resource", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "deleting", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + Lifecycle: &v1.Lifecycle{ + PreStop: &v1.LifecycleHandler{ + Exec: &v1.ExecAction{ + Command: []string{"sleep", "3"}, + }, + }, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + go func(ctx context.Context, pod *v1.Pod) { + time.Sleep(2 * time.Second) + Expect(k8sClient.Delete(ctx, pod)).To(Succeed()) + }(ctx, pod) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Skipping terminating pod")) + }) + }) + + Context("without IRA annotations", func() { + It("should skip the resource", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Name: "unannotated", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Skipping unannotated resource")) + }) + }) + + Context("with IRA annotations", func() { + Context("when the certificate doesn't exist", func() { + Context("using the generated certificate name", func() { + It("should create the certificate", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Name: "annotated", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Cert doesn't exist: creating")) + + certificate := &cmv1.Certificate{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "annotated-ira", + }, certificate) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(certificate.Name).To(Equal("annotated-ira")) + Expect(certificate.OwnerReferences[0].Kind).To(Equal("Pod")) + Expect(certificate.OwnerReferences[0].Name).To(Equal("annotated")) + }) + Context("when certificate issuer annotations are provided", func() { + It("should use the certificate issuer", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + "ira.ontsys.com/issuer-kind": "Issuer", + "ira.ontsys.com/issuer-name": "i", + }, + Name: "issuer", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Cert doesn't exist: creating")) + + certificate := &cmv1.Certificate{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "issuer-ira", + }, certificate) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(certificate.Name).To(Equal("issuer-ira")) + Expect(certificate.OwnerReferences[0].Kind).To(Equal("Pod")) + Expect(certificate.OwnerReferences[0].Name).To(Equal("issuer")) + Expect(certificate.Spec.IssuerRef.Kind).To(Equal(cmv1.IssuerKind)) + Expect(certificate.Spec.IssuerRef.Name).To(Equal("i")) + }) + }) + }) + Context("using a provided certificate name", func() { + It("should create the certificate", func() { + ctx := context.Background() + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + "ira.ontsys.com/cert": "cert-name", + }, + Name: "named-cert", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Cert doesn't exist: creating")) + + certificate := &cmv1.Certificate{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "cert-name", + }, certificate) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(certificate.Name).To(Equal("cert-name")) + Expect(certificate.OwnerReferences[0].Kind).To(Equal("Pod")) + Expect(certificate.OwnerReferences[0].Name).To(Equal("named-cert")) + + }) + }) + }) + + Context("when the certificate does exist", func() { + It("should update the certificate", func() { + ctx := context.Background() + cert := &cmv1.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Name: "existing-cert-ira", + Namespace: "default", + }, + Spec: cmv1.CertificateSpec{ + CommonName: fmt.Sprintf("IRA exists: %s/%s ", "default", "existing-cert"), + IssuerRef: cmmeta.ObjectReference{ + Name: "cluster-ira-ca", + Kind: cmv1.ClusterIssuerKind, + Group: "cert-manager.io", + }, + SecretName: "existing-cert-ira", + PrivateKey: &cmv1.CertificatePrivateKey{ + Algorithm: cmv1.RSAKeyAlgorithm, + Size: 8192, + }, + }, + } + Expect(k8sClient.Create(ctx, cert)).To(Succeed()) + + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Name: "existing-cert", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Found certificate")) + + certificate := &cmv1.Certificate{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "existing-cert-ira", + }, certificate) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(certificate.Name).To(Equal("existing-cert-ira")) + Expect(certificate.OwnerReferences[0].Kind).To(Equal("Pod")) + Expect(certificate.OwnerReferences[0].Name).To(Equal("existing-cert")) + Expect(certificate.Spec.CommonName).To(Equal(fmt.Sprintf("IRA: %s/%s", "default", "existing-cert"))) + }) + }) + }) + }) + + Context("where the controlling resource is a deployment", func() { + Context("with IRA annotations in the template spec", func() { + It("should create a certificate owned by the deployment", func() { + ctx := context.Background() + deployment := appsv1.Deployment{ + ObjectMeta: metav1.ObjectMeta{ + Name: "deploy", + Namespace: "default", + UID: types.UID(uuid.New().String()), + }, + Spec: appsv1.DeploymentSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "my-app", + }, + }, + Template: v1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Labels: map[string]string{ + "app": "my-app", + }, + Name: "existing-cert", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, &deployment)).To(Succeed()) + + replicaSet := appsv1.ReplicaSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "deploy-76b849fb6c", + Namespace: "default", + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: "apps/v1", + Controller: &t, + Kind: "Deployment", + Name: deployment.Name, + UID: deployment.UID, + }, + }, + UID: types.UID(uuid.New().String()), + }, + Spec: appsv1.ReplicaSetSpec{ + Selector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "app": "my-app", + }, + }, + Template: v1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Labels: map[string]string{ + "app": "my-app", + }, + Name: "existing-cert", + Namespace: "default", + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + }, + }, + } + Expect(k8sClient.Create(ctx, &replicaSet)).To(Succeed()) + + pod := &v1.Pod{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + "ira.ontsys.com/trust-anchor": "ta", + "ira.ontsys.com/profile": "p", + "ira.ontsys.com/role": "c", + }, + Labels: map[string]string{ + "app": "my-app", + }, + Name: "deploy-76b849fb6c-dkmgf", + Namespace: "default", + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: "apps/v1", + Controller: &t, + Kind: "ReplicaSet", + Name: replicaSet.Name, + UID: replicaSet.UID, + }, + }, + UID: types.UID(uuid.New().String()), + }, + Spec: v1.PodSpec{ + Containers: []v1.Container{ + { + Name: "my-container", + Image: "my-image", + }, + }, + }, + } + Expect(k8sClient.Create(ctx, pod)).To(Succeed()) + + Eventually(func() *gbytes.Buffer { + return buffer + }, 5*time.Second, 25*time.Millisecond).Should(gbytes.Say("Cert doesn't exist: creating")) + + certificate := &cmv1.Certificate{} + Eventually(func() bool { + err := k8sClient.Get(ctx, types.NamespacedName{ + Namespace: "default", + Name: "deploy-deployment-ira", + }, certificate) + return err == nil + }, 10*time.Second, 25*time.Millisecond).Should(BeTrue()) + Expect(certificate.Name).To(Equal("deploy-deployment-ira")) + Expect(certificate.OwnerReferences[0].Kind).To(Equal("Deployment")) + Expect(certificate.OwnerReferences[0].Name).To(Equal("deploy")) + }) + }) + }) + }) +}) + +func forceReconcile(podName string) (ctrl.Result, error) { + reconciler := &PodReconciler{ + Client: k8sClient, + } + + return reconciler.Reconcile(ctx, reconcile.Request{ + NamespacedName: types.NamespacedName{ + Namespace: "default", + Name: podName, + }, + }) +} diff --git a/internal/controller/suite_test.go b/internal/controller/suite_test.go new file mode 100644 index 0000000..600cbaf --- /dev/null +++ b/internal/controller/suite_test.go @@ -0,0 +1,137 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controller + +import ( + "context" + "fmt" + "path/filepath" + "runtime" + "testing" + + corev1 "k8s.io/api/core/v1" + + "github.com/ontariosystems/ira-controller/internal/util" + ctrl "sigs.k8s.io/controller-runtime" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/envtest" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + + cmscheme "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned/scheme" + + appsv1 "k8s.io/api/apps/v1" + batchv1 "k8s.io/api/batch/v1" + // +kubebuilder:scaffold:imports +) + +// These tests use Ginkgo (BDD-style Go testing framework). Refer to +// http://onsi.github.io/ginkgo/ to learn more about Ginkgo. + +var ( + cfg *rest.Config + k8sClient client.Client + testEnv *envtest.Environment + ctx context.Context + cancel context.CancelFunc +) + +func TestControllers(t *testing.T) { + RegisterFailHandler(Fail) + + RunSpecs(t, "Controller Suite") +} + +var _ = BeforeSuite(func() { + logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) + + ctx, cancel = context.WithCancel(context.TODO()) + + By("bootstrapping test environment") + testEnv = &envtest.Environment{ + CRDDirectoryPaths: []string{ + filepath.Join("..", "..", "config", "crd", "bases"), + filepath.Join("..", "..", "bin", "cert-crds.yaml"), + }, + ErrorIfCRDPathMissing: false, + + // The BinaryAssetsDirectory is only required if you want to run the tests directly + // without call the makefile target test. If not informed it will look for the + // default path defined in controller-runtime which is /usr/local/kubebuilder/. + // Note that you must have the required binaries setup under the bin directory to perform + // the tests directly. When we run make test it will be setup and used automatically. + BinaryAssetsDirectory: filepath.Join("..", "..", "bin", "k8s", + fmt.Sprintf("1.30.0-%s-%s", runtime.GOOS, runtime.GOARCH)), + } + + var err error + // cfg is defined in this file globally. + cfg, err = testEnv.Start() + Expect(err).NotTo(HaveOccurred()) + Expect(cfg).NotTo(BeNil()) + util.GetConfig = func() *rest.Config { + return cfg + } + + err = corev1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = appsv1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = batchv1.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + err = cmscheme.AddToScheme(scheme.Scheme) + Expect(err).NotTo(HaveOccurred()) + + // +kubebuilder:scaffold:scheme + + k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) + Expect(err).NotTo(HaveOccurred()) + Expect(k8sClient).NotTo(BeNil()) + + k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{ + Scheme: scheme.Scheme, + }) + Expect(err).ToNot(HaveOccurred()) + + err = (&PodReconciler{ + Client: k8sManager.GetClient(), + Scheme: k8sManager.GetScheme(), + }).SetupWithManager(k8sManager) + Expect(err).ToNot(HaveOccurred()) + + go func() { + defer GinkgoRecover() + err = k8sManager.Start(ctx) + Expect(err).ToNot(HaveOccurred(), "failed to run manager") + }() +}) + +var _ = AfterSuite(func() { + cancel() + By("tearing down the test environment") + err := testEnv.Stop() + Expect(err).NotTo(HaveOccurred()) +}) diff --git a/internal/util/certificate.go b/internal/util/certificate.go new file mode 100644 index 0000000..60a93d3 --- /dev/null +++ b/internal/util/certificate.go @@ -0,0 +1,100 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package util + +import ( + "context" + "fmt" + + cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" + cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/reconcile" +) + +// GetCertName returns the name that should be used for the certificate/secret based on an annotation on the pod or the root owner of the pod's name +func GetCertName(podAnnotations map[string]string, resourceControllerName string) (certName string) { + if MapContains(podAnnotations, "ira.ontsys.com/cert") { + certName = podAnnotations["ira.ontsys.com/cert"] + } else { + certName = fmt.Sprintf("%s-ira", resourceControllerName) + } + return +} + +// GenerateCertificate creates/updates a certificate resource to be used for authentication +func GenerateCertificate(ctx context.Context, annotations map[string]string, name string, namespace string, ownerReference *metav1.OwnerReference, issuerKind string, issuerName string) (ctrl.Result, error) { + log := log.FromContext(ctx) + if MapContains(annotations, "ira.ontsys.com/trust-anchor") && MapContains(annotations, "ira.ontsys.com/profile") && MapContains(annotations, "ira.ontsys.com/role") { + log.Info("Found resource with annotations", "controller name", name) + certName := GetCertName(annotations, name) + config := GetConfig() + clientset, err := cmclient.NewForConfig(config) + if err != nil { + return reconcile.Result{}, err + } + cmClient := clientset.CertmanagerV1().Certificates(namespace) + + certificate := &cmv1.Certificate{ + ObjectMeta: metav1.ObjectMeta{ + Name: certName, + Namespace: namespace, + }, + Spec: cmv1.CertificateSpec{ + CommonName: fmt.Sprintf("IRA: %s/%s", namespace, name), + IssuerRef: cmmeta.ObjectReference{ + Name: issuerName, + Kind: issuerKind, + Group: "cert-manager.io", + }, + SecretName: certName, + PrivateKey: &cmv1.CertificatePrivateKey{ + Algorithm: cmv1.RSAKeyAlgorithm, + Size: 8192, + }, + }, + } + + if ownerReference != nil { + certificate.ObjectMeta.OwnerReferences = []metav1.OwnerReference{*ownerReference} + } + + foundCertificate, err := cmClient.Get(ctx, certName, metav1.GetOptions{}) + if errors.IsNotFound(err) { + log.Info("Cert doesn't exist: creating", "error", err) + if _, err := cmClient.Create(ctx, certificate, metav1.CreateOptions{}); err != nil { + return reconcile.Result{}, err + } + } else if err != nil { + return reconcile.Result{}, err + } else { + log.Info("Found certificate", "calculated cert name", certName, "found cert", foundCertificate) + certificate.ObjectMeta.SetResourceVersion(foundCertificate.ObjectMeta.GetResourceVersion()) + + if _, err := cmClient.Update(ctx, certificate, metav1.UpdateOptions{}); err != nil { + return reconcile.Result{}, err + } + } + } else { + log.Info("Skipping unannotated resource") + } + return ctrl.Result{}, nil +} diff --git a/internal/util/config.go b/internal/util/config.go new file mode 100644 index 0000000..04eee85 --- /dev/null +++ b/internal/util/config.go @@ -0,0 +1,5 @@ +package util + +import "sigs.k8s.io/controller-runtime/pkg/client/config" + +var GetConfig = config.GetConfigOrDie diff --git a/internal/util/map.go b/internal/util/map.go new file mode 100644 index 0000000..490f258 --- /dev/null +++ b/internal/util/map.go @@ -0,0 +1,23 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package util + +// MapContains check to see if a map of [string]string contains a key +func MapContains(m map[string]string, s string) bool { + _, exists := m[s] + return exists +} diff --git a/internal/util/pod.go b/internal/util/pod.go new file mode 100644 index 0000000..0849dcf --- /dev/null +++ b/internal/util/pod.go @@ -0,0 +1,73 @@ +/* +Copyright 2024 Ontario Systems. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package util + +import ( + "context" + "errors" + "fmt" + "slices" + "strings" + + v1 "k8s.io/api/core/v1" + k8serrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/client" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +var plog = logf.Log.WithName("pod utils") + +// ControllerNameFromPod given a pod will return the root controller from the owner references +func ControllerNameFromPod(pod *v1.Pod) (string, *metav1.OwnerReference) { + c, err := client.New(GetConfig(), client.Options{}) + if err != nil { + panic(errors.New("could not get client")) + } + owner := getRootOwner(client.NewNamespacedClient(c, pod.Namespace), pod.OwnerReferences) + if owner != nil { + return fmt.Sprintf("%s-%s", owner.Name, strings.ToLower(owner.Kind)), owner + } + return pod.Name, nil +} + +func getRootOwner(c client.Client, owners []metav1.OwnerReference) *metav1.OwnerReference { + for _, owner := range owners { + plog.Info("Processing owner reference", "owner", owner) + if *owner.Controller && slices.Contains([]string{"CronJob", "DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet"}, owner.Kind) { + u := &unstructured.Unstructured{} + u.SetGroupVersionKind(schema.FromAPIVersionAndKind(owner.APIVersion, owner.Kind)) + if err := c.Get(context.Background(), client.ObjectKey{ + Name: owner.Name, + }, u); k8serrors.IsNotFound(err) { + plog.Info("Owner not found", "owner", owner.Name) + return nil + } else if err != nil { + panic(errors.New("could not get owner")) + } + parent := getRootOwner(c, u.GetOwnerReferences()) + if parent == nil { + return &owner + } else { + return parent + } + } + } + return nil +} diff --git a/main.go b/main.go new file mode 100644 index 0000000..91273a2 --- /dev/null +++ b/main.go @@ -0,0 +1,7 @@ +package main + +import "github.com/ontariosystems/ira-controller/cmd" + +func main() { + cmd.Execute() +}