diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 07457c88..5e8d03ca 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -27,6 +27,7 @@ bases: patchesStrategicMerge: - manager_image_patch_edited.yaml - manager_webhook_patch.yaml +- manager_controller_patch.yaml - webhookcainjection_patch.yaml # Protect the /metrics endpoint by putting it behind auth. diff --git a/spectro/controller/manager_controller_patch.yaml b/config/default/manager_controller_patch.yaml similarity index 85% rename from spectro/controller/manager_controller_patch.yaml rename to config/default/manager_controller_patch.yaml index 26c1455a..3caf2c8c 100644 --- a/spectro/controller/manager_controller_patch.yaml +++ b/config/default/manager_controller_patch.yaml @@ -1,3 +1,4 @@ +# This patch is for controller-only mode - adds --webhook-port=0 to disable webhooks apiVersion: apps/v1 kind: Deployment metadata: @@ -6,14 +7,13 @@ metadata: spec: template: spec: - serviceAccountName: default containers: - name: manager args: - "--leader-elect" - - "--webhook-port=0" - "--diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443}" - "--insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false}" - "--cloudstackcluster-concurrency=${CAPC_CLOUDSTACKCLUSTER_CONCURRENCY:=10}" - "--cloudstackmachine-concurrency=${CAPC_CLOUDSTACKMACHINE_CONCURRENCY:=10}" - - "--enable-cloudstack-cks-sync=${CAPC_CLOUDSTACKMACHINE_CKS_SYNC:=false}" \ No newline at end of file + - "--enable-cloudstack-cks-sync=${CAPC_CLOUDSTACKMACHINE_CKS_SYNC:=false}" + - "--webhook-port=0" diff --git a/spectro/README.md b/spectro/README.md index 98fa3aed..682a79e5 100644 --- a/spectro/README.md +++ b/spectro/README.md 
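Review bot: Listing `manager_controller_patch.yaml` under `patchesStrategicMerge` in `config/default` injects `--webhook-port=0` into the default all-in-one deployment, which the patch's own new header line describes as controller-only mode, while `manager_webhook_patch.yaml` and `webhookcainjection_patch.yaml` remain in the same list and still register the Mutating/ValidatingWebhookConfigurations. If the flag does what the header says, the default bundle points admission webhooks at a manager that runs no webhook server; depending on the webhooks' failurePolicy (not visible here) that is either a fail-closed outage for every CAPC resource write or a silent bypass of validation and defaulting. If the goal is only to share the flag list, keep `--webhook-port=0` out of this patch and add it in the `spectro/base` overlay instead, or put the patch in a separate overlay rather than the default kustomization. Note also that a container's `args` is a plain string list, so this strategic-merge patch replaces the whole list from `config/manager` rather than appending, and any flag added there later is silently dropped.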
@@ -1,117 +1,90 @@ -# Spectro CAPC Manifests +# CAPC Webhook/Controller Separation -This directory contains manifest generation scripts and configurations for running CAPC (Cluster API Provider CloudStack) components separately as controller-only and webhook-only pods. +This directory contains the infrastructure to generate separate webhook and controller manifests for the CloudStack provider (CAPC), following the standardized pattern used by all Spectro CAPI providers. ## Overview -The CAPC application can be run in two modes: +The same CAPC binary can run in two modes: +- **Webhook-only mode** (`--webhook-port=9443`): Handles admission webhooks, includes CRDs, runs in `capi-webhook-system` +- **Controller-only mode** (`--webhook-port=0`): Handles reconciliation only, can be namespace-scoped, uses `serviceAccountName: default` -1. **Controller-only mode** (`--webhook-port=0`): Runs only the reconciliation controllers -2. **Webhook-only mode** (`--webhook-port=9443`): Runs only the webhook server - -Both modes use the same codebase and container image, differentiated by the `webhook-port` CLI flag. 
- -## Directory Structure - -``` -spectro/ -├── controller/ # Controller-only manifests -│ ├── kustomization.yaml # Kustomize config for controller -│ ├── namespace.yaml # Namespace definition -│ ├── manager_controller_patch.yaml # Controller-specific deployment patch -│ └── kustomizeconfig.yaml # Kustomize configuration -├── webhook/ # Webhook-only manifests -│ ├── kustomization.yaml # Kustomize config for webhook (includes CRDs) -│ ├── namespace.yaml # Namespace definition -│ ├── manager_webhook_patch.yaml # Webhook-specific deployment patch -│ └── kustomizeconfig.yaml # Kustomize configuration -├── generated/ # Generated manifest files (created by scripts) -│ ├── controller-manifests.yaml # Controller-only manifests -│ └── webhook-manifests.yaml # Webhook-only manifests (with CRDs) -├── generate-controller-manifests.sh # Script to generate controller manifests -├── generate-webhook-manifests.sh # Script to generate webhook manifests -├── generate-all-manifests.sh # Script to generate both sets of manifests -└── README.md # This file -``` - -## Usage - -### Generate All Manifests +## Quick Start +Generate both sets of manifests: ```bash +./run.sh +# Or for more verbose output: ./generate-all-manifests.sh ``` -### Generate Controller-Only Manifests +## Generated Files -```bash -./generate-controller-manifests.sh -``` +- **`generated/core-global.yaml`**: Webhook-only manifests with CRDs +- **`generated/core-base.yaml`**: Controller-only manifests -### Generate Webhook-Only Manifests +## Structure -```bash -./generate-webhook-manifests.sh ``` +spectro/ +├── base/ # Controller-only configuration +│ ├── kustomization.yaml # Kustomize config for capc-system namespace +│ ├── patch_service_account.yaml # Sets serviceAccountName: default, --webhook-port=0 +│ └── patch_healthcheck.yaml # Removes health probes +├── global/ # Webhook-only configuration +│ ├── kustomization.yaml # Kustomize config for capi-webhook-system namespace +│ └── patch_service_account.yaml # Removes 
serviceAccountName (uses default from manager) +├── generated/ # Output directory +└── run.sh # Main generation script +``` + -## Deployment +## Integration with Palette -### Controller-Only Deployment +- **Global deployment**: Palette deploys `core-global.yaml` to `capi-webhook-system` for webhooks +- **Namespaced deployment**: Palette deploys `core-base.yaml` to tenant namespaces with `--namespace=$(NAMESPACE)` for isolation +- **Namespace isolation**: Each controller instance only reconciles objects in its own namespace -The controller-only deployment includes: -- Manager deployment with `--webhook-port=0` -- RBAC permissions for controllers -- No webhook configurations -- No CRDs (should be deployed separately or via webhook deployment) +## Manual Deployment +### Deploy Webhook Server (Global) ```bash -kubectl apply -f generated/controller-manifests.yaml +kubectl apply -f generated/core-global.yaml ``` -### Webhook-Only Deployment - -The webhook-only deployment includes: -- Manager deployment with `--webhook-port=9443` -- CRDs (Custom Resource Definitions) -- Webhook configurations (MutatingWebhookConfiguration and ValidatingWebhookConfiguration) -- Webhook service -- No RBAC for controllers -- No cert-manager configurations (certificates must be managed separately) - +### Deploy Controller (Namespaced) ```bash -kubectl apply -f generated/webhook-manifests.yaml +kubectl create namespace my-tenant-ns +kubectl apply -f generated/core-base.yaml -n my-tenant-ns ``` -## Important Notes - -1. **RBAC**: Only the controller deployment includes RBAC permissions. The webhook deployment does not include RBAC or cert-manager configurations as requested. - -2. **CRDs**: Custom Resource Definitions are included only in the webhook deployment. - -3. **Certificates**: The webhook server requires TLS certificates. 
You need to create a secret named `capc-webhook-service-cert` with the TLS certificate and key: - - ```bash - kubectl create secret tls capc-webhook-service-cert \ - --cert=tls.crt \ - --key=tls.key \ - -n capc-system - ``` - -4. **Image**: Both deployments use the same container image. Make sure to update the image reference in `config/manager/manager.yaml` or patch files as needed. +## Key Features -5. **Networking**: The webhook service runs on port 9443 and expects the admission controllers to be accessible from the Kubernetes API server. +- **✅ Webhook separation**: Webhooks run centrally in `capi-webhook-system` +- **✅ Namespace isolation**: Controllers only reconcile objects in their namespace +- **✅ Health probe removal**: Controller-only mode removes health probes that conflict with webhook-port=0 +- **✅ Service account**: Controller uses `serviceAccountName: default` for tenant namespaces +- **✅ Standardized naming**: Matches AWS (`capa-`) and Azure (`capz-`) patterns with `capc-` prefix +- **✅ Consistent pattern**: Uses same structure and naming as other Spectro CAPI providers -## Customization +## Validation -To customize the deployments: +### Controller Manifests Should Include: +- `--webhook-port=0` in container args +- `serviceAccountName: default` +- No CRDs or webhook configurations +- Namespace: `capc-system` -1. Modify the patch files in `controller/` or `webhook/` directories -2. Update the kustomization.yaml files to add additional resources or patches -3. Regenerate the manifests using the provided scripts +### Webhook Manifests Should Include: +- CRDs and `ValidatingWebhookConfiguration`/`MutatingWebhookConfiguration` +- All resources in `capi-webhook-system` namespace +- Webhook services pointing to correct namespace -## Labels and Selectors +## Development -- Controller pods use label: `control-plane: capc-controller-manager` -- Webhook pods use label: `control-plane: capc-webhook-manager` +When modifying the configuration: +1. 
Edit files in `base/` or `global/` +2. Run `./run.sh` to regenerate manifests +3. Test both controller and webhook deployments +4. Verify namespace isolation works correctly -This allows for separate selection and management of the two types of pods. \ No newline at end of file +For more details, see `executedSteps.md` which contains the complete implementation guide for applying this pattern to other CAPI providers. diff --git a/spectro/base/kustomization.yaml b/spectro/base/kustomization.yaml new file mode 100644 index 00000000..48f18653 --- /dev/null +++ b/spectro/base/kustomization.yaml @@ -0,0 +1,34 @@ +namePrefix: capc- +namespace: capc-system + +resources: +- ../../config/manager + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: +- includeSelectors: true + pairs: + cluster.x-k8s.io/provider: infrastructure-cloudstack +patches: +- path: patch_service_account.yaml + target: + group: apps + kind: Deployment + name: controller-manager + namespace: system + version: v1 +- path: patch_healthcheck.yaml + target: + group: apps + kind: Deployment + name: controller-manager + namespace: system + version: v1 +- path: ../../config/default/manager_image_patch.yaml + target: + group: apps + kind: Deployment + name: controller-manager + version: v1 + diff --git a/spectro/base/patch_healthcheck.yaml b/spectro/base/patch_healthcheck.yaml new file mode 100644 index 00000000..25d6ac29 --- /dev/null +++ b/spectro/base/patch_healthcheck.yaml @@ -0,0 +1,4 @@ +- op: remove + path: "/spec/template/spec/containers/0/livenessProbe" +- op: remove + path: "/spec/template/spec/containers/0/readinessProbe" diff --git a/spectro/base/patch_service_account.yaml b/spectro/base/patch_service_account.yaml new file mode 100644 index 00000000..d9cd4321 --- /dev/null +++ b/spectro/base/patch_service_account.yaml @@ -0,0 +1,2 @@ +- op: remove + path: "/spec/template/spec/serviceAccountName" 
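Review bot: The overlay pins `namespace: capc-system` on every rendered object, yet the scripts in this change instruct operators to deploy `core-base.yaml` per tenant with `kubectl apply -n <tenant>`; kubectl rejects an object whose `metadata.namespace` differs from `-n`, so the file as generated cannot be applied to a tenant namespace without editing. Nothing in this overlay, nor in the args the rendered `core-base.yaml` carries (`--leader-elect`, diagnostics and concurrency flags, `--webhook-port=0`), restricts the controller to one namespace, so the isolation the README promises rests entirely on whatever Palette injects at deploy time and on the RBAC it binds, neither of which appears in this diff. If a per-namespace deployment is the contract, consider leaving `namespace` unset here and adding a JSON patch that appends the namespace-scoping flag the README mentions (`--namespace=$(NAMESPACE)`) to the manager args, so the restriction is carried by the manifest rather than assumed. A one-line comment above `namespace:` stating who is expected to override it would at least make the dependency explicit, e.g. `# Palette overrides this with the tenant namespace at deploy time`.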
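Review bot: Removing both `livenessProbe` and `readinessProbe` leaves the single-replica controller with no restart path if the process deadlocks or its leader-election client wedges; the pod stays Running and nothing reconciles until a human notices. The README asserts the probes conflict with `--webhook-port=0`, but the probes being dropped from `core-base.yaml` target `/healthz` and `/readyz` on port 8081, a separate listener from the webhook port, and nothing in this change shows them actually failing in controller-only mode. Confirm that before deleting them; if they do fail, registering the health checks for that mode in main.go is the safer fix, and if they do not, this patch should go. At minimum add `# TODO(review): confirm /healthz on 8081 is unavailable when --webhook-port=0; otherwise restore the probes` above the first `op: remove`.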
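Review bot: Removing `serviceAccountName` makes the controller run as the tenant namespace's `default` ServiceAccount, the same identity every other pod in that namespace gets when it does not name one; whatever RBAC Palette binds for the controller is therefore inherited by unrelated workloads, and a compromised neighbour pod holds the CloudStack controller's API rights. A dedicated ServiceAccount per tenant namespace, bound only to the controller's ClusterRole/Role, keeps that privilege confined to the controller at no operational cost. If Palette genuinely requires the `default` account, record that constraint in the patch itself, e.g. `# Palette binds the controller RBAC to the namespace default SA; do not reintroduce serviceAccountName`, so a later reviewer does not undo it or assume it was an oversight.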
diff --git a/spectro/controller/kustomization.yaml b/spectro/controller/kustomization.yaml deleted file mode 100644 index 5fe2a26d..00000000 --- a/spectro/controller/kustomization.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. -namePrefix: capc- - -# Labels to add to all resources and selectors. -labels: -- pairs: - cluster.x-k8s.io/provider: "infrastructure-cloudstack" - -resources: - - ../../config/manager -patches: -- path: manager_controller_patch.yaml - diff --git a/spectro/controller/namespace.yaml b/spectro/controller/namespace.yaml deleted file mode 100644 index e85da1f0..00000000 --- a/spectro/controller/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: capc-controller-manager - name: system \ No newline at end of file diff --git a/spectro/executedSteps.md b/spectro/executedSteps.md index 0b35bd78..1c791800 100644 --- a/spectro/executedSteps.md +++ b/spectro/executedSteps.md 
@@ -1,75 +1,159 @@ -### Single prompt to reproduce all changes - -Use this single prompt: - -- Modify main.go to allow running the same binary as either controller-only or webhook-only based on a new flag: - - Add int flag --webhook-port (default 9443). Behavior: - - If --webhook-port=0: controller-only mode. Do not create a webhook server; register reconcilers only. - - If --webhook-port!=0 (e.g., 9443): webhook-only mode. Create webhook server with that port; register webhooks only (no reconcilers). - - Only set ctrl.Options.WebhookServer when port != 0; keep health/ready probes and existing tlsOptions/metrics handling. - - Keep the existing cert/key flags (webhook-cert-dir/name/key) working. - -- Add a new spectro/ folder with scripts and kustomizations to generate two sets of manifests from the same code/image: - - spectro/controller/ - - kustomization.yaml: - - namePrefix: capc- - - labels: cluster.x-k8s.io/provider: "infrastructure-cloudstack" - - resources: ../../config/manager - - patches: manager_controller_patch.yaml - - Do NOT include namespace, RBAC, webhooks, or cert-manager. 
- - manager_controller_patch.yaml: - - Set spec.template.spec.serviceAccountName: default - - Container args include: - - --leader-elect - - --webhook-port=0 - - --diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443} - - --insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false} - - --cloudstackcluster-concurrency=${CAPC_CLOUDSTACKCLUSTER_CONCURRENCY:=10} - - --cloudstackmachine-concurrency=${CAPC_CLOUDSTACKMACHINE_CONCURRENCY:=10} - - --enable-cloudstack-cks-sync=${CAPC_CLOUDSTACKMACHINE_CKS_SYNC:=false} - - spectro/webhook/ - - kustomization.yaml: - - namespace: capi-webhook-system - - namePrefix: capc- - - labels: cluster.x-k8s.io/provider: "infrastructure-cloudstack" - - resources: ../../config/crd, ../../config/manager, ../../config/webhook - - patches: manager_webhook_patch.yaml - - vars: - - CERTIFICATE_NAMESPACE: from Service/webhook-service metadata.namespace - - CERTIFICATE_NAME: from Service/webhook-service metadata.name - - SERVICE_NAMESPACE: from Service/webhook-service metadata.namespace - - SERVICE_NAME: from Service/webhook-service metadata.name - - configurations: [kustomizeconfig.yaml] (local file below) - - kustomizeconfig.yaml: - - nameReference: Service v1 → webhooks/clientConfig/service/name in MutatingWebhookConfiguration and ValidatingWebhookConfiguration - - namespace mapping: webhooks/clientConfig/service/namespace (create: true) in both webhook configurations - - varReference: metadata/annotations - - manager_webhook_patch.yaml: - - Label the Deployment/pod template with control-plane: capc-webhook-manager - - Set container args to include --webhook-port=9443 - - Expose container port 9443 named webhook-server - - Mount TLS certs at /tmp/k8s-webhook-server/serving-certs from a Secret named capc-webhook-service-cert - - Do NOT add RBAC or cert-manager - - Scripts (make executable): - - spectro/generate-controller-manifests.sh: kustomize build spectro/controller → spectro/generated/controller-manifests.yaml - - 
spectro/generate-webhook-manifests.sh: kustomize build spectro/webhook → spectro/generated/webhook-manifests.yaml - - spectro/generate-all-manifests.sh: runs both scripts - - README in spectro/ explaining usage and that: - - Controller-only manifests: no namespace patch, no RBAC, no webhooks, no CRDs, no cert-manager - - Webhook-only manifests: include CRDs and webhook configs, no RBAC, no cert-manager, namespace is capi-webhook-system - - Both use the same image; functionality controlled by --webhook-port - -- Ensure generated outputs meet these checks: - - Controller manifests: - - Include args with --webhook-port=0 - - Use serviceAccountName: default - - Do not contain CRDs or webhook configs - - Webhook manifests: - - Include CRDs and Mutating/ValidatingWebhookConfiguration pointing to Service/webhook-service - - Are in namespace capi-webhook-system - - cert-manager.io/inject-ca-from annotations resolve to capi-webhook-system/capc-webhook-service - - No RBAC or cert-manager resources included - -- Do not add or depend on namespace.yaml; do not include RBAC in controller; do not include cert-manager in webhook. +### Single prompt to implement CAPI provider webhook/controller separation + +I need to implement webhook/controller separation for a CAPI provider following the standardized pattern used by AWS (CAPA), Azure (CAPZ), and CloudStack (CAPC). Please help me: + +1. **Modify main.go** to support running the same binary in two modes: + - Add `--webhook-port` flag (int, provider-specific default) + - If `--webhook-port=0`: controller-only mode (register reconcilers only, no webhook server) + - If `--webhook-port!=0`: webhook-only mode (register webhooks only, no reconcilers) + - Note: Check existing provider defaults - some default to webhook mode, others to controller mode + - Use this pattern: + ```go + if webhookPort == 0 { + registerControllers(ctx, mgr) + } else { + registerWebhooks(mgr) + } + ``` + +2. 
**Create spectro/ folder structure** with standardized naming: + ``` + spectro/ + ├── base/ # Controller-only manifests + │ ├── kustomization.yaml # Uses namePrefix: cap[X]-, namespace: cap[X]-system + │ ├── patch_service_account.yaml # Sets serviceAccountName: default, --webhook-port=0 + │ └── patch_healthcheck.yaml # Removes health probes + ├── global/ # Webhook-only manifests + │ ├── kustomization.yaml # Uses namespace: capi-webhook-system, includes CRDs + │ └── patch_service_account.yaml # Removes serviceAccountName + ├── generated/ # Output directory + └── run.sh # Generation script + ``` + +3. **Base configuration** (controller-only): + - **kustomization.yaml**: Use kustomize v1beta1 format, include only `../../config/manager` + - **patch_service_account.yaml**: JSON patch to set or remove serviceAccountName as needed. Provider-specific flags (e.g. --webhook-port=0) may be handled in separate patches if required. + - **patch_healthcheck.yaml**: JSON patch to remove liveness/readiness probes + - Target namespace: `cap[provider-prefix]-system` (e.g., `capc-system`) + +4. **Global configuration** (webhook-only): + - **kustomization.yaml**: Include `../../config/crd`, `../../config/manager`, `../../config/webhook`, `../../config/certmanager` + - **patch_service_account.yaml**: JSON patch to remove serviceAccountName entirely + - Target namespace: `capi-webhook-system` + - Apply manager_webhook_patch.yaml and webhookcainjection_patch.yaml from config/default if they exist + - Include configurations section for kustomizeconfig.yaml + - Add vars section for CERTIFICATE_NAMESPACE, CERTIFICATE_NAME, SERVICE_NAMESPACE, SERVICE_NAME + +5. **Generation script** (run.sh): + ```bash + #!/bin/bash + rm -f generated/* + kustomize build --load-restrictor LoadRestrictionsNone global > ./generated/core-global.yaml + kustomize build --load-restrictor LoadRestrictionsNone base > ./generated/core-base.yaml + ``` + +6. 
**Additional scripts** for compatibility: + - `generate-controller-manifests.sh`: Calls base kustomization → core-base.yaml + - `generate-webhook-manifests.sh`: Calls global kustomization → core-global.yaml + - `generate-all-manifests.sh`: Calls run.sh + +**Requirements:** +- Use JSON patches (RFC 6902) not strategic merge +- Controller manifests: `--webhook-port=0`, `serviceAccountName: default`, no CRDs/webhooks +- Webhook manifests: Include CRDs, webhooks, Certificate, Issuer, and cert-manager CA injection annotations +- Target namespace: `capi-webhook-system` for webhook, `cap[provider-prefix]-system` for controller +- Skip RBAC for both (handled by Palette) +- Use kustomize v1beta1 format with proper labels +- Match naming pattern: prefix should be `cap[X]-` where X is provider abbreviation +- Output files: `core-global.yaml` (webhook), `core-base.yaml` (controller) + +**Global kustomization template:** +```yaml +namespace: capi-webhook-system +namePrefix: cap[provider-prefix]- + +resources: +- ../../config/crd +- ../../config/manager +- ../../config/webhook +- ../../config/certmanager + +configurations: +- ../../config/default/kustomizeconfig.yaml + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +labels: +- includeSelectors: true + pairs: + cluster.x-k8s.io/provider: infrastructure-[provider] +patches: +- path: patch_service_account.yaml + target: + group: apps + kind: Deployment + name: controller-manager + namespace: system + version: v1 +- path: ../../config/default/manager_image_patch.yaml + target: + group: apps + kind: Deployment + name: controller-manager + version: v1 +- path: ../../config/default/manager_webhook_patch.yaml + target: + group: apps + kind: Deployment + name: controller-manager + version: v1 +- path: ../../config/default/webhookcainjection_patch.yaml + +vars: +- name: CERTIFICATE_NAMESPACE + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldref: + fieldpath: 
metadata.namespace +- name: CERTIFICATE_NAME + objref: + kind: Certificate + group: cert-manager.io + version: v1 + name: serving-cert + fieldref: + fieldpath: metadata.name +- name: SERVICE_NAMESPACE + objref: + kind: Service + version: v1 + name: webhook-service + fieldref: + fieldpath: metadata.namespace +- name: SERVICE_NAME + objref: + kind: Service + version: v1 + name: webhook-service +``` + +**Expected webhook manifest contents:** +- Certificate resource: `cap[prefix]-serving-cert` in `capi-webhook-system` +- Issuer resource: `cap[prefix]-selfsigned-issuer` in `capi-webhook-system` +- All CRDs have `cert-manager.io/inject-ca-from: capi-webhook-system/cap[prefix]-serving-cert` +- MutatingWebhookConfiguration has `cert-manager.io/inject-ca-from` annotation +- ValidatingWebhookConfiguration has `cert-manager.io/inject-ca-from` annotation +- DNS names in Certificate match webhook service name and namespace + +**Provider-specific details to customize:** +- Replace `[provider-prefix]` with actual prefix (e.g., `capc` for CloudStack) +- Replace `[provider]` with provider name (e.g., `cloudstack`) +- Add provider-specific controller flags to patch_service_account.yaml +- Add any provider-specific patches if needed (like Azure's CRD webhook namespace patches) +- Ensure config/certmanager and config/default/webhookcainjection_patch.yaml exist + diff --git a/spectro/generate-all-manifests.sh b/spectro/generate-all-manifests.sh index 3bab36a1..8c2826e7 100755 --- a/spectro/generate-all-manifests.sh +++ b/spectro/generate-all-manifests.sh 
@@ -6,18 +6,14 @@ set -e SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" echo "Generating all CAPC manifests..." - -# Generate controller manifests -"${SCRIPT_DIR}/generate-controller-manifests.sh" - echo "" -# Generate webhook manifests -"${SCRIPT_DIR}/generate-webhook-manifests.sh" +# Use the standardized run.sh approach +"${SCRIPT_DIR}/run.sh" echo "" echo "All manifests generated successfully!" echo "" echo "Generated files:" -echo " - Controller-only: ${SCRIPT_DIR}/generated/controller-manifests.yaml" -echo " - Webhook-only: ${SCRIPT_DIR}/generated/webhook-manifests.yaml" \ No newline at end of file +echo " - Controller-only: ${SCRIPT_DIR}/generated/core-base.yaml" +echo " - Webhook-only: ${SCRIPT_DIR}/generated/core-global.yaml" diff --git a/spectro/generate-controller-manifests.sh b/spectro/generate-controller-manifests.sh index f34e4f9b..c1d82f54 100755 --- a/spectro/generate-controller-manifests.sh +++ b/spectro/generate-controller-manifests.sh @@ -11,11 +11,11 @@ echo "Generating controller-only manifests..." # Create output directory mkdir -p "${SCRIPT_DIR}/generated" -# Generate controller manifests (webhook-port=0) -cd "${SCRIPT_DIR}/controller" -kustomize build . > "${SCRIPT_DIR}/generated/controller-manifests.yaml" +# Generate controller manifests +cd "${SCRIPT_DIR}" +kustomize build --load-restrictor LoadRestrictionsNone base > "${SCRIPT_DIR}/generated/core-base.yaml" -echo "Controller-only manifests generated at: ${SCRIPT_DIR}/generated/controller-manifests.yaml" +echo "Controller-only manifests generated: ${SCRIPT_DIR}/generated/core-base.yaml" echo "" echo "To deploy the controller:" -echo "kubectl apply -f ${SCRIPT_DIR}/generated/controller-manifests.yaml" \ No newline at end of file +echo "kubectl apply -f ${SCRIPT_DIR}/generated/core-base.yaml" diff --git a/spectro/generate-webhook-manifests.sh b/spectro/generate-webhook-manifests.sh index 3a27f560..665ffe34 100755 --- a/spectro/generate-webhook-manifests.sh 
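Review bot: The printed deploy hint `kubectl apply -f ${SCRIPT_DIR}/generated/core-base.yaml` ships the manager flags with their `${CAPI_DIAGNOSTICS_ADDRESS:=:8443}`-style placeholders intact: kustomize substitutes only `$(VAR)` references, the rendered `core-base.yaml` in this diff still contains the `${...:=...}` strings, and plain kubectl performs no substitution, so the binary would receive a literal `${...}` as its diagnostics listen address and concurrency values. Either run the output through the clusterctl/envsubst-style step the placeholders are written for, or print that requirement instead of a bare kubectl command, e.g. `echo "Note: expand the \${VAR:=default} placeholders (clusterctl or envsubst) before applying."`. `--load-restrictor LoadRestrictionsNone` is needed because the overlay reads `../../config`, but it also lets a kustomization pull in any file on the build host, so keep the build rooted at `${SCRIPT_DIR}` as the `cd` does and treat the overlay directory as trusted input.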
+++ b/spectro/generate-webhook-manifests.sh @@ -11,14 +11,14 @@ echo "Generating webhook-only manifests..." # Create output directory mkdir -p "${SCRIPT_DIR}/generated" -# Generate webhook manifests (webhook-port=9443) - includes CRDs -cd "${SCRIPT_DIR}/webhook" -kustomize build . > "${SCRIPT_DIR}/generated/webhook-manifests.yaml" +# Generate webhook manifests +cd "${SCRIPT_DIR}" +kustomize build --load-restrictor LoadRestrictionsNone global > "${SCRIPT_DIR}/generated/core-global.yaml" -echo "Webhook-only manifests (with CRDs) generated at: ${SCRIPT_DIR}/generated/webhook-manifests.yaml" +echo "Webhook-only manifests (with CRDs) generated: ${SCRIPT_DIR}/generated/core-global.yaml" echo "" echo "To deploy the webhook server:" -echo "kubectl apply -f ${SCRIPT_DIR}/generated/webhook-manifests.yaml" +echo "kubectl apply -f ${SCRIPT_DIR}/generated/core-global.yaml" echo "" echo "Note: You may need to create TLS certificates for the webhook service." -echo "The webhook expects certificates at /tmp/k8s-webhook-server/serving-certs/ in the container." \ No newline at end of file +echo "The webhook expects certificates at /tmp/k8s-webhook-server/serving-certs/ in the container." diff --git a/spectro/generated/controller-manifests.yaml b/spectro/generated/core-base.yaml similarity index 85% rename from spectro/generated/controller-manifests.yaml rename to spectro/generated/core-base.yaml index 539892c7..8b24b604 100644 --- a/spectro/generated/controller-manifests.yaml +++ b/spectro/generated/core-base.yaml @@ -17,6 +17,7 @@ metadata: labels: cluster.x-k8s.io/provider: infrastructure-cloudstack name: capc-manager-config + namespace: capc-system --- apiVersion: apps/v1 kind: Deployment 
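Review bot: The closing hint `You may need to create TLS certificates for the webhook service.` is stale after this change: the rendered `core-global.yaml` now carries a cert-manager `Certificate` and self-signed `Issuer` that produce the `webhook-server-cert` secret the deployment mounts, so the real prerequisite is cert-manager being installed in the target cluster; without it the `cert-manager.io/v1` objects are rejected at apply time and the `inject-ca-from` annotations never populate `caBundle`, leaving the API server unable to trust the webhook. Replace the two echo lines with `echo "Note: cert-manager must be installed; the manifest creates a self-signed Issuer and Certificate for the webhook service."` and `echo "Serving certs are mounted from the webhook-server-cert secret at /tmp/k8s-webhook-server/serving-certs/."`. A self-signed issuer is adequate for an in-cluster webhook because the API server trusts the injected CA, which is also why a missing cert-manager is a hard failure rather than a warning.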
@@ -25,42 +26,32 @@ metadata: cluster.x-k8s.io/provider: infrastructure-cloudstack control-plane: capc-controller-manager name: capc-controller-manager - namespace: system + namespace: capc-system spec: replicas: 1 selector: matchLabels: + cluster.x-k8s.io/provider: infrastructure-cloudstack control-plane: capc-controller-manager template: metadata: labels: + cluster.x-k8s.io/provider: infrastructure-cloudstack control-plane: capc-controller-manager spec: containers: - args: - --leader-elect - - --webhook-port=0 - --diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443} - --insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false} - --cloudstackcluster-concurrency=${CAPC_CLOUDSTACKCLUSTER_CONCURRENCY:=10} - --cloudstackmachine-concurrency=${CAPC_CLOUDSTACKMACHINE_CONCURRENCY:=10} - --enable-cloudstack-cks-sync=${CAPC_CLOUDSTACKMACHINE_CKS_SYNC:=false} + - --webhook-port=0 command: - /manager image: localhost:5000/cluster-api-provider-cloudstack:latest - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 name: manager - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 resources: limits: cpu: 100m @@ -81,7 +72,6 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: default terminationGracePeriodSeconds: 10 tolerations: - effect: NoSchedule diff --git a/spectro/generated/webhook-manifests.yaml b/spectro/generated/core-global.yaml similarity index 98% rename from spectro/generated/webhook-manifests.yaml rename to spectro/generated/core-global.yaml index be38c490..fda9eaf1 100644 --- a/spectro/generated/webhook-manifests.yaml +++ b/spectro/generated/core-global.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -202,7 +202,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -736,7 +736,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -1008,7 +1008,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -1298,7 +1298,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack 
@@ -2074,7 +2074,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -2239,7 +2239,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -2917,7 +2917,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - cert-manager.io/inject-ca-from: capi-webhook-system/capc-webhook-service + cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert controller-gen.kubebuilder.io/version: v0.16.5 labels: cluster.x-k8s.io/provider: infrastructure-cloudstack @@ -3038,6 +3038,7 @@ spec: protocol: TCP targetPort: 9443 selector: + cluster.x-k8s.io/provider: infrastructure-cloudstack control-plane: capc-controller-manager --- apiVersion: apps/v1 
@@ -3045,22 +3046,29 @@ kind: Deployment metadata: labels: cluster.x-k8s.io/provider: infrastructure-cloudstack - control-plane: capc-webhook-manager + control-plane: capc-controller-manager name: capc-controller-manager namespace: capi-webhook-system spec: replicas: 1 selector: matchLabels: - control-plane: capc-webhook-manager + cluster.x-k8s.io/provider: infrastructure-cloudstack + control-plane: capc-controller-manager template: metadata: labels: - control-plane: capc-webhook-manager + cluster.x-k8s.io/provider: infrastructure-cloudstack + control-plane: capc-controller-manager spec: containers: - args: - - --webhook-port=9443 + - --leader-elect + - --diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443} + - --insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false} + - --cloudstackcluster-concurrency=${CAPC_CLOUDSTACKCLUSTER_CONCURRENCY:=10} + - --cloudstackmachine-concurrency=${CAPC_CLOUDSTACKMACHINE_CONCURRENCY:=10} + - --enable-cloudstack-cks-sync=${CAPC_CLOUDSTACKMACHINE_CKS_SYNC:=false} command: - /manager image: localhost:5000/cluster-api-provider-cloudstack:latest @@ -3105,7 +3113,6 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault - serviceAccountName: controller-manager terminationGracePeriodSeconds: 10 tolerations: - effect: NoSchedule 
@@ -3116,11 +3123,39 @@ spec:
 - name: cert
 secret:
 defaultMode: 420
- secretName: capc-webhook-service-cert
+ secretName: webhook-server-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: infrastructure-cloudstack
+ name: capc-serving-cert
+ namespace: capi-webhook-system
+spec:
+ dnsNames:
+ - capc-webhook-service.capi-webhook-system.svc
+ - capc-webhook-service.capi-webhook-system.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: capc-selfsigned-issuer
+ secretName: webhook-server-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: infrastructure-cloudstack
+ name: capc-selfsigned-issuer
+ namespace: capi-webhook-system
+spec:
+ selfSigned: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert
 labels:
 cluster.x-k8s.io/provider: infrastructure-cloudstack
 name: capc-mutating-webhook-configuration
@@ -3192,6 +3227,8 @@ webhooks:
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: capi-webhook-system/capc-serving-cert
 labels:
 cluster.x-k8s.io/provider: infrastructure-cloudstack
 name: capc-validating-webhook-configuration
diff --git a/spectro/global/kustomization.yaml b/spectro/global/kustomization.yaml
new file mode 100644
index 00000000..e0334ab4
--- /dev/null
+++ b/spectro/global/kustomization.yaml
@@ -0,0 +1,74 @@
+namespace: capi-webhook-system
+
+namePrefix: capc-
+
+resources:
+- ../../config/crd
+- ../../config/manager
+- ../../config/webhook
+- ../../config/certmanager
+
+configurations:
+- ../../config/default/kustomizeconfig.yaml
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+- includeSelectors: true
+ pairs:
+ cluster.x-k8s.io/provider: infrastructure-cloudstack
+patches:
+- path: patch_service_account.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: controller-manager
+ namespace: system
+ version: v1
+- path: ../../config/default/manager_image_patch.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: controller-manager
+ version: v1
+- path: ../../config/default/manager_webhook_patch.yaml
+ target:
+ group: apps
+ kind: Deployment
+ name: controller-manager
+ version: v1
+- path: ../../config/default/webhookcainjection_patch.yaml
+
+vars:
+- name: CERTIFICATE_NAMESPACE
+ objref:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert
+ fieldref:
+ fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+ objref:
+ kind: Certificate
+ group: cert-manager.io
+ version: v1
+ name: serving-cert
+ fieldref:
+ fieldpath: metadata.name
+- name: SERVICE_NAMESPACE
+ objref:
+ kind: Service
+ version: v1
+ name: webhook-service
+ fieldref:
+ fieldpath: metadata.namespace
+- name: SERVICE_NAME
+ objref:
+ kind: Service
+ version: v1
+ name: webhook-service
+
+
+
+
diff --git a/spectro/global/patch_service_account.yaml b/spectro/global/patch_service_account.yaml
new file mode 100644
index 00000000..d9cd4321
--- /dev/null
+++ b/spectro/global/patch_service_account.yaml
@@ -0,0 +1,2 @@
+- op: remove
+ path: "/spec/template/spec/serviceAccountName"
diff --git a/spectro/run.sh b/spectro/run.sh
new file mode 100755
index 00000000..9eccb4b5
--- /dev/null
+++ b/spectro/run.sh
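Review bot: Nothing in this overlay pins the webhook port: the `patches` list applies `../../config/default/manager_webhook_patch.yaml` but no patch adds `--webhook-port=9443`, and the generated Deployment at the `@@ -3045,22 +3046,29 @@` hunk shows `- --webhook-port=9443` removed while the full controller argument set (`--leader-elect` plus the concurrency flags) is added. If the manager does not suppress its reconcilers when the webhook server is enabled, this capi-webhook-system instance reconciles alongside the controller-only deployment that `config/default` now builds with `--webhook-port=0`. Carrying an explicit `- "--webhook-port=9443"` in a patch for this overlay, as the deleted `spectro/webhook/manager_webhook_patch.yaml` did, keeps the intended mode visible in the manifest instead of depending on the binary's default. Also, `vars` is deprecated in kustomize in favour of `replacements`; a one-line comment above `vars:` saying why it is retained would save the next reader a migration attempt.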
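Review bot: Removing `serviceAccountName` makes the capi-webhook-system Deployment run under that namespace's `default` ServiceAccount, so whatever RBAC the manager needs (it is started with `--leader-elect` and the reconciler flags in the generated output) must be bound to `default`, and every other pod in the namespace that omits a ServiceAccount inherits the same permissions. The previous generated output carried `serviceAccountName: controller-manager` (dropped at the `@@ -3105,7 +3113,6 @@` hunk), so this widens the set of identities holding the controller's privileges rather than narrowing it. If the shared-namespace pattern requires `default`, a comment in this patch should say so and point at the binding that grants it, e.g. `# Drop the dedicated SA so the pod runs as the namespace default SA; its RBAC is bound in <binding manifest>`.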
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -f generated/*
+
+kustomize build --load-restrictor LoadRestrictionsNone global > ./generated/core-global.yaml
+kustomize build --load-restrictor LoadRestrictionsNone base > ./generated/core-base.yaml
diff --git a/spectro/webhook/kustomization.yaml b/spectro/webhook/kustomization.yaml
deleted file mode 100644
index 0dc40b74..00000000
--- a/spectro/webhook/kustomization.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-# Adds namespace to all resources.
-namespace: capi-webhook-system
-# Value of this field is prepended to the
-# names of all resources, e.g. a deployment named
-# "wordpress" becomes "alices-wordpress".
-# Note that it should also match with the prefix (text before '-') of the namespace
-# field above.
-namePrefix: capc-
-
-# Labels to add to all resources and selectors.
-labels:
-- pairs:
- cluster.x-k8s.io/provider: "infrastructure-cloudstack"
-
-resources:
- ../../config/crd
- ../../config/manager
- ../../config/webhook
-
-# the following config is for teaching kustomize how to do var substitution
-vars:
-- name: CERTIFICATE_NAMESPACE
- objref:
- kind: Service
- version: v1
- name: webhook-service
- fieldref:
- fieldpath: metadata.namespace
-- name: CERTIFICATE_NAME
- objref:
- kind: Service
- version: v1
- name: webhook-service
- fieldref:
- fieldpath: metadata.name
-- name: SERVICE_NAMESPACE # namespace of the service
- objref:
- kind: Service
- version: v1
- name: webhook-service
- fieldref:
- fieldpath: metadata.namespace
-- name: SERVICE_NAME
- objref:
- kind: Service
- version: v1
- name: webhook-service
-
-configurations:
- kustomizeconfig.yaml
-patches:
-- path: manager_webhook_patch.yaml
-
-
-
diff --git a/spectro/webhook/kustomizeconfig.yaml b/spectro/webhook/kustomizeconfig.yaml
deleted file mode 100644
index 7299e588..00000000
--- a/spectro/webhook/kustomizeconfig.yaml
+++ /dev/null
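Review bot: The script has no `set -euo pipefail` and never changes into its own directory, so `rm -f generated/*` and the two redirects act on whatever `generated/` exists in the caller's cwd, a failed `kustomize build` leaves an empty or truncated `core-*.yaml` behind while the script carries on, and the redirect itself fails if `generated/` is not present yet. `base` is not among the directories this commit adds, so it is presumably pre-existing; worth confirming. `--load-restrictor LoadRestrictionsNone` is required because the overlays reach up to `../../config`, but it switches off kustomize's refusal to read files outside the kustomization root, so the reason belongs in a comment next to the flag.
```shell
#!/bin/bash
set -euo pipefail
# Resolve global/, base/ and generated/ relative to this script, not the caller's cwd.
cd "$(dirname "$0")"
mkdir -p generated
rm -f generated/*
# LoadRestrictionsNone: the overlays reference ../../config inside this repo, which the default restrictor rejects.
kustomize build --load-restrictor LoadRestrictionsNone global > ./generated/core-global.yaml
kustomize build --load-restrictor LoadRestrictionsNone base > ./generated/core-base.yaml
```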
@@ -1,26 +0,0 @@
-# This configuration is for teaching kustomize how to update name ref and var substitution
-nameReference:
-- kind: Service
- version: v1
- fieldSpecs:
- - kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/name
- - kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/name
-
-namespace:
-- kind: MutatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/namespace
- create: true
-- kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io
- path: webhooks/clientConfig/service/namespace
- create: true
-
-varReference:
-- path: metadata/annotations
-
-
diff --git a/spectro/webhook/manager_webhook_patch.yaml b/spectro/webhook/manager_webhook_patch.yaml
deleted file mode 100644
index 3aa3b84b..00000000
--- a/spectro/webhook/manager_webhook_patch.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: controller-manager
- namespace: system
- labels:
- control-plane: capc-webhook-manager
-spec:
- selector:
- matchLabels:
- control-plane: capc-webhook-manager
- template:
- metadata:
- labels:
- control-plane: capc-webhook-manager
- spec:
- containers:
- - name: manager
- args:
- - "--webhook-port=9443"
- ports:
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: capc-webhook-service-cert
\ No newline at end of file
diff --git a/spectro/webhook/namespace.yaml b/spectro/webhook/namespace.yaml
deleted file mode 100644
index e85da1f0..00000000
--- a/spectro/webhook/namespace.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- control-plane: capc-controller-manager
- name: system
\ No newline at end of file