radondb
diff --git a/‎PROJECT
Lines changed: 3 additions & 0 deletions b/‎PROJECT
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/v1alpha1/mysqlcluster_webhook.go
Lines changed: 82 additions & 0 deletions b/‎api/v1alpha1/mysqlcluster_webhook.go
Lines changed: 82 additions & 0 deletions
diff --git a/‎api/v1alpha1/webhook_suite_test.go
Lines changed: 128 additions & 0 deletions b/‎api/v1alpha1/webhook_suite_test.go
Lines changed: 128 additions & 0 deletions
diff --git a/‎api/v1alpha1/zz_generated.deepcopy.go
Lines changed: 1 addition & 1 deletion b/‎api/v1alpha1/zz_generated.deepcopy.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎charts/mysql-operator/templates/_helpers.tpl
Lines changed: 16 additions & 0 deletions b/‎charts/mysql-operator/templates/_helpers.tpl
Lines changed: 16 additions & 0 deletions
diff --git a/‎charts/mysql-operator/templates/cert.tpl
Lines changed: 38 additions & 0 deletions b/‎charts/mysql-operator/templates/cert.tpl
Lines changed: 38 additions & 0 deletions
diff --git a/‎charts/mysql-operator/templates/cert_manager.yaml
Lines changed: 23 additions & 0 deletions b/‎charts/mysql-operator/templates/cert_manager.yaml
Lines changed: 23 additions & 0 deletions
diff --git a/‎charts/mysql-operator/templates/deployment.yaml
Lines changed: 15 additions & 0 deletions b/‎charts/mysql-operator/templates/deployment.yaml
Lines changed: 15 additions & 0 deletions
@@ -13,6 +13,9 @@ resources:
   kind: MysqlCluster
   path: github.com/radondb/radondb-mysql-kubernetes/api/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 - controller: true
   domain: radondb.com
   group: mysql
 
@@ -0,0 +1,82 @@
+/*
+Copyright 2021 RadonDB.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"fmt"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// log is for logging in this package.
+var mysqlclusterlog = logf.Log.WithName("mysqlcluster-resource")
+
+func (r *MysqlCluster) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+// TODO(user): EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+
+// TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.
+//+kubebuilder:webhook:path=/convert,mutating=false,failurePolicy=fail,sideEffects=None,groups=mysql.radondb.com,resources=mysqlclusters,verbs=create;update,versions=v1alpha1,name=vmysqlcluster.kb.io,admissionReviewVersions=v1
+
+var _ webhook.Validator = &MysqlCluster{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type
+func (r *MysqlCluster) ValidateCreate() error {
+	mysqlclusterlog.Info("validate create", "name", r.Name)
+
+	// TODO(user): fill in your validation logic upon object creation.
+	return nil
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
+func (r *MysqlCluster) ValidateUpdate(old runtime.Object) error {
+	mysqlclusterlog.Info("validate update", "name", r.Name)
+
+	oldCluster, ok := old.(*MysqlCluster)
+	if !ok {
+		return apierrors.NewBadRequest(fmt.Sprintf("expected an MysqlCluster but got a %T", old))
+	}
+	if err := r.validateVolumeSize(*oldCluster); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type
+func (r *MysqlCluster) ValidateDelete() error {
+	mysqlclusterlog.Info("validate delete", "name", r.Name)
+
+	// TODO(user): fill in your validation logic upon object deletion.
+	return nil
+}
+
+func (r *MysqlCluster) validateVolumeSize(old MysqlCluster) error {
+	if r.Spec.Persistence.Size < old.Spec.Persistence.Size {
+		return apierrors.NewForbidden(schema.GroupResource{}, "", fmt.Errorf("volesize can not be decreased"))
+	}
+	return nil
+}
@@ -0,0 +1,128 @@
+/*
+Copyright 2021 RadonDB.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"path/filepath"
+	"testing"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	admissionv1beta1 "k8s.io/api/admission/v1beta1"
+	//+kubebuilder:scaffold:imports
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+var k8sClient client.Client
+var testEnv *envtest.Environment
+var ctx context.Context
+var cancel context.CancelFunc
+
+func TestAPIs(t *testing.T) {
+	RegisterFailHandler(Fail)
+
+	RunSpecs(t, "Webhook Suite")
+}
+
+var _ = BeforeSuite(func() {
+	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
+
+	ctx, cancel = context.WithCancel(context.TODO())
+
+	By("bootstrapping test environment")
+	testEnv = &envtest.Environment{
+		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "config", "crd", "bases")},
+		ErrorIfCRDPathMissing: false,
+		WebhookInstallOptions: envtest.WebhookInstallOptions{
+			Paths: []string{filepath.Join("..", "..", "config", "webhook")},
+		},
+	}
+
+	cfg, err := testEnv.Start()
+	Expect(err).NotTo(HaveOccurred())
+	Expect(cfg).NotTo(BeNil())
+
+	scheme := runtime.NewScheme()
+	err = AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	err = admissionv1beta1.AddToScheme(scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	//+kubebuilder:scaffold:scheme
+
+	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme})
+	Expect(err).NotTo(HaveOccurred())
+	Expect(k8sClient).NotTo(BeNil())
+
+	// start webhook server using Manager
+	webhookInstallOptions := &testEnv.WebhookInstallOptions
+	mgr, err := ctrl.NewManager(cfg, ctrl.Options{
+		Scheme:             scheme,
+		Host:               webhookInstallOptions.LocalServingHost,
+		Port:               webhookInstallOptions.LocalServingPort,
+		CertDir:            webhookInstallOptions.LocalServingCertDir,
+		LeaderElection:     false,
+		MetricsBindAddress: "0",
+	})
+	Expect(err).NotTo(HaveOccurred())
+
+	err = (&MysqlCluster{}).SetupWebhookWithManager(mgr)
+	Expect(err).NotTo(HaveOccurred())
+
+	//+kubebuilder:scaffold:webhook
+
+	go func() {
+		defer GinkgoRecover()
+		err = mgr.Start(ctx)
+		Expect(err).NotTo(HaveOccurred())
+	}()
+
+	// wait for the webhook server to get ready
+	dialer := &net.Dialer{Timeout: time.Second}
+	addrPort := fmt.Sprintf("%s:%d", webhookInstallOptions.LocalServingHost, webhookInstallOptions.LocalServingPort)
+	Eventually(func() error {
+		conn, err := tls.DialWithDialer(dialer, "tcp", addrPort, &tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return err
+		}
+		conn.Close()
+		return nil
+	}).Should(Succeed())
+
+})
+
+var _ = AfterSuite(func() {
+	cancel()
+	By("tearing down the test environment")
+	err := testEnv.Stop()
+	Expect(err).NotTo(HaveOccurred())
+})
@@ -23,6 +23,22 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "validating-webhook-configuration.name" -}}
+    {{ default "radondb-mysql-validation" }}
+{{- end }}
+
+{{- define "certificate.name" -}}
+    {{ default "radondb-mysql-certificate" }}
+{{- end }}
+
+{{- define "issuer.name" -}}
+    {{ default "radondb-mysql-issuer" }}
+{{- end }}
+
+{{- define "webhook.name" -}}
+    {{ default "radondb-mysql-webhook" }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 
@@ -0,0 +1,38 @@
+{{- define "webhook.caBundleCertPEM" -}}
+  {{- if .Values.webhook.caBundlePEM -}}
+    {{- trim .Values.webhook.caBundlePEM -}}
+  {{- else -}}
+    {{- /* Generate ca with CN "radondb-ca" and 5 years validity duration if not exists in the current scope.*/ -}}
+    {{- $caKeypair := .selfSignedCAKeypair | default (genCA "radondb-ca" 1825) -}}
+    {{- $_ := set . "selfSignedCAKeypair" $caKeypair -}}
+    {{- $caKeypair.Cert -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "webhook.certPEM" -}}
+  {{- if .Values.webhook.crtPEM -}}
+    {{- trim .Values.webhook.crtPEM -}}
+  {{- else -}}
+    {{- $webhookDomain := printf "%s.%s.svc" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookDomainLocal := printf "%s.%s.svc.cluster.local" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookCA := required "self-signed CA keypair is requried" .selfSignedCAKeypair -}}
+    {{- /* genSignedCert <CN> <IP> <DNS> <Validity duration> <CA> */ -}}
+    {{- $webhookServerTLSKeypair := .webhookTLSKeypair | default (genSignedCert "radondb-mysql" nil (list $webhookDomain $webhookDomainLocal) 1825 $webhookCA) -}}
+    {{- $_ := set . "webhookTLSKeypair" $webhookServerTLSKeypair -}}
+    {{- $webhookServerTLSKeypair.Cert -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "webhook.keyPEM" -}}
+  {{- if .Values.webhook.keyPEM -}}
+    {{ trim .Values.webhook.keyPEM }}
+  {{- else -}}
+    {{- $webhookDomain := printf "%s.%s.svc" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookDomainLocal := printf "%s.%s.svc.cluster.local" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookCA := required "self-signed CA keypair is requried" .selfSignedCAKeypair -}}
+    {{- /* genSignedCert <CN> <IP> <DNS> <Validity duration> <CA> */ -}}
+    {{- $webhookServerTLSKeypair := .webhookTLSKeypair | default (genSignedCert "radondb-mysql" nil (list $webhookDomain $webhookDomainLocal) 1825 $webhookCA) -}}
+    {{- $_ := set . "webhookTLSKeypair" $webhookServerTLSKeypair -}}
+    {{- $webhookServerTLSKeypair.Key -}}
+  {{- end -}}
+{{- end -}}
@@ -0,0 +1,23 @@
+{{- if .Values.webhook.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "issuer.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "certificate.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - {{ printf "%s.%s.svc" (include "webhook.name" .) .Release.Namespace }}
+  - {{ printf "%s.%s.svc.cluster.local" (include "webhook.name" .) .Release.Namespace }}
+  issuerRef:
+    kind: Issuer
+    name: {{ template "issuer.name" . }}
+  secretName: "{{ template "webhook.name" . }}-certs"
+{{- end }}
@@ -21,6 +21,11 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: "{{ template "webhook.name" . }}-certs"
       containers:
       {{- if .Values.rbacProxy.create }}
       - name: kube-rbac-proxy
@@ -39,6 +44,14 @@ spec:
           name: https
       {{- end }}
       - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - name: cert
+          mountPath: /tmp/k8s-webhook-server/serving-certs/
+          readOnly: true
         command:
         - /manager
         args:
@@ -54,6 +67,8 @@ spec:
         env:
         - name: IMAGE_PREFIX
           value: {{ .Values.imagePrefix }}
+        - name: ENABLED_WEBHOOKS
+          value: {{ .Values.manager.enabledWebhooks | quote }}
         securityContext:
           allowPrivilegeEscalation: false
         livenessProbe: