chart: Support webhook. #486

1. Use helm generated cert. (Default)
2. Use cert-manager. (Set certManager.enabled to true and make sure that cert-manager has been installed.)
3. Use Specified cert. (Fill in caBundlePEM, crtPEM, keyPEM.)

Author: runkecheng

charts/mysql-operator/templates/_helpers.tpl

@@ -23,6 +23,22 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{- define "validating-webhook-configuration.name" -}}
+    {{ default "radondb-mysql-validation" }}
+{{- end }}
+
+{{- define "certificate.name" -}}
+    {{ default "radondb-mysql-certificate" }}
+{{- end }}
+
+{{- define "issuer.name" -}}
+    {{ default "radondb-mysql-issuer" }}
+{{- end }}
+
+{{- define "webhook.name" -}}
+    {{ default "radondb-mysql-webhook" }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

charts/mysql-operator/templates/cert.tpl

@@ -0,0 +1,38 @@
+{{- define "webhook.caBundleCertPEM" -}}
+  {{- if .Values.webhook.caBundlePEM -}}
+    {{- trim .Values.webhook.caBundlePEM -}}
+  {{- else -}}
+    {{- /* Generate ca with CN "radondb-ca" and 5 years validity duration if not exists in the current scope.*/ -}}
+    {{- $caKeypair := .selfSignedCAKeypair | default (genCA "radondb-ca" 1825) -}}
+    {{- $_ := set . "selfSignedCAKeypair" $caKeypair -}}
+    {{- $caKeypair.Cert -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "webhook.certPEM" -}}
+  {{- if .Values.webhook.crtPEM -}}
+    {{- trim .Values.webhook.crtPEM -}}
+  {{- else -}}
+    {{- $webhookDomain := printf "%s.%s.svc" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookDomainLocal := printf "%s.%s.svc.cluster.local" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookCA := required "self-signed CA keypair is requried" .selfSignedCAKeypair -}}
+    {{- /* genSignedCert <CN> <IP> <DNS> <Validity duration> <CA> */ -}}
+    {{- $webhookServerTLSKeypair := .webhookTLSKeypair | default (genSignedCert "radondb-mysql" nil (list $webhookDomain $webhookDomainLocal) 1825 $webhookCA) -}}
+    {{- $_ := set . "webhookTLSKeypair" $webhookServerTLSKeypair -}}
+    {{- $webhookServerTLSKeypair.Cert -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "webhook.keyPEM" -}}
+  {{- if .Values.webhook.keyPEM -}}
+    {{ trim .Values.webhook.keyPEM }}
+  {{- else -}}
+    {{- $webhookDomain := printf "%s.%s.svc" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookDomainLocal := printf "%s.%s.svc.cluster.local" (include "webhook.name" .) .Release.Namespace -}}
+    {{- $webhookCA := required "self-signed CA keypair is requried" .selfSignedCAKeypair -}}
+    {{- /* genSignedCert <CN> <IP> <DNS> <Validity duration> <CA> */ -}}
+    {{- $webhookServerTLSKeypair := .webhookTLSKeypair | default (genSignedCert "radondb-mysql" nil (list $webhookDomain $webhookDomainLocal) 1825 $webhookCA) -}}
+    {{- $_ := set . "webhookTLSKeypair" $webhookServerTLSKeypair -}}
+    {{- $webhookServerTLSKeypair.Key -}}
+  {{- end -}}
+{{- end -}}

charts/mysql-operator/templates/cert_manager.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.webhook.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "issuer.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "certificate.name" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - {{ printf "%s.%s.svc" (include "webhook.name" .) .Release.Namespace }}
+  - {{ printf "%s.%s.svc.cluster.local" (include "webhook.name" .) .Release.Namespace }}
+  issuerRef:
+    kind: Issuer
+    name: {{ template "issuer.name" . }}
+  secretName: "{{ template "webhook.name" . }}-certs"
+{{- end }}

charts/mysql-operator/templates/deployment.yaml

@@ -21,6 +21,11 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: "{{ template "webhook.name" . }}-certs"
       containers:
       {{- if .Values.rbacProxy.create }}
       - name: kube-rbac-proxy
@@ -39,6 +44,14 @@ spec:
           name: https
       {{- end }}
       - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - name: cert
+          mountPath: /tmp/k8s-webhook-server/serving-certs/
+          readOnly: true
         command:
         - /manager
         args:
@@ -54,6 +67,8 @@ spec:
         env:
         - name: IMAGE_PREFIX
           value: {{ .Values.imagePrefix }}
+        - name: ENABLED_WEBHOOKS
+          value: {{ .Values.manager.enabledWebhooks | quote }}
         securityContext:
           allowPrivilegeEscalation: false
         livenessProbe:

charts/mysql-operator/templates/webhook_configuration.yaml

@@ -0,0 +1,73 @@
+{{- $certManagerEnabled := .Values.webhook.certManager.enabled -}}
+{{- $caCertPEM := include "webhook.caBundleCertPEM" . -}}
+{{- $tlsCertPEM := include "webhook.certPEM" . -}}
+{{- $tlsKeyPEM := include "webhook.keyPEM" . -}}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: {{ template "validating-webhook-configuration.name" . }}
+  {{- if $certManagerEnabled }}
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ template "certificate.name" . }}"
+  {{- end }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    {{- if $certManagerEnabled }}
+    caBundle: Cg==
+    {{- else }}
+    caBundle: {{ ternary (b64enc $caCertPEM) (b64enc (trim $tlsCertPEM)) (empty $tlsKeyPEM) }}
+    {{- end }}
+    service:
+      name: {{ template "webhook.name" .}}
+      namespace: {{ .Release.Namespace }}
+      ## path is generated by controller-runtime.
+      ## https://github.com/kubernetes-sigs/controller-runtime/blob/master/pkg/builder/webhook.go#L206
+      path: /validate-mysql-radondb-com-v1alpha1-mysqlcluster
+  failurePolicy: Fail
+  name: vmysqlcluster.kb.io
+  rules:
+  - apiGroups:
+    - mysql.radondb.com
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - mysqlclusters
+  sideEffects: None
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "webhook.name" .}}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 9443
+  selector:
+    app: {{ template "mysql-operator.name" . }}
+
+---
+{{- if not $certManagerEnabled }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ template "webhook.name" . }}-certs
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "mysql-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: webhook-secret
+type: Opaque
+data:
+  ca.crt: {{ b64enc $caCertPEM }}
+  tls.crt: {{ b64enc $tlsCertPEM }}
+  tls.key: {{ b64enc $tlsKeyPEM }}
+{{- end }}

charts/mysql-operator/values.yaml

@@ -22,6 +22,7 @@ tolerationSeconds: 30
 manager:
   image: radondb/mysql-operator
   tag: v2.2.0
+  enabledWebhooks: true
   resources: {}
     # We usually recommend not to specify default resources and to leave this as a conscious
     # choice for the user. This also increases chances charts run on environments with little
@@ -86,3 +87,14 @@ nfsBackup:
     localPVCapacity: 50G
     hostName: ""
     hostPath: "/mnt/radondb-nfs-backup"
+
+webhook:
+  certManager:
+    # If true, make sure that cert-manager has been installed.
+    enabled: false
+  # If empty and disable certManager, Helm will auto-generate these fields.
+  caBundlePEM: |
+
+  crtPEM: |
+
+  keyPEM: |