SPL-299716: M1/app framework v1 app validation internal

Dockerfile

@@ -19,6 +19,7 @@ RUN go mod download
 COPY cmd/main.go cmd/main.go
 COPY api/ api/
 COPY internal/controller/ internal/controller/
+COPY internal/webhook/ internal/webhook/
 COPY pkg/ pkg/
 COPY tools/ tools/
 COPY hack hack/
@@ -92,4 +93,4 @@ COPY tools/k8_probes/startupProbe.sh /tools/k8_probes/
 USER 1001
 
 # Start the manager
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/manager"]

Makefile

@@ -121,7 +121,7 @@ help: ## Display this help.
 ##@ Development
 
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:webhook:artifacts:config=config/app-webhook
 	rm config/crd/bases/_.yaml
 
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

api/apps/v1alpha1/app_types.go

@@ -49,6 +49,10 @@ type AppSourceRef struct {
 	Name string `json:"name"`
 }
 
+// +kubebuilder:validation:XValidation:rule="self.appID == oldSelf.appID",message="spec.appID is immutable"
+// +kubebuilder:validation:XValidation:rule="self.targetRef == oldSelf.targetRef",message="spec.targetRef is immutable"
+// +kubebuilder:validation:XValidation:rule="self.sourceRef == oldSelf.sourceRef",message="spec.sourceRef is immutable"
+// +kubebuilder:validation:XValidation:rule="self.scope == oldSelf.scope",message="spec.scope is immutable"
 // AppSpec defines the desired state of App.
 type AppSpec struct {
 	// +kubebuilder:validation:Required

cmd/main.go

@@ -50,11 +50,13 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	appsv1alpha1 "github.com/splunk/splunk-operator/api/apps/v1alpha1"
 	enterpriseApiV3 "github.com/splunk/splunk-operator/api/enterprise/v3"
 	enterpriseApi "github.com/splunk/splunk-operator/api/enterprise/v4"
 	appscontroller "github.com/splunk/splunk-operator/internal/controller/apps"
+	webhookappsv1alpha1 "github.com/splunk/splunk-operator/internal/webhook/apps/v1alpha1"
 	//+kubebuilder:scaffold:imports
 	//extapi "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
@@ -64,6 +66,8 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 )
 
+const appWebhookPort = 9444
+
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(enterpriseApi.AddToScheme(scheme))
@@ -189,6 +193,7 @@ func main() {
 		LeaderElectionID:       "270bec8c.splunk.com",
 		LeaseDuration:          &leaseDuration,
 		RenewDeadline:          &renewDeadline,
+		WebhookServer:          ctrlwebhook.NewServer(ctrlwebhook.Options{Port: appWebhookPort}),
 	}
 
 	// Apply namespace-specific configuration
@@ -333,6 +338,10 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "App")
 		os.Exit(1)
 	}
+	if err := webhookappsv1alpha1.SetupWebhookWithManager(mgr); err != nil {
+		setupLog.Error(err, "unable to create webhook", "webhook", "App")
+		os.Exit(1)
+	}
 	//+kubebuilder:scaffold:builder
 
 	// Register certificate watchers with the manager

config/app-webhook/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- manifests.yaml
+- service.yaml
+
+configurations:
+- kustomizeconfig.yaml

config/app-webhook/kustomizeconfig.yaml

@@ -0,0 +1,16 @@
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: ValidatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: ValidatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+
+varReference:
+- path: metadata/annotations

config/app-webhook/manifests.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-apps-splunk-com-v1alpha1-app
+  failurePolicy: Fail
+  name: vapp-v1alpha1.kb.io
+  rules:
+  - apiGroups:
+    - apps.splunk.com
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - apps
+  sideEffects: None

config/app-webhook/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-service
+  namespace: system
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9444
+  selector:
+    control-plane: controller-manager

config/crd/bases/apps.splunk.com_apps.yaml

@@ -113,6 +113,15 @@ spec:
             - targetRef
             - version
             type: object
+            x-kubernetes-validations:
+            - message: spec.appID is immutable
+              rule: self.appID == oldSelf.appID
+            - message: spec.targetRef is immutable
+              rule: self.targetRef == oldSelf.targetRef
+            - message: spec.sourceRef is immutable
+              rule: self.sourceRef == oldSelf.sourceRef
+            - message: spec.scope is immutable
+              rule: self.scope == oldSelf.scope
           status:
             description: AppStatus defines the observed state of App.
             properties:

config/default-with-webhook/kustomization-cluster.yaml

@@ -1,6 +1,7 @@
 # Adds namespace to all resources.
-# Cluster-scoped deployment WITH webhook enabled (opt-in)
-# Requires cert-manager to be installed in the cluster
+# Cluster-scoped deployment with enterprise validation webhooks enabled (opt-in).
+# The standalone App webhook is enabled by default via config/default.
+# Requires cert-manager to be installed in the cluster.
 namespace: splunk-operator 
 
 # Value of this field is prepended to the
@@ -20,7 +21,7 @@ bases:
 - ../persistent-volume
 - ../service
 - ../manager
-# [WEBHOOK] Enabled for opt-in webhook deployment
+# [WEBHOOK] Enabled for enterprise validation webhooks
 - ../webhook
 # [CERTMANAGER] Required for webhook TLS
 - ../certmanager
@@ -34,7 +35,7 @@ patchesStrategicMerge:
 # through a ComponentConfig type
 #- manager_config_patch.yaml
 
-# [WEBHOOK] Enabled for webhook deployment
+# [WEBHOOK] Enabled for enterprise validation webhooks
 - manager_webhook_patch.yaml
 
 # [CERTMANAGER] Enabled for CA injection in the admission webhooks

config/default-with-webhook/kustomization-namespace.yaml

@@ -1,6 +1,7 @@
 # Adds namespace to all resources.
-# Namespace-scoped deployment WITH webhook enabled (opt-in)
-# Requires cert-manager to be installed in the cluster
+# Namespace-scoped deployment with enterprise validation webhooks enabled (opt-in).
+# The standalone App webhook is enabled by default via config/default.
+# Requires cert-manager to be installed in the cluster.
 namespace: splunk-operator 
 
 # Value of this field is prepended to the
@@ -20,7 +21,7 @@ bases:
 - ../persistent-volume
 - ../service
 - ../manager
-# [WEBHOOK] Enabled for opt-in webhook deployment
+# [WEBHOOK] Enabled for enterprise validation webhooks
 - ../webhook
 # [CERTMANAGER] Required for webhook TLS
 - ../certmanager
@@ -34,7 +35,7 @@ patchesStrategicMerge:
 # through a ComponentConfig type
 #- manager_config_patch.yaml
 
-# [WEBHOOK] Enabled for webhook deployment
+# [WEBHOOK] Enabled for enterprise validation webhooks
 - manager_webhook_patch.yaml
 
 # [CERTMANAGER] Enabled for CA injection in the admission webhooks

config/default-with-webhook/kustomization.yaml

@@ -1,6 +1,7 @@
 # Adds namespace to all resources.
-# Cluster-scoped deployment WITH webhook enabled (opt-in)
-# Requires cert-manager to be installed in the cluster
+# Cluster-scoped deployment with enterprise validation webhooks enabled (opt-in).
+# The standalone App webhook is enabled by default via config/default.
+# Requires cert-manager to be installed in the cluster.
 namespace: splunk-operator 
 
 # Value of this field is prepended to the
@@ -20,7 +21,7 @@ bases:
 - ../persistent-volume
 - ../service
 - ../manager
-# [WEBHOOK] Enabled for opt-in webhook deployment
+# [WEBHOOK] Enabled for enterprise validation webhooks
 - ../webhook
 # [CERTMANAGER] Required for webhook TLS
 - ../certmanager
@@ -34,7 +35,7 @@ patchesStrategicMerge:
 # through a ComponentConfig type
 #- manager_config_patch.yaml
 
-# [WEBHOOK] Enabled for webhook deployment
+# [WEBHOOK] Enabled for enterprise validation webhooks
 - manager_webhook_patch.yaml
 
 # [CERTMANAGER] Enabled for CA injection in the admission webhooks

config/default/kustomization-cluster.yaml

@@ -21,8 +21,9 @@ bases:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 #- ../webhook
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../app-webhook
+# [CERTMANAGER] Required for apps webhook
+- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 #- ../prometheus
 # [METRICS] Expose the controller manager metrics service.
@@ -37,40 +38,37 @@ patchesStrategicMerge:
 # crd/kustomization.yaml
 #- manager_webhook_patch.yaml
 
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
-# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
-# 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
+# [CERTMANAGER] Enabled for CA injection in the admission webhooks
+- webhookcainjection_patch.yaml
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
-# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: cert-manager.io
-#    version: v1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
+- name: CERTIFICATE_NAMESPACE
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: cert-manager.io
+    version: v1
+    name: serving-cert
+- name: SERVICE_NAMESPACE
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
 
 #patches:
 #- target:
@@ -111,6 +109,10 @@ vars:
 
 # currently patch is set to change deployment environment variables
 patches:
+- path: manager_webhook_patch.yaml
+  target:
+    kind: Deployment
+    name: controller-manager
 - target:
     kind: Deployment
     name: controller-manager
@@ -134,4 +136,4 @@ patches:
 # More info: https://book.kubebuilder.io/reference/metrics
 - path: manager_metrics_patch.yaml
   target:
-    kind: Deployment
+    kind: Deployment