Merge pull request #19 from cybozu-go/add-vap

Add ValidatingAdmissionPolicy for imageprefetch and nodeimageset

Author: zeroalphat

.gitignore

@@ -1,5 +1,6 @@
 # Test binary, build with `go test -c`
 *.test
+!vap.test
 
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out

Makefile

@@ -22,7 +22,7 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=imageprefetch-controller-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=imageprefetch-controller-role crd paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -58,8 +58,9 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 .PHONY: test
-test: manifests generate fmt vet envtest ginkgo ## Run tests.
+test: manifests generate fmt vet envtest ginkgo kaptest ## Run tests.
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" $(GINKGO) run --skip-file e2e.* -r --coverprofile cover.out -v
+	$(KAPTEST) run config/vap/vap.test/kaptest.yaml
 
 # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
 .PHONY: test-e2e  # Run the e2e tests against a Kind k8s instance that is spun up.
@@ -136,6 +137,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 GINKGO = $(LOCALBIN)/ginkgo
 APPLYCONFIGURATION_GEN = $(LOCALBIN)/applyconfiguration-gen
 MODELS_SCHEMA = $(LOCALBIN)/models-schema
+KAPTEST ?= $(LOCALBIN)/kaptest
 
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.6.0
@@ -145,6 +147,7 @@ GOLANGCI_LINT_VERSION ?= v2.1.6
 GINKGO_VERSION ?= v2.23.4
 CODE_GENERATOR_VERSION ?= v0.31.1
 MODELS_SCHEMA_VERSION ?= v1.31.1
+KAPTEST_VERSION ?= v0.1.2
 
 .PHONY: kustomize
 kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary.
@@ -186,6 +189,13 @@ applyconfiguration-gen: $(APPLYCONFIGURATION_GEN) ## Download applyconfiguration
 $(APPLYCONFIGURATION_GEN): $(LOCALBIN)
 	$(call go-install-tool,$(APPLYCONFIGURATION_GEN),k8s.io/code-generator/cmd/applyconfiguration-gen,$(CODE_GENERATOR_VERSION))
 
+.PHONY: kaptest
+kaptest: $(KAPTEST) ## Download kaptest locally if necessary.
+$(KAPTEST): $(LOCALBIN)
+	curl -sLO "https://github.com/pfnet/kaptest/releases/download/${KAPTEST_VERSION}/kaptest_Linux_x86_64.tar.gz" && \
+	tar -xzf kaptest_Linux_x86_64.tar.gz -C $(LOCALBIN) kaptest && \
+	rm -f kaptest_Linux_x86_64.tar.gz
+
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary
 # $2 - package url which can be installed

PROJECT

@@ -13,10 +13,6 @@ resources:
   kind: ImagePrefetch
   path: github.com/cybozu-go/ofen/api/v1
   version: v1
-  webhooks:
-    defaulting: true
-    validation: true
-    webhookVersion: v1
 - api:
     crdVersion: v1
   controller: true

cmd/imageprefetch-controller/main.go

@@ -19,7 +19,6 @@ import (
 
 	ofenv1 "github.com/cybozu-go/ofen/api/v1"
 	"github.com/cybozu-go/ofen/internal/controller"
-	webhookofenv1 "github.com/cybozu-go/ofen/internal/webhook/v1"
 	// +kubebuilder:scaffold:imports
 )
 
@@ -141,13 +140,6 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "ImagePrefetch")
 		os.Exit(1)
 	}
-
-	if os.Getenv("ENABLE_WEBHOOKS") != "false" {
-		if err = webhookofenv1.SetupImagePrefetchWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, "unable to create webhook", "webhook", "ImagePrefetch")
-			os.Exit(1)
-		}
-	}
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

config/certmanager/certificate.yaml

@@ -9,17 +9,16 @@ resources:
 patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
-- path: patches/webhook_in_imageprefetches.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
-- path: patches/cainjection_in_imageprefetches.yaml
+#- path: patches/cainjection_in_imageprefetches.yaml
 #- path: patches/cainjection_in_nodeimagesets.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # [WEBHOOK] To enable webhook, uncomment the following section
 # the following config is for teaching kustomize how to do kustomization for CRDs.
 
-configurations:
-- kustomizeconfig.yaml
+#configurations:
+#- kustomizeconfig.yaml