Add webhook to chart

Makefile

@@ -45,8 +45,6 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
-YQ=yq
-
 all: manager
 
 # Run tests
@@ -104,50 +102,21 @@ image-push:
 
 # find or download controller-gen
 # download controller-gen if necessary
+CONTROLLER_GEN=$(shell pwd)/bin/controller-gen
 controller-gen:
-ifeq (, $(shell which controller-gen))
-	@{ \
-	set -e ;\
-	if [ "$(GO_MINOR_VERSION)" -ge "17" ]; then \
-		go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.2 ;\
-	else \
-		CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
-		cd $$CONTROLLER_GEN_TMP_DIR ;\
-		go mod init tmp ;\
-		go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.2 ;\
-		rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
-	fi ;\
-	}
-CONTROLLER_GEN=$(GOBIN)/controller-gen
-else
-CONTROLLER_GEN=$(shell which controller-gen)
-endif
+	$(call go-get-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen@v0.6.2)
 
-kustomize:
-ifeq (, $(shell which kustomize))
-	@{ \
-	set -e ;\
-	echo "Installing kustomize..." ;\
-	if [ "$(GO_MINOR_VERSION)" -ge "17" ]; then \
-		echo "Installing kustomize with go install..." ;\
-		go install sigs.k8s.io/kustomize/kustomize/v3@v3.5.4 ;\
-	else \
-		echo "Installing kustomize with go get..." ;\
-		KUSTOMIZE_GEN_TMP_DIR=$$(mktemp -d) ;\
-		cd $$KUSTOMIZE_GEN_TMP_DIR ;\
-		go mod init tmp ;\
-		go get sigs.k8s.io/kustomize/kustomize/v3@v3.5.4 ;\
-		rm -rf $$KUSTOMIZE_GEN_TMP_DIR ;\
-		fi ;\
-	}
-KUSTOMIZE=$(GOBIN)/kustomize
-else
-KUSTOMIZE=$(shell which kustomize)
-endif
+KUSTOMIZE=$(shell pwd)/bin/kustomize
+kustomize: ## Download kustomize locally if necessary.
+	$(call go-get-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v4@v4.5.5)
+
+YQ = $(shell pwd)/bin/yq
+yq: ## Download yq locally if necessary.
+	$(call go-get-tool,$(YQ),github.com/mikefarah/yq/v4@latest)
 
 # Generate bundle manifests and metadata, then validate generated files.
 .PHONY: bundle
-bundle: manifests
+bundle: yq kustomize manifests
 	operator-sdk generate kustomize manifests -q
 	cd config/manager && $(KUSTOMIZE) edit set image controller=$(IMG)
 	$(KUSTOMIZE) build config/manifests | operator-sdk generate bundle -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
@@ -242,4 +211,22 @@ function-mesh-docker-image-name:
 
 # Build the docker image without tests
 docker-build-skip-test:
-	docker build . -t ${IMG}
+	docker build . -t ${IMG}
+
+# go-get-tool will 'go get' any package $2 and install it to $1.
+PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
+define go-get-tool
+	@[ -f $(1) ] || { \
+	set -e ;\
+	echo "Installing $(2)" ;\
+	if [ "$(GO_MINOR_VERSION)" -ge "17" ]; then \
+		GOBIN=$(PROJECT_DIR)/bin go install -v $(2) ;\
+	else \
+		CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
+		cd $$CONTROLLER_GEN_TMP_DIR ;\
+		go mod init tmp ;\
+		GOBIN=$(PROJECT_DIR)/bin go get -v $(2) ;\
+		rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
+	fi ;\
+}
+endef

charts/function-mesh-operator/Chart.yaml

@@ -28,3 +28,7 @@ appVersion: 1.16.0
 home: https://github.com/streamnative/function-mesh
 sources:
   - https://github.com/streamnative/function-mesh
+
+dependencies:
+  - name: admission-webhook
+    condition: admissionWebhook.enabled

charts/function-mesh-operator/charts/admission-webhook/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/function-mesh-operator/charts/admission-webhook/Chart.yaml

@@ -0,0 +1,31 @@
+apiVersion: v2
+name: admission-webhook
+description: function mesh admission webhook Helm chart for Kubernetes
+maintainers:
+  - name: Function Mesh Support
+    email: function-mesh@streamnative.io
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.2.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+home: https://github.com/streamnative/function-mesh
+sources:
+  - https://github.com/streamnative/function-mesh

charts/function-mesh-operator/charts/admission-webhook/templates/NOTES.txt

@@ -0,0 +1,11 @@
+Make sure admission-webhook components are running:
+
+- For checking validating webhook:
+
+    kubectl get mutatingwebhookconfigurations {{ .Release.Name }}-validating-webhook-configuration
+
+- For checking mutating webhook:
+    kubectl get mutatingwebhookconfigurations {{ .Release.Name }}-mutating-webhook-configuration
+
+- For checking certificates:
+    kubectl get secerts --namespace {{ .Release.Namespace }} {{ include "function-mesh-operator.certificate.secret" . }}

charts/function-mesh-operator/charts/admission-webhook/templates/admission-webhook.yaml

@@ -0,0 +1,193 @@
+{{- if .Values.admissionWebhook.enabled }}
+  {{- $caBundle := "" -}}
+  {{- if eq .Values.admissionWebhook.certificate.provider "custom" }}
+    {{- $caSecret := (lookup "v1" "Secret" "default" (include "function-mesh-operator.certificate.caSecret" .)) -}}
+    {{- if $caSecret }}
+      {{- $caCert := (b64dec (get $caSecret.data "tls.crt")) -}}
+      {{- $caBundle = (printf (include "function-mesh-operator.caBundle" .) (b64enc $caCert)) -}}
+    {{- end }}
+  {{- end }}
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  {{- if eq .Values.admissionWebhook.certificate.provider "cert-manager" }}
+  annotations:
+    {{- include "function-mesh-operator.certManager.annotation" . | nindent 4 -}}
+  {{- end }}
+  name: {{ .Release.Name }}-mutating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      {{- if and $caBundle (eq .Values.admissionWebhook.certificate.provider "custom") }}
+        {{ $caBundle | nindent 6 }}
+      {{- end }}
+      service:
+        name: {{ include "function-mesh-operator.webhook.service" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /mutate-compute-functionmesh-io-v1alpha1-function
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy }}
+    name: mfunction.kb.io
+    rules:
+      - apiGroups:
+          - compute.functionmesh.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - functions
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      {{- if and $caBundle (eq .Values.admissionWebhook.certificate.provider "custom") }}
+        {{ $caBundle | nindent 6 }}
+      {{- end }}
+      service:
+        name: {{ include "function-mesh-operator.webhook.service" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /mutate-compute-functionmesh-io-v1alpha1-sink
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy }}
+    name: msink.kb.io
+    rules:
+      - apiGroups:
+          - compute.functionmesh.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - sinks
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      {{- if and $caBundle (eq .Values.admissionWebhook.certificate.provider "custom") }}
+        {{ $caBundle | nindent 6 }}
+      {{- end }}
+      service:
+        name: {{ include "function-mesh-operator.webhook.service" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /mutate-compute-functionmesh-io-v1alpha1-source
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy }}
+    name: msource.kb.io
+    rules:
+      - apiGroups:
+          - compute.functionmesh.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - sources
+    sideEffects: None
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  {{- if eq .Values.admissionWebhook.certificate.provider "cert-manager" }}
+  annotations:
+    {{- include "function-mesh-operator.certManager.annotation" . | nindent 4 -}}
+  {{- end }}
+  name: {{ .Release.Name }}-validating-webhook-configuration
+webhooks:
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      {{- if and $caBundle (eq .Values.admissionWebhook.certificate.provider "custom") }}
+        {{ $caBundle | nindent 6 }}
+      {{- end }}
+      service:
+        name: {{ include "function-mesh-operator.webhook.service" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /validate-compute-functionmesh-io-v1alpha1-function
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy }}
+    name: vfunction.kb.io
+    rules:
+      - apiGroups:
+          - compute.functionmesh.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - functions
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      {{- if and $caBundle (eq .Values.admissionWebhook.certificate.provider "custom") }}
+        {{ $caBundle | nindent 6 }}
+      {{- end }}
+      service:
+        name: {{ include "function-mesh-operator.webhook.service" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /validate-compute-functionmesh-io-v1alpha1-sink
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy }}
+    name: vsink.kb.io
+    rules:
+      - apiGroups:
+          - compute.functionmesh.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - sinks
+    sideEffects: None
+  - admissionReviewVersions:
+      - v1beta1
+      - v1
+    clientConfig:
+      {{- if and $caBundle (eq .Values.admissionWebhook.certificate.provider "custom") }}
+        {{ $caBundle | nindent 6 }}
+      {{- end }}
+      service:
+        name: {{ include "function-mesh-operator.webhook.service" . }}
+        namespace: {{ .Release.Namespace }}
+        path: /validate-compute-functionmesh-io-v1alpha1-source
+    failurePolicy: {{ .Values.admissionWebhook.failurePolicy }}
+    name: vsource.kb.io
+    rules:
+      - apiGroups:
+          - compute.functionmesh.io
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - sources
+    sideEffects: None
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "function-mesh-operator.webhook.service" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "function-mesh-operator.labels" . | nindent 4 }}
+spec:
+  ports:
+    - name: webhook
+      port: 443
+      protocol: TCP
+      targetPort: 9443
+  selector:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: controller-manager
+{{- end}}

charts/function-mesh-operator/charts/admission-webhook/templates/certificates.yaml

@@ -0,0 +1,27 @@
+{{- if and .Values.admissionWebhook.enabled (eq .Values.admissionWebhook.certificate.provider "cert-manager") }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "function-mesh-operator.certificate.secret" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "function-mesh-operator.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+    - {{ include "function-mesh-operator.certificate.commonName" . }}
+  issuerRef:
+    kind: Issuer
+    name: function-mesh-selfsigned-issuer
+  secretName: {{ include "function-mesh-operator.certificate.secret" . }}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: function-mesh-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "function-mesh-operator.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+{{- end }}