add webhook for TargetGroupBinding (#1450)

Author: M00nF1sh

Makefile

@@ -1,8 +1,8 @@
 
 # Image URL to use all building/pushing image targets
 IMG ?= amazon/aws-alb-ingress-controller:v2.0.0-rc1
-# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true"
+
+CRD_OPTIONS ?= "crd:trivialVersions=false,crdVersions=v1beta1"
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -41,6 +41,7 @@ deploy: manifests
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=controller-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+	yq w -i config/webhook/manifests.v1beta1.yaml -d'*' "metadata.name" "webhook"
 
 # Run go fmt against code
 fmt:
@@ -70,7 +71,7 @@ ifeq (, $(shell which controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
+	go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.0 ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 CONTROLLER_GEN=$(GOBIN)/controller-gen

apis/elbv2/v1alpha1/targetgroupbinding_types.go

@@ -129,6 +129,10 @@ type TargetGroupBindingStatus struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=all
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="TARGET-TYPE",type="string",JSONPath=".spec.targetType",description="The AWS TargetGroup's TargetType"
+// +kubebuilder:printcolumn:name="ARN",type="string",JSONPath=".spec.targetGroupARN",description="The AWS TargetGroup's Amazon Resource Name"
 
 // TargetGroupBinding is the Schema for the TargetGroupBinding API
 type TargetGroupBinding struct {

config/controller/iam_for_sa_patch.yaml

@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller
+spec:
+  template:
+    spec:
+      securityContext:
+        fsGroup: 1337

config/controller/kustomization.yaml

@@ -1,8 +1,11 @@
 resources:
-  - controller.yaml
+- controller.yaml
+patchesStrategicMerge:
+- iam_for_sa_patch.yaml
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:
 - name: controller
   newName: amazon/aws-alb-ingress-controller
-  newTag: v2.0.0-rc1
+  newTag: v2.0.0-rc1

config/crd/bases/elbv2.k8s.aws_targetgroupbindings.yaml

@@ -4,17 +4,30 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.5
+    controller-gen.kubebuilder.io/version: v0.4.0
   creationTimestamp: null
   name: targetgroupbindings.elbv2.k8s.aws
 spec:
+  additionalPrinterColumns:
+  - JSONPath: .spec.targetType
+    description: The AWS TargetGroup's TargetType
+    name: TARGET-TYPE
+    type: string
+  - JSONPath: .spec.targetGroupARN
+    description: The AWS TargetGroup's Amazon Resource Name
+    name: ARN
+    type: string
   group: elbv2.k8s.aws
   names:
+    categories:
+    - all
     kind: TargetGroupBinding
     listKind: TargetGroupBindingList
     plural: targetgroupbindings
     singular: targetgroupbinding
   scope: Namespaced
+  subresources:
+    status: {}
   validation:
     openAPIV3Schema:
       description: TargetGroupBinding is the Schema for the TargetGroupBinding API

config/default/webhookcainjection_patch.yaml

@@ -7,9 +7,9 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
 ---
-#apiVersion: admissionregistration.k8s.io/v1beta1
-#kind: ValidatingWebhookConfiguration
-#metadata:
-#  name: webhook
-#  annotations:
-#    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: webhook
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

config/webhook/kustomization.yaml

@@ -1,5 +1,5 @@
 resources:
-  - manifests.yaml
+  - manifests.v1beta1.yaml
   - service.yaml
 
 configurations:

config/webhook/manifests.v1beta1.yaml

@@ -0,0 +1,69 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: webhook
+webhooks:
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: webhook-service
+        namespace: system
+        path: /mutate-v1-pod
+    failurePolicy: Fail
+    name: mpod.elbv2.k8s.aws
+    rules:
+      - apiGroups:
+          - ""
+        apiVersions:
+          - v1
+        operations:
+          - CREATE
+        resources:
+          - pods
+    sideEffects: None
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: webhook-service
+        namespace: system
+        path: /mutate-elbv2-k8s-aws-v1alpha1-targetgroupbinding
+    failurePolicy: Fail
+    name: mtargetgroupbinding.elbv2.k8s.aws
+    rules:
+      - apiGroups:
+          - elbv2.k8s.aws
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - targetgroupbindings
+    sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: webhook
+webhooks:
+  - clientConfig:
+      caBundle: Cg==
+      service:
+        name: webhook-service
+        namespace: system
+        path: /validate-elbv2-k8s-aws-v1alpha1-targetgroupbinding
+    failurePolicy: Fail
+    name: vtargetgroupbinding.elbv2.k8s.aws
+    rules:
+      - apiGroups:
+          - elbv2.k8s.aws
+        apiVersions:
+          - v1alpha1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - targetgroupbindings
+    sideEffects: None

config/webhook/manifests.yaml

@@ -35,6 +35,7 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/targetgroupbinding"
 	corewebhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/core"
+	elbv2webhook "sigs.k8s.io/aws-load-balancer-controller/webhooks/elbv2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
@@ -140,6 +141,8 @@ func main() {
 
 	podReadinessGateInjector := inject.NewPodReadinessGate(injectConfig, mgr.GetClient(), ctrl.Log.WithName("pod-readiness-gate-injector"))
 	corewebhook.NewPodMutator(podReadinessGateInjector).SetupWithManager(mgr)
+	elbv2webhook.NewTargetGroupBindingMutator(cloud.ELBV2(), ctrl.Log).SetupWithManager(mgr)
+	elbv2webhook.NewTargetGroupBindingValidator(ctrl.Log).SetupWithManager(mgr)
 	// +kubebuilder:scaffold:builder
 
 	setupLog.Info("starting manager")

main.go

@@ -43,7 +43,7 @@ func (m *podMutator) MutateUpdate(ctx context.Context, obj runtime.Object, oldOb
 	return obj, nil
 }
 
-// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=mpod.elbv2.k8s.aws
+// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=fail,groups="",resources=pods,verbs=create,versions=v1,name=mpod.elbv2.k8s.aws,sideEffects=None,webhookVersions=v1beta1
 
 func (m *podMutator) SetupWithManager(mgr ctrl.Manager) {
 	mgr.GetWebhookServer().Register(apiPathMutatePod, webhook.MutatingWebhookForMutator(m))

webhooks/core/pod_mutator.go

@@ -0,0 +1,91 @@
+package elbv2
+
+import (
+	"context"
+	awssdk "github.com/aws/aws-sdk-go/aws"
+	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
+	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1alpha1"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/webhook"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+const apiPathMutateELBv2TargetGroupBinding = "/mutate-elbv2-k8s-aws-v1alpha1-targetgroupbinding"
+
+// NewTargetGroupBindingMutator returns a mutator for TargetGroupBinding CRD.
+func NewTargetGroupBindingMutator(elbv2Client services.ELBV2, logger logr.Logger) *targetGroupBindingMutator {
+	return &targetGroupBindingMutator{
+		elbv2Client: elbv2Client,
+		logger:      logger,
+	}
+}
+
+var _ webhook.Mutator = &targetGroupBindingMutator{}
+
+type targetGroupBindingMutator struct {
+	elbv2Client services.ELBV2
+	logger      logr.Logger
+}
+
+func (m *targetGroupBindingMutator) Prototype(_ admission.Request) (runtime.Object, error) {
+	return &elbv2api.TargetGroupBinding{}, nil
+}
+
+func (m *targetGroupBindingMutator) MutateCreate(ctx context.Context, obj runtime.Object) (runtime.Object, error) {
+	tgb := obj.(*elbv2api.TargetGroupBinding)
+	if err := m.defaultingTargetType(ctx, tgb); err != nil {
+		return nil, err
+	}
+	return tgb, nil
+}
+
+func (m *targetGroupBindingMutator) MutateUpdate(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
+	return obj, nil
+}
+
+func (m *targetGroupBindingMutator) defaultingTargetType(ctx context.Context, tgb *elbv2api.TargetGroupBinding) error {
+	if tgb.Spec.TargetType != nil {
+		return nil
+	}
+	tgARN := tgb.Spec.TargetGroupARN
+	sdkTargetType, err := m.obtainSDKTargetTypeFromAWS(ctx, tgARN)
+	if err != nil {
+		return errors.Wrap(err, "couldn't determine TargetType")
+	}
+	var targetType elbv2api.TargetType
+	switch sdkTargetType {
+	case elbv2sdk.TargetTypeEnumInstance:
+		targetType = elbv2api.TargetTypeInstance
+	case elbv2sdk.TargetTypeEnumIp:
+		targetType = elbv2api.TargetTypeIP
+	default:
+		return errors.Errorf("unsupported TargetType: %v", sdkTargetType)
+	}
+
+	tgb.Spec.TargetType = &targetType
+	return nil
+}
+
+func (m *targetGroupBindingMutator) obtainSDKTargetTypeFromAWS(ctx context.Context, tgARN string) (string, error) {
+	req := &elbv2sdk.DescribeTargetGroupsInput{
+		TargetGroupArns: awssdk.StringSlice([]string{tgARN}),
+	}
+	tgList, err := m.elbv2Client.DescribeTargetGroupsAsList(ctx, req)
+	if err != nil {
+		return "", err
+	}
+	if len(tgList) != 1 {
+		return "", errors.Errorf("expecting a single targetGroup but got %v", len(tgList))
+	}
+	return awssdk.StringValue(tgList[0].TargetType), nil
+}
+
+// +kubebuilder:webhook:path=/mutate-elbv2-k8s-aws-v1alpha1-targetgroupbinding,mutating=true,failurePolicy=fail,groups=elbv2.k8s.aws,resources=targetgroupbindings,verbs=create;update,versions=v1alpha1,name=mtargetgroupbinding.elbv2.k8s.aws,sideEffects=None,webhookVersions=v1beta1
+
+func (m *targetGroupBindingMutator) SetupWithManager(mgr ctrl.Manager) {
+	mgr.GetWebhookServer().Register(apiPathMutateELBv2TargetGroupBinding, webhook.MutatingWebhookForMutator(m))
+}