| title | authors | reviewers | approvers | creation-date | last-updated | status | |||
|---|---|---|---|---|---|---|---|---|---|
olm-crd-conversion-webhook-support |
|
|
|
2020-06-10 |
2020-07-05 |
implementable |
- Enhancement is
implementable - Design details are appropriately documented from clear requirements
- Test plan is defined
- Graduation criteria for dev preview, tech preview, GA
- User-facing documentation is created in openshift-docs
This enhancement covers the necessary steps to add OLM support for CRD conversion webhooks.
-
Webhook: Webhooks are HTTP callbacks, providing a way for notifications to be delivered to an external web server i.e. a simple event-notification via HTTP POST. Examples: CRD conversion webhooks, validating and mutating admission webhooks.
-
Conversion Webhook: Webhook that can convert an object from one version to another.
When API clients, like kubectl or your controller, request a particular version of your resource, the Kubernetes API server needs to return a result that’s of that version. However, that version might not match the version stored by the API server.
In that case, the API server needs to know how to convert between the desired version and the stored version. Since the conversions aren’t built in for CRDs, the Kubernetes API server calls out to a webhook to do the conversion instead.
Many Operators are shipping conversion webhooks to deliver conversion of an object from one version to another. The CustomResourceDefinition API supports a versions field that is used to support multiple versions of custom resources that have been developed. Versions can have different schemas and a conversion webhook is used to convert custom resources between versions.
OLM needs to support operators with crd conversion webhooks and help manage and rotate corresponding certificates.
- Operator authors can include crd conversion webhooks in their bundle as a part of a CSV.
- Operator author will not need to manage cert rotation for webhooks shipped with their operators.
- This enhancement aims to support AllNamespace/ Global Singleton Operators only.
- Specifying PodDisruptionBudgets with webhooks is out of scope for this enhancement.
Operator authors will be able to:
- Provide a CRD name in the WebhookDescription, and this CRD would have the conversion webhook defined. OLM would update the CRD with correct CA cert.
- The WebhookDescription struct would include one extra field called ‘ConversionCrds’ in the WebhookDescription struct which would hold the CRD names.
type WebhookDescription struct {
.
.
.
// ConversionCrd must match the CustomResourceDefinition name
ConversionCRDs []string `json:"conversionCRDs"`
}
-
Cluster admins will be allowed to install CRD conversion webhooks for only AllNamespace Operators.
CRD conversion webhooks intercept requests for all namespaces, so only AllNamespace operators will ship with conversion webhooks and only those can be installed to leverage these webhooks. Once an AllNamespace operator is installed, it would claim ownership of the API in every namespace, and OLM will not allow installation of any other Operator that claims the same API.
-
There can’t be multiple conversion webhooks on a single cluster for a given CRD.
-
No new resources are added, the Webhook resource is extended to include conversion CRD name.
- If the CRD conversion webhook is removed in a new version of the CSV, the on cluster Webhook should be deleted.
The certificate creation and lifecycle management is planned to utilize the same certs package that is already in OLM managing the certificates for api services.
OLM would:
- Create deployments defined in CSV
- While creating the deployment, OLM would identify that CRD(s) is(/are) conversion webhook CRD(s)
- This conversion webhook CRD would be updated to include proper CA cert.