Add controllers to watch garden and certificate resources on runtime …

…cluster; add webhook to patch sniconfig of virtual kube-apiserver deployment
gardener · Jan 2, 2025 · 0583a16 · 0583a16
1 parent 7b99444
commit 0583a16
Show file tree

Hide file tree

Showing 17 changed files with 1,193 additions and 37 deletions.
diff --git a/cmd/gardener-extension-shoot-cert-service/app/app.go b/cmd/gardener-extension-shoot-cert-service/app/app.go
@@ -12,6 +12,7 @@ import (
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 	"github.com/gardener/gardener/extensions/pkg/controller/heartbeat"
 	"github.com/gardener/gardener/extensions/pkg/util"
+	operatorv1alpha1 "github.com/gardener/gardener/pkg/apis/operator/v1alpha1"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	componentbaseconfig "k8s.io/component-base/config"
@@ -20,8 +21,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 
 	serviceinstall "github.com/gardener/gardener-extension-shoot-cert-service/pkg/apis/service/install"
-	"github.com/gardener/gardener-extension-shoot-cert-service/pkg/controller"
 	"github.com/gardener/gardener-extension-shoot-cert-service/pkg/controller/healthcheck"
+	certificatecontroller "github.com/gardener/gardener-extension-shoot-cert-service/pkg/controller/runtimecluster/certificate"
+	gardencontroller "github.com/gardener/gardener-extension-shoot-cert-service/pkg/controller/runtimecluster/garden"
+	"github.com/gardener/gardener-extension-shoot-cert-service/pkg/controller/shootcertservice"
 )
 
 // NewServiceControllerCommand creates a new command that is used to start the Certificate Service controller.
@@ -88,18 +91,28 @@ func (o *Options) run(ctx context.Context) error {
 		return fmt.Errorf("could not update manager scheme: %s", err)
 	}
 
+	if err := operatorv1alpha1.AddToScheme(mgr.GetScheme()); err != nil {
+		return fmt.Errorf("could not update manager scheme: %s", err)
+	}
+
 	ctrlConfig := o.certOptions.Completed()
 	ctrlConfig.ApplyHealthCheckConfig(&healthcheck.DefaultAddOptions.HealthCheckConfig)
-	ctrlConfig.Apply(&controller.DefaultAddOptions.ServiceConfig)
-	o.controllerOptions.Completed().Apply(&controller.DefaultAddOptions.ControllerOptions)
+	ctrlConfig.Apply(&shootcertservice.DefaultAddOptions.ServiceConfig)
+	o.controllerOptions.Completed().Apply(&shootcertservice.DefaultAddOptions.ControllerOptions)
 	o.healthOptions.Completed().Apply(&healthcheck.DefaultAddOptions.Controller)
-	o.reconcileOptions.Completed().Apply(&controller.DefaultAddOptions.IgnoreOperationAnnotation, &controller.DefaultAddOptions.ExtensionClass)
+	o.reconcileOptions.Completed().Apply(&shootcertservice.DefaultAddOptions.IgnoreOperationAnnotation, &shootcertservice.DefaultAddOptions.ExtensionClass)
 	o.heartbeatOptions.Completed().Apply(&heartbeat.DefaultAddOptions)
+	o.gardenControllerOptions.Completed().Apply(&gardencontroller.DefaultAddOptions)
+	o.certificateControllerOptions.Completed().Apply(&certificatecontroller.DefaultAddOptions)
 
 	if err := o.controllerSwitches.Completed().AddToManager(ctx, mgr); err != nil {
 		return fmt.Errorf("could not add controllers to manager: %s", err)
 	}
 
+	if _, err := o.webhookOptions.Completed().AddToManager(ctx, mgr, mgr); err != nil {
+		return fmt.Errorf("could not add webhooks to manager: %s", err)
+	}
+
 	if err := mgr.Start(ctx); err != nil {
 		return fmt.Errorf("error running manager: %s", err)
 	}

diff --git a/cmd/gardener-extension-shoot-cert-service/app/options.go b/cmd/gardener-extension-shoot-cert-service/app/options.go
@@ -9,6 +9,8 @@ import (
 
 	controllercmd "github.com/gardener/gardener/extensions/pkg/controller/cmd"
 	heartbeatcmd "github.com/gardener/gardener/extensions/pkg/controller/heartbeat/cmd"
+	extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
+	extensionscmdwebhook "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
 
 	certificateservicecmd "github.com/gardener/gardener-extension-shoot-cert-service/pkg/cmd"
 )
@@ -18,20 +20,28 @@ const ExtensionName = "extension-shoot-cert-service"
 
 // Options holds configuration passed to the Certificate Service controller.
 type Options struct {
-	generalOptions     *controllercmd.GeneralOptions
-	certOptions        *certificateservicecmd.CertificateServiceOptions
-	restOptions        *controllercmd.RESTOptions
-	managerOptions     *controllercmd.ManagerOptions
-	controllerOptions  *controllercmd.ControllerOptions
-	healthOptions      *controllercmd.ControllerOptions
-	heartbeatOptions   *heartbeatcmd.Options
-	controllerSwitches *controllercmd.SwitchOptions
-	reconcileOptions   *controllercmd.ReconcilerOptions
-	optionAggregator   controllercmd.OptionAggregator
+	generalOptions               *controllercmd.GeneralOptions
+	certOptions                  *certificateservicecmd.CertificateServiceOptions
+	restOptions                  *controllercmd.RESTOptions
+	managerOptions               *controllercmd.ManagerOptions
+	controllerOptions            *controllercmd.ControllerOptions
+	healthOptions                *controllercmd.ControllerOptions
+	heartbeatOptions             *heartbeatcmd.Options
+	gardenControllerOptions      *controllercmd.ControllerOptions
+	certificateControllerOptions *controllercmd.ControllerOptions
+	controllerSwitches           *controllercmd.SwitchOptions
+	reconcileOptions             *controllercmd.ReconcilerOptions
+	optionAggregator             controllercmd.OptionAggregator
+	webhookOptions               *extensionscmdwebhook.AddToManagerOptions
 }
 
 // NewOptions creates a new Options instance.
 func NewOptions() *Options {
+	mode, url := extensionswebhook.ModeService, os.Getenv("WEBHOOK_URL")
+	if v := os.Getenv("WEBHOOK_MODE"); v != "" {
+		mode = v
+	}
+
 	options := &Options{
 		generalOptions: &controllercmd.GeneralOptions{},
 		certOptions:    &certificateservicecmd.CertificateServiceOptions{},
@@ -41,6 +51,9 @@ func NewOptions() *Options {
 			LeaderElection:          true,
 			LeaderElectionID:        controllercmd.LeaderElectionNameID(ExtensionName),
 			LeaderElectionNamespace: os.Getenv("LEADER_ELECTION_NAMESPACE"),
+
+			// These are default values.
+			WebhookServerPort: 10250,
 		},
 		controllerOptions: &controllercmd.ControllerOptions{
 			// This is a default value.
@@ -50,6 +63,14 @@ func NewOptions() *Options {
 			// This is a default value.
 			MaxConcurrentReconciles: 5,
 		},
+		gardenControllerOptions: &controllercmd.ControllerOptions{
+			// This is a default value.
+			MaxConcurrentReconciles: 1,
+		},
+		certificateControllerOptions: &controllercmd.ControllerOptions{
+			// This is a default value.
+			MaxConcurrentReconciles: 1,
+		},
 		heartbeatOptions: &heartbeatcmd.Options{
 			// This is a default value.
 			ExtensionName:        ExtensionName,
@@ -58,6 +79,17 @@ func NewOptions() *Options {
 		},
 		controllerSwitches: certificateservicecmd.ControllerSwitches(),
 		reconcileOptions:   &controllercmd.ReconcilerOptions{},
+		webhookOptions: extensionscmdwebhook.NewAddToManagerOptions(
+			"shoot-cert-service",
+			"",
+			nil,
+			&extensionscmdwebhook.ServerOptions{
+				Mode:        mode,
+				URL:         url,
+				ServicePort: 443,
+				Namespace:   "garden",
+			},
+			certificateservicecmd.WebhookSwitches()),
 	}
 
 	options.optionAggregator = controllercmd.NewOptionAggregator(
@@ -68,8 +100,11 @@ func NewOptions() *Options {
 		options.certOptions,
 		controllercmd.PrefixOption("healthcheck-", options.healthOptions),
 		controllercmd.PrefixOption("heartbeat-", options.heartbeatOptions),
+		controllercmd.PrefixOption("garden-", options.gardenControllerOptions),
+		controllercmd.PrefixOption("certificate-", options.certificateControllerOptions),
 		options.controllerSwitches,
 		options.reconcileOptions,
+		options.webhookOptions,
 	)
 
 	return options

diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
diff --git a/go.mod b/go.mod
@@ -15,6 +15,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	go.uber.org/mock v0.5.0
 	golang.org/x/tools v0.28.0
+	gomodules.xyz/jsonpatch/v2 v2.4.0
 	k8s.io/api v0.31.3
 	k8s.io/apimachinery v0.31.3
 	k8s.io/client-go v0.31.3
@@ -26,13 +27,16 @@ require (
 
 require (
 	dario.cat/mergo v1.0.1 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/andybalholm/brotli v1.1.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cert-manager/cert-manager v1.16.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.4 // indirect
@@ -43,8 +47,14 @@ require (
 	github.com/fluent/fluent-operator/v2 v2.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/gardener/controller-manager-library v0.2.1-0.20241104074533-80cbeddadabc // indirect
 	github.com/gardener/etcd-druid v0.25.0 // indirect
+	github.com/gardener/external-dns-management v0.22.1 // indirect
 	github.com/gardener/machine-controller-manager v0.55.1 // indirect
+	github.com/go-acme/lego/v4 v4.20.4 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.8 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/errors v0.20.4 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -64,7 +74,7 @@ require (
 	github.com/gorilla/websocket v1.5.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -77,6 +87,7 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
@@ -86,6 +97,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.78.2 // indirect
@@ -97,6 +109,7 @@ require (
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
@@ -108,17 +121,16 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20241204233417-43b7b7cde48d // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/oauth2 v0.24.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
 	google.golang.org/protobuf v1.35.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -143,7 +155,9 @@ require (
 	k8s.io/metrics v0.31.3 // indirect
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20231015215740-bf15e44028f9 // indirect
 	sigs.k8s.io/controller-tools v0.16.5 // indirect
+	sigs.k8s.io/gateway-api v1.2.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.3 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.5.0 // indirect
 )