From d3c3f08803b265190110251d812c1a92b8a90d0c Mon Sep 17 00:00:00 2001 From: Kenneth Koski Date: Wed, 19 Jan 2022 09:26:04 -0600 Subject: [PATCH] Update webhook failurePolicy from Ignore to Fail Updates katib-controller webhook for operator and manifests to set failurePolicy to Fail. This allows for greater visibility on errors. --- .../v1beta1/components/webhook/webhooks.yaml | 6 ++--- operators/katib-controller/requirements.txt | 3 ++- operators/katib-controller/src/charm.py | 13 ++++++++- .../src/{webhooks.yaml => webhooks.yaml.j2} | 27 ++++++++++--------- operators/katib-ui/requirements.txt | 2 +- 5 files changed, 33 insertions(+), 18 deletions(-) rename operators/katib-controller/src/{webhooks.yaml => webhooks.yaml.j2} (77%) diff --git a/manifests/v1beta1/components/webhook/webhooks.yaml b/manifests/v1beta1/components/webhook/webhooks.yaml index fb78517270c..f84a5586c56 100644 --- a/manifests/v1beta1/components/webhook/webhooks.yaml +++ b/manifests/v1beta1/components/webhook/webhooks.yaml @@ -5,7 +5,7 @@ metadata: webhooks: - name: validator.experiment.katib.kubeflow.org sideEffects: None - failurePolicy: Ignore + failurePolicy: Fail admissionReviewVersions: - v1 clientConfig: @@ -32,7 +32,7 @@ metadata: webhooks: - name: defaulter.experiment.katib.kubeflow.org sideEffects: None - failurePolicy: Ignore + failurePolicy: Fail admissionReviewVersions: - v1 clientConfig: @@ -53,7 +53,7 @@ webhooks: - experiments - name: mutator.pod.katib.kubeflow.org sideEffects: None - failurePolicy: Ignore + failurePolicy: Fail admissionReviewVersions: - v1 clientConfig: diff --git a/operators/katib-controller/requirements.txt b/operators/katib-controller/requirements.txt index 7ac4380d9f5..0ae9c0dcf38 100644 --- a/operators/katib-controller/requirements.txt +++ b/operators/katib-controller/requirements.txt @@ -1,2 +1,3 @@ -ops==1.2.0 +jinja2<3.1 oci-image==1.0.0 +ops==1.2.0 
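Review bot: Setting `failurePolicy: Fail` on `mutator.pod.katib.kubeflow.org` (third hunk of manifests/v1beta1/components/webhook/webhooks.yaml, and again in the third hunk of webhooks.yaml.j2) makes every matching Pod create depend on the katib-controller webhook being reachable, and neither hunk bounds the wait or narrows the match. The mutator's `namespaceSelector` labels are not visible in these hunks, so please confirm that the controller's own namespace cannot match. If it can, a controller outage could reject the Pod that would restore it. I would add an explicit bound next to the policy, for example `timeoutSeconds: 5`, and consider an `objectSelector` so only Pods that need mutation are gated. The two experiment webhooks have a smaller blast radius, but an unavailable webhook will now reject Experiment writes too, which deserves a line in the upgrade notes.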
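Review bot: `jinja2<3.1` in operators/katib-controller/requirements.txt is an open range with no lower bound, in a file whose other entries are exact pins (`oci-image==1.0.0`, `ops==1.2.0`), so two builds of the charm can resolve different Jinja2 releases. The operators/katib-ui/requirements.txt hunk loosens `serialized-data-interface==0.2.2` to `<0.4` in the same way. I would pin the release the charm was actually tested with, `jinja2==<tested version>`, or at least add a lower bound. If the cap exists to avoid a known break in 3.1, a one-line comment saying so would help the next person who bumps it.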
diff --git a/operators/katib-controller/src/charm.py b/operators/katib-controller/src/charm.py index 961b9cef778..9642ae4913c 100755 --- a/operators/katib-controller/src/charm.py +++ b/operators/katib-controller/src/charm.py @@ -1,10 +1,12 @@ #!/usr/bin/env python3 import logging +from base64 import b64encode from pathlib import Path from subprocess import check_call import yaml +from jinja2 import Environment, FileSystemLoader from oci_image import OCIImageResource, OCIImageResourceError from ops.charm import CharmBase from ops.framework import StoredState @@ -49,7 +51,16 @@ def set_pod_spec(self, event): self.model.unit.status = check_failed.status return - validating, mutating = yaml.safe_load_all(Path("src/webhooks.yaml").read_text()) + ca_bundle = b64encode(self._stored.cert.encode("utf-8")).decode("utf-8") + env = Environment(loader=FileSystemLoader("src")) + t = env.get_template("webhooks.yaml.j2") + rendered = t.render( + ca_bundle=ca_bundle, + name=self.model.app.name, + namespace=self.model.name, + port=self.model.config["webhook-port"], + ) + validating, mutating = yaml.safe_load_all(rendered) self.model.pod.set_spec( { diff --git a/operators/katib-controller/src/webhooks.yaml b/operators/katib-controller/src/webhooks.yaml.j2 similarity index 77% rename from operators/katib-controller/src/webhooks.yaml rename to operators/katib-controller/src/webhooks.yaml.j2 index 382b408795a..146281b9d3c 100644 --- a/operators/katib-controller/src/webhooks.yaml +++ b/operators/katib-controller/src/webhooks.yaml.j2 @@ -5,15 +5,16 @@ metadata: webhooks: - name: validator.experiment.katib.kubeflow.org sideEffects: None - failurePolicy: Ignore + failurePolicy: Fail # TODO (andreyvelich): Migrate to v1 ? admissionReviewVersions: - v1beta1 clientConfig: - caBundle: Cg== + caBundle: {{ ca_bundle }} service: - name: katib-controller - namespace: kubeflow + name: {{ name }} + namespace: {{ namespace }} + port: {{ port }} path: /validate-experiment rules: - apiGroups: 
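Review bot: The `Environment(loader=FileSystemLoader("src"))` added in set_pod_spec keeps Jinja2's default undefined handling, so a template variable that is renamed or not passed to `render()` becomes an empty string instead of raising. With the webhooks now fail-closed, an empty `caBundle` or `port` surfaces as rejected admissions rather than as a charm error. I would build it as `env = Environment(loader=FileSystemLoader("src"), undefined=StrictUndefined)` and import `StrictUndefined` alongside `Environment`. Separately, `ca_bundle` is encoded from `self._stored.cert` with no check that the value is non-empty. Where that value is set is outside this hunk, so a guard that sets a waiting or blocked status before rendering may be worth adding; set_pod_spec starts and ends outside the hunk.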
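Review bot: `{{ ca_bundle }}`, `{{ name }}`, `{{ namespace }}` and `{{ port }}` are substituted as bare YAML scalars in this hunk of webhooks.yaml.j2, and the same four lines repeat in the two hunks that follow. The rendered text is parsed again by `yaml.safe_load_all` in charm.py, so a value containing `: `, ` #` or a newline would change the document structure instead of failing. Quoting in the template keeps each value a single scalar, for example `name: {{ name | tojson }}` and `namespace: {{ namespace | tojson }}`. For the port, `port: {{ port | int }}` makes a non-numeric config value fail at render time.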
@@ -33,14 +34,15 @@ metadata: webhooks: - name: defaulter.experiment.katib.kubeflow.org sideEffects: None - failurePolicy: Ignore + failurePolicy: Fail admissionReviewVersions: - v1beta1 clientConfig: - caBundle: Cg== + caBundle: {{ ca_bundle }} service: - name: katib-controller - namespace: kubeflow + name: {{ name }} + namespace: {{ namespace }} + port: {{ port }} path: /mutate-experiment rules: - apiGroups: @@ -54,14 +56,15 @@ webhooks: - experiments - name: mutator.pod.katib.kubeflow.org sideEffects: None - failurePolicy: Ignore + failurePolicy: Fail admissionReviewVersions: - v1beta1 clientConfig: - caBundle: Cg== + caBundle: {{ ca_bundle }} service: - name: katib-controller - namespace: kubeflow + name: {{ name }} + namespace: {{ namespace }} + port: {{ port }} path: /mutate-pod namespaceSelector: matchLabels: diff --git a/operators/katib-ui/requirements.txt b/operators/katib-ui/requirements.txt index 553a01db83d..4df0e5bed57 100644 --- a/operators/katib-ui/requirements.txt +++ b/operators/katib-ui/requirements.txt @@ -1,3 +1,3 @@ ops==1.2.0 oci-image==1.0.0 -serialized-data-interface==0.2.2 +serialized-data-interface<0.4