Merge pull request #151 from vshn/webhook/deletionprotection

Webhook based deletion protection for backend objects

Makefile

@@ -76,6 +76,8 @@ generate: $(protoc_bin) get-crds generate-stackgres-crds ## Generate code with c
 	find apis/generated/ -exec $(sed) -i ':a;N;$$!ba;s/- =\n/- "="\n/g' {} \;
 	rm -rf crds && cp -r apis/generated crds
 	go run sigs.k8s.io/controller-tools/cmd/controller-gen rbac:roleName=appcat-sli-exporter paths="{./pkg/sliexporter/...}" output:artifacts:config=config/sliexporter/rbac
+	go run sigs.k8s.io/controller-tools/cmd/controller-gen rbac:roleName=appcat-controller paths="{./pkg/controller/...}" output:rbac:stdout > config/controller/cluster-role.yaml
+	go run sigs.k8s.io/controller-tools/cmd/controller-gen webhook paths="{./pkg/controller/...}" output:stdout > config/controller/webhooks.yaml
 
 .PHONY: generate-stackgres-crds
 generate-stackgres-crds:
@@ -176,19 +178,13 @@ webhook_service_name = host.docker.internal
 
 webhook-debug: $(webhook_cert) ## Creates certificates, patches the webhook registrations and applies everything to the given kube cluster
 webhook-debug:
-	kubectl -n syn-appcat scale deployment appcat-controller --replicas 0
 	cabundle=$$(cat .work/webhook/tls.crt | base64) && \
-	HOSTIP=$(webhook_service_name) && \
-	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-pg-validation cert-manager.io/inject-ca-from- && \
-	kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io appcat-pg-validation -oyaml | \
-	yq e "del(.webhooks[0].clientConfig.service) | .webhooks[0].clientConfig.caBundle |= \"$$cabundle\" | .webhooks[0].clientConfig.url |= \"https://$$HOSTIP:9443/validate-vshn-appcat-vshn-io-v1-vshnpostgresql\"" - | \
-	kubectl apply -f - && \
-	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-redis-validation cert-manager.io/inject-ca-from- && \
-	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-pg-validation kubectl.kubernetes.io/last-applied-configuration- && \
-	kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io appcat-redis-validation -oyaml | \
-	yq e "del(.webhooks[0].clientConfig.service) | .webhooks[0].clientConfig.caBundle |= \"$$cabundle\" | .webhooks[0].clientConfig.url |= \"https://$$HOSTIP:9443/validate-vshn-appcat-vshn-io-v1-vshnredis\"" - | \
-	kubectl apply -f - && \
-	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-redis-validation kubectl.kubernetes.io/last-applied-configuration-
+	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-validation kubectl.kubernetes.io/last-applied-configuration- && \
+	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-validation cert-manager.io/inject-ca-from- && \
+	kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io appcat-validation -oyaml | \
+	yq e "with(.webhooks[]; .clientConfig.caBundle = \"$$cabundle\") | with(.webhooks[]; .clientConfig.url = \"https://$(webhook_service_name):9443\" + .clientConfig.service.path) | with(.webhooks[]; del(.clientConfig.service))"  | \
+	kubectl replace -f - && \
+	kubectl annotate validatingwebhookconfigurations.admissionregistration.k8s.io appcat-validation kubectl.kubernetes.io/last-applied-configuration-
 
 .PHONY: clean
 clean:

apis/vshn/v1/groupversion_info.go

@@ -26,17 +26,25 @@ func init() {
 		&VSHNPostgreSQLList{},
 		&XVSHNPostgreSQL{},
 		&XVSHNPostgreSQLList{},
+
 		&VSHNRedis{},
 		&VSHNRedisList{},
-		&VSHNMinio{},
-		&VSHNMinioList{},
 		&XVSHNRedis{},
 		&XVSHNRedisList{},
+
+		&VSHNMinio{},
+		&VSHNMinioList{},
 		&XVSHNMinio{},
 		&XVSHNMinioList{},
+
 		&XVSHNKeycloak{},
 		&XVSHNKeycloakList{},
 		&VSHNKeycloakList{},
 		&VSHNKeycloak{},
+
+		&XVSHNMariaDB{},
+		&XVSHNMariaDBList{},
+		&VSHNMariaDB{},
+		&VSHNMariaDBList{},
 	)
 }

cmd/controller.go

@@ -126,5 +126,15 @@ func setupWebhooks(mgr manager.Manager, withQuota bool) error {
 	if err != nil {
 		return err
 	}
-	return nil
+	err = webhooks.SetupNamespaceDeletionProtectionHandlerWithManager(mgr)
+	if err != nil {
+		return err
+	}
+
+	err = webhooks.SetupObjectbucketCDeletionProtectionHandlerWithManager(mgr)
+	if err != nil {
+		return err
+	}
+
+	return webhooks.SetupPVCDeletionProtectionHandlerWithManager(mgr)
 }

config/controller/cluster-role.yaml

@@ -1,78 +1,94 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: appcat-controller
 rules:
-  - apiGroups:
-      - vshn.appcat.vshn.io
-    resources:
-      - xvshnpostgresqls
-      - xvshnpostgresqls/finalizers
-    verbs:
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - kubernetes.crossplane.io
-    resources:
-      - objects
-    verbs:
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-      - configmaps
-    verbs:
-      - get
-      - update
-      - list
-      - watch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - get
-      - update
-      - list
-      - watch
-      - delete
-      - create
-      - patch
-  - apiGroups:
-      - apps
-    resources:
-      - statefulsets
-    verbs:
-      - get
-  - apiGroups:
-      - cert-manager.io
-    resources:
-      - issuers
-      - certificates
-    verbs:
-      - get
-  - apiGroups:
-      - batch
-    resources:
-      - jobs
-      - cronjobs
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-      - services
-    verbs:
-      - get
-  - apiGroups:
-      - vshn.appcat.vshn.io
-    resources:
-      - "*"
-    verbs:
-      - get
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kubernetes.crossplane.io
+  resources:
+  - objects
+  verbs:
+  - delete
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - xvshnpostgresqls
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - xvshnpostgresqls/status
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - xvshnredis
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - xvshnredis/status
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch