core: start admission controller without any script

finally, admission controller will be enabled default without any script/manual step. But it still requires cert-manager to be installed which I believe is already installed in clusters. **Note** Code doesn't return error it just logs the error since we don't want to stop reconciling if the admission controller fails. We can work on this once the admission controller is stable. Signed-off-by: subhamkrai <[email protected]>
Albe83 · Apr 11, 2022 · f6f03d2 · f6f03d2
1 parent 7adba6c
commit f6f03d2
Show file tree

Hide file tree

Showing 20 changed files with 984 additions and 227 deletions.
diff --git a/Documentation/admission-controller-usage.md b/Documentation/admission-controller-usage.md
diff --git a/Documentation/pre-reqs.md b/Documentation/pre-reqs.md
@@ -36,6 +36,16 @@ lsblk -f
 
 If the `FSTYPE` field is not empty, there is a filesystem on top of the corresponding device. In this example, you can use `vdb` for Ceph and can't use `vda` or its partitions.
 
+## Admission Controller
+
+Enabling the Rook admission controller is recommended to provide an additional level of validation that Rook is configured correctly with the custom resource (CR) settings. An admission controller intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
+
+To deploy the Rook admission controllers, install the cert manager before Rook is installed:
+
+```console
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.7.1/cert-manager.yaml
+```.
+
 ## LVM package
 
 Ceph OSDs have a dependency on LVM in the following scenarios:

diff --git a/build/rbac/rbac.yaml b/build/rbac/rbac.yaml
@@ -481,6 +481,9 @@ rules:
   - apiGroups: [""]
     resources: ["pods/exec"]
     verbs: ["create"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["create", "get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -863,6 +866,14 @@ rules:
       - persistentvolumeclaims
     verbs:
       - delete
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificates
+      - issuers
+    verbs:
+      - get
+      - create
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/deploy/charts/rook-ceph/templates/clusterrole.yaml b/deploy/charts/rook-ceph/templates/clusterrole.yaml
@@ -18,6 +18,9 @@ rules:
   - apiGroups: [""]
     resources: ["pods/exec"]
     verbs: ["create"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["create", "get", "delete"]
 ---
 # The cluster role for managing all the cluster-specific resources in a namespace
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/deploy/charts/rook-ceph/templates/deployment.yaml b/deploy/charts/rook-ceph/templates/deployment.yaml
@@ -77,6 +77,8 @@ spec:
           value: "{{ .Values.disableDeviceHotplug }}"
         - name: ROOK_ENABLE_DISCOVERY_DAEMON
           value: "{{ .Values.enableDiscoveryDaemon }}"
+        - name: ROOK_DISABLE_ADMISSION_CONTROLLER
+          value: "{{ .Values.disableAdmissionController }}"
 
         - name: NODE_NAME
           valueFrom:

diff --git a/deploy/charts/rook-ceph/templates/role.yaml b/deploy/charts/rook-ceph/templates/role.yaml
@@ -44,6 +44,15 @@ rules:
   - cronjobs
   verbs:
   - delete
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  - issuers
+  verbs:
+  - get
+  - create
+  - delete
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/deploy/charts/rook-ceph/values.yaml b/deploy/charts/rook-ceph/values.yaml
@@ -28,7 +28,7 @@ nodeSelector: {}
 # For more info, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 #  disktype: ssd
 
-# Tolerations for the rook-ceph-operator to allow it to run on nodes with particular taints
+# Tolerations for the rook-ceph-operator to allow it to run on nodes with particular taints
 tolerations: []
 
 # Delay to use in node.kubernetes.io/unreachable toleration
@@ -329,6 +329,8 @@ cephCommandsTimeoutSeconds: "15"
 # For more details see https://github.com/rook/rook/issues/2417
 enableSelinuxRelabeling: true
 
+disableAdmissionController: false
+
 # Writing to the hostPath is required for the Ceph mon and osd pods. Given the restricted permissions in OpenShift with SELinux,
 # the pod must be running privileged in order to write to the hostPath volume, this must be set to true then.
 hostpathRequiresPrivileged: false

diff --git a/deploy/examples/common.yaml b/deploy/examples/common.yaml
@@ -568,6 +568,9 @@ rules:
   - apiGroups: [""]
     resources: ["pods/exec"]
     verbs: ["create"]
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["validatingwebhookconfigurations"]
+    verbs: ["create", "get", "delete"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1047,6 +1050,15 @@ rules:
       - cronjobs
     verbs:
       - delete
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificates
+      - issuers
+    verbs:
+      - get
+      - create
+      - delete
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/deploy/examples/operator.yaml b/deploy/examples/operator.yaml
@@ -461,6 +461,9 @@ spec:
             - name: ROOK_UNREACHABLE_NODE_TOLERATION_SECONDS
               value: "5"
 
+            - name: ROOK_DISABLE_ADMISSION_CONTROLLER
+              value: "false"
+
             # The name of the node to pass with the downward API
             - name: NODE_NAME
               valueFrom:

diff --git a/go.mod b/go.mod
@@ -4,17 +4,18 @@ go 1.16
 
 require (
 	github.com/IBM/keyprotect-go-client v0.7.0
-	github.com/aws/aws-sdk-go v1.37.19
+	github.com/aws/aws-sdk-go v1.40.21
 	github.com/banzaicloud/k8s-objectmatcher v1.1.0
 	github.com/ceph/go-ceph v0.12.0
 	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f
 	github.com/go-ini/ini v1.51.1
-	github.com/google/go-cmp v0.5.5
-	github.com/google/uuid v1.1.2
+	github.com/google/go-cmp v0.5.6
+	github.com/google/uuid v1.3.0
 	github.com/hashicorp/vault v1.8.5
 	github.com/hashicorp/vault-plugin-secrets-kv v0.9.0
 	github.com/hashicorp/vault/api v1.1.2-0.20210713235431-1fc8af4c041f
 	github.com/hashicorp/vault/sdk v0.2.2-0.20211101151547-6654f4b913f9
+	github.com/jetstack/cert-manager v1.6.2
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.1.0
 	github.com/kube-object-storage/lib-bucket-provisioner v0.0.0-20220105185820-c1da9586e05b
 	github.com/libopenstorage/secrets v0.0.0-20210709082113-dde442ea20ec
@@ -24,12 +25,12 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.46.0
 	github.com/prometheus-operator/prometheus-operator/pkg/client v0.46.0
-	github.com/spf13/cobra v1.1.3
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
 	github.com/tencentcloud/tencentcloud-sdk-go v3.0.171+incompatible // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	gopkg.in/ini.v1 v1.57.0
+	gopkg.in/ini.v1 v1.62.0
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2