Enable keystone webhooks

Author: dprince

bindata/operator/keystone-operator-webhooks.yaml

@@ -0,0 +1,127 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: webhook-service
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: service
+    app.kubernetes.io/part-of: keystone-operator
+  name: keystone-operator-webhook-service
+  namespace: '{{ .OperatorNamespace }}'
+spec:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  selector:
+    openstack.org/operator-name: keystone
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: serving-cert
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: certificate
+    app.kubernetes.io/part-of: keystone-operator
+  name: keystone-operator-serving-cert
+  namespace: '{{ .OperatorNamespace }}'
+spec:
+  dnsNames:
+  - keystone-operator-webhook-service.{{ .OperatorNamespace }}.svc
+  - keystone-operator-webhook-service.{{ .OperatorNamespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: keystone-operator-selfsigned-issuer
+  secretName: keystone-operator-webhook-server-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  labels:
+    app.kubernetes.io/component: certificate
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: selfsigned-issuer
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: issuer
+    app.kubernetes.io/part-of: keystone-operator
+  name: keystone-operator-selfsigned-issuer
+  namespace: '{{ .OperatorNamespace }}'
+spec:
+  selfSigned: {}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .OperatorNamespace }}/keystone-operator-serving-cert'
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: mutating-webhook-configuration
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: mutatingwebhookconfiguration
+    app.kubernetes.io/part-of: keystone-operator
+  name: keystone-operator-mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  failurePolicy: Fail
+  name: mkeystoneapi.kb.io
+  rules:
+    - apiGroups:
+        - keystone.openstack.org
+      apiVersions:
+      - v1beta2
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - keystoneapis
+  sideEffects: None
+  clientConfig:
+    service:
+      name: keystone-operator-webhook-service
+      namespace: '{{ .OperatorNamespace }}'
+      path: /mutate-keystone-openstack-org-v1beta2-keystoneapi
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .OperatorNamespace }}/keystone-operator-serving-cert'
+  creationTimestamp: null
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: openstack-operator
+    app.kubernetes.io/instance: validating-webhook-configuration
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: validatingwebhookconfiguration
+    app.kubernetes.io/part-of: keystone-operator
+  name: keystone-operator-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  failurePolicy: Fail
+  name: vkeystoneapi.kb.io
+  rules:
+    - apiGroups:
+        - keystone.openstack.org
+      apiVersions:
+      - v1beta2
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - keystoneapis
+  sideEffects: None
+  clientConfig:
+    service:
+      name: keystone-operator-webhook-service
+      namespace: '{{ .OperatorNamespace }}'
+      path: /validate-keystone-openstack-org-v1beta2-keystoneapi

controllers/operator/openstack_controller.go

@@ -394,7 +394,7 @@ func containerImageMatch(instance *operatorv1beta1.OpenStack) bool {
 
 func isWebhookEndpoint(name string) bool {
 	// NOTE: this is a static list for all operators with webhooks enabled
-	endpointNames := []string{"openstack-operator-webhook-service", "infra-operator-webhook-service", "openstack-baremetal-operator-webhook-service"}
+	endpointNames := []string{"openstack-operator-webhook-service", "infra-operator-webhook-service", "keystone-operator-webhook-service", "openstack-baremetal-operator-webhook-service"}
 	for _, prefix := range endpointNames {
 		if strings.HasPrefix(name, prefix) {
 			return true
@@ -594,6 +594,15 @@ func (r *OpenStackReconciler) applyOperator(ctx context.Context, instance *opera
 						Name:  "ENABLE_WEBHOOKS",
 						Value: "true",
 					})
+			case operatorv1beta1.KeystoneOperatorName:
+				// enable webhooks on the keystone-operator
+				serviceOp.Deployment.Manager.Env = append(serviceOp.Deployment.Manager.Env,
+					corev1.EnvVar{
+						Name:  "ENABLE_WEBHOOKS",
+						Value: "true",
+					})
+				serviceOp.Deployment.Manager.Env = append(serviceOp.Deployment.Manager.Env,
+					relatedImagesEnv...)
 			default:
 				// disable webhooks per default
 				serviceOp.Deployment.Manager.Env = append(serviceOp.Deployment.Manager.Env,

hack/sync-bindata.sh

@@ -173,7 +173,7 @@ for X in $(ls manifests/*clusterserviceversion.yaml); do
         CLUSTER_ROLE_RULES=$(cat $X | $LOCAL_BINARIES/yq -r .spec.install.spec.clusterPermissions| sed -e 's|- rules:|rules:|' | sed -e 's|    ||' | sed -e '/  serviceAccountName.*/d'
 )
 
-if [[ "$OPERATOR_NAME" == "infra-operator" || "$OPERATOR_NAME" == "openstack-baremetal-operator" ]]; then
+if [[ "$OPERATOR_NAME" == "infra-operator" || "$OPERATOR_NAME" == "openstack-baremetal-operator" || "$OPERATOR_NAME" == "keystone-operator" ]]; then
     write_webhooks "$X" "$OPERATOR_NAME"
 fi