Added startucpuboost validating webhook (#16)

* Added startucpuboost validating webhook

Author: mikouaj

PROJECT

@@ -17,4 +17,7 @@ resources:
   kind: StartupCPUBoost
   path: github.com/google/kube-startup-cpu-boost/api/v1alpha1
   version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

api/v1alpha1/startupcpuboost_types.go

@@ -60,7 +60,7 @@ type DurationPolicy struct {
 	PodCondition *PodConditionDurationPolicy `json:"podCondition,omitempty"`
 }
 
-// PercentagePolicy defines the policy used to determine the target
+// PercentageIncrease defines the policy used to determine the target
 // resources for a container
 type PercentageIncrease struct {
 	// Value specifies the percentage value

cmd/main.go

@@ -122,6 +122,10 @@ func setupControllers(mgr ctrl.Manager, boostMgr boost.Manager, certsReady chan
 	<-certsReady
 	setupLog.Info("Certificate generation has completed")
 
+	if failedWebhook, err := boostWebhook.Setup(mgr); err != nil {
+		setupLog.Error(err, "Unable to create webhook", "webhook", failedWebhook)
+		os.Exit(1)
+	}
 	cpuBoostWebHook := boostWebhook.NewPodCPUBoostWebHook(boostMgr, scheme)
 	mgr.GetWebhookServer().Register("/mutate-v1-pod", cpuBoostWebHook)
 

config/webhook/manifests.yaml

@@ -23,3 +23,29 @@ webhooks:
     resources:
     - pods
   sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-autoscaling-x-k8s-io-v1alpha1-startupcpuboost
+  failurePolicy: Fail
+  name: vstartupcpuboost.autoscaling.x-k8s.io
+  rules:
+  - apiGroups:
+    - autoscaling.x-k8s.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - startupcpuboosts
+  sideEffects: None

internal/util/cert.go

@@ -23,12 +23,13 @@ import (
 )
 
 const (
-	certDir             = "/tmp/k8s-webhook-server/serving-certs"
-	podBoostWebHookName = "kube-startup-cpu-boost-mutating-webhook-configuration"
-	caName              = "kube-startup-cpu-boost-ca"
-	caOrganization      = "kube-startup-cpu-boost"
-	webhookServiceName  = "kube-startup-cpu-boost-webhook-service"
-	webhookSecretName   = "kube-startup-cpu-boost-webhook-secret"
+	certDir                    = "/tmp/k8s-webhook-server/serving-certs"
+	boostMutatingWebHookName   = "kube-startup-cpu-boost-mutating-webhook-configuration"
+	boostValidatingWebHookName = "kube-startup-cpu-boost-validating-webhook-configuration"
+	caName                     = "kube-startup-cpu-boost-ca"
+	caOrganization             = "kube-startup-cpu-boost"
+	webhookServiceName         = "kube-startup-cpu-boost-webhook-service"
+	webhookSecretName          = "kube-startup-cpu-boost-webhook-secret"
 )
 
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update
@@ -49,7 +50,10 @@ func ManageCerts(mgr ctrl.Manager, namespace string, setupFinished chan struct{}
 		IsReady:        setupFinished,
 		Webhooks: []cert.WebhookInfo{{
 			Type: cert.Mutating,
-			Name: podBoostWebHookName,
+			Name: boostMutatingWebHookName,
+		}, {
+			Type: cert.Validating,
+			Name: boostValidatingWebHookName,
 		}},
 		RequireLeaderElection: false,
 	})

internal/webhook/startupcpuboost_webhook.go

@@ -0,0 +1,95 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package webhook
+
+import (
+	"context"
+	"errors"
+
+	"github.com/google/kube-startup-cpu-boost/api/v1alpha1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/klog/v2"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+type StartupCPUBoostWebhook struct{}
+
+var _ webhook.CustomValidator = &StartupCPUBoostWebhook{}
+
+func setupWebhookForStartupCPUBoost(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(&v1alpha1.StartupCPUBoost{}).
+		WithValidator(&StartupCPUBoostWebhook{}).
+		Complete()
+}
+
+// +kubebuilder:webhook:path=/validate-autoscaling-x-k8s-io-v1alpha1-startupcpuboost,mutating=false,failurePolicy=fail,sideEffects=None,groups=autoscaling.x-k8s.io,resources=startupcpuboosts,verbs=create;update,versions=v1alpha1,name=vstartupcpuboost.autoscaling.x-k8s.io,admissionReviewVersions=v1
+
+// ValidateCreate implements webhook.CustomValidator so a webhook will be registered for the type
+func (w *StartupCPUBoostWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	boost := obj.(*v1alpha1.StartupCPUBoost)
+	log := ctrl.LoggerFrom(ctx).WithName("startupcpuboost-webhook")
+	log.V(5).Info("validating create", "startupcpuboost", klog.KObj(boost))
+	return nil, validate(boost)
+}
+
+// ValidateUpdate implements webhook.CustomValidator so a webhook will be registered for the type
+func (w *StartupCPUBoostWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	boost := newObj.(*v1alpha1.StartupCPUBoost)
+	log := ctrl.LoggerFrom(ctx).WithName("startupcpuboost-webhook")
+	log.V(5).Info("validating update", "startupcpuboost", klog.KObj(boost))
+	return nil, validate(boost)
+}
+
+// ValidateDelete implements webhook.CustomValidator so a webhook will be registered for the type
+func (w *StartupCPUBoostWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+// validate verifies if Startup CPU Boost is valid. This is programmatic
+// validation on a top of declarative API validation
+func validate(boost *v1alpha1.StartupCPUBoost) error {
+	var allErrs field.ErrorList
+	if err := validateDurationPolicy(boost.Spec.DurationPolicy); err != nil {
+		allErrs = append(allErrs, err)
+	}
+	if len(allErrs) > 0 {
+		return apierrors.NewInvalid(
+			schema.GroupKind{Group: "autoscaling.x-k8s.io", Kind: "StartupCPUBoost"},
+			boost.Name, allErrs)
+	}
+	return nil
+}
+
+func validateDurationPolicy(policy v1alpha1.DurationPolicy) *field.Error {
+	var cnt int
+	fldPath := field.NewPath("spec").Child("")
+	if policy.Fixed != nil {
+		cnt++
+	}
+	if policy.PodCondition != nil {
+		cnt++
+	}
+	if cnt != 1 {
+		err := errors.New("one type of duration policy should be defined")
+		return field.Invalid(fldPath, policy, err.Error())
+	}
+	return nil
+}

internal/webhook/startupcpuboost_webhook_test.go

@@ -0,0 +1,97 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package webhook_test
+
+import (
+	"context"
+
+	"github.com/google/kube-startup-cpu-boost/api/v1alpha1"
+	"github.com/google/kube-startup-cpu-boost/internal/webhook"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("StartupCPUBoost webhook", func() {
+	var w webhook.StartupCPUBoostWebhook
+	BeforeEach(func() {
+		w = webhook.StartupCPUBoostWebhook{}
+	})
+
+	When("Validates StartupCPUBoost", func() {
+		var (
+			boost v1alpha1.StartupCPUBoost
+			err   error
+		)
+		When("Startup CPU Boost has no duration policy", func() {
+			BeforeEach(func() {
+				boost = v1alpha1.StartupCPUBoost{
+					Spec: v1alpha1.StartupCPUBoostSpec{
+						DurationPolicy: v1alpha1.DurationPolicy{},
+					},
+				}
+			})
+			It("errors", func() {
+				By("validating create event")
+				_, err = w.ValidateCreate(context.TODO(), &boost)
+				Expect(err).To(HaveOccurred())
+
+				By("validating update event")
+				_, err = w.ValidateUpdate(context.TODO(), nil, &boost)
+				Expect(err).To(HaveOccurred())
+			})
+		})
+		When("Startup CPU Boost has more than one duration policy", func() {
+			BeforeEach(func() {
+				boost = v1alpha1.StartupCPUBoost{
+					Spec: v1alpha1.StartupCPUBoostSpec{
+						DurationPolicy: v1alpha1.DurationPolicy{
+							Fixed:        &v1alpha1.FixedDurationPolicy{},
+							PodCondition: &v1alpha1.PodConditionDurationPolicy{},
+						},
+					},
+				}
+			})
+			It("errors", func() {
+				By("validating create event")
+				_, err = w.ValidateCreate(context.TODO(), &boost)
+				Expect(err).To(HaveOccurred())
+
+				By("validating update event")
+				_, err = w.ValidateUpdate(context.TODO(), nil, &boost)
+				Expect(err).To(HaveOccurred())
+			})
+		})
+		When("Startup CPU Boost has one duration policy", func() {
+			BeforeEach(func() {
+				boost = v1alpha1.StartupCPUBoost{
+					Spec: v1alpha1.StartupCPUBoostSpec{
+						DurationPolicy: v1alpha1.DurationPolicy{
+							PodCondition: &v1alpha1.PodConditionDurationPolicy{},
+						},
+					},
+				}
+			})
+			It("does not error", func() {
+				By("validating create event")
+				_, err = w.ValidateCreate(context.TODO(), &boost)
+				Expect(err).NotTo(HaveOccurred())
+
+				By("validating update event")
+				_, err = w.ValidateUpdate(context.TODO(), nil, &boost)
+				Expect(err).NotTo(HaveOccurred())
+			})
+		})
+	})
+})

internal/webhook/webhooks.go

@@ -0,0 +1,26 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package webhook
+
+import ctrl "sigs.k8s.io/controller-runtime"
+
+// Setup sets up the webhooks for core controllers. It returns the name of the
+// webhook that failed to create and an error, if any.
+func Setup(mgr ctrl.Manager) (string, error) {
+	if err := setupWebhookForStartupCPUBoost(mgr); err != nil {
+		return "StartupCPUBoost", err
+	}
+	return "", nil
+}