ceph: implement controller-runtime for admission controllers

[vbnrh]

moves the admission-controller server to use controller-runtime library for better support, maintainibility of code.

Signed-off-by: Vineet Badrinath vbadrina@redhat.com

Description of your changes:
This is a follow-up PR for #5045
It moves the server logic to use controller-runtime library for webhooks.

This help in better support, maintenance and performance of the code.

[travisn]

What is the difference between serverPort and port? Can't we just re-use serverPort?

[vbnrh]

Removed ! Moved the dir and port to cmd/ceph/admission.go

[travisn]

Are tlsutil.go and controller.go used anymore? Can we remove them? If so, then perhaps this package is so simple we can delete the whole package and move the remaining code under the ceph provider. For example, similar to what was done for the nfs operator in pkg/operator/nfs/webhook.go.

[vbnrh]

This is a draft PR. There are still some issues i am working on. I'll let you know once the updates are done

[vbnrh]

I've removed the tlsutil.go and controller.go

[vbnrh]

@travisn the code from the package (server.go) is meant to be a generic server code that can work for all providers. I think it would make sense to move it under pkg/operator/admission/server.go. May add another file later in this package for the unit tests. WDYT ?

[travisn]

The generic code is so short now that I wonder if it makes sense to have any common code. The controller runtime packages already have the common code.

[vbnrh]

Ok, i've moved the server code under pkg/operator/ceph/server.go

[travisn]

The generic code is so short now that I wonder if it makes sense to have any common code. The controller runtime packages already have the common code.

[travisn]

If we want to implement the admission webhook for multiple CRDs, we would need to start them all here (in separate goroutines, right? I guess they would just each listen on a separate port.

[vbnrh]

Though i havent tested it yet but i think that may not be the right approach as adding new ports means adding more services + validatingwebhookconfigs+ adding each port on the deployment for each of the CRDs to expose the port.

[vbnrh]

I have updated the code to add CephBlockPool validation. I've tried to make the code as generic and easy to change to add more CRDs. Here are the steps i did for cephblockpool which can be used for other ceph CRDs.

1. Implement webhook.Validator interface in pkg/apis/ceph.rook.io/v1/webhook.go for the CRD which needs to be validated
2. Add a ValidatingWebhookConfiguration (copy-paste work) in webhook-config.yaml changing the relevant fields ( name, path, resources) and make sure to note down the path given here.
3. In cmd/ceph/admission.go, Add the above path and map it to the given CRD in pathResourceMap.
4. Done ! Test it out.

[vbnrh]

Similiar approach can be followed for other providers also.

[travisn]

Let's define this pathResourceMap inside the pkg/operator/ceph/server.go file. I don't see a reason to have this in the cmd package.

[vbnrh]

Yes, i'll move it here as it is part of ceph package. We may need to move it out once other providers implement their validations.

[travisn]

If there is a failure we need to exit since the admission controller would fail to start later anyway. See other places where we call

rook.TerminateFatal(err)

[vbnrh]

Done

[travisn]

How about separate source files for different CRDs? For example, validate_cluster.go and validate_pool.go

[vbnrh]

Done

[travisn]

Instead of in, it's more common to use the first letter of the type.

Suggested change

	func (in *CephCluster) ValidateCreate() error {
	func (c *CephCluster) ValidateCreate() error {

[vbnrh]

fixed

[travisn]

p for pool

Suggested change

	func (in *CephBlockPool) ValidateCreate() error {
	func (p *CephBlockPool) ValidateCreate() error {

[vbnrh]

fixed

[travisn]

A couple other checks:

• If either codingChunks or dataChunks are set, then dataChunks must be at least 2 and codingChunks must be at least 1.
• If all of these values are 0, it's an error. You must set either replicated or erasure coded settings.

[vbnrh]

Done !

[travisn]

StartServer() should return an err so that the cmd package can call TerminateFatal() if there is some issue starting the webhook.

Suggested change

	func (a *AdmissionController) StartServer() {
	func (a *AdmissionController) StartServer() error {

[vbnrh]

done

[travisn]

return the err

[vbnrh]

done

[travisn]

return the err

[vbnrh]

done

[travisn]

Defining a separate ValidatingWebhookConfiguration for every CRD is really painful. Can you point to other examples of where this is done in other projects? I would really like to confirm if we can have one definition and watch all CRDs in the apiGroup ceph.rook.io

[vbnrh]

I've updated the code. We can now make do with just one ValidatingWebhookConfiguration but we have to add a webhook in the array for each CRD and make sure that the path is written with the same template

[travisn]

Looks good since it is in the same webhook config and we can use a single endpoint.

[travisn]

Looks good since it is in the same webhook config and we can use a single endpoint.

[travisn]

Do we even need to pass any of these parameters? What if we just define them directly inside StartServer()? It looks like they aren't configurable, so we don't need to expose them here.

[vbnrh]

Moved to server.go

[travisn]

For example, related to my other comment, can we just initialize the scheme, port, and certDir here?

[vbnrh]

I've moved the inits to server.go

[travisn]

This code is in the ceph namespace now, so no need to make it generic.

[vbnrh]

Addressed

[travisn]

Since we don't have an admission controller struct anymore, let's rename the method.

Suggested change

	err := operator.StartServer()
	err := operator.StartAdmissionController()

[vbnrh]

Done

[travisn]

We really should have unit tests for all of these validations. It should be fairly simple to create them, so would be great to have them with this PR.

[vbnrh]

Working on it

[vbnrh]

Updated with unit tests. please review

[travisn]

Instead of assert.Nil(), it's preferred to use assert.NoError()

Suggested change

	assert.Nil(t, err)
	assert.NoError(t, err)

[vbnrh]

fixed

[travisn]

Suggested change

	assert.NotNil(t, err)
	assert.Error(t, err)

[vbnrh]

fixed

[travisn]

Instead of creating yaml and unmarshalling it in the test, let's just use the golang types directly. For example, you should be able to directly declare any of the structs in types.go, change the properties, and then validate them.

[vbnrh]

Done

[travisn]

Much better instead of yaml, thanks. One more point is that there is no need for the test to set all the fields. Just set what is needed for an individual test instead of all the optional fields. With that approach, you likely don't even need a helper to create the struct and you can just create a small struct in each individual test.

[vbnrh]

Well i was thinking about not adding any duplicates in code but I've removed the helper funcs.

[travisn]

You likely don't even need to set the Namespace for the test.

[vbnrh]

removed. I've just kept the name and datadirhostpath

[travisn]

false is the default, no need to set it

[vbnrh]

Oops, it was supposed to be true. I've fixed it

[travisn]

Validation doesn't do anything with the FailureDomain, right? No need to set it for the test.

[vbnrh]

removed

[travisn]

The test changes look good thanks!