Merge pull request #8 from att-cloudnative-labs/admission-webhook-and-kubebuilder-refactor

Refactor project to use kubebuilder framework and make configuration …

Author: gbraxton

.gitignore

@@ -1,2 +1,24 @@
-# kconfig binary
-/kconfig-controller
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+*.swp
+*.swo
+*~

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## Development release
 
+0.8.0-BETA-1
+- Full refactor to kubebuilder framework
+- Environment variables not added to pods directly using admission-controller
+- DeployentBindings, StatefulSetBindings, and KnativeServiceBindings removed and replaced with a single KconfigBinding resource
+- The ability to specify refName and refKey has been removed. All external references (configmap, secrets) are placed in the same resource with the name, kc-(kconfig name)
+- EnvRefsVersion removed. Changes now tracked using KconfigBinding generation and its status' observedGeneration
+
 0.7.0-BETA-1
 
 - KconfigBindings renamed to DeploymentBinding

Dockerfile

@@ -0,0 +1,28 @@
+# Build the manager binary
+FROM golang:1.13 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY api/ api/
+COPY controllers/ controllers/
+COPY webhooks/ webhooks/
+
+# Build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+
+ENTRYPOINT ["/manager"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 AT&T Intellectual Property
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -1,51 +1,80 @@
-# Go parameters
-VERSION=v0.7.0-beta-1
-DOCKERIMAGE=docker-registry.aeg.cloud/kconfig-system/kconfig-controller
-GOCMD=go
-GOBUILD=$(GOCMD) build
-GOCLEAN=$(GOCMD) clean
-GOTEST=$(GOCMD) test
-GOGET=$(GOCMD) get
-KCONFIGPKG=github.com/att-cloudnative-labs/kconfig-controller/cmd
-CLIENTSET=pkg/client/clientset/versioned/clientset.go
-BINARY_NAME=kconfig-controller
-BINARY_UNIX=$(BINARY_NAME)_unix
 
-.PHONY: clientgen test build-docker build-local build-local-unix run push deploy clean
+# Image URL to use all building/pushing image targets
+IMG ?= controller:latest
+# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
+CRD_OPTIONS ?= "crd:trivialVersions=true"
 
-all: clientgen test build-docker
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
 
-clientgen: $(CLIENTSET)
+all: manager
 
-$(CLIENTSET): pkg/apis/kconfigcontroller/v1alpha1/types.go
-	hack/update-codegen.sh
+# Run tests
+test: generate fmt vet manifests
+	go test ./... -coverprofile cover.out
 
-test:
-	$(GOTEST) -v ./...
+# Build manager binary
+manager: generate fmt vet
+	go build -o bin/manager main.go
 
-build-docker: test
-	docker build -f build/Dockerfile -t $(DOCKERIMAGE):$(VERSION) .
+# Run against the configured Kubernetes cluster in ~/.kube/config
+run: generate fmt vet manifests
+	go run ./main.go
 
-build-local: $(BINARY_NAME)
+# Install CRDs into a cluster
+install: manifests
+	kustomize build config/crd | kubectl apply -f -
 
-build-local-unix: $(BINARY_UNIX)
+# Uninstall CRDs from a cluster
+uninstall: manifests
+	kustomize build config/crd | kubectl delete -f -
 
-$(BINARY_NAME): clientgen test **/*.go
-	$(GOBUILD) -o $(BINARY_NAME) -v $(KCONFIGPKG)
+# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
+deploy: manifests
+	cd config/manager && kustomize edit set image controller=${IMG}
+	kustomize build config/default | kubectl apply -f -
 
-$(BINARY_UNIX): clientgen test **/*.go
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(GOBUILD) -o $(BINARY_NAME) -v $(KCONFIGPKG)
+# Generate manifests e.g. CRD, RBAC etc.
+manifests: controller-gen
+	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
-run: build-local
-	./$(BINARY_NAME) -v 5 --kubeconfig ~/.kube/config --logtostderr
+# Run go fmt against code
+fmt:
+	go fmt ./...
 
-push:
-	docker push $(DOCKERIMAGE):$(VERSION)
+# Run go vet against code
+vet:
+	go vet ./...
 
-deploy:
-	kubectl -n common-system replace -f install/
+# Generate code
+generate: controller-gen
+	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./..."
 
-clean:
-	$(GOCLEAN)
-	rm -f $(BINARY_NAME)
-	rm -f $(BINARY_UNIX)
+# Build the docker image
+docker-build: test
+	docker build . -t ${IMG}
+
+# Push the docker image
+docker-push:
+	docker push ${IMG}
+
+# find or download controller-gen
+# download controller-gen if necessary
+controller-gen:
+ifeq (, $(shell which controller-gen))
+	@{ \
+	set -e ;\
+	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
+	cd $$CONTROLLER_GEN_TMP_DIR ;\
+	go mod init tmp ;\
+	go get sigs.k8s.io/controller-tools/cmd/[email protected] ;\
+	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
+	}
+CONTROLLER_GEN=$(GOBIN)/controller-gen
+else
+CONTROLLER_GEN=$(shell which controller-gen)
+endif

PROJECT

@@ -0,0 +1,10 @@
+domain: atteg.com
+repo: github.com/att-cloudnative-labs/kconfig-controller
+resources:
+- group: kconfigcontroller
+  kind: Kconfig
+  version: v1beta1
+- group: kconfigcontroller
+  kind: KconfigBinding
+  version: v1beta1
+version: "2"

README.md

@@ -38,15 +38,19 @@
 
 ----
 
-Kconfig is a Kubernetes Custom-controller and CRD for externalizing configuration of Kubernetes deployments, statefulsets, and knative services. Kconfig allows environment variables to be defined in a single resource that selects the target workload resource based on labels, and inserts the specified environment variables into the target workload resource.
+Kconfig is a Kubernetes custom-controller, admission-webhook, and custom resource definition for externalizing configuration of Kubernetes Pods. Kconfig allows environment variables to be defined in a single resource that selects the target pods based on labels, and inserts the specified environment variables into the target pods.
 
-Multiple Kconfig resources can select a single target resource and the target will have the aggregation of each of those Kconfigs. In addition, Kconfigs have a level field which determines the order, in relation to other Kconfigs that select the same target resource, in which environment variables from multiple Kconfigs are defined in the container environment.
+Multiple Kconfig resources can select the same target labels and the target pods will have the aggregation of each of those Kconfigs. In addition, Kconfigs have a level field which determines the order, in relation to other Kconfigs that select common pods, in which environment variables from multiple Kconfigs are defined in the container environment.
 
 Aside from defining simple key/value pairs, Kconfigs can also define and reference environment variables to be stored in configmaps and/or secrets.
 
-For a target to have its environment variables controlled by Kconfigs, it needs the annotation ```kconfigcontroller.atteg.com/env=true```.
+For a target to have its environment variables controlled by Kconfigs, it needs the annotation ```kconfigcontroller.atteg.com/inject=true```.
 
-Kconfig-controller also has secondary resources, DeploymentBindings, StatefulSetBindings, and KnativeServiceBindings. These resources should not be created/manipulated directly by users and are used by the control loops. These resources serve as a target for Kconfigs to update their changes whereafter, the controller can re-processed the contained environment variables for all Kconfigs that target a particular deployment, statefulset, or knative service. Note that there will always be one of these 'binding resources for each workload resource that contains the kconfig enabled annotation shown above.
+Add the annotation, ```kconfigcontroller.atteg.com/refresh-template=true``` to have updates to a kconfig to trigger a rolling update for deployments, statefulsets of the selected pods.
+
+Kconfig-controller also has a secondary custom resource, KconfigBinding, that is used by the controllers and should not be created/manipulated directly by users. This resources serve as a target for Kconfigs to update their changes whereafter, the admission-controller can import the contained environment variables directly into pods. Note that there is a one-to-one mapping for each kconfig and kconfigbinding.
+
+Build requires Kustomize (https://github.com/kubernetes-sigs/kustomize) locally and cert-manager (https://github.com/jetstack/cert-manager) installed in the kubernetes cluser for the admission-controller's TLS certificates.
 
 ----
 
@@ -66,7 +70,6 @@ spec:
   - type: Secret
     key: PLEASECREATETHIS
     value: shhhhh
-    refName: samplesecret
   - type: Secret
     key: MYSECRETVAR
     secretKeyRef:
@@ -92,23 +95,27 @@ spec:
       app: myapp
 ```
 
-The first envConfig is a 'Value' type. An empty type field implies a 'Value' type envConfig. This definition would apply a simple key and value field to the target deployment's container enviroment variables. The second envConfig is a 'Secret' type. Notice that this envConfig has a value and a refName field. The refName field indicates the name of the secret that this envConfig should be stored in. If the secret does not exist, the kconfig-controller will create it and store the contents of the value field in it. After such an action takes place, the Kconfig is automatically updated with the secretKeyRef to the secret and with the value field removed. The same is true with a 'ConfigMap' type. Notice the final two envConfigs that show how the envConfig appears after a Kconfig is created/updated with a ConfigMap or Secret type envConfig that contains a value. Whenever a get Kconfig is performed, you will never see a value field, as the action is performed immediately on update and the field is automatically removed.
+The first envConfig is a 'Value' type. An empty type field implies a 'Value' type envConfig. This definition would apply a simple key and value field to the target deployment's container environment variables. The second envConfig is a 'Secret' type. Notice that this envConfig has a value and a refName field. The refName field indicates the name of the secret that this envConfig should be stored in. If the secret does not exist, the kconfig-controller will create it and store the contents of the value field in it. After such an action takes place, the Kconfig is automatically updated with the secretKeyRef to the secret and with the value field removed. The same is true with a 'ConfigMap' type. Notice the final two envConfigs that show how the envConfig appears after a Kconfig is created/updated with a ConfigMap or Secret type envConfig that contains a value. Whenever a get Kconfig is performed, you will never see a value field, as the action is performed immediately on update and the field is automatically removed.
 
-## Build
+## Build and Push
 
 ```bash
-docker build -f build/Dockerfile -t docker-registry.aeg.cloud/kconfig-system/kconfig-controller:v0.7.0-beta-1 .
+make docker-build IMG=your-registry.com/kconfig-controller-system/kconfig-controller:v1beta1
+make docker-push IMG=your-registry.com/kconfig-controller-system/kconfig-controller:v1beta1
 ```
 
 ## Installation
 
 ```bash
-kubectl apply -f install/
+make deploy IMG=your-registry.com/kconfig-controller-system/kconfig-controller:v1beta1
 ```
 
 ## Roadmap
 
-* Ability to select the container configs apply to. Currently the configs are only placed in the first container in a pod template
+* Ability to select the container configs apply to. Currently the configs are only placed in the first container in a pod spec
 * Validate that all existing configmap/secret references in a Kconfig exists and if not, removed them from the Kconfig
-* Support for files form and mount locations for files through Kconfigs
-* Possible move to injecting the environment variables directly to pods through a custom admission controller
+* Support for creating files and mount locations for files through Kconfigs
+
+---
+
+*Developed using the Kubebuilder Framework, https://github.com/kubernetes-sigs/kubebuilder

api/v1beta1/groupversion_info.go

@@ -0,0 +1,35 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains API Schema definitions for the kconfigcontroller v1beta1 API group
+// +kubebuilder:object:generate=true
+// +groupName=kconfigcontroller.atteg.com
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "kconfigcontroller.atteg.com", Version: "v1beta1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)