Merge pull request #10106 from k8s-infra-cherrypick-robot/cherry-pick…

…-10097-to-release-1.6 [release-1.6] 🌱 Use manager in test extension
kubernetes-sigs · Feb 6, 2024 · 15cc1a0 · 15cc1a0
2 parents 224cd76 + 8842db6
commit 15cc1a0
Show file tree

Hide file tree

Showing 17 changed files with 324 additions and 125 deletions.
diff --git a/Makefile b/Makefile
@@ -265,7 +265,7 @@ help:  # Display this help
 
 ##@ generate:
 
-ALL_GENERATE_MODULES = core kubeadm-bootstrap kubeadm-control-plane docker-infrastructure in-memory-infrastructure
+ALL_GENERATE_MODULES = core kubeadm-bootstrap kubeadm-control-plane docker-infrastructure in-memory-infrastructure test-extension
 
 .PHONY: generate
 generate: ## Run all generate-manifests-*, generate-go-deepcopy-*, generate-go-conversions-* and generate-go-openapi targets
@@ -365,6 +365,13 @@ generate-manifests-in-memory-infrastructure: $(CONTROLLER_GEN) ## Generate manif
 		output:webhook:dir=./config/webhook \
 		webhook
 
+.PHONY: generate-manifests-test-extension
+generate-manifests-test-extension: $(CONTROLLER_GEN) ## Generate manifests e.g. RBAC for test-extension provider
+	cd ./test/extension; $(CONTROLLER_GEN) \
+		paths=./... \
+		output:rbac:dir=./config/rbac \
+		rbac:roleName=manager-role
+
 .PHONY: generate-go-deepcopy
 generate-go-deepcopy:  ## Run all generate-go-deepcopy-* targets
 	$(MAKE) $(addprefix generate-go-deepcopy-,$(ALL_GENERATE_MODULES))
@@ -415,6 +422,9 @@ generate-go-deepcopy-in-memory-infrastructure: $(CONTROLLER_GEN) ## Generate dee
 		paths=./api/... \
         paths=./internal/cloud/api/...
 
+.PHONY: generate-go-deepcopy-test-extension
+generate-go-deepcopy-test-extension: $(CONTROLLER_GEN) ## Generate deepcopy go code for test-extension
+
 .PHONY: generate-go-conversions
 generate-go-conversions: ## Run all generate-go-conversions-* targets
 	$(MAKE) $(addprefix generate-go-conversions-,$(ALL_GENERATE_MODULES))
@@ -505,6 +515,9 @@ generate-go-conversions-docker-infrastructure: $(CONVERSION_GEN) ## Generate con
 generate-go-conversions-in-memory-infrastructure: $(CONVERSION_GEN) ## Generate conversions go code for in-memory infrastructure provider
 	cd $(CAPIM_DIR)
 
+.PHONY: generate-go-conversions-test-extension
+generate-go-conversions-test-extension: $(CONVERSION_GEN) ## Generate conversions go code for in-memory infrastructure provider
+
 # The tmp/sigs.k8s.io/cluster-api symlink is a workaround to make this target run outside of GOPATH
 .PHONY: generate-go-openapi
 generate-go-openapi: $(OPENAPI_GEN) $(CONTROLLER_GEN) ## Generate openapi go code for runtime SDK

diff --git a/exp/runtime/server/server.go b/exp/runtime/server/server.go
@@ -43,8 +43,8 @@ var DefaultPort = 9443
 
 // Server is a runtime webhook server.
 type Server struct {
+	webhook.Server
 	catalog  *runtimecatalog.Catalog
-	server   webhook.Server
 	handlers map[string]ExtensionHandler
 }
 
@@ -53,20 +53,26 @@ type Options struct {
 	// Catalog is the catalog used to handle requests.
 	Catalog *runtimecatalog.Catalog
 
-	// Port is the port that the webhook server serves at.
-	// It is used to set webhook.Server.Port.
-	Port int
-
-	// Host is the hostname that the webhook server binds to.
+	// Host is the address that the server will listen on.
+	// Defaults to "" - all addresses.
 	// It is used to set webhook.Server.Host.
 	Host string
 
+	// Port is the port number that the server will serve.
+	// It will be defaulted to 9443 if unspecified.
+	// It is used to set webhook.Server.Port.
+	Port int
+
 	// CertDir is the directory that contains the server key and certificate.
 	// If not set, webhook server would look up the server key and certificate in
 	// {TempDir}/k8s-webhook-server/serving-certs. The server key and certificate
 	// must be named tls.key and tls.crt, respectively.
 	// It is used to set webhook.Server.CertDir.
 	CertDir string
+
+	// TLSOpts is used to allow configuring the TLS config used for the server.
+	// This also allows providing a certificate via GetCertificate.
+	TLSOpts []func(*tls.Config)
 }
 
 // New creates a new runtime webhook server based on the given Options.
@@ -88,18 +94,14 @@ func New(options Options) (*Server, error) {
 			CertDir:    options.CertDir,
 			CertName:   "tls.crt",
 			KeyName:    "tls.key",
+			TLSOpts:    options.TLSOpts,
 			WebhookMux: http.NewServeMux(),
-			TLSOpts: []func(*tls.Config){
-				func(cfg *tls.Config) {
-					cfg.MinVersion = tls.VersionTLS13
-				},
-			},
 		},
 	)
 
 	return &Server{
+		Server:   webhookServer,
 		catalog:  options.Catalog,
-		server:   webhookServer,
 		handlers: map[string]ExtensionHandler{},
 	}, nil
 }
@@ -232,10 +234,10 @@ func (s *Server) Start(ctx context.Context) error {
 		handler := h
 
 		wrappedHandler := s.wrapHandler(handler)
-		s.server.Register(handlerPath, http.HandlerFunc(wrappedHandler))
+		s.Server.Register(handlerPath, http.HandlerFunc(wrappedHandler))
 	}
 
-	return s.server.Start(ctx)
+	return s.Server.Start(ctx)
 }
 
 // discoveryHandler generates a discovery handler based on a list of handlers.

diff --git a/test/e2e/config/docker.yaml b/test/e2e/config/docker.yaml
@@ -229,6 +229,9 @@ providers:
   versions:
     - name: v1.6.99 # next; use manifest from source files
       value: ../../../test/extension/config/default
+      replacements:
+      - old: "--leader-elect"
+        new: "--leader-elect\n        - --logging-format=json"
       files:
       - sourcePath: "../data/shared/main/metadata.yaml"
 

diff --git a/test/extension/config/default/kustomization.yaml b/test/extension/config/default/kustomization.yaml
@@ -10,13 +10,10 @@ resources:
 - namespace.yaml
 - manager.yaml
 - service.yaml
-- service_account.yaml
-# Note: resources specific of the CAPI test-extension, other Runtime extensions provider might want to drop this
-- role.yaml
-- rolebinding.yaml
 
 bases:
 - ../certmanager
+- ../rbac
 
 patchesStrategicMerge:
 # Enable webhook with corresponding certificate mount.

diff --git a/test/extension/config/default/manager.yaml b/test/extension/config/default/manager.yaml
@@ -2,7 +2,10 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: manager
+  name: controller-manager
+  namespace: system
+  labels:
+    app: test-extension-manager
 spec:
   selector:
     matchLabels:
@@ -16,8 +19,27 @@ spec:
       containers:
         - command:
             - /manager
+          args:
+            - "--leader-elect"
+            - "--diagnostics-address=${CAPI_DIAGNOSTICS_ADDRESS:=:8443}"
+            - "--insecure-diagnostics=${CAPI_INSECURE_DIAGNOSTICS:=false}"
           image: controller:latest
           name: manager
+          ports:
+            - containerPort: 9440
+              name: healthz
+              protocol: TCP
+            - containerPort: 8443
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: healthz
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: healthz
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:

diff --git a/test/extension/config/default/manager_image_patch.yaml b/test/extension/config/default/manager_image_patch.yaml
@@ -1,7 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: manager
+  name: controller-manager
+  namespace: system
 spec:
   template:
     spec:

diff --git a/test/extension/config/default/manager_pull_policy.yaml b/test/extension/config/default/manager_pull_policy.yaml
@@ -1,7 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: manager
+  name: controller-manager
+  namespace: system
 spec:
   template:
     spec:

diff --git a/test/extension/config/default/manager_webhook_patch.yaml b/test/extension/config/default/manager_webhook_patch.yaml
@@ -1,7 +1,8 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: manager
+  name: controller-manager
+  namespace: system
 spec:
   template:
     spec:

diff --git a/test/extension/config/default/role.yaml b/test/extension/config/default/role.yaml
diff --git a/test/extension/config/rbac/kustomization.yaml b/test/extension/config/rbac/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+- role.yaml
+- role_binding.yaml
+- service_account.yaml
diff --git a/test/extension/config/rbac/leader_election_role.yaml b/test/extension/config/rbac/leader_election_role.yaml
@@ -0,0 +1,25 @@
+
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+- apiGroups:
+  - "coordination.k8s.io"
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
diff --git a/test/extension/config/rbac/leader_election_role_binding.yaml b/test/extension/config/rbac/leader_election_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: manager
+  namespace: system
diff --git a/test/extension/config/rbac/role.yaml b/test/extension/config/rbac/role.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
diff --git a/...extension/config/default/rolebinding.yaml → test/extension/config/rbac/role_binding.yaml b/...extension/config/default/rolebinding.yaml → test/extension/config/rbac/role_binding.yaml
@@ -3,11 +3,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  creationTimestamp: null
   name: manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: manager-role
 subjects:
-  - kind: ServiceAccount
-    name: manager
+- kind: ServiceAccount
+  name: manager
+  namespace: system
diff --git a/...nsion/config/default/service_account.yaml → ...xtension/config/rbac/service_account.yaml b/...nsion/config/default/service_account.yaml → ...xtension/config/rbac/service_account.yaml
@@ -2,3 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: manager
+  namespace: system
diff --git a/test/extension/handlers/topologymutation/handler.go b/test/extension/handlers/topologymutation/handler.go
@@ -49,6 +49,8 @@ var (
 	cgroupDriverPatchVersionCeiling = semver.Version{Major: 1, Minor: 24}
 )
 
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;patch;update;create
+
 // ExtensionHandlers provides a common struct shared across the topology mutation hooks handlers;
 // this is convenient because in Cluster API's E2E tests all of them are using a decoder for working with typed
 // API objects, which makes code easier to read and less error prone than using unstructured or working with raw json/yaml.