setup optional webhook-admission-support (#148)

charts/pyrra/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 0.11.1
+version: 0.12.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/pyrra/README.md

@@ -1,13 +1,17 @@
 # pyrra
 
-![Version: 0.11.1](https://img.shields.io/badge/Version-0.11.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.2](https://img.shields.io/badge/AppVersion-v0.7.2-informational?style=flat-square)
+![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.2](https://img.shields.io/badge/AppVersion-v0.7.2-informational?style=flat-square)
 
 SLO manager and alert generator
 
 ## Prometheus settings
 Pyrra needs prometheus to work. You will need to specify that via prometheusUrl variable - default assumes you have default [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) deployed to "monitoring" namespace.
 Additionaly, you (most likely) will need to specify prometheusExternalUrl with URL to public-facing prometheus UI (ingress or whatever you're using), otherwise pyrra links to graphs will be broken
 
+## Webhook Admissions Controller Validations (Optional)
+Pyrra can be configured to validate SLOs and SLO groups using a webhook admission controller. This is an optional feature that can be enabled by setting the `validatingWebhookConfiguration.enabled` value to `true`. The webhook admission controller will validate SLOs when they are created or updated.
+If the SLO object is invalid, the admission controller will reject the request and provide a reason for the failure. This requires cert-manager to be installed in the cluster. If cert-manager is not installed, the webhook admission controller will not be created.
+
 ## Values
 
 | Key | Type | Default | Description |
@@ -46,7 +50,8 @@ Additionaly, you (most likely) will need to specify prometheusExternalUrl with U
 | serviceMonitor.enabled | bool | `false` | enables servicemonitor for server monitoring |
 | serviceMonitor.labels | object | `{}` | Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator |
 | tolerations | object | `{}` | tolerations for scheduling server pod |
+| validatingWebhookConfiguration.enabled | bool | `false` | enables admission webhook for server to validate SLOs, this requires cert-manager to be installed |
 
 ## Upgrading
 
-A major chart version change indicates that there is an incompatible breaking change needing manual actions.
+A major chart version change indicates that there is an incompatible breaking change needing manual actions.

charts/pyrra/README.md.gotmpl

@@ -12,8 +12,12 @@
 Pyrra needs prometheus to work. You will need to specify that via prometheusUrl variable - default assumes you have default [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) deployed to "monitoring" namespace.
 Additionaly, you (most likely) will need to specify prometheusExternalUrl with URL to public-facing prometheus UI (ingress or whatever you're using), otherwise pyrra links to graphs will be broken
 
+## Webhook Admissions Controller Validations (Optional)
+Pyrra can be configured to validate SLOs and SLO groups using a webhook admission controller. This is an optional feature that can be enabled by setting the `validatingWebhookConfiguration.enabled` value to `true`. The webhook admission controller will validate SLOs when they are created or updated.
+If the SLO object is invalid, the admission controller will reject the request and provide a reason for the failure. This requires cert-manager to be installed in the cluster. If cert-manager is not installed, the webhook admission controller will not be created.
+
 {{ template "chart.valuesSection" . }}
 
 ## Upgrading
 
-A major chart version change indicates that there is an incompatible breaking change needing manual actions.
+A major chart version change indicates that there is an incompatible breaking change needing manual actions.

charts/pyrra/templates/admissionvalidation.yaml

@@ -0,0 +1,48 @@
+{{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "pyrra.fullname" . }}-selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "pyrra.fullname" . }}-webhook-validation
+spec:
+  dnsNames:
+  -  {{ include "pyrra.fullname" . }}.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: {{ include "pyrra.fullname" . }}-selfsigned
+  secretName: {{ include "pyrra.fullname" . }}-webhook-validation
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pyrra.fullname" . }}-webhook-validation
+  name: {{ include "pyrra.fullname" . }}-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "pyrra.fullname" . }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-pyrra-dev-v1alpha1-servicelevelobjective
+      port: 9443
+  failurePolicy: Fail
+  name: slo.pyrra.dev-servicelevelobjectives
+  rules:
+  - apiGroups:
+    - pyrra.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - servicelevelobjectives
+  sideEffects: None
+{{- end }}

charts/pyrra/templates/deployment.yaml

@@ -35,11 +35,19 @@ spec:
             {{- if .Values.genericRules.enabled }}
             - --generic-rules
             {{- end }}
+            {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+            - --disable-webhooks=false
+            {{- end }}
             {{- with .Values.extraKubernetesArgs }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+          volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: certs
+          {{- end }}
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
@@ -70,3 +78,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.validatingWebhookConfiguration.enabled ($.Capabilities.APIVersions.Has "cert-manager.io/v1") }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "pyrra.fullname" . }}-webhook-validation
+      {{- end }}

charts/pyrra/values.yaml

@@ -102,3 +102,7 @@ serviceMonitor:
 genericRules:
   # -- enables generate Pyrra generic recording rules. Pyrra generates metrics with the same name for each SLO.
   enabled: false
+
+validatingWebhookConfiguration:
+  # -- enables admission webhook for server to validate SLOs, this requires cert-manager to be installed
+  enabled: false