fixup! feat: Add stable cluster UUID annotation

Author: jimmidyson

.golangci.yml

@@ -108,3 +108,17 @@ issues:
     - text: "hugeParam: holderRef is heavy"
       linters:
         - gocritic
+    # Admission request interface is defined by k8s
+    - path: pkg/webhook
+      text: "hugeParam: req is heavy"
+      linters:
+        - gocritic
+    # This is not a problem in tests
+    - path: internal/test/envtest
+      text: "hugeParam: webhookInstallOptions is heavy"
+      linters:
+        - gocritic
+    - path: internal/test/envtest
+      text: "hugeParam: input is heavy"
+      linters:
+        - gocritic

api/v1alpha1/constants.go

@@ -32,4 +32,6 @@ const (
 	GlobalMirrorVariableName = "globalImageRegistryMirror"
 	// ImageRegistriesVariableName is the image registries patch variable name.
 	ImageRegistriesVariableName = "imageRegistries"
+
+	ClusterUUIDAnnotationKey = APIGroup + "/cluster-uuid"
 )

charts/cluster-api-runtime-extensions-nutanix/templates/admission-service.yaml

@@ -0,0 +1,26 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{- with .Values.service.annotations }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  name: {{ template "chart.name" . }}-admission
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: {{.Values.service.type}}
+  ports:
+  - name: https
+    port: {{ .Values.service.port }}
+    protocol: TCP
+    targetPort: admission
+    {{- if and .Values.service.nodePort (eq "NodePort" .Values.service.type) }}
+    nodePort: {{ .Values.service.nodePort }}
+    {{- end }}
+  selector:
+    {{- include "chart.selectorLabels" . | nindent 4 }}

charts/cluster-api-runtime-extensions-nutanix/templates/certificates.yaml

@@ -16,3 +16,19 @@ spec:
     kind: {{ .Values.certificates.issuer.kind }}
     name: {{ template "chart.issuerName" . }}
   secretName: {{ template "chart.name" . }}-runtimehooks-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "chart.name" . }}-admission-tls
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+    - {{ template "chart.name" . }}-admission.{{ .Release.Namespace }}.svc
+    - {{ template "chart.name" . }}-admission.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: {{ .Values.certificates.issuer.kind }}
+    name: {{ template "chart.issuerName" . }}
+  secretName: {{ template "chart.name" . }}-admission-tls

charts/cluster-api-runtime-extensions-nutanix/templates/cluster-autoscaler/manifests/helm-addon-installation.yaml

@@ -9,7 +9,7 @@ metadata:
 data:
   values.yaml: |-
     ---
-    fullnameOverride: "cluster-autoscaler-{{ `{{ md5sum (printf "%s/%s" .Cluster.Namespace .Cluster.Name) }}` }}"
+    fullnameOverride: "cluster-autoscaler-{{ `{{ index .Cluster.Annotations "caren.nutanix.com/cluster-uuid" }}` }}"
 
     cloudProvider: clusterapi
 

charts/cluster-api-runtime-extensions-nutanix/templates/deployment.yaml

@@ -44,6 +44,7 @@ spec:
         {{- range $k, $v := .Values.hooks.ccm.aws.k8sMinorVersionToCCMVersion }}
         - --ccm.aws.aws-ccm-versions={{ $k }}={{ $v }}
         {{- end }}
+        - --admission-webhook-cert-dir=/admission-certs/
         {{- range $key, $value := .Values.extraArgs }}
         - --{{ $key }}={{ $value }}
         {{- end }}
@@ -57,6 +58,9 @@ spec:
         - containerPort: 9443
           name: runtimehooks
           protocol: TCP
+        - containerPort: 9444
+          name: admission
+          protocol: TCP
         - containerPort: 8080
           name: metrics
           protocol: TCP
@@ -76,6 +80,9 @@ spec:
         - mountPath: /runtimehooks-certs
           name: runtimehooks-cert
           readOnly: true
+        - mountPath: /admission-certs
+          name: admission-cert
+          readOnly: true
         livenessProbe:
           httpGet:
             port: probes
@@ -96,3 +103,7 @@ spec:
         secret:
           defaultMode: 420
           secretName: {{ template "chart.name" . }}-runtimehooks-tls
+      - name: admission-cert
+        secret:
+          defaultMode: 420
+          secretName: {{ template "chart.name" . }}-admission-tls

charts/cluster-api-runtime-extensions-nutanix/templates/role.yaml

@@ -4,106 +4,106 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "chart.name" . }}-manager-role
+  name: '{{ include "chart.name" . }}-manager-role'
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - addons.cluster.x-k8s.io
-  resources:
-  - clusterresourcesets
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - addons.cluster.x-k8s.io
-  resources:
-  - helmchartproxies
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - bootstrap.cluster.x-k8s.io
-  - controlplane.cluster.x-k8s.io
-  - infrastructure.cluster.x-k8s.io
-  resources:
-  - '*'
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-- apiGroups:
-  - cluster.x-k8s.io
-  resources:
-  - clusterclasses
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-- apiGroups:
-  - cluster.x-k8s.io
-  resources:
-  - clusters
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - storage.k8s.io
-  resources:
-  - storageclasses
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - addons.cluster.x-k8s.io
+    resources:
+      - clusterresourcesets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - addons.cluster.x-k8s.io
+    resources:
+      - helmchartproxies
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - bootstrap.cluster.x-k8s.io
+      - controlplane.cluster.x-k8s.io
+      - infrastructure.cluster.x-k8s.io
+    resources:
+      - '*'
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - cluster.x-k8s.io
+    resources:
+      - clusterclasses
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - cluster.x-k8s.io
+    resources:
+      - clusters
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - update

charts/cluster-api-runtime-extensions-nutanix/templates/service.yaml renamed to charts/cluster-api-runtime-extensions-nutanix/templates/runtimehooks-service.yaml

@@ -0,0 +1,58 @@
+# Copyright 2024 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: '{{ include "chart.name" . }}-mutating-webhook-configuration'
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace}}/{{ template "chart.name" . }}-admission-tls'
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: '{{ include "chart.name" . }}-admission'
+        namespace: '{{ .Release.Namespace }}'
+        path: /mutate-v1beta1-cluster
+    failurePolicy: Fail
+    name: cluster-defaulter.caren.nutanix.com
+    rules:
+      - apiGroups:
+          - cluster.x-k8s.io
+        apiVersions:
+          - '*'
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clusters
+    sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: '{{ include "chart.name" . }}-validating-webhook-configuration'
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace}}/{{ template "chart.name" . }}-admission-tls'
+webhooks:
+  - admissionReviewVersions:
+      - v1
+    clientConfig:
+      service:
+        name: '{{ include "chart.name" . }}-admission'
+        namespace: '{{ .Release.Namespace }}'
+        path: /validate-v1beta1-cluster
+    failurePolicy: Fail
+    name: cluster-validator.caren.nutanix.com
+    rules:
+      - apiGroups:
+          - cluster.x-k8s.io
+        apiVersions:
+          - '*'
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - clusters
+    sideEffects: None