🌱 Add feature-gate kustomize files, docs, and demo for webhook support feature (#1996)

* Add webhook support featuregate kustomize overlay

Signed-off-by: Per Goncalves da Silva <[email protected]>

* Add webhook support demo

Signed-off-by: Per Goncalves da Silva <[email protected]>

* Add docs

Signed-off-by: Per Goncalves da Silva <[email protected]>

* Fix featuregate kustomization.yaml comments

Signed-off-by: Per Goncalves da Silva <[email protected]>

---------

Signed-off-by: Per Goncalves da Silva <[email protected]>
Co-authored-by: Per Goncalves da Silva <[email protected]>

Author: perdasilva

config/overlays/featuregate/synthetic-user-permissions/kustomization.yaml

@@ -1,4 +1,4 @@
-# kustomization file for secure OLMv1
+# kustomization file for OLMv1 support for synthetic auth
 # DO NOT ADD A NAMESPACE HERE
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

config/overlays/featuregate/webhook-provider-certmanager/kustomization.yaml

@@ -0,0 +1,15 @@
+# kustomization file for cert-manager backed OLMv1 support for installation of bundles with webhooks
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../base/operator-controller
+  - ../../../base/common
+components:
+  - ../../../components/tls/operator-controller
+
+patches:
+ - target:
+      kind: Deployment
+      name: operator-controller-controller-manager
+   path: patches/enable-featuregate.yaml

config/overlays/featuregate/webhook-provider-certmanager/patches/enable-featuregate.yaml

@@ -0,0 +1,4 @@
+# enable cert-manager backed webhook support feature gate
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--feature-gates=WebhookProviderCertManager=true"

config/overlays/featuregate/webhook-provider-openshift-serviceca/kustomization.yaml

@@ -0,0 +1,15 @@
+# kustomization file for openshift-serviceca backed OLMv1 support for installation of bundles with webhooks
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../base/operator-controller
+  - ../../../base/common
+components:
+  - ../../../components/tls/operator-controller
+
+patches:
+ - target:
+      kind: Deployment
+      name: operator-controller-controller-manager
+   path: patches/enable-featuregate.yaml

config/overlays/featuregate/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml

@@ -0,0 +1,4 @@
+# enable openshift-serviceca backed webhook support feature gate
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--feature-gates=WebhookProviderOpenshiftServiceCA=true"

docs/draft/howto/enable-webhook-support.md

@@ -0,0 +1,62 @@
+## Installation of Bundles containing Webhooks
+
+!!! note
+This feature is still in *alpha*. Either the `WebhookProviderCertManager`, or the `WebhookProviderOpenshiftServiceCA`, feature-gate 
+must be enabled to make use of it. See the instructions below on how to enable the feature-gate.
+
+OLMv1 currently does not support the installation of bundles containing webhooks. The webhook support feature enables this capability.
+Webhooks, or more concretely Admission Webhooks, are part of Kuberntes' [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
+feature. Webhooks run as services called by the kube-apiservice in due course of processing a resource related request. They can be used to validate resources, ensure reasonable default values,
+are set, or aid in the migration to new CustomResourceDefinition schema. The communication with the webhook service is secured by TLS. In OLMv1, the TLS certificate is managed by a 
+certificate provider. Currently, two certificate providers are supported: CertManager and Openshift-ServiceCA. The certificate provider to use given by the feature-gate:
+
+- `WebhookProviderCertManager` for [CertManager](https://cert-manager.io/)
+- `WebhookProviderOpenshiftServiceCA` for [Openshift-ServiceCA](https://github.com/openshift/service-ca-operator)
+
+As CertManager is already installed with OLMv1, we suggest using `WebhookProviderCertManager`.
+
+### Update OLM to enable Feature
+
+```terminal title=Enable WebhookProviderCertManager feature
+kubectl kustomize config/overlays/featuregate/webhook-provider-certmanager | kubectl apply -f -
+```
+
+Or,
+
+```terminal title=Enable WebhookProviderOpenshiftServiceCA feature
+kubectl kustomize config/overlays/featuregate/webhook-provider-openshift-serviceca | kubectl apply -f -
+```
+
+Then,
+
+```terminal title=Wait for rollout to complete
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager 
+```
+
+### Notes on the generated certificate
+
+#### CertManager
+
+The generated certificate maintains a high-level of parity with the certificate generated by OLMv0:
+- Self-signed
+- Two validity period, rotating 24h before expiry
+- Valid for the webhook service's DNSNames:
+  - <service-name>.<namespace>
+  - <service-name>.<namespace>.svc
+  - <service-name>.<namespace>.svc.cluster.local
+
+#### Openshift-ServiceCA
+
+Generation and rotation are completely governed by [Openshift-ServiceCA](https://github.com/openshift/service-ca-operator)
+
+### How does it work?
+
+There's no change in the installation flow. Just install a bundle containing webhooks as you would any other.
+
+### Demo
+
+!!! note
+As there is no difference in usage or experience between the CertManager and Openshift-ServiceCA variants, only
+the cert-manager variant is demoed.
+
+[![asciicast](https://asciinema.org/a/GyjsB129GkUadeuxFhNuG4FcS.svg)](https://asciinema.org/a/GyjsB129GkUadeuxFhNuG4FcS)

hack/demo/resources/webhook-provider-certmanager/mutating-webhook-test.yaml

@@ -0,0 +1,7 @@
+apiVersion: webhook.operators.coreos.io/v1
+kind: webhooktest
+metadata:
+  namespace: webhook-operator
+  name: mutating-webhook-test
+spec:
+  valid: true

hack/demo/resources/webhook-provider-certmanager/validating-webhook-test.yaml

@@ -0,0 +1,7 @@
+apiVersion: webhook.operators.coreos.io/v1
+kind: webhooktest
+metadata:
+  namespace: webhook-operator
+  name: validating-webhook-test
+spec:
+  valid: false

hack/demo/resources/webhook-provider-certmanager/webhook-operator-catalog.yaml

@@ -0,0 +1,9 @@
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterCatalog
+metadata:
+  name: webhook-operator-catalog
+spec:
+  source:
+    type: Image
+    image:
+      ref: quay.io/operator-framework/webhook-operator-index:0.0.3

hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml

@@ -0,0 +1,15 @@
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: webhook-operator
+spec:
+  namespace: webhook-operator
+  serviceAccount:
+    name: webhook-operator-installer
+  source:
+    catalog:
+      packageName: webhook-operator
+      version: 0.0.1
+      selector: {}
+      upgradeConstraintPolicy: CatalogProvided
+    sourceType: Catalog

hack/demo/webhook-provider-certmanager-demo.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+#
+# Welcome to the webhook support with CertManager demo
+#
+trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
+
+# enable 'WebhookProviderCertManager' feature
+kubectl kustomize config/overlays/featuregate/webhook-provider-certmanager | kubectl apply -f -
+
+# wait for operator-controller to become available
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+
+# create webhook-operator catalog
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-catalog.yaml
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-catalog.yaml
+
+# wait for catalog to be serving
+kubectl wait --for=condition=Serving clustercatalog/webhook-operator-catalog --timeout="60s"
+
+# create install namespace
+kubectl create ns webhook-operator
+
+# create installer service account
+kubectl create serviceaccount -n webhook-operator webhook-operator-installer
+
+# give installer service account admin privileges
+kubectl create clusterrolebinding webhook-operator-installer-crb --clusterrole=cluster-admin --serviceaccount=webhook-operator:webhook-operator-installer
+
+# install webhook operator clusterextension
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-extension.yaml
+
+# apply cluster extension
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-extension.yaml
+
+# wait for cluster extension installation to succeed
+kubectl wait --for=condition=Installed clusterextension/webhook-operator --timeout="60s"
+
+# wait for webhook-operator deployment to become available and back the webhook service
+kubectl wait --for=condition=Available -n webhook-operator deployments/webhook-operator-webhook
+
+# demonstrate working validating webhook
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/validating-webhook-test.yaml
+
+# resource creation should be rejected by the validating webhook due to bad attribute value
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/validating-webhook-test.yaml
+
+# demonstrate working mutating webhook
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/mutating-webhook-test.yaml
+
+# apply resource
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/mutating-webhook-test.yaml
+
+# get webhooktest resource in v1 schema - resource should have new .spec.mutate attribute
+kubectl get webhooktest.v1.webhook.operators.coreos.io -n webhook-operator mutating-webhook-test -o yaml
+
+# demonstrate working conversion webhook by getting webhook test resource in v2 schema - the .spec attributes should now be under the .spec.conversion stanza
+kubectl get webhooktest.v2.webhook.operators.coreos.io -n webhook-operator mutating-webhook-test -o yaml
+
+# this concludes the webhook support demo - Thank you!