Adds the ability to set custom ports for Webhook.

This commit also adds helm unittest and updates integration-test to run K3s without Rancher.
rancher · Jul 19, 2023 · 851f4cb · 851f4cb
1 parent 2f10923
commit 851f4cb
Show file tree

Hide file tree

Showing 18 changed files with 336 additions and 38 deletions.
diff --git a/Dockerfile.dapper b/Dockerfile.dapper
@@ -3,12 +3,18 @@ FROM registry.suse.com/bci/golang:1.19
 ARG DAPPER_HOST_ARCH
 ENV ARCH $DAPPER_HOST_ARCH
 
+ENV HELM_VERSION v3.12.1
+ENV HELM_UNITTEST_VERSION 0.3.2
+
 RUN zypper -n install git docker vim less file curl wget awk
+
+RUN curl -sL https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz | tar xvzf - -C /usr/local/bin --strip-components=1
+
 RUN if [ "${ARCH}" = "amd64" ]; then \
         curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.52.2; \
+        helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${HELM_UNITTEST_VERSION}>/out.txt 2>&1; \
     fi
-ENV HELM_VERSION v3.12.1
-RUN curl -sL https://get.helm.sh/helm-${HELM_VERSION}-linux-${ARCH}.tar.gz | tar xvzf - -C /usr/local/bin --strip-components=1
+
 RUN GOBIN=/usr/local/bin go install github.com/golang/mock/mockgen@v1.6.0
 
 ENV DAPPER_ENV REPO TAG DRONE_TAG CROSS

diff --git a/charts/rancher-webhook/charts/capi/templates/service.yaml b/charts/rancher-webhook/charts/capi/templates/service.yaml
@@ -8,6 +8,6 @@ spec:
   ports:
   - name: https
     port: 443
-    targetPort: 8777
+    targetPort: {{ .Values.port | default 8777 }}
   selector:
     app: rancher-webhook
diff --git a/charts/rancher-webhook/templates/deployment.yaml b/charts/rancher-webhook/templates/deployment.yaml
@@ -36,6 +36,10 @@ spec:
           value: "{{.Values.capi.enabled}}"
         - name: ENABLE_MCM
           value: "{{.Values.mcm.enabled}}"
+        - name: CATTLE_PORT
+          value: {{.Values.port | default 9443 | quote}}
+        - name: CATTLE_CAPI_PORT
+          value: {{.Values.capi.port | default 8777 | quote}}
         - name: NAMESPACE
           valueFrom:
             fieldRef:
@@ -45,9 +49,9 @@ spec:
         imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
         ports:
         - name: https
-          containerPort: 9443
+          containerPort: {{ .Values.port | default 9443 }}
         - name: capi-https
-          containerPort: 8777
+          containerPort: {{ .Values.capi.port | default 8777}}
         startupProbe:
           httpGet:
             path: "/healthz"
@@ -66,7 +70,14 @@ spec:
         - name: tls
           mountPath: /tmp/k8s-webhook-server/serving-certs
         {{- end }}
+        {{- if .Values.capNetBindService }}
+        securityContext:
+          capabilities:
+            add:
+            - NET_BIND_SERVICE 
+        {{- end }}
       serviceAccountName: rancher-webhook
       {{- if .Values.priorityClassName }}
       priorityClassName: "{{.Values.priorityClassName}}"
       {{- end }}
+
diff --git a/charts/rancher-webhook/templates/service.yaml b/charts/rancher-webhook/templates/service.yaml
@@ -6,7 +6,7 @@ metadata:
 spec:
   ports:
   - port: 443
-    targetPort: 9443
+    targetPort: {{ .Values.port | default 9443 }}
     protocol: TCP
     name: https
   selector:

diff --git a/charts/rancher-webhook/tests/README.md b/charts/rancher-webhook/tests/README.md
@@ -0,0 +1,16 @@
+
+## local dev testing instructions
+
+Option 1: Full chart CI run with a live cluster
+
+```bash
+./scripts/charts/ci 
+```
+
+Option 2: Test runs against the chart only 
+
+```bash
+# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git
+bash dev-scripts/helm-unittest.sh
+```
+
diff --git a/charts/rancher-webhook/tests/capi-service_test.yaml b/charts/rancher-webhook/tests/capi-service_test.yaml
@@ -0,0 +1,20 @@
+suite: Test Service
+templates:
+  - charts/capi/templates/service.yaml
+tests:
+  - it: should set webhook default port values
+    set:
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 8777
+
+  - it: should set updated target port
+    set:
+      capi.port: 2319
+      capi.enabled: true
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/tests/deployment_test.yaml b/charts/rancher-webhook/tests/deployment_test.yaml
@@ -0,0 +1,62 @@
+suite: Test Deployment
+templates:
+  - deployment.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 9443
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 8777
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "9443"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "8777"
+
+  - it: should set updated webhook port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[0].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_PORT
+            value: "2319"
+
+  - it: should set updated capi port
+    set:
+      capi.port: 2319
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].ports[1].containerPort
+          value: 2319
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: CATTLE_CAPI_PORT
+            value: "2319"
+
+  - it: should not set capabilities by default.
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].securityContext
+
+  - it: should set net capabilities when capNetBindService is true.
+    set:
+      capNetBindService: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].securityContext.capabilities.add
+          content: NET_BIND_SERVICE
diff --git a/charts/rancher-webhook/tests/service_test.yaml b/charts/rancher-webhook/tests/service_test.yaml
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+  - service.yaml
+
+tests:
+  - it: should set webhook default port values
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 9443
+
+  - it: should set updated target port
+    set:
+      port: 2319
+    asserts:
+      - equal:
+          path: spec.ports[0].targetPort
+          value: 2319
diff --git a/charts/rancher-webhook/values.yaml b/charts/rancher-webhook/values.yaml
@@ -10,6 +10,7 @@ global:
 
 capi:
   enabled: false
+  port: 8777
 
 mcm:
   enabled: true
@@ -20,3 +21,6 @@ nodeSelector: {}
 
 ## PriorityClassName assigned to deployment.
 priorityClassName: ""
+
+# port assigns which port to use when running rancher-webhook
+port: 9443
diff --git a/dev-scripts/helm-unittest.sh b/dev-scripts/helm-unittest.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+cd $(dirname $0)/..
+./scripts/package-helm
+./scripts/test-helm
diff --git a/pkg/capi/capi.go b/pkg/capi/capi.go
@@ -4,8 +4,10 @@ package capi
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"os"
 	"path/filepath"
+	"strconv"
 
 	controllerruntime "github.com/rancher/lasso/controller-runtime"
 	"github.com/rancher/webhook/pkg/clients"
@@ -43,13 +45,23 @@ func init() {
 	_ = apiextensionsv1.AddToScheme(schemes.All)
 }
 
-var (
-	tlsCert  = filepath.Join(os.TempDir(), "k8s-webhook-server", "serving-certs", "tls.crt")
-	capiPort = 8777
+const (
+	defaultCapiPort = 8777
+	capiPortEnvKey  = "CATTLE_CAPI_PORT"
 )
 
+var tlsCert = filepath.Join(os.TempDir(), "k8s-webhook-server", "serving-certs", "tls.crt")
+
 // Register registers a new CAPI webhook server and returns a start function.
 func Register(clients *clients.Clients, tlsOpts ...func(*tls.Config)) (func(ctx context.Context) error, error) {
+	capiPort := defaultCapiPort
+	if portStr := os.Getenv(capiPortEnvKey); portStr != "" {
+		var err error
+		capiPort, err = strconv.Atoi(portStr)
+		if err != nil {
+			return nil, fmt.Errorf("failed to decode CAPI port value '%s': %w", portStr, err)
+		}
+	}
 	mgr, err := ctrl.NewManager(clients.RESTConfig, ctrl.Options{
 		MetricsBindAddress: "0",
 		NewCache: controllerruntime.NewNewCacheFunc(clients.SharedControllerFactory.SharedCacheFactory(),

diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -6,6 +6,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"os"
+	"strconv"
 	"time"
 
 	"github.com/gorilla/mux"
@@ -25,20 +26,18 @@ import (
 )
 
 const (
-	serviceName      = "rancher-webhook"
-	namespace        = "cattle-system"
-	tlsName          = "rancher-webhook.cattle-system.svc"
-	certName         = "cattle-webhook-tls"
-	caName           = "cattle-webhook-ca"
-	webhookHTTPPort  = 0 // value of 0 indicates we do not want to use http.
-	webhookHTTPSPort = 9443
-)
-
-var (
-	// These strings have to remain as vars since we need the address below.
-	validationPath = "/v1/webhook/validation"
-	mutationPath   = "/v1/webhook/mutation"
-	clientPort     = int32(443)
+	serviceName             = "rancher-webhook"
+	namespace               = "cattle-system"
+	tlsName                 = "rancher-webhook.cattle-system.svc"
+	certName                = "cattle-webhook-tls"
+	caName                  = "cattle-webhook-ca"
+	validationPath          = "/v1/webhook/validation"
+	mutationPath            = "/v1/webhook/mutation"
+	clientPort              = int32(443)
+	webhookHTTPPort         = 0 // value of 0 indicates we do not want to use http.
+	defaultWebhookHTTPSPort = 9443
+	webhookPortEnvKey       = "CATTLE_PORT"
+	webhookURLEnvKey        = "CATTLE_WEBHOOK_URL"
 )
 
 // tlsOpt option function applied to all webhook servers.
@@ -150,7 +149,14 @@ func listenAndServe(ctx context.Context, clients *clients.Clients, validators []
 
 	tlsConfig := &tls.Config{}
 	tlsOpt(tlsConfig)
-
+	webhookHTTPSPort := defaultWebhookHTTPSPort
+	if portStr := os.Getenv(webhookPortEnvKey); portStr != "" {
+		var err error
+		webhookHTTPSPort, err = strconv.Atoi(portStr)
+		if err != nil {
+			return fmt.Errorf("failed to decode webhook port value '%s': %w", portStr, err)
+		}
+	}
 	return server.ListenAndServe(ctx, webhookHTTPSPort, webhookHTTPPort, router, &server.ListenOpts{
 		Secrets:       clients.Core.Secret(),
 		CertNamespace: namespace,
@@ -188,8 +194,8 @@ func (s *secretHandler) sync(_ string, secret *corev1.Secret) (*corev1.Secret, e
 		Service: &v1.ServiceReference{
 			Namespace: namespace,
 			Name:      serviceName,
-			Path:      &validationPath,
-			Port:      &clientPort,
+			Path:      admission.Ptr(validationPath),
+			Port:      admission.Ptr(clientPort),
 		},
 		CABundle: secret.Data[corev1.TLSCertKey],
 	}
@@ -198,12 +204,12 @@ func (s *secretHandler) sync(_ string, secret *corev1.Secret) (*corev1.Secret, e
 		Service: &v1.ServiceReference{
 			Namespace: namespace,
 			Name:      serviceName,
-			Path:      &mutationPath,
-			Port:      &clientPort,
+			Path:      admission.Ptr(mutationPath),
+			Port:      admission.Ptr(clientPort),
 		},
 		CABundle: secret.Data[corev1.TLSCertKey],
 	}
-	if devURL, ok := os.LookupEnv("CATTLE_WEBHOOK_URL"); ok {
+	if devURL, ok := os.LookupEnv(webhookURLEnvKey); ok {
 		validationURL := devURL + validationPath
 		mutationURL := devURL + mutationPath
 		validationClientConfig = v1.WebhookClientConfig{

diff --git a/scripts/ci b/scripts/ci
@@ -8,3 +8,4 @@ cd $(dirname $0)
 ./validate
 ./validate-ci
 ./package
+./test-helm