diff --git a/config/overlays/featuregate/synthetic-user-permissions/kustomization.yaml b/config/overlays/featuregate/synthetic-user-permissions/kustomization.yaml
index 01e3a6d0e..e5e8b3314 100644
--- a/config/overlays/featuregate/synthetic-user-permissions/kustomization.yaml
+++ b/config/overlays/featuregate/synthetic-user-permissions/kustomization.yaml
@@ -1,4 +1,4 @@
-# kustomization file for secure OLMv1
+# kustomization file for OLMv1 support for synthetic auth
 # DO NOT ADD A NAMESPACE HERE
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
diff --git a/config/overlays/featuregate/webhook-provider-certmanager/kustomization.yaml b/config/overlays/featuregate/webhook-provider-certmanager/kustomization.yaml
new file mode 100644
index 000000000..3898bbc9e
--- /dev/null
+++ b/config/overlays/featuregate/webhook-provider-certmanager/kustomization.yaml
@@ -0,0 +1,15 @@
+# kustomization file for cert-manager backed OLMv1 support for installation of bundles with webhooks
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../base/operator-controller
+ - ../../../base/common
+components:
+ - ../../../components/tls/operator-controller
+
+patches:
+ - target:
+ kind: Deployment
+ name: operator-controller-controller-manager
+ path: patches/enable-featuregate.yaml
diff --git a/config/overlays/featuregate/webhook-provider-certmanager/patches/enable-featuregate.yaml b/config/overlays/featuregate/webhook-provider-certmanager/patches/enable-featuregate.yaml
new file mode 100644
index 000000000..ba47fa37c
--- /dev/null
+++ b/config/overlays/featuregate/webhook-provider-certmanager/patches/enable-featuregate.yaml
@@ -0,0 +1,4 @@
+# enable cert-manager backed webhook support feature gate
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--feature-gates=WebhookProviderCertManager=true"
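Review bot: The `enable-featuregate.yaml` patch appends a fresh `--feature-gates=WebhookProviderCertManager=true` element via `/spec/template/spec/containers/0/args/-`, which silently assumes the base `operator-controller-controller-manager` deployment (not in this diff) does not already carry a `--feature-gates` argument; if it does, whether the two values merge or one wins is decided by the binary's flag parser, so that assumption is worth stating in the patch, e.g. `# appends a new --feature-gates arg; assumes the base deployment passes none (repeated flags are otherwise parser-dependent)`. The same comment applies to the `webhook-provider-openshift-serviceca` patch. The two new overlays are otherwise byte-identical apart from the gate value, so a reviewer may prefer a shared component with the gate string as the only per-overlay input to keep them from drifting.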
diff --git a/config/overlays/featuregate/webhook-provider-openshift-serviceca/kustomization.yaml b/config/overlays/featuregate/webhook-provider-openshift-serviceca/kustomization.yaml
new file mode 100644
index 000000000..de31bef57
--- /dev/null
+++ b/config/overlays/featuregate/webhook-provider-openshift-serviceca/kustomization.yaml
@@ -0,0 +1,15 @@
+# kustomization file for openshift-serviceca backed OLMv1 support for installation of bundles with webhooks
+# DO NOT ADD A NAMESPACE HERE
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../../base/operator-controller
+ - ../../../base/common
+components:
+ - ../../../components/tls/operator-controller
+
+patches:
+ - target:
+ kind: Deployment
+ name: operator-controller-controller-manager
+ path: patches/enable-featuregate.yaml
diff --git a/config/overlays/featuregate/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml b/config/overlays/featuregate/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml
new file mode 100644
index 000000000..e1fa435cd
--- /dev/null
+++ b/config/overlays/featuregate/webhook-provider-openshift-serviceca/patches/enable-featuregate.yaml
@@ -0,0 +1,4 @@
+# enable openshift-serviceca backed webhook support feature gate
+- op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: "--feature-gates=WebhookProviderOpenshiftServiceCA=true"
diff --git a/docs/draft/howto/enable-webhook-support.md b/docs/draft/howto/enable-webhook-support.md
new file mode 100644
index 000000000..b21290a57
--- /dev/null
+++ b/docs/draft/howto/enable-webhook-support.md
@@ -0,0 +1,62 @@
+## Installation of Bundles containing Webhooks
+
+!!! note
+This feature is still in *alpha*. Either the `WebhookProviderCertManager`, or the `WebhookProviderOpenshiftServiceCA`, feature-gate
+must be enabled to make use of it. See the instructions below on how to enable the feature-gate.
+
+OLMv1 currently does not support the installation of bundles containing webhooks. The webhook support feature enables this capability.
+Webhooks, or more concretely Admission Webhooks, are part of Kuberntes' [Dynamic Admission Control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
+feature. Webhooks run as services called by the kube-apiservice in due course of processing a resource related request. They can be used to validate resources, ensure reasonable default values,
+are set, or aid in the migration to new CustomResourceDefinition schema. The communication with the webhook service is secured by TLS. In OLMv1, the TLS certificate is managed by a
+certificate provider. Currently, two certificate providers are supported: CertManager and Openshift-ServiceCA. The certificate provider to use given by the feature-gate:
+
+- `WebhookProviderCertManager` for [CertManager](https://cert-manager.io/)
+- `WebhookProviderOpenshiftServiceCA` for [Openshift-ServiceCA](https://github.com/openshift/service-ca-operator)
+
+As CertManager is already installed with OLMv1, we suggest using `WebhookProviderCertManager`.
+
+### Update OLM to enable Feature
+
+```terminal title=Enable WebhookProviderCertManager feature
+kubectl kustomize config/overlays/featuregate/webhook-provider-certmanager | kubectl apply -f -
+```
+
+Or,
+
+```terminal title=Enable WebhookProviderOpenshiftServiceCA feature
+kubectl kustomize config/overlays/featuregate/webhook-provider-openshift-serviceca | kubectl apply -f -
+```
+
+Then,
+
+```terminal title=Wait for rollout to complete
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+```
+
+### Notes on the generated certificate
+
+#### CertManager
+
+The generated certificate maintains a high-level of parity with the certificate generated by OLMv0:
+- Self-signed
+- Two validity period, rotating 24h before expiry
+- Valid for the webhook service's DNSNames:
+ - .
+ - ..svc
+ - ..svc.cluster.local
+
+#### Openshift-ServiceCA
+
+Generation and rotation are completely governed by [Openshift-ServiceCA](https://github.com/openshift/service-ca-operator)
+
+### How does it work?
+
+There's no change in the installation flow. Just install a bundle containing webhooks as you would any other.
+
+### Demo
+
+!!! note
+As there is no difference in usage or experience between the CertManager and Openshift-ServiceCA variants, only
+the cert-manager variant is demoed.
+
+[![asciicast](https://asciinema.org/a/GyjsB129GkUadeuxFhNuG4FcS.svg)](https://asciinema.org/a/GyjsB129GkUadeuxFhNuG4FcS)
diff --git a/hack/demo/resources/webhook-provider-certmanager/mutating-webhook-test.yaml b/hack/demo/resources/webhook-provider-certmanager/mutating-webhook-test.yaml
new file mode 100644
index 000000000..571940204
--- /dev/null
+++ b/hack/demo/resources/webhook-provider-certmanager/mutating-webhook-test.yaml
@@ -0,0 +1,7 @@
+apiVersion: webhook.operators.coreos.io/v1
+kind: webhooktest
+metadata:
+ namespace: webhook-operator
+ name: mutating-webhook-test
+spec:
+ valid: true
diff --git a/hack/demo/resources/webhook-provider-certmanager/validating-webhook-test.yaml b/hack/demo/resources/webhook-provider-certmanager/validating-webhook-test.yaml
new file mode 100644
index 000000000..227ab8417
--- /dev/null
+++ b/hack/demo/resources/webhook-provider-certmanager/validating-webhook-test.yaml
@@ -0,0 +1,7 @@
+apiVersion: webhook.operators.coreos.io/v1
+kind: webhooktest
+metadata:
+ namespace: webhook-operator
+ name: validating-webhook-test
+spec:
+ valid: false
diff --git a/hack/demo/resources/webhook-provider-certmanager/webhook-operator-catalog.yaml b/hack/demo/resources/webhook-provider-certmanager/webhook-operator-catalog.yaml
new file mode 100644
index 000000000..ff325c064
--- /dev/null
+++ b/hack/demo/resources/webhook-provider-certmanager/webhook-operator-catalog.yaml
@@ -0,0 +1,9 @@
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterCatalog
+metadata:
+ name: webhook-operator-catalog
+spec:
+ source:
+ type: Image
+ image:
+ ref: quay.io/operator-framework/webhook-operator-index:0.0.3
diff --git a/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml b/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml
new file mode 100644
index 000000000..19b7eceb0
--- /dev/null
+++ b/hack/demo/resources/webhook-provider-certmanager/webhook-operator-extension.yaml
@@ -0,0 +1,15 @@
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+ name: webhook-operator
+spec:
+ namespace: webhook-operator
+ serviceAccount:
+ name: webhook-operator-installer
+ source:
+ catalog:
+ packageName: webhook-operator
+ version: 0.0.1
+ selector: {}
+ upgradeConstraintPolicy: CatalogProvided
+ sourceType: Catalog
diff --git a/hack/demo/webhook-provider-certmanager-demo.sh b/hack/demo/webhook-provider-certmanager-demo.sh
new file mode 100755
index 000000000..ba723ca6a
--- /dev/null
+++ b/hack/demo/webhook-provider-certmanager-demo.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+#
+# Welcome to the webhook support with CertManager demo
+#
+trap "trap - SIGTERM && kill -- -$$" SIGINT SIGTERM EXIT
+
+# enable 'WebhookProviderCertManager' feature
+kubectl kustomize config/overlays/featuregate/webhook-provider-certmanager | kubectl apply -f -
+
+# wait for operator-controller to become available
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+
+# create webhook-operator catalog
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-catalog.yaml
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-catalog.yaml
+
+# wait for catalog to be serving
+kubectl wait --for=condition=Serving clustercatalog/webhook-operator-catalog --timeout="60s"
+
+# create install namespace
+kubectl create ns webhook-operator
+
+# create installer service account
+kubectl create serviceaccount -n webhook-operator webhook-operator-installer
+
+# give installer service account admin privileges
+kubectl create clusterrolebinding webhook-operator-installer-crb --clusterrole=cluster-admin --serviceaccount=webhook-operator:webhook-operator-installer
+
+# install webhook operator clusterextension
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-extension.yaml
+
+# apply cluster extension
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/webhook-operator-extension.yaml
+
+# wait for cluster extension installation to succeed
+kubectl wait --for=condition=Installed clusterextension/webhook-operator --timeout="60s"
+
+# wait for webhook-operator deployment to become available and back the webhook service
+kubectl wait --for=condition=Available -n webhook-operator deployments/webhook-operator-webhook
+
+# demonstrate working validating webhook
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/validating-webhook-test.yaml
+
+# resource creation should be rejected by the validating webhook due to bad attribute value
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/validating-webhook-test.yaml
+
+# demonstrate working mutating webhook
+cat ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/mutating-webhook-test.yaml
+
+# apply resource
+kubectl apply -f ${DEMO_RESOURCE_DIR}/webhook-provider-certmanager/mutating-webhook-test.yaml
+
+# get webhooktest resource in v1 schema - resource should have new .spec.mutate attribute
+kubectl get webhooktest.v1.webhook.operators.coreos.io -n webhook-operator mutating-webhook-test -o yaml
+
+# demonstrate working conversion webhook by getting webhook test resource in v2 schema - the .spec attributes should now be under the .spec.conversion stanza
+kubectl get webhooktest.v2.webhook.operators.coreos.io -n webhook-operator mutating-webhook-test -o yaml
+
+# this concludes the webhook support demo - Thank you!
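Review bot: The installer service account is bound to `cluster-admin` on the `kubectl create clusterrolebinding webhook-operator-installer-crb` line and the script never says this is a demo-only shortcut, so readers following the linked how-to may copy it as the recommended setup; a comment such as `# DEMO ONLY: cluster-admin is a shortcut; a real install should bind a role scoped to the RBAC the bundle actually needs` would make that explicit. Separately, every `${DEMO_RESOURCE_DIR}` expansion is unquoted and nothing checks that the variable is set, so with it unset the `cat` and `kubectl apply -f` lines operate on `/webhook-provider-certmanager/...` and, with no `set -e`, the script just carries on; a guard right after the shebang, `: "${DEMO_RESOURCE_DIR:?must point at the demo resources directory}"`, plus quoting the expansions closes both gaps. Note that adding `set -e` is not a drop-in fix here, because the `kubectl apply` of `validating-webhook-test.yaml` is meant to be rejected by the webhook and would abort the demo. The `kubectl wait --for=condition=Available -n webhook-operator deployments/webhook-operator-webhook` line is also the only wait without an explicit `--timeout`, so it falls back to kubectl's default rather than the `60s` used on the other waits.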