Add sriov dp admission controller to dpu operator

Makefile

@@ -219,11 +219,12 @@ REGISTRY ?= $(shell hostname)
 # development.
 DPU_OPERATOR_IMAGE := $(REGISTRY):5000/dpu-operator:dev
 DPU_DAEMON_IMAGE := $(REGISTRY):5000/dpu-daemon:dev
+ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT := $(shell kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 --w=0)
 MARVELL_VSP_IMAGE := $(REGISTRY):5000/mrvl-vsp:dev
 
 .PHONY: local-deploy-prep
 prep-local-deploy: tools
- ./bin/config -registry-url $(REGISTRY) -template-file config/dev/local-images-template.yaml -output-file bin/local-images.yaml
+ ./bin/config -registry-url $(REGISTRY) -admissions-controllers-ca-crt $(ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT) template-file config/dev/local-images-template.yaml -output-file bin/local-images.yaml
  cp config/dev/kustomization.yaml bin
 
 .PHONY: local-deploy

cmd/main.go

@@ -112,7 +112,12 @@ func main() {
  os.Exit(1)
  }
 
- b := controller.NewDpuOperatorConfigReconciler(mgr.GetClient(), mgr.GetScheme(), dpuDaemonImage, vspImages)
+ injectorWebhookCA := os.Getenv("ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT")
+ if injectorWebhookCA == "" {
+ setupLog.Error(err, "Failed to set ADMISSION_CONTROLLERS_CERTIFICATES_INJECTOR_CA_CRT env var")
+ }
+
+ b := controller.NewDpuOperatorConfigReconciler(mgr.GetClient(), mgr.GetScheme(), dpuDaemonImage, vspImages, injectorWebhookCA)
 
  if value, ok := os.LookupEnv("IMAGE_PULL_POLICIES"); ok {
  b = b.WithImagePullPolicy(value)

config/dev/local-images-template.yaml

@@ -22,6 +22,10 @@ spec:
  value: {{ .RegistryURL }}:5000/dpu-daemon:dev
  - name: IntelVspImage
  value: {{ .RegistryURL }}:5000/intel_vsp:dev
+ - name: DPU_WEBHOOK
+ value: {{ .RegistryURL }}:5000/dpu-webhook:dev
+ - name: ADMISSION_CONTROLLERS_CA_CRT
+ value: {{ .AdmissionControllersCaCrt }}
  - name: IMAGE_PULL_POLICIES
  value: Always
  image: {{ .RegistryURL }}:5000/dpu-operator:dev

internal/controller/bindata/webhook/auth.yaml

@@ -0,0 +1,163 @@
+# Copyright (c) 2019 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: openshift-dpu-operator
+ name: network-resources-injector-sa
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: network-resources-injector-sa-secret
+ namespace: openshift-dpu-operator
+ annotations:
+ kubernetes.io/service-account.name: network-resources-injector-sa
+type: kubernetes.io/service-account-token
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: network-resources-injector
+rules:
+- apiGroups:
+ - ""
+ - k8s.cni.cncf.io
+ - extensions
+ - apps
+ resources:
+ - replicationcontrollers
+ - replicasets
+ - daemonsets
+ - statefulsets
+ - pods
+ - network-attachment-definitions
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: network-resources-injector-secrets
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: network-resources-injector-webhook-configs
+rules:
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: network-resources-injector-service
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: network-resources-injector-configmaps
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - 'get'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: network-resources-injector-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: network-resources-injector
+subjects:
+- kind: ServiceAccount
+ name: network-resources-injector-sa
+ namespace: openshift-dpu-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: network-resources-injector-secrets-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: network-resources-injector-secrets
+subjects:
+- kind: ServiceAccount
+ name: network-resources-injector-sa
+ namespace: openshift-dpu-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: network-resources-injector-webhook-configs-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: network-resources-injector-webhook-configs
+subjects:
+- kind: ServiceAccount
+ name: network-resources-injector-sa
+ namespace: openshift-dpu-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: network-resources-injector-service-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: network-resources-injector-service
+subjects:
+- kind: ServiceAccount
+ name: network-resources-injector-sa
+ namespace: openshift-dpu-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: network-resources-injector-configmaps-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: network-resources-injector-configmaps
+subjects:
+- kind: ServiceAccount
+ name: network-resources-injector-sa
+ namespace: openshift-dpu-operator
+

internal/controller/bindata/webhook/secret.yaml

@@ -0,0 +1,6 @@
+kind: Secret
+metadata:
+ name: network-resources-injector-secret
+ namespace: openshift-dpu-operator
+type: Opaque
+

internal/controller/bindata/webhook/server.yaml

@@ -0,0 +1,100 @@
+# Copyright (c) 2019 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: network-resources-injector
+ name: network-resources-injector
+ namespace: openshift-dpu-operator
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: network-resources-injector
+ template:
+ metadata:
+ labels:
+ app: network-resources-injector
+ spec:
+ serviceAccount: network-resources-injector-sa
+ containers:
+ - name: webhook-server
+ image: quay.io/vpunj/sriov-dp-admission-controller:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - webhook
+ args:
+ - -bind-address=0.0.0.0
+ - -port=8443
+ - -tls-private-key-file=/etc/tls/tls.key
+ - -tls-cert-file=/etc/tls/tls.crt
+ - -health-check-port=8444
+ - -logtostderr
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ securityContext:
+ runAsUser: 10000
+ runAsGroup: 10000
+ capabilities:
+ drop:
+ - ALL
+ add: ["NET_BIND_SERVICE"]
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls
+ resources:
+ requests:
+ memory: "50Mi"
+ cpu: "250m"
+ limits:
+ memory: "200Mi"
+ cpu: "500m"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8444
+ initialDelaySeconds: 10
+ periodSeconds: 5
+ initContainers:
+ - name: installer
+ image: quay.io/vpunj/sriov-dp-admission-controller:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - installer
+ args:
+ - -name=network-resources-injector
+ - -namespace=openshift-dpu-operator
+ - -alsologtostderr
+ securityContext:
+ runAsUser: 10000
+ runAsGroup: 10000
+ volumeMounts:
+ - name: tls
+ mountPath: /etc/tls
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ volumes:
+ - name: tls
+ secret:
+ secretName: network-resources-injector-secret

internal/controller/bindata/webhook/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: network-resources-injector-service
+ namespace: openshift-dpu-operator
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: network-resources-injector-secret
+spec:
+ ports:
+ - port: 443
+ targetPort: 8443
+ selector:
+ app: network-resources-injector

internal/controller/bindata/webhook/webhook.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: network-resources-injector-config
+ namespace: {{.Namespace}}
+ annotations:
+ service.beta.openshift.io/inject-cabundle: "true"
+webhooks:
+ - name: network-resources-injector-config.k8s.io
+ sideEffects: None
+ admissionReviewVersions: ["v1", "v1beta1"]
+ clientConfig:
+ service:
+ name: network-resources-injector-service
+ namespace: {{.Namespace}}
+ path: "/mutate"
+ caBundle: {{ .injectorWebhookCA }}
+ namespaceSelector:
+ matchExpressions:
+ - key: "kubernetes.io/metadata.name"
+ operator: "NotIn"
+ values:
+ - "openshift-dpu-operator"
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: ["apps", ""]
+ apiVersions: ["v1"]
+ resources: ["pods"]