This webhook is used to validate licensing requirements on ROSA to ensure that Windows virtual machines do not exceed the total capacity of the Windows nodes provided.
WARN this was created as a proof-of-concept only. Please use at your own risk.
There are several known limitations to the webhook:
- Only accounts for `CREATE` requests and not `UPDATE` requests.
- Logic between `domain.cpu` and `requests/limits` has not yet been determined (see #1).
- For simplicity, only `VirtualMachineInstance` types are validated. `VirtualMachine` objects may also be validated, but the logic was beyond a simple proof-of-concept. As a result, users who submit a `VirtualMachine` to the API will be successful, but the subordinate `VirtualMachineInstance` object will fail creation, much like the relationship between `Deployments` and `ReplicaSets` and `Pods`.
  - There may also be more objects to be validated beyond `VirtualMachine` and `VirtualMachineInstance` objects.
- Depends on node labels via `WEBHOOK_NODE_LABEL_KEY` and `WEBHOOK_NODE_LABEL_VALUES` input. If nodes are missing labels, they will not be used to calculate the total capacity for Windows nodes in the cluster. This is defaulted in the standard installation process in this README.
- Validation happens prior to scheduling.
- Test manifests exist in the `manifests/test` directory.
WARN be advised that the test manifests contain passwords in cleartext for testing only. This is not intended to be for production use and was simply used to validate the proof-of-concept.
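
The capacity check and the node-label dependency from the limitations above, as an added Go sketch that is not taken from this repository. The types, the label key `example.com/os`, and the use of a single CPU count per VMI are assumptions, since the `domain.cpu` versus `requests/limits` logic is still open (see #1).

```go
package main

import "fmt"

// Node and VMI are simplified stand-ins for the Kubernetes and KubeVirt objects (assumption).
type Node struct {
	Labels map[string]string
	CPU    int64 // CPU cores the node offers
}

type VMI struct {
	Name string
	CPU  int64 // cores counted against capacity (assumed to be a single figure)
}

// windowsCapacity sums CPU over nodes whose label `key` holds one of `values`.
// A node without the label contributes nothing, so an unlabelled node shrinks capacity.
func windowsCapacity(nodes []Node, key string, values []string) int64 {
	var total int64
	for _, n := range nodes {
		v, ok := n.Labels[key]
		for _, want := range values {
			if ok && v == want {
				total += n.CPU
				break
			}
		}
	}
	return total
}

// validateCreate rejects a request that would push total VMI CPU past capacity.
func validateCreate(operation string, req VMI, existing []VMI, capacity int64) error {
	if operation != "CREATE" {
		return nil // UPDATE passes unchecked, mirroring the first limitation
	}
	used := req.CPU
	for _, v := range existing {
		used += v.CPU
	}
	if used > capacity {
		return fmt.Errorf("denied %s: %d CPUs in total, %d on labelled nodes", req.Name, used, capacity)
	}
	return nil
}

func main() {
	// Constructed sample data: the second node lacks the label and is ignored.
	nodes := []Node{{map[string]string{"example.com/os": "windows"}, 8}, {nil, 8}}
	capacity := windowsCapacity(nodes, "example.com/os", []string{"windows"})
	fmt.Println(capacity, validateCreate("CREATE", VMI{"vm-b", 6}, []VMI{{"vm-a", 4}}, capacity))
}
```

With the sample data the cluster has 16 cores, but only 8 count, so a request that would fit on the physical nodes is still denied until the second node is labelled.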
This is simple usage for the webhook. Please review the `manifests/deploy.yaml` file for accuracy for your environment. You will need to clone this repository and change to the cloned repository directory to run through these instructions.
- Webhooks need their own set of certificates in order to properly function. You can create your own with a simple script provided in this repository:

  ```
  make certs
  ```

  If you do not use the script, be sure to create the following files:
  - CA Certificate - `tmp/ca.crt` - The CA certificate used to sign the webhook web certificate.
  - Webhook Key - `tmp/server.key` - The webhook server key.
  - Webhook Cert - `tmp/server.crt` - The webhook server certificate, signed by the `tmp/ca.crt` file (above). It should be noted that the certificate must be requested with `windows-overcommit-webhook.windows-overcommit-webhook.svc` as the common name and/or subject alternative name, as this is the name the Kubernetes API expects. Please see `scripts/gen-certs.sh` for an example.
- Create the webhook in the ROSA cluster. This step assumes you have a functioning ROSA cluster and your `KUBECONFIG` configured to run commands against the cluster:

  ```
  make create
  ```
- Once you have installed OpenShift Virtualization (see https://cloud.redhat.com/experts/rosa/ocp-virt/with-fsx/ for a quick start), your requests for `VirtualMachine` and `VirtualMachineInstances` will be successfully validated by the webhook.
- To clean up the webhook configuration, and the deployment, namespace and certificates, simply run:

  ```
  make destroy
  ```