
akri-webhook's People

Contributors

dazwilkin

Forkers

chemi0213

akri-webhook's Issues

Lost original problem :-(

/cc: @bfjelds

The new de|reserialization loses the solution to part of the original problem: project-akri/akri#180

Namely, that the omission of .brokerPodSpec.containers[*].resources creates Instances without environment variables.

With the ValidatingAdmissionWebhookController applied:

apiVersion: akri.sh/v0
kind: Configuration
metadata:
  name: zeroconf
spec:
  protocol:
    zeroconf:
      kind: "_rust._tcp"
      port: 8888
      txtRecords:
        project: akri
        protocol: zeroconf
        component: avahi-publish
  capacity: 1
  brokerPodSpec:
    imagePullSecrets: # Container Registry secret
      - name: ghcr
    containers:
      - name: zeroconf-broker
        image: ghcr.io/dazwilkin/zeroconf-broker@sha256:993e5b8d....
#       resources:
#         limits:
#           "{{PLACEHOLDER}}": "1"

Applying the above creates 1 Instance:

kubectl get instances
NAME               CONFIG      SHARED   NODES      AGE
webthings-8bcaf2   webthings   true     ["akri"]   2s

But the Pod will not work correctly and won't include environment variables:

INSTANCE=$(kubectl get instances --output=jsonpath="{.items[*].metadata.name}")

kubectl get pod/akri-${INSTANCE}-pod \
--output=jsonpath="{.spec.containers[*].resources}" | jq .

yields:

{}

Whereas including the resources section and reapplying yields:

{
  "limits": {
    "akri.sh/webthings-8bcaf2": "1"
  },
  "requests": {
    "akri.sh/webthings-8bcaf2": "1"
  }
}

Challenged with `certificates.k8s.io/v1`

Struggling with certificates.k8s.io/v1

apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${SERVICE}.${NAMESPACE}
spec:
  groups:
  - system:authenticated
  request: $(cat ${FILENAME}.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/legacy-unknown
  usages:
  - digital signature
  - key encipherment
  - server auth

Without signerName, it errors:

error: error validating "STDIN":
error validating data: ValidationError(CertificateSigningRequest.spec):
missing required field "signerName" in io.k8s.api.certificates.v1.CertificateSigningRequestSpec;
if you choose to ignore these errors, turn validation off with --validate=false

So, it's clear where the signerName goes and I was hoping to use kubernetes.io/kubelet-serving (see docs) because this one includes:

Permitted key usages - exactly ["key encipherment", "digital signature", "server auth"].

Which matches the spec above (particularly server auth) but it doesn't work:

kubectl certificate approve ${SERVICE}.${NAMESPACE}
certificatesigningrequest.certificates.k8s.io/feriton.akri approved

kubectl get csr ${SERVICE}.${NAMESPACE}
NAME           AGE     SIGNERNAME                      REQUESTOR   CONDITION
feriton.akri   2m32s   kubernetes.io/kubelet-serving   admin       Approved,Failed

So, have reverted to v1beta1 for the time being.

Validate with JSONPath?

Suggestion by @bfjelds to consider using JSONPath to validate against CRD schema.

Should provide some|more dynamism than using code and matches nicely with kubectl's use of JSONPath.

See: Kubernetes' JSONPath

Consider rewriting in Rust

Akri is written in Rust although Kubernetes is written in Golang.

The Webhook examples were all written in Golang and the libraries and types (e.g. AdmissionReview) are available in Golang.

The majority of the effort has been in the configuration and this does not change when rewriting in Rust.

.... Once it's working!

Generalize JSONPath?

Would it be possible to generalize the use of JSONPath such that multiple filters could be provided?

The challenge is that JSONPath is a filter mechanism but does not (!?) contain predicates.

We can do e.g.:

{.spec.brokerPodSpec.containers[*].resources.limits}
{.spec.brokerPodSpec.protocol}
...

But would want e.g.:

Perhaps providing the filters as configuration to the Deployment too:

        - name: webhook
          image: ghcr.io/dazwilkin/akri-webhook@...
          imagePullPolicy: Always
          args:
            - '--filter={.spec.brokerPodSpec.containers[*].resources.limits}'
            - '--filter={.spec.protocol.zeroconf}'
            - --tls-crt-file=/secrets/tls.crt
            - --tls-key-file=/secrets/tls.key
            - --port=8443
            - --logtostderr
            - -v=2
          volumeMounts:
            - name: secrets
              mountPath: /secrets
              readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: SERVICE

Ensure webhook works with namespaces other than `default`

Certificate generation should (!) be namespace friendly:

DIR=${PWD}/secrets
SERVICE="wednesday"
NAMESPACE="default"

FILENAME="${DIR}/${SERVICE}.${NAMESPACE}"

But confirm that this is so by using a ${NAMESPACE} other than default.
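An added example for the `certificates.k8s.io/v1` issue and the namespace issue above, written in Go (the language the webhook examples use) and not taken from akri-webhook; the function names are mine. WebhookCSR builds the CSR with SANs qualified by the namespace, since the API server dials `<service>.<namespace>.svc`, so the same code is namespace-friendly rather than assuming `default`. CSRManifest renders the v1 CertificateSigningRequest object with `.spec.request` base64-encoded as `base64 | tr -d '\n'` produces it. KubeletServingSubjectOK applies the subject constraints the Kubernetes documentation lists for the `kubernetes.io/kubelet-serving` signer (organization exactly `system:nodes`, common name prefixed `system:node:`, DNS/IP SANs only): a webhook server's CSR cannot satisfy them whatever its usages say, so matching the permitted key usages is not enough to get a certificate from that signer. A private CA whose certificate goes into the webhook configuration's caBundle, or cert-manager, is the usual alternative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// ServiceDNSNames lists the in-cluster names the API server may dial for a
// webhook Service. The namespace is part of the name, so a certificate cut for
// "default" will not verify once the webhook runs in another namespace.
func ServiceDNSNames(service, namespace string) []string {
	base := service + "." + namespace + ".svc"
	return []string{base, base + ".cluster.local"}
}

// WebhookCSR generates a P-256 key and a PKCS#10 CSR whose SANs cover the
// Service in its namespace; both are returned PEM-encoded.
func WebhookCSR(service, namespace string) (csrPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	names := ServiceDNSNames(service, namespace)
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: names[0]},
		DNSNames: names,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return csrPEM, keyPEM, nil
}

// ParseCSR decodes a PEM CSR and verifies its self-signature.
func ParseCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("request is not a PEM CERTIFICATE REQUEST")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	return req, req.CheckSignature()
}

// CSRManifest renders the certificates.k8s.io/v1 object from the issue, with
// .spec.request base64-encoded the way `base64 | tr -d '\n'` produces it.
func CSRManifest(service, namespace, signerName string, csrPEM []byte) ([]byte, error) {
	obj := map[string]interface{}{
		"apiVersion": "certificates.k8s.io/v1",
		"kind":       "CertificateSigningRequest",
		"metadata":   map[string]interface{}{"name": service + "." + namespace},
		"spec": map[string]interface{}{
			"request":    base64.StdEncoding.EncodeToString(csrPEM),
			"signerName": signerName,
			"usages":     []string{"digital signature", "key encipherment", "server auth"},
		},
	}
	return json.MarshalIndent(obj, "", "  ")
}

// KubeletServingSubjectOK applies the subject rules the Kubernetes docs list for
// kubernetes.io/kubelet-serving: O exactly ["system:nodes"], CN prefixed
// "system:node:", only DNS/IP SANs and at least one of them.
func KubeletServingSubjectOK(csrPEM []byte) (bool, string) {
	req, err := ParseCSR(csrPEM)
	if err != nil {
		return false, err.Error()
	}
	if len(req.Subject.Organization) != 1 || req.Subject.Organization[0] != "system:nodes" {
		return false, fmt.Sprintf("organization %v is not [system:nodes]", req.Subject.Organization)
	}
	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
		return false, "common name " + req.Subject.CommonName + " lacks the system:node: prefix"
	}
	if len(req.EmailAddresses) > 0 || len(req.URIs) > 0 {
		return false, "email and URI SANs are not permitted"
	}
	if len(req.DNSNames)+len(req.IPAddresses) == 0 {
		return false, "at least one DNS or IP SAN is required"
	}
	return true, ""
}
```

Calling WebhookCSR("feriton", "akri") and feeding the result to KubeletServingSubjectOK reports the organization mismatch before any signer is involved, which is the check to run locally before approving a CSR and reading Approved,Failed back from the cluster. The same CSR is what you would hand to a private CA instead.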
