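package main

import (
	"github.com/giantswarm/to"
	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"

	"github.com/giantswarm/apiextensions/v6/pkg/crd"
)

const (
	// Azure is the provider for which the CAPI core, kubeadm bootstrap and
	// control plane conversion webhooks are served by the capi-* Services on
	// port 443 instead of the legacy cluster-api-* Services on port 9443.
	Azure = "azure"

	// InjectCaFromCertificateLegacy is the cert-manager Certificate
	// (namespace/name) whose CA is injected into the CAPI core, kubeadm
	// bootstrap and control plane CRDs on every provider other than Azure.
	InjectCaFromCertificateLegacy = "giantswarm/cluster-api-core-cert"

	// injectCAFromAnnotation is the cert-manager annotation that tells the CA
	// injector which Certificate's CA to copy into
	// spec.conversion.webhook.clientConfig.caBundle.
	injectCAFromAnnotation = "cert-manager.io/inject-ca-from"

	// webhookNamespace is the namespace of every conversion webhook Service
	// referenced from this file.
	webhookNamespace = "giantswarm"

	// legacyWebhookPort is the Service port used by the cluster-api-* webhook
	// Services; azureWebhookPort is the port used by the capi-*/capz-* ones.
	legacyWebhookPort int32 = 9443
	azureWebhookPort  int32 = 443

	// azureClusterIdentityCRD is the one CAPZ CRD that is patched even when the
	// upstream manifest carries neither the annotation nor a conversion stanza.
	azureClusterIdentityCRD = "azureclusteridentities.infrastructure.cluster.x-k8s.io"
)

// setInjectCAFrom points the cert-manager CA injector at certificate
// (namespace/name). The annotation is rewritten only when the CRD already
// carries it, unless force is true, in which case it is always written. The
// annotation map is created on demand so a forced write on a CRD without
// annotations does not panic on a nil map.
func setInjectCAFrom(crd *v1.CustomResourceDefinition, certificate string, force bool) {
	if _, present := crd.Annotations[injectCAFromAnnotation]; !present && !force {
		return
	}
	if crd.Annotations == nil {
		crd.Annotations = map[string]string{}
	}
	crd.Annotations[injectCAFromAnnotation] = certificate
}

// setConversionWebhook replaces spec.conversion with a webhook conversion that
// calls /convert on serviceName:port in the giantswarm namespace.
//
// The caBundle written here is only a placeholder so the field is present;
// cert-manager's CA injector overwrites it based on the inject-ca-from
// annotation. A CRD that never receives that annotation keeps the placeholder,
// and the API server then has no CA with which to verify the webhook's serving
// certificate.
func setConversionWebhook(crd *v1.CustomResourceDefinition, serviceName string, port int32) {
	crd.Spec.Conversion = &v1.CustomResourceConversion{
		Strategy: v1.WebhookConverter,
		Webhook: &v1.WebhookConversion{
			ClientConfig: &v1.WebhookClientConfig{
				Service: &v1.ServiceReference{
					Namespace: webhookNamespace,
					Name:      serviceName,
					Path:      to.StringP("/convert"),
					Port:      &port,
				},
				// Placeholder; replaced by cert-manager's CA injector.
				CABundle: []byte("\n"),
			},
			ConversionReviewVersions: []string{"v1", "v1beta1"},
		},
	}
}

// patchCAPIWebhook is shared by the CAPI core, kubeadm bootstrap and control
// plane patches. Every provider except Azure uses legacyService on port 9443
// with the shared legacy Certificate; Azure uses azureService on port 443
// with azureCertificate. The inject-ca-from annotation is only rewritten when
// the upstream CRD already carries it.
func patchCAPIWebhook(provider string, crd *v1.CustomResourceDefinition, legacyService, azureService, azureCertificate string) {
	service, port, certificate := legacyService, legacyWebhookPort, InjectCaFromCertificateLegacy
	if provider == Azure {
		service, port, certificate = azureService, azureWebhookPort, azureCertificate
	}
	setInjectCAFrom(crd, certificate, false)
	setConversionWebhook(crd, service, port)
}

// patchCAPICoreWebhook wires the CAPI core CRDs to the core conversion webhook.
func patchCAPICoreWebhook(provider string, crd *v1.CustomResourceDefinition) {
	patchCAPIWebhook(provider, crd, "cluster-api-core", "capi-webhook-service", "giantswarm/capi-serving-cert")
}

// patchCAPIKubeadmBootstrapWebhook wires the kubeadm bootstrap CRDs to the
// bootstrap conversion webhook.
// Keep in sync with https://github.com/giantswarm/cluster-api-bootstrap-provider-kubeadm-app/tree/main/helm/cluster-api-bootstrap-provider-kubeadm/templates
func patchCAPIKubeadmBootstrapWebhook(provider string, crd *v1.CustomResourceDefinition) {
	patchCAPIWebhook(provider, crd, "cluster-api-bootstrap", "capi-kubeadm-bootstrap-webhook-service", "giantswarm/capi-kubeadm-bootstrap-serving-cert")
}

// patchCAPIControlPlaneWebhook wires the kubeadm control plane CRDs to the
// control plane conversion webhook.
// Keep in sync with https://github.com/giantswarm/cluster-api-control-plane-app/tree/main/helm/cluster-api-control-plane/templates
func patchCAPIControlPlaneWebhook(provider string, crd *v1.CustomResourceDefinition) {
	patchCAPIWebhook(provider, crd, "cluster-api-controlplane", "capi-kubeadm-control-plane-webhook-service", "giantswarm/capi-kubeadm-control-plane-serving-cert")
}

// patchCAPAWebhook wires the CAPA CRDs to the CAPA conversion webhook. The
// provider argument is unused; the same Service is used everywhere.
// Keep in sync with https://github.com/giantswarm/cluster-api-provider-aws-app/tree/master/helm/cluster-api-provider-aws/templates
func patchCAPAWebhook(provider string, crd *v1.CustomResourceDefinition) {
	setInjectCAFrom(crd, "giantswarm/cluster-api-provider-aws-webhook", false)
	setConversionWebhook(crd, "cluster-api-provider-aws-webhook", legacyWebhookPort)
}

// patchCAPVWebhook wires the CAPV CRDs to the CAPV conversion webhook. The
// provider argument is unused; the same Service is used everywhere.
// Keep in sync with https://github.com/giantswarm/cluster-api-provider-vsphere-app/tree/master/helm/cluster-api-provider-vsphere/templates
func patchCAPVWebhook(provider string, crd *v1.CustomResourceDefinition) {
	setInjectCAFrom(crd, "giantswarm/cluster-api-provider-vsphere-webhook", false)
	setConversionWebhook(crd, "cluster-api-provider-vsphere-webhook", legacyWebhookPort)
}

// patchCAPZWebhook wires the CAPZ CRDs to the CAPZ conversion webhook on port
// 443. Unlike the other patches it keeps an upstream CRD without a conversion
// stanza as-is, except for AzureClusterIdentity, which is always given both the
// annotation and the webhook conversion.
// Keep in sync with https://github.com/giantswarm/cluster-api-provider-azure-app/tree/master/helm/cluster-api-provider-azure/templates
func patchCAPZWebhook(provider string, crd *v1.CustomResourceDefinition) {
	force := crd.Name == azureClusterIdentityCRD
	setInjectCAFrom(crd, "giantswarm/capz-serving-cert", force)
	if crd.Spec.Conversion != nil || force {
		setConversionWebhook(crd, "capz-webhook-service", azureWebhookPort)
	}
}

// patchEKSControlPlaneWebhook wires the EKS control plane CRD to its own
// conversion webhook. The provider argument is unused.
// Keep in sync with https://github.com/giantswarm/cluster-api-provider-aws-app/tree/master/helm/cluster-api-provider-aws/templates/eks/control-plane
func patchEKSControlPlaneWebhook(provider string, crd *v1.CustomResourceDefinition) {
	setInjectCAFrom(crd, "giantswarm/cluster-api-provider-aws-eks-control-plane-webhook", false)
	setConversionWebhook(crd, "cluster-api-provider-aws-eks-control-plane-webhook", legacyWebhookPort)
}

// patchEKSConfigWebhook wires the EKS bootstrap CRDs to their own conversion
// webhook. The provider argument is unused.
// Keep in sync with https://github.com/giantswarm/cluster-api-provider-aws-app/tree/master/helm/cluster-api-provider-aws/templates/eks/bootstrap
func patchEKSConfigWebhook(provider string, crd *v1.CustomResourceDefinition) {
	setInjectCAFrom(crd, "giantswarm/cluster-api-provider-aws-eks-bootstrap-webhook", false)
	setConversionWebhook(crd, "cluster-api-provider-aws-eks-bootstrap-webhook", legacyWebhookPort)
}

// patchReleaseValidation constrains metadata.name of Release objects to a
// semantic version prefixed with "v" on every served version of the CRD.
// Kubebuilder comments can't add validation to metadata properties, so the
// schema is written by hand here. The provider argument is unused.
//
// The Properties map is created when the upstream schema has none so the
// assignment never writes to a nil map; a missing Schema still panics, which
// is the intended fail-loud behaviour for a generator.
func patchReleaseValidation(provider string, crd *v1.CustomResourceDefinition) {
	metadataSchema := v1.JSONSchemaProps{
		Type: "object",
		Properties: map[string]v1.JSONSchemaProps{
			"name": {
				Pattern: "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(-[\\.0-9a-zA-Z]*)?$",
				Type:    "string",
			},
		},
	}
	for i := range crd.Spec.Versions {
		schema := crd.Spec.Versions[i].Schema.OpenAPIV3Schema
		if schema.Properties == nil {
			schema.Properties = map[string]v1.JSONSchemaProps{}
		}
		schema.Properties["metadata"] = metadataSchema
	}
}

// patchAWSClusterStaticIdentities applies the normal patchCAPAWebhook patch and
// then rewrites the spec.secretRef description of the first version: the
// upstream text contains a string that gitleaks reports as a leaked credential,
// so it is replaced to avoid the false positive. Only Versions[0] is edited.
func patchAWSClusterStaticIdentities(provider string, crd *v1.CustomResourceDefinition) {
	patchCAPAWebhook(provider, crd)
	version := crd.Spec.Versions[0]
	schema := version.Schema.OpenAPIV3Schema
	// JSONSchemaProps is a value type, so the nested entry is copied out,
	// edited and written back; the Properties maps themselves are shared.
	secretRef := schema.Properties["spec"].Properties["secretRef"]
	secretRef.Description = "Reference to a secret containing the credentials. The secret should contain the following data keys: AccessKeyID: <access key id> SecretAccessKey: <secret access key> SessionToken: Optional"
	schema.Properties["spec"].Properties["secretRef"] = secretRef
	crd.Spec.Versions[0] = version
}

// patches maps a CRD name to the patch applied to it after it is fetched from
// upstream. A CRD that is not listed here is left untouched.
var patches = map[string]crd.Patch{
	// capi
	"clusterclasses.cluster.x-k8s.io":                    patchCAPICoreWebhook,
	"clusters.cluster.x-k8s.io":                          patchCAPICoreWebhook,
	"kubeadmcontrolplanes.controlplane.cluster.x-k8s.io": patchCAPIControlPlaneWebhook,
	"kubeadmconfigs.bootstrap.cluster.x-k8s.io":          patchCAPIKubeadmBootstrapWebhook,
	"kubeadmconfigtemplates.bootstrap.cluster.x-k8s.io":  patchCAPIKubeadmBootstrapWebhook,
	"machinedeployments.cluster.x-k8s.io":                patchCAPICoreWebhook,
	"machinepools.cluster.x-k8s.io":                      patchCAPICoreWebhook,
	"machinehealthchecks.cluster.x-k8s.io":               patchCAPICoreWebhook,
	"machines.cluster.x-k8s.io":                          patchCAPICoreWebhook,
	"machinesets.cluster.x-k8s.io":                       patchCAPICoreWebhook,
	// capa
	"awsclustercontrolleridentities.infrastructure.cluster.x-k8s.io": patchCAPAWebhook,
	"awsclusterroleidentities.infrastructure.cluster.x-k8s.io":       patchCAPAWebhook,
	"awsclusters.infrastructure.cluster.x-k8s.io":                    patchCAPAWebhook,
	"awsclusterstaticidentities.infrastructure.cluster.x-k8s.io":     patchAWSClusterStaticIdentities,
	"awsfargateprofiles.infrastructure.cluster.x-k8s.io":             patchCAPAWebhook,
	"awsmachinepools.infrastructure.cluster.x-k8s.io":                patchCAPAWebhook,
	"awsmachines.infrastructure.cluster.x-k8s.io":                    patchCAPAWebhook,
	"awsmachinetemplates.infrastructure.cluster.x-k8s.io":            patchCAPAWebhook,
	"awsmanagedclusters.infrastructure.cluster.x-k8s.io":             patchCAPAWebhook,
	"awsmanagedcontrolplanes.controlplane.cluster.x-k8s.io":          patchEKSControlPlaneWebhook,
	"awsmanagedmachinepools.infrastructure.cluster.x-k8s.io":         patchCAPAWebhook,
	"eksconfigs.bootstrap.cluster.x-k8s.io":                          patchEKSConfigWebhook,
	"eksconfigtemplates.bootstrap.cluster.x-k8s.io":                  patchEKSConfigWebhook,
	// capz
	azureClusterIdentityCRD:                                     patchCAPZWebhook,
	"azureidentities.aadpodidentity.k8s.io":                     patchCAPZWebhook,
	"azureidentitybindings.aadpodidentity.k8s.io":               patchCAPZWebhook,
	"azurepodidentityexceptions.aadpodidentity.k8s.io":          patchCAPZWebhook,
	"azureassignedidentities.aadpodidentity.k8s.io":             patchCAPZWebhook,
	"azureclusters.infrastructure.cluster.x-k8s.io":             patchCAPZWebhook,
	"azuremachines.infrastructure.cluster.x-k8s.io":             patchCAPZWebhook,
	"azuremachinetemplates.infrastructure.cluster.x-k8s.io":     patchCAPZWebhook,
	"azuremachinepoolmachines.infrastructure.cluster.x-k8s.io":  patchCAPZWebhook,
	"azuremachinepools.exp.infrastructure.cluster.x-k8s.io":     patchCAPZWebhook,
	"azuremachinepools.infrastructure.cluster.x-k8s.io":         patchCAPZWebhook,
	"azuremanagedclusters.infrastructure.cluster.x-k8s.io":      patchCAPZWebhook,
	"azuremanagedcontrolplanes.infrastructure.cluster.x-k8s.io": patchCAPZWebhook,
	"azuremanagedmachinepools.infrastructure.cluster.x-k8s.io":  patchCAPZWebhook,
	// giantswarm
	"releases.release.giantswarm.io": patchReleaseValidation,
	// capv
	"vsphereclusters.infrastructure.cluster.x-k8s.io":         patchCAPVWebhook,
	"vsphereclustertemplates.infrastructure.cluster.x-k8s.io": patchCAPVWebhook,
	"vspheredeploymentzones.infrastructure.cluster.x-k8s.io":  patchCAPVWebhook,
	"vspherefailuredomains.infrastructure.cluster.x-k8s.io":   patchCAPVWebhook,
	"vspheremachines.infrastructure.cluster.x-k8s.io":         patchCAPVWebhook,
	"vspheremachinetemplates.infrastructure.cluster.x-k8s.io": patchCAPVWebhook,
	"vspherevms.infrastructure.cluster.x-k8s.io":              patchCAPVWebhook,
}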