hypershift.md

File metadata and controls

64 lines (44 loc) · 4.42 KB

managed-cluster-validating-webhooks on Hypershift

How it works

Managed Cluster Validating Webhooks (MCVW) is deployed into Hypershift environments via several components:

  • The webhook admission service is deployed into each hosted control plane (HCP) namespace on the Hypershift management clusters, via the Package Operator.
  • The ValidatingWebhookConfiguration resources are deployed directly onto the Hypershift hosted clusters.

Both components are installed via a single Package Operator (PKO) package. The package is distributed to Hypershift management clusters via an Advanced Cluster Management (ACM) policy. These resources are described in the sections below.

Package Operator package

The PKO package consists of:

  • a manifest which lists the phases involved in the package installation, along with any availability and promotion tests.
  • a resource bundle which contains all the resources needed for MCVW to run in the HCP namespace, as well as the ValidatingWebhookConfigurations installed on the hosted cluster. This bundle is generated by resources.go. Each resource is annotated with a phase so that PKO knows during which phase to install it.
  • a Containerfile which builds the PKO package image.
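Because PKO applies the bundle phase by phase, a bundle is only as safe as its phase annotations: a ValidatingWebhookConfiguration that lands in the same phase as (or an earlier phase than) the webhook Deployment and Service registers admission against a backend that does not exist yet. The following Go program is an added example, not the project's resources.go or any PKO code: it parses a minimal manifest and a set of bundle objects (constructed sample JSON, not the real bundle), checks that every object carries a phase annotation naming a phase declared in the manifest, and checks that every ValidatingWebhookConfiguration is placed in a phase strictly after the one holding the Deployment and Service. The annotation key `package-operator.run/phase` and the phase names are assumptions for the example; confirm them against the package-operator release in use.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PhaseAnnotation is the key PKO reads to decide in which phase an object is applied.
// Assumed for this example; confirm against the package-operator release in use.
const PhaseAnnotation = "package-operator.run/phase"

// PackageManifest carries only the part of a PKO manifest this check needs: the ordered phase list.
type PackageManifest struct {
	Spec struct {
		Phases []struct {
			Name string `json:"name"`
		} `json:"phases"`
	} `json:"spec"`
}

// Object is the minimal view of a bundle resource: kind, name and annotations.
type Object struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// ValidateBundle returns one message per problem found (missing annotation, undeclared phase,
// webhook registered before its backend). An empty slice means the bundle passed.
func ValidateBundle(manifestJSON string, objectJSONs []string) ([]string, error) {
	var m PackageManifest
	if err := json.Unmarshal([]byte(manifestJSON), &m); err != nil {
		return nil, fmt.Errorf("manifest: %w", err)
	}
	order := make(map[string]int, len(m.Spec.Phases))
	for i, p := range m.Spec.Phases {
		order[p.Name] = i
	}

	var problems []string
	backendPhase := -1 // highest phase index holding a Deployment or Service
	type webhook struct {
		id  string
		idx int
	}
	var webhooks []webhook
	for _, raw := range objectJSONs {
		var o Object
		if err := json.Unmarshal([]byte(raw), &o); err != nil {
			return nil, fmt.Errorf("object: %w", err)
		}
		id := o.Kind + "/" + o.Metadata.Name
		phase, ok := o.Metadata.Annotations[PhaseAnnotation]
		if !ok {
			problems = append(problems, id+": missing "+PhaseAnnotation+" annotation")
			continue
		}
		idx, declared := order[phase]
		if !declared {
			problems = append(problems, fmt.Sprintf("%s: phase %q is not declared in the manifest", id, phase))
			continue
		}
		switch o.Kind {
		case "Deployment", "Service":
			if idx > backendPhase {
				backendPhase = idx
			}
		case "ValidatingWebhookConfiguration":
			webhooks = append(webhooks, webhook{id, idx})
		}
	}
	for _, w := range webhooks {
		if w.idx <= backendPhase {
			problems = append(problems, w.id+": must be installed in a phase after the webhook Deployment and Service, otherwise admission is routed to a backend that does not exist yet")
		}
	}
	return problems, nil
}

// Constructed sample manifest and objects for the example; not the project's real bundle.
const SampleManifest = `{"spec":{"phases":[{"name":"deploy"},{"name":"webhooks"}]}}`

var SampleObjects = []string{
	`{"kind":"Deployment","metadata":{"name":"validation-webhook","annotations":{"package-operator.run/phase":"deploy"}}}`,
	`{"kind":"Service","metadata":{"name":"validation-webhook","annotations":{"package-operator.run/phase":"deploy"}}}`,
	`{"kind":"ValidatingWebhookConfiguration","metadata":{"name":"example-validation","annotations":{"package-operator.run/phase":"webhooks"}}}`,
}

// BrokenObjects: Service lacks the annotation, ConfigMap names an undeclared phase,
// and the webhook configuration sits in the same phase as its backend.
var BrokenObjects = []string{
	`{"kind":"Deployment","metadata":{"name":"validation-webhook","annotations":{"package-operator.run/phase":"deploy"}}}`,
	`{"kind":"Service","metadata":{"name":"validation-webhook"}}`,
	`{"kind":"ConfigMap","metadata":{"name":"webhook-config","annotations":{"package-operator.run/phase":"bogus"}}}`,
	`{"kind":"ValidatingWebhookConfiguration","metadata":{"name":"example-validation","annotations":{"package-operator.run/phase":"deploy"}}}`,
}

func main() {
	for name, objs := range map[string][]string{"good": SampleObjects, "broken": BrokenObjects} {
		problems, err := ValidateBundle(SampleManifest, objs)
		fmt.Printf("%s bundle: err=%v problems=%d\n", name, err, len(problems))
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

Run it as a pre-commit or CI step over the generated bundle; the ordering check is the one that matters most, since a webhook registered before its Service exists will either block admission (fail-closed) or silently skip validation (fail-open) until the backend comes up.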

Building a package

You can manually regenerate the resource bundle by running:

```shell
make package
```

You can manually build the PKO package image by running:

```shell
make IMG_ORG=<username> build-package-image
```

The resulting package image follows the naming convention quay.io/$USER/managed-cluster-validating-webhooks-hs-package, where the organisation part is taken from IMG_ORG, and can be pushed to Quay for testing if needed.

Testing a package

Once a package has been built and pushed to a public image repository, it can be installed manually on any cluster running PKO by creating a Package resource (the target namespace must already exist):

```yaml
apiVersion: package-operator.run/v1alpha1
kind: Package
metadata:
  name: validation-webhook
  namespace: validation-webhook
spec:
  image: quay.io/$USER/managed-cluster-validating-webhooks-hs-package:$TAG
```

ACM Policy for Package distribution

On Hypershift, the Package resource is distributed to all HCP namespaces via a SelectorSyncSet that carries an ACM Policy.

The SelectorSyncSet is applied to the Hive clusters by app-interface; Hive in turn distributes it to the Hypershift service clusters.

How the CI/CD process works

This section describes the main steps of the CI/CD flow for managed-cluster-validating-webhooks:

  • A new commit is merged to the MCVW repository.
  • This triggers app-interface to call the MCVW build_deploy.sh script.
  • The build_deploy.sh script builds a new MCVW image and a new PKO package image. Both are tagged with the same git short hash of the commit that was just merged.
  • The managed-cluster-validating-webhooks-hypershift SaaS resource template in app-interface rolls out the latest templated SelectorSyncSet to the staging/integration Hive shards. The IMAGE_DIGEST parameter is set to the git short hash of the latest commit, so the PKO package image referenced is the one built in the previous step. Note that, despite the parameter name, this value is a mutable image tag rather than an immutable content digest.
  • Because the ACM Policy has changed, the Policy is updated on all Hypershift management clusters. This updates the Package resource in every HCP namespace to reference the new PKO package image.
  • PKO pulls that image and installs or updates the resources it contains.