README
¶
kubevirt-template-validator
kubevirt-template-validator is a kubevirt addon to check the annotations on templates and reject them if unvalid.
It is implemented using a validating webhook.
License
Apache v2
Dependencies
Building
VERSION=devel make binary
tests
unit tests
make unittests
functional tests
Requirements:
- OKD/OCP cluster >= 3.11
- jq
- oc (origin client tools)
You also need access to a running OCP/OKD >= 3.11 cluster. Example scripts are provided to set up
a minishift cluster from scratch.
Make sure you have the minishift binary on the testing system, then run
./hack/tests/setup.sh
Once the environment is up and running, you can run the tests themselves with
make functests
Installation - K8S
PLEASE NOTE: vanilla kubernetes does not support openshift templates so the webhook cannot function properly. Anyway, if you want to install it in your kubernetes cluster anyway, follow these steps:
- Create and deploy the certificates in a Kubernetes Secret, to be used in the following steps:
./cluster/k8s/webhook-create-signed-cert.sh
- [OPTIONAL] Check that the secret exists:
kubectl get secret -n kubevirt kubevirt-template-validator-certs
NAME TYPE DATA AGE
kubevirt-template-validator-certs Opaque 2 1h
- Deploy the service:
kubectl create -f ./cluster/k8s/manifests/service.yaml
- Register the webhook. In order to set up the webhook, we need a CA bundle. We can reuse the one from the certs we create from the step #1.
cat ./cluster/k8s/manifests/validating-webhook.yaml | ./cluster/k8s/extract-ca.sh | kubectl apply -f -
Done!
installation on OKD/OCP
- Make sure the validating webhooks are enabled. You either need to configure the platform when you install it or to use OKD/OCP >= 4.0. See:
- https://github.com/openshift/origin/issues/20842
- https://github.com/openshift/openshift-ansible/issues/7983
- Then, make sure you have the
template:viewcluster role binding in your cluster. If not, add it:
oc create -f ./cluster/okd/manifests/template-view-role.yaml
- Deploy the service:
kubectl create -f ./cluster/okd/manifests/service.yaml
OKD can automatically generate the TLS certificates thanks to the annotation in the provided manifests. So, unlike the steps for kubernetes#1, you don't have to do this manually.
- Register the webhook. Like for Kubernetes, we need to set up the CA bundle
./cluster/okd/extract-ca.sh ./cluster/okd/manifests/validating-webhook.yaml | oc apply -f -
Disable the webhook
To disable the webhook, just de-register it from the apiserver:
$KUBECTL delete -f ./cluster/$PLATFORM/manifests/validating-webhook.yaml
Caveats & Gotchas
There is no automation to tear down the minishift cluster for functests. You need to do it manually.
Directories