<p>operator中的webhook也是很重要的一塊功能吟宦。也是相對比較獨立的模塊厦滤，所以放在后面講片任。</p><p>webhook是一個callback逗概，注冊到k8s的api-server上。當某個特定的時間發(fā)生時箕宙，api server就會查詢注冊的webhook嚎朽，并根據一些邏輯確認轉發(fā)消息給某個webhook</p><p>在k8s中，有3類webhook柬帕，admission webhook, authorization webhook 和 CRD conversion webhook.</p><p>在kubebuilder的底層controller-runtime框架里哟忍，支持admission webhooks and CRD conversion webhooks狡门。</p><p>這篇筆記講的是admission webhook。（以下的webhook就是指admission webhook）锅很。CRD conversion webhooks用于多版本api轉換時其馏，目前入門階段先不討論這個話題。</p><p>admission webhook又可以分成2類爆安。</p><p>一種是校驗類的webhook叛复，只讀取信息，做校驗判斷扔仓，不會改變消息褐奥，稱為validating類型。這里的校驗就可以寫復雜的業(yè)務了翘簇，前面的代碼里我們也配置過簡單的validation校驗撬码。</p> // +kubebuilder:validation:Required
Image string json:"image,omitempty"
<p>另一種就是可修改對象的webhook，比如設置默認值功能版保，稱為mutating類型耍群。</p><h3><span/><span>執(zhí)行順序</span><span/></h3><p>先執(zhí)行mutating webhook，后執(zhí)行validating webhook</p><p>就是說先設置找筝，后校驗。不需要擔心慷吊，校驗完了之后袖裕，另一個webhook又修改了值。</p><h2><span/><span>工作流</span><span/><span> </span></h2><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-5f394d00fc3a39c9.jpeg" img-data="{"format":"jpeg","size":52646,"width":797,"height":680,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>
<ol><li>用戶創(chuàng)建一個CRD的實例</li><li>k8s api-server將這個請求轉發(fā)給對應的webhook</li><li>webhook完成默認的參數配置操作溉瓶，并進行一些參數校驗操作急鳄。成功之后將cr返回給api-server。api-server進行落庫</li><li>我們編寫的controller的在后臺監(jiān)控cr,拉取cr內容堰酿，并執(zhí)行我們編寫的邏輯</li><li>cr的執(zhí)行結果同步回api-server</li></ol><h2><span/><span>創(chuàng)建webhook</span><span/><span> </span></h2><p>和創(chuàng)建api一樣疾宏，webhook也由kubebuilder創(chuàng)建腳手架代碼。</p><p>我們在之前的代碼框架上繼續(xù)操作触创。</p>kubebuilder create webhook --group tutorial --version v1 --kind Demo --defaulting --programmatic-validation
<p>--defaulting 是會創(chuàng)建配置默認值的webhook</p><p>--programmatic-validation 創(chuàng)建有校驗功能的webhook</p><p>kubebuilder的參數</p>Flags:
--conversion if set, scaffold the conversion webhook
--defaulting if set, scaffold the defaulting webhook
--force attempt to create resource even if it already exists
--group string resource Group
-h, --help help for webhook
--kind string resource Kind
--plural string resource irregular plural form
--programmatic-validation if set, scaffold the validating webhook
--version string resource Version
<p>--conversion 就是創(chuàng)建CRD conversion webhooks坎藐。用于多版本api轉換時，現在先不用管哼绑。</p><p>執(zhí)行完之后岩馍，看看生成的代碼</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-cfb0ad97e36dcf91.jpeg" img-data="{"format":"jpeg","size":62312,"width":702,"height":447,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318145925949<p>查看main.go</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-9c2a5a672a3373c9.jpeg" img-data="{"format":"jpeg","size":38740,"width":1080,"height":282,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318151327123<p>作用就是在manager中注冊了我們的webhook</p><h2><span/><span>業(yè)務代碼</span><span/><span> </span></h2><p>更重要的文件是生成的這個webhook文件，我們的業(yè)務代碼是寫在這里的</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-bde194c5b912078e.jpeg" img-data="{"format":"jpeg","size":30559,"width":837,"height":301,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318152519441<div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-567af7fa2cf7e552.jpeg" img-data="{"format":"jpeg","size":23639,"width":907,"height":259,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318154234686<p>我們的Demo實現了webhook.Defaulter接口抖韩。即擁有了配置crd的默認值的能力蛀恩。</p><p>稍后我們在這個Default()方法里編寫配置默認值的操作。</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-74c2c02fd90d5bd2.jpeg" img-data="{"format":"jpeg","size":69320,"width":916,"height":713,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318154438377<p>我們的Demo實現了webhook.Validator接口茂浮，在crd進行增刪改時可以進行驗證操作</p><p>簡單實現幾個方法</p>func (r *Demo) Default() {
demolog.Info("default", "name", r.Name)

// TODO(user): fill in your defaulting logic.
if r.Spec.Replicas == nil {
r.Spec.Replicas = new(int32)
*r.Spec.Replicas = 1
demolog.Info("配置默認值", "replicas", *r.Spec.Replicas)
}
}
// 創(chuàng)建和更新調一下validate方法
func (r *Demo) ValidateCreate() error {
demolog.Info("validate create", "name", r.Name)

// TODO(user): fill in your validation logic upon object creation.
// 調用 r.validate() 方法双谆，來驗證對象的合法性壳咕。
return r.validate()
}

func (r *Demo) validate() error {
var allErrs field.ErrorList
if *r.Spec.Replicas > 10 {
err := field.Invalid(field.NewPath("spec").Child("replicas"),
*r.Spec.Replicas,
"副本數不能大于10")

allErrs = append(allErrs, err)
}

if len(allErrs) == 0 {
demolog.Info("參數合法")
return nil
}

return apierrors.NewInvalid(schema.GroupKind{
Group: "tutorial",
Kind: "Demo"},
r.Name, allErrs)
}
<p>在部署webhook前，還需要修改下配置</p><p>在config/default/kustomization.yaml中</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-54741a5c8abf0c4c.jpeg" img-data="{"format":"jpeg","size":98683,"width":875,"height":875,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318173558821<p>注釋全都放開</p><p>在config/crd/kustomization.yaml中</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-f981ba6a40e8b1c7.jpeg" img-data="{"format":"jpeg","size":49407,"width":789,"height":454,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240318173642764<p>注釋放開</p><h2><span/><span>部署前準備</span><span/><span> </span></h2><h3><span/><span>安裝cert-manager</span><span/></h3><p>因為api-server是通過https調用webhook顽馋，所以需要部署cert-manager來自動管理證書谓厘。</p><p>這也是kubebuilder官方建議的方案</p>kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.3/cert-manager.yaml
<div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-4db757040873b8e6.jpeg" img-data="{"format":"jpeg","size":35791,"width":818,"height":388,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240320171742770<p>因為我的測試環(huán)境是1.18的k8s，所以選擇1.7版本的cert manager趣避。</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-49bf1e133c502df7.jpeg" img-data="{"format":"jpeg","size":81232,"width":965,"height":415,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240320171848151<h3><span/><span>清理環(huán)境</span><span/></h3><p>先把之前測試的資源全部刪除</p><p>刪除測試demo</p>kubectl delete -f config/samples/tutorial_v1_demo.yaml
<p>刪除operator</p>kubectl delete -f demo-operator.yaml
<p>刪除crd</p>make uninstall
<h2><span/><span>部署</span><span/><span> </span></h2>make install
make docker-build docker-push IMG=harbor-test.xxx.net/paas/demo-operator:2.0
make deploy IMG=harbor-test.xxx.net/paas/demo-operator:2.0
<div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-2f74dc04c60458dd.jpeg" img-data="{"format":"jpeg","size":43717,"width":1080,"height":248,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240320173017108<h2><span/><span>測試</span><span/><span> </span></h2><h3><span/><span>測試默認值功能</span><span/></h3><p>修改一下之前的yaml,去掉replicas字段</p>apiVersion: tutorial.demo.com/v1
kind: Demo
metadata:
namespace: demo
name: demo-sample
spec:
image: nginx:1.22
svcName: demo-ng
<p>查看manager的日志</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-5c582dbfe61fc025.jpeg" img-data="{"format":"jpeg","size":23010,"width":1080,"height":85,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240320173733830<p>調用了配置默認值的代碼</p><h3><span/><span>測試參數校驗功能</span><span/></h3><p>將yaml中的replicas字段設置為15庞呕，超過我們的最大值</p>[root@paas-m-k8s-master-1 demo-operator]# kubectl apply -f config/samples/tutorial_v1_demo.yaml
The Demo "demo-sample" is invalid: spec.replicas: Invalid value: 15: 副本數不能大于10
<p>直接報錯</p><p>查看日志</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-40c16b6727df715e.jpeg" img-data="{"format":"jpeg","size":12993,"width":1080,"height":59,"space":"srgb","channels":3,"depth":"uchar","density":72,"chromaSubsampling":"4:2:0","isProgressive":false,"hasProfile":false,"hasAlpha":false}" contenteditable="false" class="uploaded-img" style="min-height:200px;min-width:200px;" width="auto" height="auto"/>
</div>image-20240320174235546<p>進行了校驗</p><p>
</p>