kubebuilder(6)webhook

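<p>Webhooks are an important part of an operator. They are also a fairly self-contained module, which is why they are covered this late in the series.</p><p>A webhook is a callback registered with the k8s api-server. When a particular event occurs, the api-server looks up the registered webhooks and, following some matching logic, forwards the message to the appropriate webhook.</p><p>k8s has three kinds of webhook: admission webhooks, authorization webhooks and CRD conversion webhooks.</p><p>controller-runtime, the framework underneath kubebuilder, supports admission webhooks and CRD conversion webhooks.</p><p>This note covers admission webhooks (from here on, "webhook" means admission webhook). CRD conversion webhooks are used to convert between multiple API versions; at this introductory stage they are left out.</p><p>Admission webhooks fall into two types.</p><p>The first is the validating type: it only reads the object and checks it, and never changes the message. Complex business rules can be written here; earlier in this series we already configured a simple validation check.</p>
<pre><code>// +kubebuilder:validation:Required
Image string `json:"image,omitempty"`
</code></pre>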
<p>The second is the mutating type, a webhook that can modify the object, for example to set default values.</p><h3>Execution order</h3><p>Mutating webhooks run first, validating webhooks run second.</p><p>In other words, values are set first and checked afterwards. There is no need to worry that another webhook changes a value after validation has finished.</p><h2>Workflow</h2><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-5f394d00fc3a39c9.jpeg"/>
</div>
<ol><li>The user creates an instance of the CRD.</li><li>The k8s api-server forwards the request to the matching webhook.</li><li>The webhook applies the default parameter values and runs its parameter checks. On success it returns the CR to the api-server, which persists it.</li><li>The controller we wrote watches the CR in the background, fetches its content and runs the logic we wrote.</li><li>The result of processing the CR is synced back to the api-server.</li></ol><h2>Creating the webhook</h2><p>As with creating an API, kubebuilder generates the scaffolding code for a webhook.</p><p>We continue working on the code base from the previous parts.</p>
<pre><code>kubebuilder create webhook --group tutorial --version v1 --kind Demo --defaulting --programmatic-validation
</code></pre>
<p>--defaulting creates a webhook that sets default values.</p><p>--programmatic-validation creates a webhook that performs validation.</p><p>The kubebuilder flags:</p>
<pre><code>Flags:
      --conversion                if set, scaffold the conversion webhook
      --defaulting                if set, scaffold the defaulting webhook
      --force                     attempt to create resource even if it already exists
      --group string              resource Group
  -h, --help                      help for webhook
      --kind string               resource Kind
      --plural string             resource irregular plural form
      --programmatic-validation   if set, scaffold the validating webhook
      --version string            resource Version
</code></pre>
<p>--conversion creates a CRD conversion webhook. It is used to convert between multiple API versions and can be ignored for now.</p><p>After running the command, look at the generated code.</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-cfb0ad97e36dcf91.jpeg"/>
</div><p>Look at main.go:</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-9c2a5a672a3373c9.jpeg"/>
</div><p>Its job is to register our webhook with the manager.</p><h2>Business code</h2><p>The more important file is the generated webhook file; this is where our business code goes.</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-bde194c5b912078e.jpeg"/>
</div><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-567af7fa2cf7e552.jpeg"/>
</div><p>Our Demo type implements the webhook.Defaulter interface, which gives it the ability to set default values for the CRD.</p><p>We will write the defaulting logic in this Default() method shortly.</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-74c2c02fd90d5bd2.jpeg"/>
</div><p>Our Demo type implements the webhook.Validator interface, so validation can run when the CRD is created, updated or deleted.</p><p>Here is a simple implementation of a few of the methods.</p>
<pre><code>func (r *Demo) Default() {
	demolog.Info("default", "name", r.Name)

	// TODO(user): fill in your defaulting logic.
	// Replicas is a pointer, so nil means the field was omitted.
	if r.Spec.Replicas == nil {
		r.Spec.Replicas = new(int32)
		*r.Spec.Replicas = 1
		demolog.Info("配置默认值", "replicas", *r.Spec.Replicas)
	}
}
</code></pre>
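<pre><code>// Imports this code needs in the webhook file:
//   apierrors "k8s.io/apimachinery/pkg/api/errors"
//   "k8s.io/apimachinery/pkg/runtime/schema"
//   "k8s.io/apimachinery/pkg/util/validation/field"

// Create and update both call the validate method.
func (r *Demo) ValidateCreate() error {
	demolog.Info("validate create", "name", r.Name)

	// TODO(user): fill in your validation logic upon object creation.
	// Call r.validate() to check that the object is valid.
	return r.validate()
}

func (r *Demo) validate() error {
	var allErrs field.ErrorList
	// Replicas is a pointer; the nil check avoids a panic if the
	// defaulting webhook did not run before validation.
	if r.Spec.Replicas != nil && *r.Spec.Replicas > 10 {
		err := field.Invalid(field.NewPath("spec").Child("replicas"),
			*r.Spec.Replicas,
			"副本数不能大于10")

		allErrs = append(allErrs, err)
	}

	if len(allErrs) == 0 {
		demolog.Info("参数合法")
		return nil
	}

	return apierrors.NewInvalid(schema.GroupKind{
		Group: "tutorial",
		Kind:  "Demo"},
		r.Name, allErrs)
}
</code></pre>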
<p>Before deploying the webhook, the configuration still needs a few changes.</p><p>In config/default/kustomization.yaml:</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-54741a5c8abf0c4c.jpeg"/>
</div><p>Uncomment all of the commented-out entries.</p><p>In config/crd/kustomization.yaml:</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-f981ba6a40e8b1c7.jpeg"/>
</div><p>Uncomment the entries.</p><h2>Preparing for deployment</h2><h3>Install cert-manager</h3><p>Because the api-server calls the webhook over HTTPS, cert-manager has to be deployed to manage the certificates automatically.</p><p>This is also the approach the kubebuilder project recommends.</p>
<pre><code>kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.3/cert-manager.yaml
</code></pre>
<div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-4db757040873b8e6.jpeg"/>
</div><p>Because my test environment runs k8s 1.18, I chose version 1.7 of cert-manager.</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-49bf1e133c502df7.jpeg"/>
</div><h3>Clean up the environment</h3><p>First delete all the resources from the earlier tests.</p><p>Delete the test demo:</p>
<pre><code>kubectl delete -f config/samples/tutorial_v1_demo.yaml
</code></pre>
<p>Delete the operator:</p>
<pre><code>kubectl delete -f demo-operator.yaml
</code></pre>
<p>Delete the CRD:</p>
<pre><code>make uninstall
</code></pre>
<h2>Deployment</h2>
<pre><code>make install
make docker-build docker-push IMG=harbor-test.xxx.net/paas/demo-operator:2.0
make deploy IMG=harbor-test.xxx.net/paas/demo-operator:2.0
</code></pre>
<div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-2f74dc04c60458dd.jpeg"/>
</div><h2>Testing</h2><h3>Testing the default value</h3><p>Edit the earlier yaml and remove the replicas field.</p>
<pre><code>apiVersion: tutorial.demo.com/v1
kind: Demo
metadata:
  namespace: demo
  name: demo-sample
spec:
  image: nginx:1.22
  svcName: demo-ng
</code></pre>
<p>Check the manager's log:</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-5c582dbfe61fc025.jpeg"/>
</div><p>The defaulting code was called.</p><h3>Testing parameter validation</h3><p>Set the replicas field in the yaml to 15, which exceeds our maximum.</p>
<pre><code>[root@paas-m-k8s-master-1 demo-operator]# kubectl apply -f config/samples/tutorial_v1_demo.yaml
The Demo "demo-sample" is invalid: spec.replicas: Invalid value: 15: 副本数不能大于10
</code></pre>
<p>The request fails immediately with an error.</p><p>Check the log:</p><div class="image-package"><img src="https://upload-images.jianshu.io/upload_images/5149787-40c16b6727df715e.jpeg"/>
</div><p>The validation ran.</p>
