Provide conversion webhook for CRDs (#49)

Webhook is called, whenever a CR is requested in a specific version.
This is enabled from these versions:
- `AppDefintion.v1beta8`
- `Session.v1beta6`
- `Workspace.v1beta3`
Older versions are deprecated and no longer in the definition.

Move status like fields to status:
- `Session.v1beta7`: Move `url`, `lastActivity` and `error` fields from
the spec to the status.
- `Workspace.v1beta4`: Move the `error` field from the spec to the status.
Also add the `error` field to `Workspace.v1beta3` as it was missing

Remove `timeout.strategy` from AppDefinition
- `AppDefinition.v1beta9`: Removed `timeout.strategy` and `timeout.limit`
is now just `timeout`. This was done, as there is only one Strategy left.

Contributed on behalf of STMicroelectronics
Co-authored-by: Johannes Faltermeier <[email protected]>

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 ## [0.10.0] - estimated 2024-04
 
+- [theia-cloud-crds] Provide conversion webhook for newer versions of CRDs [#49](https://github.com/eclipsesource/theia-cloud-helm/pull/49) | [#283](https://github.com/eclipsesource/theia-cloud/pull/283) - contributed on behalf of STMicroelectronics
+  - This webhook is called, whenever a resource is requested in a specific version
+  - This is enabled from these versions: `AppDefintion.v1beta8`, `Session.v1beta6` and `Workspace.v1beta3`
+  - Older versions are deprecated and no longer in the definition
+- [theia-cloud-crds] Move status like fields to status [#](https://github.com/eclipsesource/theia-cloud-helm/pull/49) | [#283](https://github.com/eclipsesource/theia-cloud/pull/283) - contributed on behalf of STMicroelectronics
+  - `Session.v1beta7`: Move `url`, `lastActivity` and `error` fields from the spec to the status.
+  - `Workspace.v1beta4`: Move the `error` field from the spec to the status. Also add the `error` field to `Workspace.v1beta3` as it was missing
+- [theia-cloud-crds] Remove `timeout.strategy` from AppDefinition [#](https://github.com/eclipsesource/theia-cloud-helm/pull/49) | [#283](https://github.com/eclipsesource/theia-cloud/pull/283) - contributed on behalf of STMicroelectronics
+  - `AppDefinition.v1beta9`: Removed `timeout.strategy` and `timeout.limit` is now just `timeout`. This was done, as there is only one Strategy left.
+
 ## [0.9.0] - 2024-01-23
 
 - [All charts] Align [versioning](https://github.com/eclipsesource/theia-cloud-helm#versioning) between all components and introduce changelog [#45](https://github.com/eclipsesource/theia-cloud-helm/pull/45) | [#258](https://github.com/eclipsesource/theia-cloud/pull/258) - contributed on behalf of STMicroelectronics

charts/theia-cloud-crds/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0-next.0
+version: 0.10.0-next.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia-cloud-crds/README.md

@@ -0,0 +1,16 @@
+# theia-cloud-crds
+
+![Version: 0.10.0-next.1](https://img.shields.io/badge/Version-0.10.0--next.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.10.0-next](https://img.shields.io/badge/AppVersion-0.10.0--next-informational?style=flat-square)
+
+A Helm chart for the custom resource definitions (CRDs) of Theia Cloud
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| clusterIssuer | string | `"theia-cloud-selfsigned-issuer"` | The cluster issuer to use for the certificate |
+| conversion.certMountPath | string | `"/etc/webhook/certs"` | The location of where the certificates are mounted into the container (needs to match with application.properties) |
+| conversion.image | string | `"theiacloud/theia-cloud-conversion-webhook:0.10.0-next"` | The image of the webhook container |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/theia-cloud-crds/templates/appdefinition-spec-resource.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: appdefinitions.theia.cloud
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/conversion-webhook-certificate
 spec:
   group: theia.cloud
   names:
@@ -11,7 +13,7 @@ spec:
     singular: appdefinition
   scope: Namespaced
   versions:
-    - name: v1beta8
+    - name: v1beta9
       served: true
       storage: true
       # subresources describes the subresources for custom resources.
@@ -51,13 +53,7 @@ spec:
                 maxInstances:
                   type: integer
                 timeout:
-                  type: object
-                  properties:
-                    strategy:
-                      type: string
-                      enum: ["FIXEDTIME"]
-                    limit:
-                      type: integer
+                  type: integer
                 requestsMemory:
                   type: string
                 requestsCpu:
@@ -105,7 +101,7 @@ spec:
                   type: string
           required:
             - spec
-    - name: v1beta7
+    - name: v1beta8
       served: true
       storage: false
       # subresources describes the subresources for custom resources.
@@ -178,3 +174,13 @@ spec:
                   type: string
                 operatorMessage:
                   type: string
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1"]
+      clientConfig:
+        service:
+          namespace: {{ .Release.Namespace }}
+          name: conversion-webhook-service
+          port: 443
+          path: /convert/appdefinition

charts/theia-cloud-crds/templates/conversion-webhook-certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: conversion-webhook-certificate
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: crd.conversion.cert
+  secretName: conversion-webhook-cert-secret
+  dnsNames:
+    - "conversion-webhook-service.{{ .Release.Namespace }}.svc"
+  issuerRef:
+    name: {{ .Values.clusterIssuer }}
+    kind: ClusterIssuer

charts/theia-cloud-crds/templates/conversion-webhook-deployment.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: conversion-webhook
+  labels:
+    app: conversion-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: conversion-webhook
+  template:
+    metadata:
+      labels:
+        app: conversion-webhook
+    spec:
+      containers:
+        - name: conversion-webhook-container
+          image: {{ .Values.conversion.image }}
+          ports:
+            - name: tls
+              containerPort: 443
+          volumeMounts:
+            - name: certificates
+              mountPath: {{ .Values.conversion.certMountPath }}
+              readOnly: true
+      volumes:
+        - name: certificates
+          secret:
+            secretName: conversion-webhook-cert-secret

charts/theia-cloud-crds/templates/conversion-webhook-service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: conversion-webhook-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: tls
+      port: 443
+      targetPort: 8443
+  selector:
+    app: conversion-webhook
+  type: ClusterIP

charts/theia-cloud-crds/templates/session-spec-resource.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: sessions.theia.cloud
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/conversion-webhook-certificate
 spec:
   group: theia.cloud
   names:
@@ -11,7 +13,7 @@ spec:
     singular: session
   scope: Namespaced
   versions:
-    - name : v1beta6
+    - name : v1beta7
       served: true
       storage: true
       # subresources describes the subresources for custom resources.
@@ -35,14 +37,8 @@ spec:
                   pattern: '^[a-z0-9A-Z-_]+$'
                 user: # cached from workspace
                   type: string
-                url:
-                  type: string
-                error:
-                  type: string
                 sessionSecret:
                   type: string
-                lastActivity:
-                  type: integer
                 envVars:
                   type: object
                   additionalProperties:
@@ -66,9 +62,15 @@ spec:
                   type: string
                 operatorMessage:
                   type: string
+                url:
+                  type: string
+                error:
+                  type: string
+                lastActivity:
+                  type: integer
           required:
             - spec
-    - name : v1beta5
+    - name : v1beta6
       served: true
       storage: false
       # subresources describes the subresources for custom resources.
@@ -84,10 +86,12 @@ spec:
               properties:
                 name:
                   type: string
+                  pattern: '^[a-z0-9A-Z-_]+$'
                 workspace:
                   type: string
                 appDefinition: # cached from workspace
                   type: string
+                  pattern: '^[a-z0-9A-Z-_]+$'
                 user: # cached from workspace
                   type: string
                 url:
@@ -110,10 +114,26 @@ spec:
                   type: array
                   items:
                     type: string
+              required:
+                - name
+                - user
+                - appDefinition
             status:
               type: object
               properties:
                 operatorStatus:
                   type: string
                 operatorMessage:
                   type: string
+          required:
+            - spec
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1"]
+      clientConfig:
+        service:
+          namespace: {{ .Release.Namespace }}
+          name: conversion-webhook-service
+          port: 443
+          path: /convert/session

charts/theia-cloud-crds/templates/workspace-spec-resource.yaml

@@ -2,6 +2,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: workspaces.theia.cloud
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/conversion-webhook-certificate
 spec:
   group: theia.cloud
   names:
@@ -11,7 +13,7 @@ spec:
     singular: workspace
   scope: Namespaced
   versions:
-    - name : v1beta3
+    - name : v1beta4
       served: true
       storage: true
       # subresources describes the subresources for custom resources.
@@ -61,9 +63,11 @@ spec:
                       type: string
                     message:
                       type: string
+                error:
+                  type: string
           required:
             - spec
-    - name : v1beta2
+    - name : v1beta3
       served: true
       storage: false
       # subresources describes the subresources for custom resources.
@@ -79,14 +83,21 @@ spec:
               properties:
                 name:
                   type: string
+                  pattern: '^[a-z0-9A-Z-_]+$'
                 label:
                   type: string
                 appDefinition: # last app definition that ran on this workspace
                   type: string
+                  pattern: '^[a-z0-9A-Z-_]+$'
                 user:          # user who created the workspace
                   type: string
                 storage:
                   type: string
+                error:
+                  type: string
+              required:
+                - name
+                - user
             status:
               type: object
               properties:
@@ -108,3 +119,15 @@ spec:
                       type: string
                     message:
                       type: string
+          required:
+            - spec
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions: ["v1"]
+      clientConfig:
+        service:
+          namespace: {{ .Release.Namespace }}
+          name: conversion-webhook-service
+          port: 443
+          path: /convert/workspace

charts/theia-cloud-crds/values.yaml

@@ -0,0 +1,8 @@
+conversion:
+  # -- The image of the webhook container
+  image: theiacloud/theia-cloud-conversion-webhook:0.10.0-next
+  # -- The location of where the certificates are mounted into the container (needs to match with application.properties)
+  certMountPath: /etc/webhook/certs
+
+# -- The cluster issuer to use for the certificate
+clusterIssuer: theia-cloud-selfsigned-issuer

charts/theia.cloud/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.0-next.0
+version: 0.10.0-next.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/theia.cloud/README.md

@@ -1,6 +1,6 @@
 # theia-cloud
 
-![Version: 0.10.0-next.0](https://img.shields.io/badge/Version-0.10.0--next.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.10.0-next](https://img.shields.io/badge/AppVersion-0.10.0--next-informational?style=flat-square)
+![Version: 0.10.0-next.1](https://img.shields.io/badge/Version-0.10.0--next.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.10.0-next](https://img.shields.io/badge/AppVersion-0.10.0--next-informational?style=flat-square)
 
 A Helm chart for Theia.cloud
 
@@ -31,8 +31,7 @@ A Helm chart for Theia.cloud
 | image.imagePullPolicy | string | `nil` | Optional: Override the imagePullPolicy for the main application's docker image. If this is omitted or empty, the root at .Values.imagePullPolicy is used. |
 | image.name | string | `"theiacloud/theia-cloud-demo:0.10.0-next"` | The name of docker image to be used |
 | image.pullSecret | string | `""` | the image pull secret. Leave empty if registry is public |
-| image.timeoutLimit | string | `"30"` | Limit in minutes |
-| image.timeoutStrategy | string | `"FIXEDTIME"` | Configures how sessions will be stopped. This defines the strategy and the limit in minutes and will override any specification from an appDefinition. Possible values for strategy: - FIXEDTIME   Sessions will be stopped after a fixed limit |
+| image.timeout | string | `"30"` | Limit in minutes |
 | imagePullPolicy | string | `"Always"` | The default imagePullPolicy for containers of theia cloud. Can be overridden for individual components by specifying the imagePullPolicy variable there. Possible values: - Always - IfNotPresent - Never |
 | ingress | object | (see details below) | Values to influence the ingresses |
 | ingress.clusterIssuer | string | `"letsencrypt-prod"` | The cluster issuer to use |
@@ -41,8 +40,6 @@ A Helm chart for Theia.cloud
 | ingress.theiaCloudCommonName | bool | `false` | When set to true the cert-manager.io/common-name annotation will be set. This is only required when the issued certificate by the cert-manager misses a common-name |
 | issuer | object | (see details below) | Values related to certificates/Cert-manager |
 | issuer.email | string | `"[email protected]"` | EMail address of the certificate issuer. |
-| issuerprod.name | string | `"letsencrypt-prod"` |  |
-| issuerstaging.name | string | `"theia-cloud-selfsigned-issuer"` |  |
 | keycloak | object | (see details below) | Values related to Keycloak |
 | keycloak.authUrl | string | `"https://keycloak.url/auth/"` | Key cloak auth URL. Only has to be specified when enable: true |
 | keycloak.clientId | string | `"theia-cloud"` | The client-id. Only has to be specified when enable: true |
@@ -90,4 +87,4 @@ A Helm chart for Theia.cloud
 | servicerole.name | string | `"service-api-access"` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.3](https://github.com/norwoodj/helm-docs/releases/v1.11.3)
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)

charts/theia.cloud/templates/theia-appdefinition-spec.yaml

@@ -1,4 +1,4 @@
-apiVersion: theia.cloud/v1beta8
+apiVersion: theia.cloud/v1beta9
 kind: AppDefinition
 metadata:
   name: theia-cloud-demo
@@ -12,9 +12,7 @@ spec:
   ingressname: {{ tpl (.Values.ingress.instanceName | toString) . }}
   minInstances: 0
   maxInstances: 10
-  timeout:
-    limit: {{ tpl (.Values.image.timeoutLimit | toString) . }}
-    strategy: {{ tpl (.Values.image.timeoutStrategy | toString) . }}
+  timeout: {{ tpl (.Values.image.timeout | toString) . }}
   requestsMemory: 1000M
   limitsMemory: 1200M
   requestsCpu: "100m"