adding support for webhook-admission validation

charts/pyrra/README.md

@@ -8,11 +8,16 @@ SLO manager and alert generator
 Pyrra needs prometheus to work. You will need to specify that via prometheusUrl variable - default assumes you have default [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) deployed to "monitoring" namespace.
 Additionaly, you (most likely) will need to specify prometheusExternalUrl with URL to public-facing prometheus UI (ingress or whatever you're using), otherwise pyrra links to graphs will be broken
 
+## Webhook Admissions Controller Validations (Optional)
+Pyrra can be configured to validate SLOs and SLO groups using a webhook admission controller. This is an optional feature that can be enabled by setting the `validatingWebhookConfiguration.enabled` value to `true`. The webhook admission controller will validate SLOs when they are created or updated.
+If the SLO object is invalid, the admission controller will reject the request and provide a reason for the failure. This requires cert-manager to be installed in the cluster. If cert-manager is not installed, the webhook admission controller will not be created.
+
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` |  |
+| admissionWebhook.enabled | bool | `false` | enables admission webhook for server to validate SLOs, this requires cert-manager to be installed |
 | extraApiArgs | list | `[]` | Extra args for Pyrra's API container |
 | extraKubernetesArgs | list | `[]` | Extra args for Pyrra's Kubernetes container |
 | fullnameOverride | string | `""` | Overrides helm-generated chart fullname |

charts/pyrra/README.md.gotmpl

@@ -12,6 +12,10 @@
 Pyrra needs prometheus to work. You will need to specify that via prometheusUrl variable - default assumes you have default [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack) deployed to "monitoring" namespace.
 Additionaly, you (most likely) will need to specify prometheusExternalUrl with URL to public-facing prometheus UI (ingress or whatever you're using), otherwise pyrra links to graphs will be broken
 
+## Webhook Admissions Controller Validations (Optional)
+Pyrra can be configured to validate SLOs and SLO groups using a webhook admission controller. This is an optional feature that can be enabled by setting the `validatingWebhookConfiguration.enabled` value to `true`. The webhook admission controller will validate SLOs when they are created or updated.
+If the SLO object is invalid, the admission controller will reject the request and provide a reason for the failure. This requires cert-manager to be installed in the cluster. If cert-manager is not installed, the webhook admission controller will not be created.
+
 {{ template "chart.valuesSection" . }}
 
 ## Upgrading

charts/pyrra/templates/admissionvalidation.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.validatingWebhookConfiguration.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "pyrra.fullname" . }}-selfsigned
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "pyrra.fullname" . }}-webhook-validation
+spec:
+  dnsNames:
+  -  {{ include "pyrra.fullname" . }}.{{ .Release.Namespace }}.svc
+  issuerRef:
+    name: selfsigned
+  secretName: {{ include "pyrra.fullname" . }}-webhook-validation
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pyrra.fullname" . }}-webhook-validation
+  name: {{ include "pyrra.fullname" . }}-validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "pyrra.fullname" . }}
+      path: /validate-pyrra-dev-v1alpha1-servicelevelobjective
+      port: 9443
+  failurePolicy: Fail
+  name: slo.pyrra.dev-servicelevelobjectives
+  rules:
+  - apiGroups:
+    - pyrra.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - servicelevelobjectives
+  sideEffects: None
+{{- end }}

charts/pyrra/templates/deployment.yaml

@@ -35,6 +35,9 @@ spec:
             {{- if .Values.genericRules.enabled }}
             - --generic-rules
             {{- end }}
+            {{- if .Values.validatingWebhookConfiguration.enabled }}
+            - --disable-webhooks=false
+            {{- end }}
             {{- with .Values.extraKubernetesArgs }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -58,6 +61,11 @@ spec:
           ports:
           - name: http
             containerPort: 9099
+          {{- if .Values.validatingWebhookConfiguration.enabled }}
+          volumeMounts:
+          - mountPath: /tmp/k8s-webhook-server/serving-certs
+            name: certs
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -70,3 +78,9 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.validatingWebhookConfiguration.enabled }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "pyrra.fullname" . }}-webhook-validation
+      {{- end }}

charts/pyrra/values.yaml

@@ -100,3 +100,7 @@ serviceMonitor:
 genericRules:
   # -- enables generate Pyrra generic recording rules. Pyrra generates metrics with the same name for each SLO.
   enabled: false
+
+validatingWebhookConfiguration:
+  # -- enables admission webhook for server to validate SLOs, this requires cert-manager to be installed
+  enabled: false