port to AppWrapper controller using cert-controller

Author: dgrove-oss

Diff for: .github/workflows/e2e_tests.yaml

@@ -55,6 +55,10 @@ jobs:
       - name: Setup and start KinD cluster
         uses: ./common/github-actions/kind
 
+      - name: Deploy Kueue
+        run: |
+          make kueue-e2e
+
       - name: Deploy CodeFlare stack
         id: deploy
         run: |

Diff for: .github/workflows/olm_tests.yaml

@@ -54,6 +54,10 @@ jobs:
       - name: Setup and start KinD cluster
         uses: ./common/github-actions/kind
 
+      - name: Deploy Kueue
+        run: |
+          make kueue-e2e
+
       - name: Install OLM
         run: |
           kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/${OLM_VERSION}/crds.yaml

Diff for: Makefile

@@ -12,11 +12,14 @@ VERSION ?= v0.0.0-dev
 BUNDLE_VERSION ?= $(VERSION:v%=%)
 
 # APPWRAPPER_VERSION defines the default version of the AppWrapper controller
-APPWRAPPER_VERSION ?= v0.6.4
+APPWRAPPER_VERSION ?= v0.7.0
 APPWRAPPER_REPO ?= github.com/project-codeflare/appwrapper
 # Upstream AppWrapper is currently only creating release tags of the form `vX.Y.Z` (i.e the version)
 APPWRAPPER_CRD ?= ${APPWRAPPER_REPO}/config/crd?ref=${APPWRAPPER_VERSION}
 
+# KUEUE_VERSION defines the default version of Kueue (used for testing)
+KUEUE_VERSION ?= v0.6.1
+
 # KUBERAY_VERSION defines the default version of the KubeRay operator (used for testing)
 KUBERAY_VERSION ?= v1.0.0
 
@@ -375,6 +378,10 @@ test-e2e: manifests fmt vet ## Run e2e tests.
 kind-e2e: ## Set up e2e KinD cluster
 	test/e2e/kind.sh
 
+.PHONY: kueue-e2e
+kueue-e2e: ## Deploy Kueue
+	KUEUE_VERSION=$(KUEUE_VERSION) test/e2e/kueue.sh
+
 .PHONY: setup-e2e
 setup-e2e: ## Set up e2e tests.
 	KUBERAY_VERSION=$(KUBERAY_VERSION) test/e2e/setup.sh

Diff for: README.md

@@ -33,6 +33,8 @@ The e2e tests can be executed locally by running the following commands:
     ```bash
     # Create a KinD cluster
     make kind-e2e
+    # Deploy Kueue
+    make kueue-e2e
     # Install the CRDs
     make install
     ```

Diff for: config/crd/appwrapper/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- github.com/project-codeflare/appwrapper/config/crd?ref=v0.6.4
+- github.com/project-codeflare/appwrapper/config/crd?ref=v0.7.0

Diff for: config/crd/crd-appwrapper.yml

@@ -2,7 +2,6 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME
     controller-gen.kubebuilder.io/version: v0.14.0
   name: appwrappers.workload.codeflare.dev
 spec:
@@ -212,6 +211,10 @@ spec:
                 phase:
                   description: Phase of the AppWrapper object
                   type: string
+                resettingCount:
+                  description: Retries counts the number of times the AppWrapper has entered the Resetting Phase
+                  format: int32
+                  type: integer
               type: object
           type: object
       served: true

Diff for: config/crd/kustomization.yaml

@@ -5,3 +5,15 @@ resources:
 - crd-appwrapper.yml
 
 #+kubebuilder:scaffold:crdkustomizeresource
+
+patches:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
+# patches here are for enabling the conversion webhook for each CRD
+- path: patches/webhook_in_appwrappers.yaml
+#+kubebuilder:scaffold:crdkustomizewebhookpatch
+
+# [WEBHOOK] To enable webhook, uncomment the following section
+# the following config is for teaching kustomize how to do kustomization for CRDs.
+
+configurations:
+- kustomizeconfig.yaml

Diff for: config/crd/kustomizeconfig.yaml

@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: CustomResourceDefinition
+    version: v1
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+  version: v1
+  group: apiextensions.k8s.io
+  path: spec/conversion/webhook/clientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations

Diff for: config/crd/patches/webhook_in_appwrappers.yaml

@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: appwrappers.workload.codeflare.dev
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1

Diff for: config/default/kustomization.yaml

@@ -17,8 +17,17 @@ bases:
 - ../crd
 - ../rbac
 - ../manager
+- ../internalcert
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- ../webhook
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
 # - ../prometheus
 
+patches:
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+- path: manager_webhook_patch.yaml
+
 resources:
 - metrics_service.yaml

Diff for: config/default/manager_webhook_patch.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: manager
+  namespace: system
+spec:
+  template:
+    spec:
+      containers:
+      - name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert

Diff for: config/internalcert/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+- secret.yaml

Diff for: config/internalcert/secret.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: webhook-server-cert
+  namespace: system

Diff for: config/manager/manager.yaml

@@ -47,9 +47,6 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          # TODO: Disabling webhooks is a temporary hack.  Webhooks are required for Kueue integration.
-          - name: ENABLE_WEBHOOKS
-            value: "false"
         ports:
           - containerPort: 8080
             protocol: TCP

Diff for: config/rbac/role.yaml

@@ -19,16 +19,21 @@ rules:
   - update
   - watch
 - apiGroups:
-  - batch
+  - admissionregistration.k8s.io
   resources:
-  - jobs
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
   verbs:
-  - create
-  - delete
+  - get
   - list
-  - patch
   - update
   - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - list
 - apiGroups:
   - apps
   resources:
@@ -55,6 +60,17 @@ rules:
   - subjectaccessreviews
   verbs:
   - create
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - config.openshift.io
   resources:
@@ -157,6 +173,41 @@ rules:
   - create
   - patch
   - update
+- apiGroups:
+  - kueue.x-k8s.io
+  resources:
+  - resourceflavors
+  - workloadpriorityclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kueue.x-k8s.io
+  resources:
+  - workloads
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kueue.x-k8s.io
+  resources:
+  - workloads/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - kueue.x-k8s.io
+  resources:
+  - workloads/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - machine.openshift.io
   resources:
@@ -182,6 +233,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - scheduling.k8s.io
+  resources:
+  - priorityclasses
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - storage.k8s.io
   resources:

Diff for: config/webhook/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+- manifests.yaml
+- service.yaml
+
+configurations:
+- kustomizeconfig.yaml

Diff for: config/webhook/kustomizeconfig.yaml

@@ -0,0 +1,22 @@
+# the following config is for teaching kustomize where to look at when substituting nameReference.
+# It requires kustomize v2.1.0 or newer to work properly.
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: MutatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+  - kind: ValidatingWebhookConfiguration
+    group: admissionregistration.k8s.io
+    path: webhooks/clientConfig/service/name
+
+namespace:
+- kind: MutatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true
+- kind: ValidatingWebhookConfiguration
+  group: admissionregistration.k8s.io
+  path: webhooks/clientConfig/service/namespace
+  create: true

Diff for: config/webhook/manifests.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /mutate-workload-codeflare-dev-v1beta2-appwrapper
+  failurePolicy: Fail
+  name: mappwrapper.kb.io
+  rules:
+  - apiGroups:
+    - workload.codeflare.dev
+    apiVersions:
+    - v1beta2
+    operations:
+    - CREATE
+    resources:
+    - appwrappers
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /validate-workload-codeflare-dev-v1beta2-appwrapper
+  failurePolicy: Fail
+  name: vappwrapper.kb.io
+  rules:
+  - apiGroups:
+    - workload.codeflare.dev
+    apiVersions:
+    - v1beta2
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - appwrappers
+  sideEffects: None