operator: remove CRD conversion code
The upcoming change of renaming the Deployment API kind to
PmemCSIDeployment breaks the API backward compatibility and we cannot
support the 'v1alpha1' API version, and thus the conversion webhook is also
not needed. Hence dropping the code from the tree. Kept the webhook
kustomization parts, assuming they would be useful for the upcoming 'v1'
release.
avalluri committed Jan 5, 2021
1 parent 83644bb commit 224b1ec
Showing 5 changed files with 4 additions and 414 deletions.
152 changes: 0 additions & 152 deletions docs/install.md
Expand Up @@ -1356,158 +1356,6 @@ deployment is in the `Failed` state, then one can look into the event(s) using
> driver could run can be configured by using `nodeSelector` property of
> [`DeploymentSpec`](#deployment-crd-api).

## PMEM-CSI operator API conversion webhook

The operator release v0.9.0 is based on the new `v1beta1` [deployment API](#pmem-csi-deployment-crd).
The older `v1alpha` API version is still supported via on-the-fly conversion
to `v1beta` by the Kubernetes API server. This conversion is handled by the
Kubernetes API server according to the conversion strategy set in the
[deployment CRD specification](#pmem-csi-deployment-crd).

If no conversion strategy is chosen in the CRD, the API server itself
implements the conversion. This default conversion works for all fields
which are supported in both API versions that are involved in the
conversion. Other fields are silently ignored, like for example
`nodeResources` when converting from `v1alpha1` to `v1beta1`:

```console
$ kubectl get crd deployments.pmem-csi.intel.com -o jsonpath='{.spec.conversion}{"\n"}'
{"strategy":"None"}
```

```ShellSession
$ kubectl create -f - << EOF
apiVersion: pmem-csi.intel.com/v1alpha1
kind: Deployment
metadata:
name: pmem-csi.intel.com
spec:
deviceMode: lvm
EOF
```

```console
$ kubectl get deployments.pmem-csi.intel.com pmem-csi.intel.com -o jsonpath='{.apiVersion}{"\n"}{.spec}{"\n"}'
pmem-csi.intel.com/v1beta1
{"deviceMode":"lvm"}
```

```ShellSession
$ kubectl create -f - << EOF
apiVersion: pmem-csi.intel.com/v1alpha1
kind: Deployment
metadata:
name: pmem-csi.intel.com
spec:
deviceMode: lvm
nodeResources:
limits:
cpu: "500m"
memory: "250Mi"
controllerResources:
limits:
cpu: "400m"
memory: "150Mi"
EOF
```

```console
# nodeResources is dropped when accessing as v1beta1:
$ kubectl get deployments.pmem-csi.intel.com pmem-csi.intel.com -o jsonpath='{.apiVersion}{"\n"}{.spec}{"\n"}'
pmem-csi.intel.com/v1beta1
{"deviceMode":"lvm"}

# nodeResources still exists and can be seen when using v1alpha1:
$ kubectl get deployments.v1alpha1.pmem-csi.intel.com pmem-csi.intel.com -o jsonpath='{.apiVersion}{"\n"}{.spec}{"\n"}'
pmem-csi.intel.com/v1alpha1
{"controllerResources":{"limits":{"cpu":"400m","memory":"150Mi"}},"deviceMode":"lvm","nodeResources":{"limits":{"cpu":"500m","memory":"250Mi"}}}
```

Better conversion can be achieved when deploying the operator
with the built-in CRD [conversion webhook](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/)
enabled. By default, the PMEM-CSI operator starts an HTTPS server at port number 9443 and serves
requests on path `/convert`. The conversion service is exposed via a Kubernetes
service named `pmem-csi-operator-service` in the operator's namespace.

To secure the communication between the Kubernetes APIserver and the conversion
webhook, the server must be configured with an appropriate private key and a TLS
certificate. The TLS certificate must be signed for the above-mentioned service
name suffixed with '.svc', i.e `pmem-csi-operator-service.svc`, and exposed as Kubernetes Secret
object named `pmem-csi-operator-service-cert` in the operator's namespace. Also
make sure that the `spec.conversion.webhook.caBundle` field of the
`deployments.pmem-csi.intel.com` CRD is set to the CA bundle
used for signing the certificate in base64 encoding.

The provided [operator deployment yaml](/deploy/operator/pmem-csi-operator-webhook.yaml)
uses [`cert-manager`](https://cert-manager.io/docs/) for providing the certificates
and injecting the CA bundle into the CRD.

Follow the below steps to install the operator with conversion webhook:

- **Install the `cert-manger`**
```console
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml
```

- **Install the deployment CRD with webhook support**
```console
$ kubectl apply -f https://github.com/intel/pmem-csi/devel/deploy/crd/pmem-csi.intel.com_deployments_webhook.yaml
```

- **Install the PMEM-CSI operator**
```console
$ kubectl apply -f https://github.com/intel/pmem-csi/raw/devel/deploy/operator/pmem-csi-operator-webhook.yaml
```

With the above setup, the `nodeResources` and `controllerResources` of
the `v1alpha1` API are converted to the equivalent `v1beta1` API
fields, i.e.`nodeDriverResources` and `controllerDriverResources`
respectively. `provisionerResources` and `nodeRegistrarResources` are
left unset.

```console
$ kubectl get crd deployments.pmem-csi.intel.com -o jsonpath='{.spec.conversion}{"\n"}'
{"strategy":"Webhook","webhook":{"clientConfig":{"caBundle":"LS0tLS1CRUdJTiBDRV...","service":{"name":"pmem-csi-operator-service","namespace":"default","path":"/convert","port":9443}},"conversionReviewVersions":["v1beta1","v1alpha1"]}}
```

```ShellSession
$ kubectl create -f - << EOF
apiVersion: pmem-csi.intel.com/v1alpha1
kind: Deployment
metadata:
name: pmem-csi.intel.com
spec:
deviceMode: lvm
nodeResources:
limits:
cpu: "500m"
memory: "250Mi"
controllerResources:
limits:
cpu: "400m"
memory: "150Mi"
EOF
```

```console
$ kubectl get deployments.pmem-csi.intel.com pmem-csi.intel.com -o jsonpath='{.apiVersion}{"\n"}{.spec}{"\n"}'
pmem-csi.intel.com/v1beta1
{"controllerDriverResources":{"limits":{"cpu":"400m","memory":"150Mi"}},"deviceMode":"lvm","nodeDriverResources":{"limits":{"cpu":"500m","memory":"250Mi"}}}

$ kubectl get deployments.v1alpha1.pmem-csi.intel.com pmem-csi.intel.com -o jsonpath='{.apiVersion}{"\n"}{.spec}{"\n"}'
pmem-csi.intel.com/v1alpha1
{"controllerResources":{"limits":{"cpu":"400m","memory":"150Mi"}},"deviceMode":"lvm","nodeResources":{"limits":{"cpu":"500m","memory":"250Mi"}}}
```

**NOTE**: Conversion webhooks are [not currently
supported](https://github.com/operator-framework/enhancements/blob/master/enhancements/olm-crd-conversion-webhooks.md)
for installation of operators via the [Operator Lifecycle
Manager](https://olm.operatorframework.io/). If CRs exist with
deprecated API fields and no webhook is enabled, then cluster
administrators have to update those CRs manually to the latest API
version and ensure that the newer fields are set as intended.

## Filing issues and contributing

Report a bug by [filing a new issue](https://github.com/intel/pmem-csi/issues).
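
Review bot: The NOTE at the end of the removed "PMEM-CSI operator API conversion webhook" section told cluster administrators that CRs with deprecated API fields have to be updated manually when no webhook is enabled, and with the whole section deleted docs/install.md no longer says anything to users who still have `v1alpha1` objects. Since the commit message states that `v1alpha1` cannot be supported any more, I would replace the section with a short upgrade note covering what to do with existing `v1alpha1` CRs instead of dropping it without a replacement. Also, because the webhook kustomization parts are kept, please confirm that no CRD shipped from this tree still sets `spec.conversion.strategy` to `Webhook` pointing at `pmem-csi-operator-service` and `/convert`: with the conversion code removed nothing would serve that path, and the removed text on the `pmem-csi-operator-service-cert` Secret and `caBundle` was the description of how that endpoint is secured.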
137 changes: 0 additions & 137 deletions pkg/apis/pmemcsi/v1alpha1/deployment_conversion.go

This file was deleted.
