add admission webhook

Author: DockToFuture

.github/workflows/build-and-test.yaml

@@ -111,16 +111,39 @@ jobs:
       packages: write
       id-token: write
     uses: gardener/cc-utils/.github/workflows/helmchart-ocm.yaml@master
+    strategy:
+      matrix:
+        args:
+          - name: gardener-extension-shoot-traefik
+            dir: charts/gardener-extension-shoot-traefik
+            oci-repository: charts/gardener/extensions
+            ocm-mappings:
+              - ref: ocm-resource:gardener-extension-shoot-traefik.repository
+                attribute: image.repository
+              - ref: ocm-resource:gardener-extension-shoot-traefik.tag
+                attribute: image.tag
+          - name: admission-shoot-traefik-application
+            dir: charts/gardener-extension-admission-traefik/charts/application
+            oci-repository: charts/gardener/extensions
+            ocm-mappings:
+              - ref: ocm-resource:gardener-extension-shoot-traefik.repository
+                attribute: image.repository
+              - ref: ocm-resource:gardener-extension-shoot-traefik.tag
+                attribute: image.tag
+          - name: admission-shoot-traefik-runtime
+            dir: charts/gardener-extension-admission-traefik/charts/runtime
+            oci-repository: charts/gardener/extensions
+            ocm-mappings:
+              - ref: ocm-resource:gardener-extension-shoot-traefik.repository
+                attribute: image.repository
+              - ref: ocm-resource:gardener-extension-shoot-traefik.tag
+                attribute: image.tag
     with:
-      name: gardener-extension-shoot-traefik
-      dir: charts
+      name: ${{ matrix.args.name }}
+      dir: ${{ matrix.args.dir }}
       oci-registry: ${{ needs.prepare.outputs.oci-registry }}
-      oci-repository: charts/gardener/extensions
-      ocm-mappings: |
-        [
-          {"ref": "ocm-resource:gardener-extension-shoot-traefik.repository", "attribute": "image.repository"},
-          {"ref": "ocm-resource:gardener-extension-shoot-traefik.tag", "attribute": "image.tag"}
-        ]
+      oci-repository: ${{ matrix.args.oci-repository }}
+      ocm-mappings: ${{ toJSON(matrix.args.ocm-mappings) }}
 
   build-only:
     if: inputs.mode == ''

Makefile

@@ -232,8 +232,18 @@ generate-operator-extension:  ## Generate operator extension example resources.
 
 .PHONY: check-helm
 check-helm:  ## Lint helm charts and validate rendered templates.
-	@$(GO_TOOL) helm lint $(SRC_ROOT)/charts
-	@$(GO_TOOL) helm template $(SRC_ROOT)/charts | \
+	@$(GO_TOOL) helm lint $(SRC_ROOT)/charts/gardener-extension-shoot-traefik
+	@$(GO_TOOL) helm template $(SRC_ROOT)/charts/gardener-extension-shoot-traefik | \
+		$(GO_TOOL) kubeconform \
+			$(KUBECONFORM_OPTS) \
+			-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
+	@$(GO_TOOL) helm lint $(SRC_ROOT)/charts/gardener-extension-admission-traefik/charts/runtime
+	@$(GO_TOOL) helm template $(SRC_ROOT)/charts/gardener-extension-admission-traefik/charts/runtime | \
+		$(GO_TOOL) kubeconform \
+			$(KUBECONFORM_OPTS) \
+			-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
+	@$(GO_TOOL) helm lint $(SRC_ROOT)/charts/gardener-extension-admission-traefik/charts/application
+	@$(GO_TOOL) helm template $(SRC_ROOT)/charts/gardener-extension-admission-traefik/charts/application | \
 		$(GO_TOOL) kubeconform \
 			$(KUBECONFORM_OPTS) \
 			-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json'
@@ -260,22 +270,34 @@ kind-load-image:  ## Load extension images to target cluster.
 
 .PHONY: helm-load-chart
 helm-load-chart:  ## Load helm chart to local registry.
-	@$(GO_TOOL) helm package $(SRC_ROOT)/charts --version $(VERSION)
+	@$(GO_TOOL) helm package $(SRC_ROOT)/charts/gardener-extension-shoot-traefik --version $(VERSION)
 	@$(GO_TOOL) helm push --plain-http $(EXTENSION_NAME)-$(VERSION).tgz oci://$(LOCAL_REGISTRY)/helm-charts
 	@rm -f $(EXTENSION_NAME)-$(VERSION).tgz
+	@$(GO_TOOL) helm package $(SRC_ROOT)/charts/gardener-extension-admission-traefik/charts/runtime --version $(VERSION)
+	@$(GO_TOOL) helm push --plain-http admission-traefik-runtime-$(VERSION).tgz oci://$(LOCAL_REGISTRY)/helm-charts
+	@rm -f admission-traefik-runtime-$(VERSION).tgz
+	@$(GO_TOOL) helm package $(SRC_ROOT)/charts/gardener-extension-admission-traefik/charts/application --version $(VERSION)
+	@$(GO_TOOL) helm push --plain-http admission-traefik-application-$(VERSION).tgz oci://$(LOCAL_REGISTRY)/helm-charts
+	@rm -f admission-traefik-application-$(VERSION).tgz
 
 .PHONY: update-version-tags
 update-version-tags:  ## Update version tags in helm charts and example resources based on VERSION file.
 	@env version=$(VERSION) \
-		$(GO_TOOL) yq -i '.version = env(version)' $(SRC_ROOT)/charts/Chart.yaml
+		$(GO_TOOL) yq -i '.version = env(version)' $(SRC_ROOT)/charts/gardener-extension-shoot-traefik/Chart.yaml
 	@env image=$(IMAGE) tag=$(VERSION) \
-		$(GO_TOOL) yq -i '(.image.repository = env(image)) | (.image.tag = env(tag))' $(SRC_ROOT)/charts/values.yaml
+		$(GO_TOOL) yq -i '(.image.repository = env(image)) | (.image.tag = env(tag))' $(SRC_ROOT)/charts/gardener-extension-shoot-traefik/values.yaml
 	@env oci_charts=$(LOCAL_REGISTRY)/helm-charts/$(EXTENSION_NAME):$(VERSION) \
 		$(GO_TOOL) yq -i '.helm.ociRepository.ref = env(oci_charts)' $(SRC_ROOT)/examples/dev-setup/controllerdeployment.yaml
 	@env oci_charts=$(LOCAL_REGISTRY)/helm-charts/$(EXTENSION_NAME):$(VERSION) \
 		$(GO_TOOL) yq -i '.spec.deployment.extension.helm.ociRepository.ref = env(oci_charts)' $(SRC_ROOT)/examples/operator-extension/base/extension.yaml
+	@env oci_charts=$(LOCAL_REGISTRY)/helm-charts/admission-traefik-runtime:$(VERSION) \
+		$(GO_TOOL) yq -i '.spec.deployment.admission.runtimeCluster.helm.ociRepository.ref = env(oci_charts)' $(SRC_ROOT)/examples/operator-extension/base/extension.yaml
+	@env oci_charts=$(LOCAL_REGISTRY)/helm-charts/admission-traefik-application:$(VERSION) \
+		$(GO_TOOL) yq -i '.spec.deployment.admission.virtualCluster.helm.ociRepository.ref = env(oci_charts)' $(SRC_ROOT)/examples/operator-extension/base/extension.yaml
 	@env image=$(IMAGE) tag=$(VERSION) \
 		$(GO_TOOL) yq -i '(.spec.deployment.extension.values.image.repository = env(image)) | (.spec.deployment.extension.values.image.tag = env(tag))' $(SRC_ROOT)/examples/operator-extension/patches/extension.yaml
+	@env image=$(IMAGE) tag=$(VERSION) \
+		$(GO_TOOL) yq -i '(.spec.deployment.admission.runtimeCluster.values.image.repository = env(image)) | (.spec.deployment.admission.runtimeCluster.values.image.tag = env(tag))' $(SRC_ROOT)/examples/operator-extension/patches/extension.yaml
 
 deploy deploy-operator: export IMAGE=$(LOCAL_REGISTRY)/extensions/$(EXTENSION_NAME)
 

README.md

@@ -5,7 +5,7 @@ The `gardener-extension-shoot-traefik` deploys Traefik ingress controller to Gar
 ## Features
 
 - **Traefik Ingress Controller**: Deploys Traefik v3.x as the ingress controller in shoot clusters
-- **Admission Webhook**: Validates that Traefik extension is only enabled for shoots with purpose "evaluation"
+- **Admission Webhook**: Validates that Traefik extension is only enabled for shoots with purpose "evaluation". Deployed as a separate admission controller using the same binary with the `webhook` subcommand.
 - **ManagedResource**: Uses Gardener's ManagedResource mechanism for deployment and lifecycle management
 - **Configurable**: Supports custom Traefik image, replicas, and ingress class configuration
 
@@ -119,6 +119,57 @@ kubectl -n kube-system port-forward deployment/traefik 9000:9000
 
 Then open `http://localhost:9000/dashboard/` in your browser (the trailing `/` is required).
 
+## Admission Controller
+
+The extension includes an admission controller that validates Shoot resources to ensure
+the Traefik extension can only be enabled for shoots with `purpose: evaluation`.
+
+The admission controller is deployed as a separate component using the same binary
+(`extension-traefik webhook`) and has its own Helm charts under
+`charts/gardener-extension-admission-traefik/`. Following the Gardener extension
+convention, it consists of two sub-charts:
+
+- **`charts/runtime/`** — Deployed in the runtime cluster. Contains the Deployment,
+  Service, RBAC, VPA, and PodDisruptionBudget resources for the webhook server.
+- **`charts/application/`** — Deployed in the virtual garden cluster. Contains the
+  ClusterRole, ClusterRoleBinding, and ServiceAccount needed for the webhook to
+  access Shoot resources.
+
+### Deployment via Gardener Operator
+
+When deploying via `gardener-operator`, the admission controller is automatically
+deployed alongside the extension. The `Extension` resource (from group
+`operator.gardener.cloud/v1alpha1`) specifies both the extension and the admission
+deployment:
+
+```yaml
+apiVersion: operator.gardener.cloud/v1alpha1
+kind: Extension
+metadata:
+  name: gardener-extension-shoot-traefik
+spec:
+  deployment:
+    admission:
+      runtimeCluster:
+        helm:
+          ociRepository:
+            ref: <registry>/admission-shoot-traefik-runtime:<version>
+      virtualCluster:
+        helm:
+          ociRepository:
+            ref: <registry>/admission-shoot-traefik-application:<version>
+    extension:
+      helm:
+        ociRepository:
+          ref: <registry>/gardener-extension-shoot-traefik:<version>
+  resources:
+  - kind: Extension
+    type: shoot-traefik
+```
+
+See [`examples/operator-extension/`](./examples/operator-extension/) for a
+complete example.
+
 ## Development
 
 In order to build a binary of the extension, you can use the following command.
@@ -194,9 +245,9 @@ The `deploy-operator` target takes care of the following.
 
 1. Builds a Docker image of the extension
 2. Loads the image into the `kind` cluster nodes
-3. Packages the Helm charts and pushes them to the local registry
+3. Packages the Helm charts (extension + admission) and pushes them to the local registry
 4. Deploys the `Extension` (from group `operator.gardener.cloud/v1alpha1`) to
-   the _runtime_ cluster
+   the _runtime_ cluster, which includes the admission controller configuration
 
 Verify that we have successfully created the
 `Extension` (from group `operator.gardener.cloud/v1alpha1`) resource.

charts/gardener-extension-admission-traefik/charts/application/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/gardener-extension-admission-traefik/charts/application/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+description: A Helm chart to deploy the gardener-extension-admission-traefik application related resources
+name: admission-traefik-application
+version: 0.1.0
+sources:
+- https://github.com/gardener/gardener-extension-shoot-traefik

charts/gardener-extension-admission-traefik/charts/application/templates/_helpers.tpl

@@ -0,0 +1,15 @@
+{{- define "name" -}}
+gardener-extension-admission-traefik
+{{- end -}}
+
+{{- define "labels.app.key" -}}
+app.kubernetes.io/name
+{{- end -}}
+{{- define "labels.app.value" -}}
+{{ include "name" . }}
+{{- end -}}
+
+{{- define "labels" -}}
+{{ include "labels.app.key" . }}: {{ include "labels.app.value" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}

charts/gardener-extension-admission-traefik/charts/application/templates/rbac.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - core.gardener.cloud
+  resources:
+  - shoots
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  resourceNames:
+  - {{ include "name" . }}
+  verbs:
+  - patch
+  - update
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}
+subjects:
+{{- if .Values.gardener.virtualCluster.serviceAccount.name }}
+- kind: ServiceAccount
+  name: {{ required ".Values.gardener.virtualCluster.serviceAccount.name is required" .Values.gardener.virtualCluster.serviceAccount.name }}
+  namespace: {{ required ".Values.gardener.virtualCluster.serviceAccount.namespace is required" .Values.gardener.virtualCluster.serviceAccount.namespace }}
+{{- else }}
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/gardener-extension-admission-traefik/charts/application/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if and .Values.gardener.virtualCluster.enabled ( not .Values.gardener.virtualCluster.serviceAccount.name ) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "labels" . | indent 4 }}
+{{- end }}

charts/gardener-extension-admission-traefik/charts/application/values.yaml

@@ -0,0 +1,6 @@
+gardener:
+  virtualCluster:
+    enabled: true
+    serviceAccount: {}
+#     name: gardener-extension-admission-traefik
+#     namespace: kube-system

charts/gardener-extension-admission-traefik/charts/runtime/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/