[Feature] Add Webhook

Signed-off-by: yandongxiao <[email protected]>

Author: yandongxiao

CLAUDE.md

@@ -0,0 +1,104 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Development Commands
+
+### Build and Development
+- `make build` - Build the operator binary (output: bin/sroperator)
+- `make run` - Run the controller locally from your host
+- `make docker` - Build Docker image (requires IMG environment variable)
+- `make test` - Run all tests with coverage
+- `make fmt` - Format Go code (fails if formatting needed)
+- `make vet` - Run go vet static analysis
+- `make tidy` - Clean up go.mod dependencies
+
+### Code Quality and Testing Workflow
+When making code changes, always run these commands in order:
+1. `golangci-lint run` - Check code quality and style
+2. `make build` - Verify code compiles successfully
+3. `go test ./pkg/path/to/your/package` - Run unit tests for modified packages
+4. `make test` - Run full test suite if needed
+
+**Important**: All three checks must pass before committing code changes.
+
+### Code Generation
+- `make generate` - Generate DeepCopy methods for API types
+- `make manifests` - Generate CRDs, webhooks, and RBAC manifests
+- `make crd-all` - Generate all CRDs and API documentation
+- `make gen-api` - Generate API reference documentation (NOTE: This automatically runs during `make build` - no need to run separately)
+
+### Kubernetes Deployment
+- `make install` - Install CRDs into current Kubernetes cluster
+- `make deploy` - Deploy operator to current Kubernetes cluster
+- `make uninstall` - Remove CRDs from cluster
+- `make undeploy` - Remove operator from cluster
+
+## Architecture
+
+### Core Components
+This is a Kubernetes operator for StarRocks, an OLAP database system. The operator manages three main component types:
+- **FE (Frontend)** - Query coordination and metadata management
+- **BE (Backend)** - Data storage and compute for OLAP workloads  
+- **CN (Compute Node)** - Elastic compute nodes, can be auto-scaled
+
+### Code Structure
+- `pkg/apis/starrocks/v1/` - CRD definitions for StarRocksCluster and StarRocksWarehouse
+- `pkg/controllers/` - Main reconciliation controllers for the CRDs
+- `pkg/subcontrollers/` - Component-specific controllers (fe/, be/, cn/, feproxy/)
+- `pkg/k8sutils/` - Kubernetes resource management utilities and templates
+- `pkg/common/` - Shared utilities (hashing, logging, resource utils)
+- `cmd/main.go` - Operator entry point
+- `config/crd/` - CRD definitions and patches (only CRDs remain after kustomize removal)
+- `deploy/` - Generated YAML files for direct application (generated by scripts/operator.sh)
+- `helm-charts/` - Helm charts for operator and StarRocks deployment
+  - `charts/kube-starrocks/` - Parent chart composed of two sub-charts
+  - `charts/kube-starrocks/charts/operator/` - Operator deployment chart
+  - `charts/kube-starrocks/charts/starrocks/` - StarRocks cluster deployment chart
+- `examples/` - Sample StarRocks cluster configurations
+
+### Key Patterns
+- Uses Kubebuilder v3 framework for operator development
+- Employs subcontroller pattern where main controllers delegate to component-specific subcontrollers
+- Extensive use of Kubernetes templates in `pkg/k8sutils/templates/` for generating resources
+- Auto-scaling support specifically for CN (Compute Node) components
+- Support for both direct YAML application and Helm-based deployment
+- Kustomize support has been removed - only Helm charts and direct YAML files are supported
+
+### Testing
+- Unit tests are co-located with source files (`*_test.go`)
+- Integration tests use controller-runtime's envtest framework
+- Test coverage reports generated during `make test`
+- Uses go-sqlmock for database interaction testing
+
+### Important Files
+- `pkg/apis/starrocks/v1/starrockscluster_types.go` - Main CRD specification
+- `pkg/controllers/starrockscluster_controller.go` - Primary reconciliation logic
+- `pkg/subcontrollers/subcontroller.go` - Base interface for component controllers
+- `pkg/webhook/starrockscluster_webhook.go` - Validating admission webhook for StarRocksCluster
+- `scripts/operator.sh` - Generates `deploy/operator.yaml` using `helm template`
+- `scripts/create-parent-chart-values.sh` - Generates parent chart values.yaml
+
+### Webhook Configuration
+- The operator includes a validating admission webhook that validates StarRocksCluster resources
+- Webhook validates cluster configuration, resource requirements, HA settings, and autoscaling policies
+- Webhook can be enabled/disabled through Helm values (`starrocksOperator.webhook.enabled`)
+- Supports both automatic self-signed certificate generation and custom certificates
+
+#### Local Development with Webhooks
+- By default, webhooks are disabled when running locally (`make run`)
+- To enable webhooks locally: `make run -- --enable-webhooks`
+- The operator automatically generates self-signed certificates when webhooks are enabled
+- No manual certificate generation needed for local development
+
+#### Production Deployment with Webhooks
+- Enable webhooks in Helm values: `starrocksOperator.webhook.enabled=true`
+- For custom certificates, provide secret name in `starrocksOperator.webhook.tls.secretName`
+- Recommended to use cert-manager for automatic certificate management
+
+#### Webhook Certificate Management
+- The operator automatically generates self-signed certificates when webhooks are enabled and no custom certificate is provided
+- Certificates are stored in an emptyDir volume mounted at the path specified by `starrocksOperator.webhook.tls.certDir`
+- The operator dynamically updates the ValidatingAdmissionWebhook configuration with the CA bundle after startup
+- This ensures proper TLS verification between Kubernetes API server and the webhook endpoint
+- For production use, consider using cert-manager or providing your own certificates via `starrocksOperator.webhook.tls.secretName`

Makefile

@@ -155,10 +155,6 @@ ENVTEST = $(GOBIN)/setup-envtest
 envtest: ## Download envtest-setup locally if necessary.
 	$(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 
-.PHONY: gen-api
-gen-api:
-	cd scripts && ./gen-api-reference-docs.sh
-
 .PHONY: crd-all
 crd-all: generate manifests gen-api
 

cmd/config/config.go

@@ -8,6 +8,9 @@ var (
 
 	// VolumeNameWithHash decides whether adding a hash to the volume name
 	VolumeNameWithHash bool
+
+	// WebhookCertValidityDays is the validity period in days for self-signed certificates
+	WebhookCertValidityDays int
 )
 
 func GetServiceDomainSuffix() string {

cmd/main.go

@@ -17,27 +17,69 @@ limitations under the License.
 package main
 
 import (
+	"context"
 	"flag"
+	"fmt"
 	"os"
 	"time"
 
+	"github.com/go-logr/logr"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
 	"github.com/StarRocks/starrocks-kubernetes-operator/cmd/config"
 	srapi "github.com/StarRocks/starrocks-kubernetes-operator/pkg/apis/starrocks/v1"
 	"github.com/StarRocks/starrocks-kubernetes-operator/pkg/controllers"
 	"github.com/StarRocks/starrocks-kubernetes-operator/pkg/k8sutils"
+	srwebhook "github.com/StarRocks/starrocks-kubernetes-operator/pkg/webhook"
 )
 
 var (
 	_metricsAddr          string
 	_enableLeaderElection bool
 	_probeAddr            string
 	_namespace            string
+	_enableWebhooks       bool
 )
 
+// caBundleUpdater updates the ValidatingAdmissionWebhook with CA bundle after manager starts
+type caBundleUpdater struct {
+	client client.Client
+	caCert []byte
+	logger logr.Logger
+}
+
+// Start implements the Runnable interface
+func (c *caBundleUpdater) Start(ctx context.Context) error {
+	c.logger.Info("updating webhook CA bundle")
+
+	webhookName := "starrockscluster-validating-webhook"
+
+	// Get the existing ValidatingAdmissionWebhook
+	webhook := &admissionregistrationv1.ValidatingWebhookConfiguration{}
+	if err := c.client.Get(ctx, types.NamespacedName{Name: webhookName}, webhook); err != nil {
+		return fmt.Errorf("failed to get ValidatingAdmissionWebhook: %v", err)
+	}
+
+	// Update caBundle for all webhooks
+	for i := range webhook.Webhooks {
+		webhook.Webhooks[i].ClientConfig.CABundle = c.caCert
+	}
+
+	// Update the webhook configuration
+	if err := c.client.Update(ctx, webhook); err != nil {
+		return fmt.Errorf("failed to update ValidatingAdmissionWebhook: %v", err)
+	}
+
+	c.logger.Info("webhook CA bundle updated successfully")
+	return nil
+}
+
 func main() {
 	flag.StringVar(&_metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&_probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
@@ -48,6 +90,10 @@ func main() {
 		"restricts the manager's cache to watch objects in the desired namespace. Defaults to all namespaces.")
 	flag.StringVar(&config.DNSDomainSuffix, "dns-domain-suffix", "cluster.local", "The suffix of the dns domain in k8s")
 	flag.BoolVar(&config.VolumeNameWithHash, "volume-name-with-hash", true, "Add a hash to the volume name")
+	flag.BoolVar(&_enableWebhooks, "enable-webhooks", false, "Enable admission webhooks. "+
+		"Requires TLS certificates to be configured. Disabled by default for local development.")
+	flag.IntVar(&config.WebhookCertValidityDays, "webhook-cert-validity-days", 365,
+		"Validity period in days for self-signed webhook certificates")
 
 	// Set up logger.
 	opts := zap.Options{}
@@ -86,6 +132,41 @@ func main() {
 		os.Exit(1)
 	}
 
+	// setup webhooks if enabled
+	if _enableWebhooks {
+		// Get webhook configuration from environment variables
+		webhookNamespace := os.Getenv("WEBHOOK_NAMESPACE")
+		webhookServiceName := os.Getenv("WEBHOOK_SERVICE_NAME")
+		webhookCertDir := os.Getenv("WEBHOOK_CERT_DIR")
+
+		// Generate self-signed certificates if not provided
+		caCert, err := srwebhook.GenerateSelfSignedCerts(webhookCertDir, webhookServiceName, webhookNamespace, config.WebhookCertValidityDays)
+		if err != nil {
+			logger.Error(err, "unable to generate self-signed certificates")
+			os.Exit(1)
+		}
+		logger.Info("self-signed certificates generated for webhook server", "validityDays",
+			config.WebhookCertValidityDays, "namespace", webhookNamespace, "serviceName", webhookServiceName, "certDir", webhookCertDir)
+
+		// Add CA bundle updater as a runnable that starts after the manager cache is ready
+		if err := mgr.Add(&caBundleUpdater{
+			client: mgr.GetClient(),
+			caCert: caCert,
+			logger: logger.WithName("ca-bundle-updater"),
+		}); err != nil {
+			logger.Error(err, "unable to add CA bundle updater")
+			os.Exit(1)
+		}
+
+		if err := setupWebhooks(mgr); err != nil {
+			logger.Error(err, "unable to set up webhooks")
+			os.Exit(1)
+		}
+		logger.Info("webhooks enabled")
+	} else {
+		logger.Info("webhooks disabled - use --enable-webhooks to enable")
+	}
+
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
@@ -107,3 +188,22 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// setupWebhooks sets up webhooks for the manager
+func setupWebhooks(mgr ctrl.Manager) error {
+	// Set up the webhook server
+	hookServer := mgr.GetWebhookServer()
+	if hookServer == nil {
+		return fmt.Errorf("failed to get webhook server from manager")
+	}
+
+	// Register the StarRocksCluster validating webhook
+	validator := &srwebhook.StarRocksClusterValidator{
+		Client: mgr.GetClient(),
+	}
+
+	hookServer.Register("/validate-starrocks-com-v1-starrockscluster",
+		&webhook.Admission{Handler: validator})
+
+	return nil
+}