feat: Split State server with Webhook

In some deployment models, we might need to deploy the webhook in the
host network. E.g. EKS with tunneling networking where the Control Plane
cannot communicate with pods through the pod network.

To facilitate this behavior we'd want to deploy only the webhook in the
host network and keep the state grpc server running on the Pod network.

This changeset aims to separate those two components into two different
deployables, the state and webhook deployments.
We're changing the chart to accomodate these changes.

Signed-off-by: Samuel Torres <[email protected]>

Author: samuel-form3

.github/workflows/release.yaml

@@ -26,6 +26,7 @@ jobs:
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}
+      WEBHOOK_IMAGE_NAME: ${{ github.repository }}-webhook
     steps:
       - name: Checkout Code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -51,20 +52,40 @@ jobs:
         id: build-push
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
         with:
+          file: "{context}/Dockerfile"
           provenance: true
           sbom: true
           push: true
           platforms: linux/amd64,linux/arm64
           labels: ${{ steps.meta.outputs.labels }}
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}
           outputs: "type=registry,push=true"
+      - name: Build and push webhook
+        id: build-push
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
+        with:
+          file: "{context}/Dockerfile.webhook"
+          provenance: true
+          sbom: true
+          push: true
+          platforms: linux/amd64,linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ env.REGISTRY }}/${{ env.WEBHOOK_IMAGE_NAME }}:${{ github.event.inputs.version }}
+          outputs: "type=registry,push=true"
       - name: Attest
         uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
         id: attest
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build-push.outputs.digest }}
           push-to-registry: true
+      - name: Attest Webhook
+        uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.WEBHOOK_IMAGE_NAME }}
+          subject-digest: ${{ steps.build-push.outputs.digest }}
+          push-to-registry: true
 
   publish-chart:
     needs: publish

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.3-alpine3.20 AS builder
+FROM golang:1.23 AS builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -11,11 +11,11 @@ COPY vendor/ vendor/
 RUN go mod verify
 
 COPY api/ api/
-COPY cmd/controller cmd/controller
+COPY cmd/state cmd/state
 COPY internal/ internal/
 COPY pkg/ pkg/
 
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o x-pdb cmd/controller/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o x-pdb cmd/state/main.go
 
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /

Dockerfile.webhook

@@ -0,0 +1,24 @@
+FROM golang:1.23 AS builder
+
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY vendor/ vendor/
+RUN go mod verify
+
+COPY api/ api/
+COPY cmd/webhook cmd/webhook
+COPY internal/ internal/
+COPY pkg/ pkg/
+
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o x-pdb cmd/webhook/main.go
+
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/x-pdb .
+USER 65532:65532
+ENTRYPOINT ["/x-pdb"]

Makefile

@@ -4,11 +4,13 @@
 
 # Image names
 IMG                       ?= ghcr.io/form3tech-oss/x-pdb:latest
+WEBHOOK_IMG               ?= ghcr.io/form3tech-oss/x-pdb-webhook:latest
 TEST_APP_IMG              ?= x-pdb-test:latest
 TEST_DISRUPTION_PROBE_IMG ?= x-pdb-test-disruption-probe:latest
 
 # Docker file paths
 DOCKERFILE_PATH                       ?= Dockerfile
+WEBHOOK_DOCKERFILE_PATH               ?= Dockerfile.webhook
 TEST_APP_DOCKERFILE_PATH              ?= Dockerfile.testapp
 TEST_DISRUPTION_PROBE_DOCKERFILE_PATH ?= Dockerfile.testdisruptionprobe
 
@@ -107,7 +109,7 @@ test-disruption-probe-load-image: ## Loads Test disruption probe docker image in
 	kind load docker-image $(TEST_DISRUPTION_PROBE_IMG) --name $(KIND_CLUSTER_NAME)
 
 .PHONY: deploy-e2e
-deploy-e2e: test-app-docker-build test-disruption-probe-docker-build docker-build ## Deploys x-pdb and loads test images into all the testing KinD clusters.
+deploy-e2e: test-app-docker-build test-disruption-probe-docker-build webhook-docker-build docker-build ## Deploys x-pdb and loads test images into all the testing KinD clusters.
 	@echo "building and deploying x-pdb and e2e test apps"
 	for number in 1 2 3; do \
 		$(MAKE) install CLUSTER=$$number; \
@@ -148,6 +150,10 @@ run: manifests generate fmt vet ## Run a controller from your host.
 docker-build: ## Build docker image with the manager.
 	$(CONTAINER_TOOL) build -f $(DOCKERFILE_PATH) -t $(IMG) .
 
+.PHONY: webhook-docker-build
+webhook-docker-build: ## Generates Test disruption probe docker image.
+	$(MAKE) docker-build IMG=$(WEBHOOK_IMG) DOCKERFILE_PATH=$(WEBHOOK_DOCKERFILE_PATH)
+
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	$(CONTAINER_TOOL) push ${IMG}
@@ -186,7 +192,7 @@ destroy-multi-cluster: ## Destroys all the testing KinD clusters.
 	kind get clusters | grep x-pdb | xargs -I {} kind delete cluster -n {}
 
 .PHONY: deploy
-deploy: docker-build ## Deploys x-pdb on all testing KinD clusters.
+deploy: docker-build webhook-docker-build ## Deploys x-pdb on all testing KinD clusters.
 	@echo "building and deploying x-pdb"
 	for number in 1 2 3; do \
 		$(MAKE) install CLUSTER=$$number; \
@@ -212,12 +218,16 @@ install-cert-manager: ## Installs cert-manager and a cluster issuer in a KinD cl
 kind-load: ## Loads an image into a KinD cluster.
 	kind load docker-image ${IMG} --name $(KIND_CLUSTER_NAME)
 
+.PHONY: kind-load-webhook
+kind-load-webhook: ## Loads Test App docker image into a KinD cluster.
+	kind load docker-image $(WEBHOOK_IMG) --name $(KIND_CLUSTER_NAME)
+
 .PHONY: gen-certs
 gen-certs: ## Generates all the TLS certificates for x-pdb
 	./hack/gen-certs.sh
 
 .PHONY: install
-install: kind-load ## Installs x-pdb into a cluster
+install: kind-load kind-load-webhook ## Installs x-pdb into a cluster
 	./hack/install-xpdb.sh $(CONTEXT) $(CLUSTER)
 
 ##@ Proto

charts/x-pdb/templates/_helpers.tpl

@@ -43,12 +43,12 @@ Create chart name and version as used by the chart label.
 {{- end }}
 
 {{/*
-Common labels
+State labels
 */}}
-{{- define "x-pdb.labels" -}}
+{{- define "x-pdb.stateLabels" -}}
 helm.sh/chart: {{ include "x-pdb.chart" . }}
-{{ include "x-pdb.selectorLabels" . -}}
-{{ with .Values.extraLabels }}
+{{ include "x-pdb.stateSelectorLabels" . -}}
+{{ with .Values.state.extraLabels }}
 {{- toYaml . }}
 {{- end }}
 {{- if .Chart.AppVersion }}
@@ -58,10 +58,33 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{/*
-Selector labels
+State Selector labels
 */}}
-{{- define "x-pdb.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "x-pdb.name" . }}
+{{- define "x-pdb.stateSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "x-pdb.name" . }}-state
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Webhook labels
+*/}}
+{{- define "x-pdb.webhookLabels" -}}
+helm.sh/chart: {{ include "x-pdb.chart" . }}
+{{ include "x-pdb.webhookSelectorLabels" . -}}
+{{ with .Values.webhook.extraLabels }}
+{{- toYaml . }}
+{{- end }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Webhook Selector labels
+*/}}
+{{- define "x-pdb.webhookSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "x-pdb.name" . }}-webhook
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 

charts/x-pdb/templates/certificates.yaml

@@ -1,55 +1,55 @@
-{{- if .Values.webhook.tls.certManager.enabled }}
+{{- if .Values.certificates.webhook.certManager.enabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: {{ include "x-pdb.fullname" . }}-webhook-cert
   namespace: {{ include "x-pdb.namespace" . }}
   labels:
-    {{- include "x-pdb.labels" . | nindent 4 }}
+    {{- include "x-pdb.webhookLabels" . | nindent 4 }}
 spec:
-  {{- if .Values.webhook.tls.certManager.injectFromSecret }}
+  {{- if .Values.certificates.webhook.certManager.injectFromSecret }}
   secretTemplate:
     annotations:
       cert-manager.io/allow-direct-injection: "true"
   {{- end }}
   dnsNames:
-  - {{ include "x-pdb.fullname" . }}.{{ .Release.Namespace }}.svc
-  - {{ include "x-pdb.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ include "x-pdb.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+  - {{ include "x-pdb.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local
   issuerRef:
-    {{- toYaml .Values.webhook.tls.certManager.issuerRef | nindent 4 }}
+    {{- toYaml .Values.certificates.webhook.certManager.issuerRef | nindent 4 }}
   secretName: {{ include "x-pdb.fullname" . }}-webhook-cert
-  renewBefore: {{ .Values.webhook.tls.certManager.renewBefore }}
-  duration: {{ .Values.webhook.tls.certManager.duration }}
+  renewBefore: {{ .Values.certificates.webhook.certManager.renewBefore }}
+  duration: {{ .Values.certificates.webhook.certManager.duration }}
   privateKey:
     algorithm: RSA
     encoding: PKCS1
     size: 2048
 {{- end }}
 
-{{- if .Values.controller.tls.certManager.enabled }}
+{{- if .Values.certificates.state.certManager.enabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "x-pdb.fullname" . }}-controller-cert
+  name: {{ include "x-pdb.fullname" . }}-state-cert
   namespace: {{ include "x-pdb.namespace" . }}
   labels:
-    {{- include "x-pdb.labels" . | nindent 4 }}
+    {{- include "x-pdb.stateLabels" . | nindent 4 }}
 spec:
   dnsNames:
-    {{- toYaml .Values.controller.tls.certManager.dnsNames | nindent 4 }}
+    {{- toYaml .Values.certificates.state.certManager.dnsNames | nindent 4 }}
   ipAddresses:
-    {{- toYaml .Values.controller.tls.certManager.ipAddresses | nindent 4 }}
+    {{- toYaml .Values.certificates.state.certManager.ipAddresses | nindent 4 }}
   issuerRef:
-    {{- toYaml .Values.webhook.tls.certManager.issuerRef | nindent 4 }}
-  secretName: {{ include "x-pdb.fullname" . }}-controller-cert
+    {{- toYaml .Values.certificates.state.certManager.issuerRef | nindent 4 }}
+  secretName: {{ include "x-pdb.fullname" . }}-state-cert
   privateKey:
     algorithm: RSA
     encoding: PKCS1
     size: 2048
-  renewBefore: {{ .Values.webhook.tls.certManager.renewBefore }}
-  duration: {{ .Values.webhook.tls.certManager.duration }}
+  renewBefore: {{ .Values.certificates.state.certManager.renewBefore }}
+  duration: {{ .Values.certificates.state.certManager.duration }}
   usages:
     - digital signature
     - key encipherment