add webhook for deletion validation

commands/alpha/repo/reg/command.go

@@ -88,7 +88,7 @@ type runner struct {
 
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/repo/unreg/command.go

@@ -71,7 +71,7 @@ type runner struct {
 
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/rpkg/clone/command.go

@@ -92,7 +92,7 @@ type runner struct {
 
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/rpkg/copy/command.go

@@ -69,7 +69,7 @@ type runner struct {
 
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/rpkg/del/command.go

@@ -71,7 +71,7 @@ type runner struct {
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
 
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/rpkg/init/command.go

@@ -80,7 +80,7 @@ type runner struct {
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
 
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/rpkg/propose/command.go

@@ -69,7 +69,7 @@ type runner struct {
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
 
-	client, err := porch.CreateClient(r.cfg)
+	client, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

commands/alpha/rpkg/update/command.go

@@ -72,7 +72,7 @@ type runner struct {
 
 func (r *runner) preRunE(cmd *cobra.Command, args []string) error {
 	const op errors.Op = command + ".preRunE"
-	c, err := porch.CreateClient(r.cfg)
+	c, err := porch.CreateClientWithFlags(r.cfg)
 	if err != nil {
 		return errors.E(op, err)
 	}

internal/util/porch/client.go

@@ -30,12 +30,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func CreateClient(flags *genericclioptions.ConfigFlags) (client.Client, error) {
-	config, err := flags.ToRESTConfig()
-	if err != nil {
-		return nil, err
-	}
-
+func CreateClient(config *rest.Config) (client.Client, error) {
 	scheme, err := createScheme()
 	if err != nil {
 		return nil, err
@@ -52,6 +47,15 @@ func CreateClient(flags *genericclioptions.ConfigFlags) (client.Client, error) {
 	return c, nil
 }
 
+func CreateClientWithFlags(flags *genericclioptions.ConfigFlags) (client.Client, error) {
+	config, err := flags.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	return CreateClient(config)
+}
+
 func CreateDynamicClient(flags *genericclioptions.ConfigFlags) (client.WithWatch, error) {
 	config, err := flags.ToRESTConfig()
 	if err != nil {

porch/Makefile

@@ -43,6 +43,7 @@ endif
 PORCH_SERVER_IMAGE ?= porch-server
 PORCH_FUNCTION_RUNNER_IMAGE ?= porch-function-runner
 PORCH_CONTROLLERS_IMAGE ?= porch-controllers
+PORCH_WEBHOOKS_IMAGE ?= porch-webhooks
 PORCH_WRAPPER_SERVER_IMAGE ?= porch-wrapper-server
 TEST_GIT_SERVER_IMAGE ?= test-git-server
 
@@ -179,13 +180,15 @@ fix-all: fix-headers fmt tidy
 push-images:
 	docker buildx build --push --tag $(IMAGE_REPO)/$(PORCH_SERVER_IMAGE):$(IMAGE_TAG) -f ./build/Dockerfile.porch "$(KPTDIR)"
 	IMAGE_NAME="$(PORCH_CONTROLLERS_IMAGE)" make -C controllers/ push-image
+	IMAGE_NAME="$(PORCH_WEBHOOKS_IMAGE)" make -C webhooks/ push-image
 	IMAGE_NAME="$(PORCH_FUNCTION_RUNNER_IMAGE)" WRAPPER_SERVER_IMAGE_NAME="$(PORCH_WRAPPER_SERVER_IMAGE)" make -C func/ push-image
 	IMAGE_NAME="$(TEST_GIT_SERVER_IMAGE)" make -C test/ push-image
 
 .PHONY: build-images
 build-images:
 	docker buildx build --load --tag $(IMAGE_REPO)/$(PORCH_SERVER_IMAGE):$(IMAGE_TAG) -f ./build/Dockerfile.porch "$(KPTDIR)"
 	IMAGE_NAME="$(PORCH_CONTROLLERS_IMAGE)" make -C controllers/ build-image
+	IMAGE_NAME="$(PORCH_WEBHOOKS_IMAGE)" make -C webhooks/ build-image
 	IMAGE_NAME="$(PORCH_FUNCTION_RUNNER_IMAGE)" WRAPPER_SERVER_IMAGE_NAME="$(PORCH_WRAPPER_SERVER_IMAGE)" make -C func/ build-image
 	IMAGE_NAME="$(TEST_GIT_SERVER_IMAGE)" make -C test/ build-image
 
@@ -218,6 +221,7 @@ deployment-config:
 	  --destination "$(DEPLOYCONFIGDIR)" \
 	  --server-image "$(IMAGE_REPO)/$(PORCH_SERVER_IMAGE):$(IMAGE_TAG)" \
 	  --controllers-image "$(IMAGE_REPO)/$(PORCH_CONTROLLERS_IMAGE):$(IMAGE_TAG)" \
+  	  --webhooks-image "$(IMAGE_REPO)/$(PORCH_WEBHOOKS_IMAGE):$(IMAGE_TAG)" \
 	  --function-image "$(IMAGE_REPO)/$(PORCH_FUNCTION_RUNNER_IMAGE):$(IMAGE_TAG)" \
 	  --wrapper-server-image "$(IMAGE_REPO)/$(PORCH_WRAPPER_SERVER_IMAGE):$(IMAGE_TAG)" \
 	  --enabled-reconcilers "$(ENABLED_RECONCILERS)" \
@@ -244,6 +248,7 @@ deployment-config-no-sa:
 	  --destination "$(DEPLOYCONFIG_NO_SA_DIR)" \
 	  --server-image "$(IMAGE_REPO)/$(PORCH_SERVER_IMAGE):$(IMAGE_TAG)" \
 	  --controllers-image "$(IMAGE_REPO)/$(PORCH_CONTROLLERS_IMAGE):$(IMAGE_TAG)" \
+	  --webhooks-image "$(IMAGE_REPO)/$(PORCH_WEBHOOKS_IMAGE):$(IMAGE_TAG)" \
 	  --function-image "$(IMAGE_REPO)/$(PORCH_FUNCTION_RUNNER_IMAGE):$(IMAGE_TAG)" \
 	  --wrapper-server-image "$(IMAGE_REPO)/$(PORCH_WRAPPER_SERVER_IMAGE):$(IMAGE_TAG)" \
 	  --enabled-reconcilers "$(ENABLED_RECONCILERS)"
@@ -260,6 +265,7 @@ run-in-kind:
 	IMAGE_REPO=porch-kind make build-images
 	kind load docker-image porch-kind/porch-server:${IMAGE_TAG}
 	kind load docker-image porch-kind/porch-controllers:${IMAGE_TAG}
+	kind load docker-image porch-kind/porch-webhooks:${IMAGE_TAG}
 	kind load docker-image porch-kind/porch-function-runner:${IMAGE_TAG}
 	kind load docker-image porch-kind/porch-wrapper-server:${IMAGE_TAG}
 	kind load docker-image porch-kind/test-git-server:${IMAGE_TAG}

porch/api/porch/types_packagerevisions.go

@@ -70,6 +70,8 @@ type PackageRevisionSpec struct {
 
 	Lifecycle PackageRevisionLifecycle `json:"lifecycle,omitempty"`
 
+	DeletionProposed bool `json:"deletionProposed,omitempty"`
+
 	Tasks []Task `json:"tasks,omitempty"`
 
 	ReadinessGates []ReadinessGate `json:"readinessGates,omitempty"`

porch/api/porch/v1alpha1/types_packagerevisions.go

@@ -78,6 +78,8 @@ type PackageRevisionSpec struct {
 
 	Lifecycle PackageRevisionLifecycle `json:"lifecycle,omitempty"`
 
+	DeletionProposed bool `json:"deletionProposed,omitempty"`
+
 	Tasks []Task `json:"tasks,omitempty"`
 
 	ReadinessGates []ReadinessGate `json:"readinessGates,omitempty"`

porch/deployments/porch/10-webhooks.yaml

@@ -0,0 +1,73 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: porch-webhook
+  namespace: porch-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: porch-webhook
+  namespace: porch-system
+spec:
+     replicas: 1
+     selector:
+       matchLabels:
+         app: porch-webhook
+     template:
+       metadata:
+         labels:
+           app: porch-webhook
+       spec:
+         serviceAccountName: porch-webhook
+         volumes:
+           - name: webhook-certs
+             emptyDir: {}
+         containers:
+           - name: porch-webhook
+             # Update image to the image of your porch apiserver build.
+             image: gcr.io/example-google-project-id/porch-webhooks:latest
+             imagePullPolicy: IfNotPresent
+             resources:
+               requests:
+                 memory: "256Mi"
+                 cpu: "250m"
+               limits:
+                 memory: "512Mi"
+             volumeMounts:
+               - mountPath: /etc/webhook/certs
+                 name: webhook-certs
+             env:
+               - name: VALIDATE_CONFIG
+                 value: validating-webhook-configuration
+               - name: WEBHOOK_SERVICE
+                 value: webhook-service
+               - name: WEBHOOK_NAMESPACE
+                 value: porch-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook-service
+  namespace: porch-system
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 443
+  selector:
+    app: porch-webhook

porch/deployments/porch/5-rbac.yaml

@@ -38,6 +38,22 @@ rules:
     resources: ["flowschemas", "prioritylevelconfigurations"]
     verbs: ["get", "watch", "list"]
 ---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: webhooks-clusterrole
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources:
+      ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+    verbs: ["get", "watch", "list", "create", "patch", "delete"]
+  - apiGroups: [ "porch.kpt.dev" ]
+    resources: [ "packagerevisions", "packagerevisions/status" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: ["config.porch.kpt.dev"]
+    resources: ["packagerevs", "packagerevs/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

porch/deployments/porch/6-rbac-bind.yaml

@@ -26,6 +26,19 @@ subjects:
     namespace: porch-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: sample-webhooks-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: webhooks-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: porch-webhook
+    namespace: porch-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: sample-apiserver-rolebinding

porch/pkg/engine/engine.go

@@ -23,6 +23,7 @@ import (
 	"path"
 	"path/filepath"
 	"reflect"
+	"strconv"
 	"strings"
 	"unicode"
 
@@ -115,10 +116,18 @@ func (p *PackageRevision) GetPackageRevision(ctx context.Context) (*api.PackageR
 		}
 		repoPkgRev.Labels[api.LatestPackageRevisionKey] = api.LatestPackageRevisionValue
 	}
+	repoPkgRev.Spec.DeletionProposed, err = strconv.ParseBool(p.packageRevisionMeta.Labels[meta.PkgRevisionDeletionProposedLabel])
+	if err != nil {
+		klog.Warningf("could not parse deletionProposed label %s: %s", p.packageRevisionMeta.Labels[meta.PkgRevisionDeletionProposedLabel], err.Error())
+		repoPkgRev.Spec.DeletionProposed = false
+	}
+	delete(repoPkgRev.Labels, meta.PkgRevisionDeletionProposedLabel)
+
 	repoPkgRev.Annotations = p.packageRevisionMeta.Annotations
 	repoPkgRev.Finalizers = p.packageRevisionMeta.Finalizers
 	repoPkgRev.OwnerReferences = p.packageRevisionMeta.OwnerReferences
 	repoPkgRev.DeletionTimestamp = p.packageRevisionMeta.DeletionTimestamp
+
 	return repoPkgRev, nil
 }
 
@@ -332,10 +341,12 @@ func (cad *cadEngine) CreatePackageRevision(ctx context.Context, repositoryObj *
 	if err != nil {
 		return nil, err
 	}
+	labels := obj.Labels
+	labels[meta.PkgRevisionDeletionProposedLabel] = strconv.FormatBool(obj.Spec.DeletionProposed)
 	pkgRevMeta := meta.PackageRevisionMeta{
 		Name:            repoPkgRev.KubeObjectName(),
 		Namespace:       repoPkgRev.KubeObjectNamespace(),
-		Labels:          obj.Labels,
+		Labels:          labels,
 		Annotations:     obj.Annotations,
 		Finalizers:      obj.Finalizers,
 		OwnerReferences: obj.OwnerReferences,
@@ -702,10 +713,16 @@ func (cad *cadEngine) UpdatePackageRevision(ctx context.Context, repositoryObj *
 }
 
 func (cad *cadEngine) updatePkgRevMeta(ctx context.Context, repoPkgRev repository.PackageRevision, apiPkgRev *api.PackageRevision) (meta.PackageRevisionMeta, error) {
+	labels := apiPkgRev.Labels
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	labels[meta.PkgRevisionDeletionProposedLabel] = strconv.FormatBool(apiPkgRev.Spec.DeletionProposed)
+
 	pkgRevMeta := meta.PackageRevisionMeta{
 		Name:            repoPkgRev.KubeObjectName(),
 		Namespace:       repoPkgRev.KubeObjectNamespace(),
-		Labels:          apiPkgRev.Labels,
+		Labels:          labels,
 		Annotations:     apiPkgRev.Annotations,
 		Finalizers:      apiPkgRev.Finalizers,
 		OwnerReferences: apiPkgRev.OwnerReferences,

porch/pkg/meta/store.go

@@ -31,8 +31,9 @@ import (
 var tracer = otel.Tracer("meta")
 
 const (
-	PkgRevisionRepoLabel = "internal.porch.kpt.dev/repository"
-	PkgRevisionFinalizer = "internal.porch.kpt.dev/packagerevision"
+	PkgRevisionRepoLabel             = "internal.porch.kpt.dev/repository"
+	PkgRevisionFinalizer             = "internal.porch.kpt.dev/packagerevision"
+	PkgRevisionDeletionProposedLabel = "internal.porch.kpt.dev/deletionProposed"
 )
 
 var (