Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Implement the admission server and a validation webhook for plugins #573

Merged
merged 23 commits into from
Sep 1, 2021
Merged

feat: Implement the admission server and a validation webhook for plugins #573

merged 23 commits into from
Sep 1, 2021

Conversation

fgksgf
Copy link
Member

@fgksgf fgksgf commented Jul 6, 2021
edited
Loading

Please answer these questions before submitting a pull request

New feature or improvement

  • Describe the details and related test reports.
    Implement an admission server via kubewebhook to validate configurations like plugins.

TODO

  • implement an admission server
  • implement a validating webhook for plugins
  • add YAML of webhook
  • add e2e test

@codecov-commenter
Copy link

codecov-commenter commented Jul 6, 2021
edited
Loading

Codecov Report

Merging #573 (240ffae) into master (62b7590) will increase coverage by 0.40%.
The diff coverage is 50.64%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #573      +/-   ##
==========================================
+ Coverage   34.31%   34.72%   +0.40%     
==========================================
  Files          57       60       +3     
  Lines        5746     5892     +146     
==========================================
+ Hits         1972     2046      +74     
- Misses       3527     3596      +69     
- Partials      247      250       +3
Impacted Files Coverage Δ
pkg/api/router/router.go 75.00% <ø> (ø)
pkg/api/validation/apisix_route.go 21.53% <21.53%> (ø)
pkg/api/validation/utils.go 46.15% <46.15%> (ø)
pkg/api/server.go 81.81% <79.31%> (+5.95%) ⬆️
cmd/ingress/ingress.go 77.27% <100.00%> (+0.26%) ⬆️
pkg/api/router/webhook.go 100.00% <100.00%> (ø)
pkg/config/config.go 86.44% <100.00%> (+0.72%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 62b7590...240ffae. Read the comment docs.

@fgksgf fgksgf marked this pull request as ready for review August 14, 2021 13:34
@fgksgf fgksgf requested a review from gxthrj August 14, 2021 13:34
gxthrj
gxthrj reviewed Aug 14, 2021
View reviewed changes
Copy link
Contributor

@gxthrj gxthrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, Need to add e2e test case to cover the logic of validating with the schema from APISIX.

pkg/api/validation/apisix_route.go Show resolved Hide resolved
pkg/api/router/webhook.go Outdated Show resolved Hide resolved
@fgksgf
Copy link
Member Author

fgksgf commented Aug 15, 2021

BTW, Need to add e2e test case to cover the logic of validating with the schema from APISIX.

Ok, where should I put the code, test/e2e/features/ or test/e2e/ingress/?

@tao12345666333 tao12345666333 added this to the 1.3.0 milestone Aug 18, 2021
@fgksgf fgksgf changed the title [WIP] Implement the admission server Implement the admission server Aug 22, 2021
@fgksgf fgksgf changed the title Implement the admission server feat: Implement the admission server and a validation webhook for plugins Aug 23, 2021
tokers
tokers reviewed Aug 23, 2021
View reviewed changes
Makefile Outdated Show resolved Hide resolved
cmd/ingress/ingress.go Outdated Show resolved Hide resolved
conf/config-default.yaml Outdated Show resolved Hide resolved
pkg/api/server.go
httpServer.GET("/debug/pprof/*profile", gin.WrapF(srv.pprofMu.ServeHTTP))
}

cert, err := tls.LoadX509KeyPair(cfg.CertFilePath, cfg.KeyFilePath)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it be optional? Only enable TLS if the certificate and private key are specified simultaneously.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because cfg.CertFilePath and cfg.KeyFilePath have default values.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then you should prepare the default certificate and private key, or it's difficult to start the server in the local environment.

pkg/api/server.go Outdated Show resolved Hide resolved
pkg/api/validation/apisix_route.go Show resolved Hide resolved
pkg/api/validation/apisix_route.go Outdated Show resolved Hide resolved
pkg/api/validation/utils.go Outdated

// GetSchemaClient returns a Schema client in the singleton way.
// It can query the schema of objects from APISIX.
func GetSchemaClient() (apisix.Schema, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why fetch schema in the singleton way, schema is synchronized periodically.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't get your point, it seems that the singleton will not interfere with the synchronization process.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just ignore my comment as long as the schema cache is refreshed periodically.

pkg/api/validation/utils.go Show resolved Hide resolved
test/e2e/ingress/webhook.go Outdated Show resolved Hide resolved
@tokers
Copy link
Contributor

tokers commented Aug 23, 2021

@fgksgf After this PR was approved, we need to change helm chart so that people can use it.

fgksgf
fgksgf commented Aug 25, 2021
View reviewed changes
test/e2e/scaffold/ssl.go Outdated Show resolved Hide resolved
fgksgf
fgksgf commented Aug 25, 2021
View reviewed changes
test/e2e/scaffold/scaffold.go Outdated Show resolved Hide resolved
@fgksgf fgksgf requested a review from tokers August 25, 2021 13:40
@fgksgf
Copy link
Member Author

fgksgf commented Aug 25, 2021

@gxthrj @tokers @tao12345666333 PTAL

gxthrj
gxthrj reviewed Aug 29, 2021
View reviewed changes
test/e2e/scaffold/ingress.go Outdated Show resolved Hide resolved
test/e2e/scaffold/ingress.go Outdated Show resolved Hide resolved
tokers
tokers reviewed Aug 30, 2021
View reviewed changes
pkg/api/server.go Outdated Show resolved Hide resolved
pkg/api/server.go Show resolved Hide resolved
pkg/api/router/webhook.go Show resolved Hide resolved
pkg/api/router/webhook.go Outdated Show resolved Hide resolved
pkg/api/server.go
httpServer.GET("/debug/pprof/*profile", gin.WrapF(srv.pprofMu.ServeHTTP))
}

cert, err := tls.LoadX509KeyPair(cfg.CertFilePath, cfg.KeyFilePath)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then you should prepare the default certificate and private key, or it's difficult to start the server in the local environment.

pkg/api/server.go Outdated Show resolved Hide resolved
pkg/api/validation/apisix_route.go Outdated Show resolved Hide resolved
test/e2e/scaffold/scaffold.go Outdated Show resolved Hide resolved
test/e2e/scaffold/scaffold.go Outdated Show resolved Hide resolved
@fgksgf
Copy link
Member Author

fgksgf commented Aug 30, 2021

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.

I can help integrate cert-manager after webhooks are implemented.

@tokers
Copy link
Contributor

tokers commented Aug 30, 2021

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.

I can help integrate cert-manager after webhooks are implemented.

We may use CertificateSigningRequest, and give documentation to guide people.

@fgksgf
Copy link
Member Author

fgksgf commented Aug 30, 2021

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.
I can help integrate cert-manager after webhooks are implemented.

We may use CertificateSigningRequest, and give documentation to guide people.

Good idea. But how about file a new PR to do this, because the current PR is a bit huge.

@tokers
Copy link
Contributor

tokers commented Aug 30, 2021

reply: #573 (comment)

If we provide default TLS Certificates, they are not signed by CA, and the webhook still can't work. We can accomplish this after we have cert-manager.
I can help integrate cert-manager after webhooks are implemented.

We may use CertificateSigningRequest, and give documentation to guide people.

Good idea. But how about file a new PR to do this, because the current PR is a bit huge.

Sure.

@fgksgf
Copy link
Member Author

fgksgf commented Aug 30, 2021
edited
Loading

Webhook E2E test:
image

image

@gxthrj gxthrj merged commit 75a2aaa into apache:master Sep 1, 2021
@fgksgf fgksgf deleted the webhook branch September 2, 2021 09:31
@tao12345666333 tao12345666333 mentioned this pull request Nov 18, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gxthrj gxthrj gxthrj approved these changes

@tokers tokers tokers approved these changes

@tao12345666333 tao12345666333 Awaiting requested review from tao12345666333

Assignees
No one assigned
Labels
area/admission
Projects
None yet
Milestone
1.3.0
Development

Successfully merging this pull request may close these issues.
5 participants
@fgksgf @codecov-commenter @tokers @gxthrj @tao12345666333