From 277bf13c46ec197a3e95c9bd87d9cc1c1fdbca20 Mon Sep 17 00:00:00 2001
From: tzununbekov
Date: Wed, 8 Apr 2020 19:52:39 +0600
Subject: [PATCH 1/3] GitlabSource webhooks added
---
 gitlab/cmd/controller/main.go | 80 +++++++++++++++++++-
 gitlab/config/201-clusterrole.yaml | 8 ++
 gitlab/config/400-controller-service.yaml | 16 ++++
 gitlab/config/500-controller.yaml | 17 -----
 gitlab/config/500-webhook-configuration.yaml | 54 +++++++++++++
 5 files changed, 157 insertions(+), 18 deletions(-)
 create mode 100644 gitlab/config/500-webhook-configuration.yaml
diff --git a/gitlab/cmd/controller/main.go b/gitlab/cmd/controller/main.go
index 701feadc2a..ae1081ad14 100644
--- a/gitlab/cmd/controller/main.go
+++ b/gitlab/cmd/controller/main.go
@@ -17,14 +17,92 @@ limitations under the License. package main import ( + "context" + + sourcesv1alpha1 "knative.dev/eventing-contrib/gitlab/pkg/apis/sources/v1alpha1" gitlab "knative.dev/eventing-contrib/gitlab/pkg/reconciler" + + "k8s.io/apimachinery/pkg/runtime/schema" + "knative.dev/pkg/configmap" + "knative.dev/pkg/controller" "knative.dev/pkg/injection/sharedmain" + "knative.dev/pkg/signals" + "knative.dev/pkg/webhook" + "knative.dev/pkg/webhook/certificates" + "knative.dev/pkg/webhook/resourcesemantics" + "knative.dev/pkg/webhook/resourcesemantics/defaulting" + "knative.dev/pkg/webhook/resourcesemantics/validation" ) const ( component = "gitlab_controller" ) +var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{ + // List the types to validate. + sourcesv1alpha1.SchemeGroupVersion.WithKind("GitLabSource"): &sourcesv1alpha1.GitLabSource{}, +} + +func NewDefaultingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl { + return defaulting.NewAdmissionController(ctx, + + // Name of the resource webhook. + "defaulting.webhook.gitlab.sources.knative.dev", + + // The path on which to serve the webhook. + "/defaulting", + + // The resources to validate and default. + types, + + // A function that infuses the context passed to Validate/SetDefaults with custom metadata. + func(ctx context.Context) context.Context { + // Here is where you would infuse the context with state + // (e.g. attach a store with configmap data) + return ctx + }, + + // Whether to disallow unknown fields. + true, + ) +} + +func NewValidationAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl { + return validation.NewAdmissionController(ctx, + + // Name of the resource webhook. + "validation.webhook.gitlab.sources.knative.dev", + + // The path on which to serve the webhook. + "/resource-validation", + + // The resources to validate and default. 
+ types, + + // A function that infuses the context passed to Validate/SetDefaults with custom metadata. + func(ctx context.Context) context.Context { + // Here is where you would infuse the context with state + // (e.g. attach a store with configmap data) + return ctx + }, + + // Whether to disallow unknown fields. + true, + ) +} + func main() { - sharedmain.Main(component, gitlab.NewController) + ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{ + ServiceName: "gitlab-source-webhook", + Port: 8443, + SecretName: "sources-webhook-certs", + }) + + sharedmain.WebhookMainWithContext(ctx, component, + certificates.NewController, + NewDefaultingAdmissionController, + NewValidationAdmissionController, + + gitlab.NewController, + ) } diff --git a/gitlab/config/201-clusterrole.yaml b/gitlab/config/201-clusterrole.yaml index 05a6a7ad2d..0d0512fde5 100644 --- a/gitlab/config/201-clusterrole.yaml +++ b/gitlab/config/201-clusterrole.yaml @@ -71,6 +71,14 @@ rules: - configmaps verbs: *everything + # For actually registering our webhook. +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: *everything + --- # The role is needed for the aggregated role source-observer in knative-eventing to provide readonly access to "Sources". # See https://knative.dev/eventing/blob/master/config/200-source-observer-clusterrole.yaml. diff --git a/gitlab/config/400-controller-service.yaml b/gitlab/config/400-controller-service.yaml index 06180b5db9..4ec0293065 100644 --- a/gitlab/config/400-controller-service.yaml +++ b/gitlab/config/400-controller-service.yaml 
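Review bot: NewDefaultingAdmissionController and NewValidationAdmissionController are exported but carry no doc comment, and the validation constructor reuses the copy-pasted `// The resources to validate and default.` line above `types` even though it only validates. Suggest `// NewValidationAdmissionController returns the controller that serves the GitLabSource validating webhook at /resource-validation; sharedmain.WebhookMainWithContext wires it up in main.` and the matching sentence for the defaulting constructor. The `cmw configmap.Watcher` parameter is unused in both; a short comment saying it exists to satisfy the constructor signature that sharedmain expects (presumably the reason it is there) would stop a later cleanup from dropping it. The two identical no-op context closures could be a single named helper, but that is cosmetic.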
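Review bot: The new rule grants `verbs: *everything` on mutatingwebhookconfigurations and validatingwebhookconfigurations cluster-wide, which is more than the webhook reconciler needs: it only reads and updates its own two named configurations. A controller identity that can create or edit arbitrary mutating webhooks lets a compromised controller pod intercept and rewrite any admission request in the cluster, so this is worth narrowing to `verbs: [get, list, watch, update]` and, for `update`, a rule with `resourceNames: [defaulting.webhook.gitlab.sources.knative.dev, validation.webhook.gitlab.sources.knative.dev]` (resourceNames cannot scope list/watch, so those stay unscoped). The `*everything` anchor is defined outside the hunk; I am assuming it expands to `["*"]`.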
@@ -27,3 +27,19 @@ spec: targetPort: 8443 selector: control-plane: gitlab-controller-manager + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + contrib.eventing.knative.dev/release: devel + role: webhook + name: gitlab-source-webhook + namespace: knative-sources +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + control-plane: gitlab-controller-manager \ No newline at end of file diff --git a/gitlab/config/500-controller.yaml b/gitlab/config/500-controller.yaml index 29f6e6c287..d16becd503 100644 --- a/gitlab/config/500-controller.yaml +++ b/gitlab/config/500-controller.yaml @@ -49,8 +49,6 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - - name: SECRET_NAME - value: gitlabsource-webhook-server-secret image: ko://knative.dev/eventing-contrib/gitlab/cmd/controller imagePullPolicy: Always resources: @@ -60,19 +58,4 @@ spec: requests: cpu: 100m memory: 20Mi - volumeMounts: - - mountPath: /tmp/cert - name: cert - readOnly: true terminationGracePeriodSeconds: 10 - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: gitlabsource-webhook-server-secret ---- -apiVersion: v1 -kind: Secret -metadata: - name: gitlabsource-webhook-server-secret - namespace: knative-sources diff --git a/gitlab/config/500-webhook-configuration.yaml b/gitlab/config/500-webhook-configuration.yaml new file mode 100644 index 0000000000..02a589e45c --- /dev/null +++ b/gitlab/config/500-webhook-configuration.yaml 
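Review bot: The added Service hard-codes `targetPort: 8443`, which must agree with `Port: 8443` in webhook.Options in gitlab/cmd/controller/main.go, and neither file records that coupling. A one-line comment on the port, `# targetPort must match webhook.Options.Port in cmd/controller/main.go`, would keep the two from drifting. Both Services in this file now select the same `control-plane: gitlab-controller-manager` pods and target the same port, so the webhook is served from the controller pod; that looks intended but deserves a sentence next to `role: webhook`.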
@@ -0,0 +1,54 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: defaulting.webhook.gitlab.sources.knative.dev
+ labels:
+ contrib.eventing.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: gitlab-source-webhook
+ namespace: knative-sources
+ failurePolicy: Fail
+ name: defaulting.webhook.gitlab.sources.knative.dev
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.gitlab.sources.knative.dev
+ labels:
+ contrib.eventing.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: gitlab-source-webhook
+ namespace: knative-sources
+ failurePolicy: Fail
+ name: validation.webhook.gitlab.sources.knative.dev
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sources-webhook-certs
+ namespace: knative-sources
+ labels:
+ contrib.eventing.knative.dev/release: devel
+# The data is populated at install time.
\ No newline at end of file
From b1a6f677de7b3edb3e71ac0d664245cbf29cff33 Mon Sep 17 00:00:00 2001
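Review bot: Both webhook entries set `failurePolicy: Fail` but declare no `rules`, no `sideEffects` and no `timeoutSeconds`, and `clientConfig.service` has no `path` or `caBundle`; presumably the knative/pkg reconcilers registered in main.go fill rules, path and CA bundle at runtime, but nothing in the manifest says so. A header comment such as `# rules, clientConfig.service.path and caBundle are populated by the webhook controller at runtime; do not set them here` would spare a reader from wondering why a fail-closed webhook matches nothing. If the reconciler does not set `sideEffects`, add `sideEffects: None` to each entry, because a v1beta1 webhook with unknown side effects makes the API server reject dry-run requests for every resource it matches. The comment on the empty Secret says the data is populated at install time, but main.go registers certificates.NewController, which suggests the controller writes the serving cert after start; `# Populated with the webhook serving cert by the certificates controller at runtime` would be more accurate if that is the case.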
From: tzununbekov Date: Wed, 8 Apr 2020 22:12:31 +0600 Subject: [PATCH 2/3] Controller role permissions extended, yamls linted --- gitlab/config/201-clusterrole.yaml | 2 ++ gitlab/config/400-controller-service.yaml | 2 +- gitlab/config/500-webhook-configuration.yaml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/gitlab/config/201-clusterrole.yaml b/gitlab/config/201-clusterrole.yaml index 0d0512fde5..aca36f13e3 100644 --- a/gitlab/config/201-clusterrole.yaml +++ b/gitlab/config/201-clusterrole.yaml @@ -62,6 +62,8 @@ rules: - get - list - watch + # Webhook controller needs it to update "sources-webhook-certs" contents + - update # Events admin - apiGroups: diff --git a/gitlab/config/400-controller-service.yaml b/gitlab/config/400-controller-service.yaml index 4ec0293065..243fd4c17b 100644 --- a/gitlab/config/400-controller-service.yaml +++ b/gitlab/config/400-controller-service.yaml @@ -42,4 +42,4 @@ spec: - port: 443 targetPort: 8443 selector: - control-plane: gitlab-controller-manager \ No newline at end of file + control-plane: gitlab-controller-manager diff --git a/gitlab/config/500-webhook-configuration.yaml b/gitlab/config/500-webhook-configuration.yaml index 02a589e45c..e1abef531c 100644 --- a/gitlab/config/500-webhook-configuration.yaml +++ b/gitlab/config/500-webhook-configuration.yaml @@ -51,4 +51,4 @@ metadata: namespace: knative-sources labels: contrib.eventing.knative.dev/release: devel -# The data is populated at install time. \ No newline at end of file +# The data is populated at install time. From 0c440293552af84905a2dc3cb693e78edd701364 Mon Sep 17 00:00:00 2001 From: tzununbekov Date: Tue, 14 Apr 2020 11:42:46 +0600 Subject: [PATCH 3/3] Unique secret for GitlabSource webhook certs --- gitlab/cmd/controller/main.go | 2 +- gitlab/config/201-clusterrole.yaml | 2 +- gitlab/config/500-webhook-configuration.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
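Review bot: The added `update` verb lands on a rule whose `resources:` list is outside the hunk; if, as the comment says, it is the secrets rule, `update` on secrets in a ClusterRole lets the controller rewrite any Secret in any namespace, not just its own certs Secret. Since the certs Secret has a fixed name and lives in knative-sources, the least-privilege form is a namespaced Role, or a separate rule, with `resourceNames:` naming that Secret for the `update` verb while `get/list/watch` stay unscoped for the informer. The comment could record the reason and the intended scope: `# update lets the certificates controller write its serving cert into the webhook certs Secret; restrict with resourceNames where possible`.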
diff --git a/gitlab/cmd/controller/main.go b/gitlab/cmd/controller/main.go index ae1081ad14..0d35b3634f 100644 --- a/gitlab/cmd/controller/main.go +++ b/gitlab/cmd/controller/main.go @@ -95,7 +95,7 @@ func main() { ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{ ServiceName: "gitlab-source-webhook", Port: 8443, - SecretName: "sources-webhook-certs", + SecretName: "gitlabsource-webhook-certs", }) sharedmain.WebhookMainWithContext(ctx, component, diff --git a/gitlab/config/201-clusterrole.yaml b/gitlab/config/201-clusterrole.yaml index aca36f13e3..b084cbd829 100644 --- a/gitlab/config/201-clusterrole.yaml +++ b/gitlab/config/201-clusterrole.yaml @@ -62,7 +62,7 @@ rules: - get - list - watch - # Webhook controller needs it to update "sources-webhook-certs" contents + # Webhook controller needs it to update certs in secret - update # Events admin diff --git a/gitlab/config/500-webhook-configuration.yaml b/gitlab/config/500-webhook-configuration.yaml index e1abef531c..0d4abb1809 100644 --- a/gitlab/config/500-webhook-configuration.yaml +++ b/gitlab/config/500-webhook-configuration.yaml @@ -47,7 +47,7 @@ webhooks: apiVersion: v1 kind: Secret metadata: - name: sources-webhook-certs + name: gitlabsource-webhook-certs namespace: knative-sources labels: contrib.eventing.knative.dev/release: devel