GitlabSource webhook that runs alongside the controller

gitlab/cmd/controller/main.go

@@ -17,14 +17,92 @@ limitations under the License.
 package main
 
 import (
+	"context"
+
+	sourcesv1alpha1 "knative.dev/eventing-contrib/gitlab/pkg/apis/sources/v1alpha1"
 	gitlab "knative.dev/eventing-contrib/gitlab/pkg/reconciler"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"knative.dev/pkg/configmap"
+	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/signals"
+	"knative.dev/pkg/webhook"
+	"knative.dev/pkg/webhook/certificates"
+	"knative.dev/pkg/webhook/resourcesemantics"
+	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
+	"knative.dev/pkg/webhook/resourcesemantics/validation"
 )
 
 const (
 	component = "gitlab_controller"
 )
 
+var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+	// List the types to validate.
+	sourcesv1alpha1.SchemeGroupVersion.WithKind("GitLabSource"): &sourcesv1alpha1.GitLabSource{},
+}
+
+func NewDefaultingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return defaulting.NewAdmissionController(ctx,
+
+		// Name of the resource webhook.
+		"defaulting.webhook.gitlab.sources.knative.dev",
+
+		// The path on which to serve the webhook.
+		"/defaulting",
+
+		// The resources to validate and default.
+		types,
+
+		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+		func(ctx context.Context) context.Context {
+			// Here is where you would infuse the context with state
+			// (e.g. attach a store with configmap data)
+			return ctx
+		},
+
+		// Whether to disallow unknown fields.
+		true,
+	)
+}
+
+func NewValidationAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return validation.NewAdmissionController(ctx,
+
+		// Name of the resource webhook.
+		"validation.webhook.gitlab.sources.knative.dev",
+
+		// The path on which to serve the webhook.
+		"/resource-validation",
+
+		// The resources to validate and default.
+		types,
+
+		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+		func(ctx context.Context) context.Context {
+			// Here is where you would infuse the context with state
+			// (e.g. attach a store with configmap data)
+			return ctx
+		},
+
+		// Whether to disallow unknown fields.
+		true,
+	)
+}
+
 func main() {
-	sharedmain.Main(component, gitlab.NewController)
+	ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+		ServiceName: "gitlab-source-webhook",
+		Port:        8443,
+		SecretName:  "gitlabsource-webhook-certs",
+	})
+
+	sharedmain.WebhookMainWithContext(ctx, component,
+		certificates.NewController,
+		NewDefaultingAdmissionController,
+		NewValidationAdmissionController,
+
+		gitlab.NewController,
+	)
 }

gitlab/config/201-clusterrole.yaml

@@ -62,6 +62,8 @@ rules:
   - get
   - list
   - watch
+  # Webhook controller needs it to update certs in secret
+  - update
 
 # Events admin
 - apiGroups:
@@ -71,6 +73,14 @@ rules:
   - configmaps
   verbs: *everything
 
+  # For actually registering our webhook.
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs: *everything
+
 ---
 # The role is needed for the aggregated role source-observer in knative-eventing to provide readonly access to "Sources".
 # See https://knative.dev/eventing/blob/master/config/200-source-observer-clusterrole.yaml.

gitlab/config/400-controller-service.yaml

@@ -27,3 +27,19 @@ spec:
     targetPort: 8443
   selector:
     control-plane: gitlab-controller-manager
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    contrib.eventing.knative.dev/release: devel
+    role: webhook
+  name: gitlab-source-webhook
+  namespace: knative-sources
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    control-plane: gitlab-controller-manager

gitlab/config/500-controller.yaml

@@ -49,8 +49,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: SECRET_NAME
-          value: gitlabsource-webhook-server-secret
         image: ko://knative.dev/eventing-contrib/gitlab/cmd/controller
         imagePullPolicy: Always
         resources:
@@ -60,19 +58,4 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
-        volumeMounts:
-        - mountPath: /tmp/cert
-          name: cert
-          readOnly: true
       terminationGracePeriodSeconds: 10
-      volumes:
-      - name: cert
-        secret:
-          defaultMode: 420
-          secretName: gitlabsource-webhook-server-secret
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: gitlabsource-webhook-server-secret
-  namespace: knative-sources

gitlab/config/500-webhook-configuration.yaml

@@ -0,0 +1,54 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: defaulting.webhook.gitlab.sources.knative.dev
+  labels:
+    contrib.eventing.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  clientConfig:
+    service:
+      name: gitlab-source-webhook
+      namespace: knative-sources
+  failurePolicy: Fail
+  name: defaulting.webhook.gitlab.sources.knative.dev
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validation.webhook.gitlab.sources.knative.dev
+  labels:
+    contrib.eventing.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  clientConfig:
+    service:
+      name: gitlab-source-webhook
+      namespace: knative-sources
+  failurePolicy: Fail
+  name: validation.webhook.gitlab.sources.knative.dev
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlabsource-webhook-certs
+  namespace: knative-sources
+  labels:
+    contrib.eventing.knative.dev/release: devel
+# The data is populated at install time.