Skip to content
This repository has been archived by the owner on Apr 25, 2023. It is now read-only.

feat: remove openshift/generic-admission-server #1263

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -83,9 +83,7 @@ spec:
command:
- "/hyperfed/webhook"
- "--secure-port=8443"
- "--audit-log-path=-"
- "--tls-cert-file=/var/serving-cert/tls.crt"
- "--tls-private-key-file=/var/serving-cert/tls.key"
- "--cert-dir=/var/serving-cert/"
- "--v={{ .Values.webhook.logLevel }}"
ports:
- containerPort: 8443
Expand All @@ -94,7 +92,7 @@ spec:
name: serving-cert
readinessProbe:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about adding a liveness probe too to /healthz?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer not to introduce any additional bigger changes in this PR to have a clear path to track back possible issues that might be caused by these changes. Would you agree on me adding a livenessProbe in a subsequent PR?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes that's fine.

httpGet:
path: /healthz
path: /readyz
port: 8443
scheme: HTTPS
resources:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ webhooks:
service:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /apis/validation.core.kubefed.io/v1beta1/federatedtypeconfigs
path: /validate-federatedtypeconfigs
caBundle: {{ b64enc $ca.Cert | quote }}
rules:
- operations:
Expand Down Expand Up @@ -49,7 +49,7 @@ webhooks:
service:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /apis/validation.core.kubefed.io/v1beta1/kubefedclusters
path: /validate-kubefedcluster
caBundle: {{ b64enc $ca.Cert | quote }}
rules:
- operations:
Expand All @@ -74,7 +74,7 @@ webhooks:
service:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /apis/validation.core.kubefed.io/v1beta1/kubefedconfigs
path: /validate-kubefedconfig
caBundle: {{ b64enc $ca.Cert | quote }}
rules:
- operations:
Expand Down Expand Up @@ -110,7 +110,7 @@ webhooks:
service:
namespace: {{ .Release.Namespace | quote }}
name: kubefed-admission-webhook
path: /apis/mutation.core.kubefed.io/v1beta1/kubefedconfigs
path: /default-kubefedconfig
caBundle: {{ b64enc $ca.Cert | quote }}
rules:
- operations:
Expand Down
8 changes: 4 additions & 4 deletions cmd/hyperfed/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,9 +37,9 @@ import (
utilflag "k8s.io/component-base/cli/flag"
"k8s.io/component-base/logs"

"sigs.k8s.io/kubefed/cmd/controller-manager/app"
ctrlapp "sigs.k8s.io/kubefed/cmd/controller-manager/app"
webhookapp "sigs.k8s.io/kubefed/cmd/webhook/app"
"sigs.k8s.io/kubefed/pkg/kubefedctl"
"sigs.k8s.io/kubefed/pkg/webhook"
)

func main() {
Expand Down Expand Up @@ -80,9 +80,9 @@ func commandFor(basename string, defaultCommand *cobra.Command, commands []func(
func NewHyperFedCommand() (*cobra.Command, []func() *cobra.Command) {
stopChan := genericapiserver.SetupSignalHandler()

controller := func() *cobra.Command { return app.NewControllerManagerCommand(stopChan) }
controller := func() *cobra.Command { return ctrlapp.NewControllerManagerCommand(stopChan) }
kubefedctlCmd := func() *cobra.Command { return kubefedctl.NewKubeFedCtlCommand(os.Stdout) }
webhookCmd := func() *cobra.Command { return webhook.NewWebhookCommand(stopChan) }
webhookCmd := func() *cobra.Command { return webhookapp.NewWebhookCommand(stopChan) }

commandFns := []func() *cobra.Command{
controller,
Expand Down
92 changes: 92 additions & 0 deletions cmd/webhook/app/webhook.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
package app

import (
"flag"
"fmt"
"net/http"
"os"

"github.com/spf13/cobra"
"k8s.io/client-go/tools/clientcmd"
"k8s.io/component-base/logs"
"k8s.io/klog"
"sigs.k8s.io/controller-runtime/pkg/healthz"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/manager/signals"
ctrwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"

"sigs.k8s.io/kubefed/pkg/controller/webhook/federatedtypeconfig"
"sigs.k8s.io/kubefed/pkg/controller/webhook/kubefedcluster"
"sigs.k8s.io/kubefed/pkg/controller/webhook/kubefedconfig"
"sigs.k8s.io/kubefed/pkg/version"
)

var (
certDir, kubeconfig, masterURL string
port = 8443
)

// NewWebhookCommand creates a *cobra.Command object with default parameters
func NewWebhookCommand(stopChan <-chan struct{}) *cobra.Command {
verFlag := false

cmd := &cobra.Command{
Use: "webhook",
Short: "Start a kubefed webhook server",
Long: "Start a kubefed webhook server",
Run: func(cmd *cobra.Command, args []string) {
fmt.Fprintf(os.Stdout, "KubeFed webhook version: %s\n", fmt.Sprintf("%#v", version.Get()))
if verFlag {
os.Exit(0)
}
// PrintFlags(cmd.Flags())

if err := Run(stopChan); err != nil {
fmt.Fprintf(os.Stderr, "%v\n", err)
os.Exit(1)
}
},
}

// Add the command line flags from other dependencies(klog, kubebuilder, etc.)
cmd.Flags().AddGoFlagSet(flag.CommandLine)

cmd.Flags().StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
cmd.Flags().StringVar(&masterURL, "master", "", "The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.")
cmd.Flags().StringVar(&certDir, "cert-dir", "", "The directory where the TLS certs are located.")
cmd.Flags().IntVar(&port, "secure-port", port, "The port on which to serve HTTPS.")

return cmd
}

// Run runs the webhook with options. This should never exit.
func Run(stopChan <-chan struct{}) error {
logs.InitLogs()
defer logs.FlushLogs()

config, err := clientcmd.BuildConfigFromFlags(masterURL, kubeconfig)
if err != nil {
klog.Fatalf("error setting up webhook's config: %s", err)
}
mgr, err := manager.New(config, manager.Options{
Port: port,
CertDir: certDir,
})
if err != nil {
klog.Fatalf("error setting up webhook manager: %s", err)
}
hookServer := mgr.GetWebhookServer()

hookServer.Register("/validate-federatedtypeconfigs", &ctrwebhook.Admission{Handler: &federatedtypeconfig.FederatedTypeConfigAdmissionHook{}})
hookServer.Register("/validate-kubefedcluster", &ctrwebhook.Admission{Handler: &kubefedcluster.KubeFedClusterAdmissionHook{}})
hookServer.Register("/validate-kubefedconfig", &ctrwebhook.Admission{Handler: &kubefedconfig.KubeFedConfigValidator{}})
hookServer.Register("/default-kubefedconfig", &ctrwebhook.Admission{Handler: &kubefedconfig.KubeFedConfigDefaulter{}})

hookServer.WebhookMux.Handle("/readyz/", http.StripPrefix("/readyz/", &healthz.Handler{}))

if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
klog.Fatalf("unable to run manager: %s", err)
}

return nil
}
18 changes: 7 additions & 11 deletions cmd/webhook/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,25 +17,21 @@ limitations under the License.
package main

import (
"flag"
"fmt"
"os"

genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/component-base/logs"
"k8s.io/klog"
"sigs.k8s.io/controller-runtime/pkg/manager/signals"

"sigs.k8s.io/kubefed/pkg/webhook"
"sigs.k8s.io/kubefed/cmd/webhook/app"
)

func main() {
logs.InitLogs()
defer logs.FlushLogs()

stopChan := genericapiserver.SetupSignalHandler()

cmd := webhook.NewWebhookCommand(stopChan)
cmd.Flags().AddGoFlagSet(flag.CommandLine)

if err := cmd.Execute(); err != nil {
klog.Fatal(err)
if err := app.NewWebhookCommand(signals.SetupSignalHandler()); err != nil {
fmt.Fprintf(os.Stderr, "%v\n", err)
os.Exit(1)
}
}
1 change: 0 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ require (
github.com/json-iterator/go v1.1.9
github.com/onsi/ginkgo v1.13.0
github.com/onsi/gomega v1.10.1
github.com/openshift/generic-admission-server v1.14.0
github.com/pborman/uuid v1.2.0
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.0.0
Expand Down
4 changes: 1 addition & 3 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
Expand Down Expand Up @@ -283,8 +284,6 @@ github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/openshift/generic-admission-server v1.14.0 h1:GAQy5JNVcbmUuIpPvLd39+2rPecxEm7WQ2sP7ACrse4=
github.com/openshift/generic-admission-server v1.14.0/go.mod h1:GD9KN/W4KxqRQGVMbqQHpHzb2XcQVvLCaBaSciqXvfM=
github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
Expand Down Expand Up @@ -488,7 +487,6 @@ gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
Expand Down
41 changes: 9 additions & 32 deletions pkg/controller/webhook/federatedtypeconfig/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,11 @@ limitations under the License.
package federatedtypeconfig

import (
"strings"
"sync"
"context"

"github.com/openshift/generic-admission-server/pkg/apiserver"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/rest"
"k8s.io/klog"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

"sigs.k8s.io/kubefed/pkg/apis/core/v1beta1"
"sigs.k8s.io/kubefed/pkg/apis/core/v1beta1/validation"
Expand All @@ -38,52 +33,34 @@ const (
resourcePluralName = "federatedtypeconfigs"
)

type FederatedTypeConfigAdmissionHook struct {
client dynamic.ResourceInterface
type FederatedTypeConfigAdmissionHook struct{}

lock sync.RWMutex
initialized bool
}

var _ apiserver.ValidatingAdmissionHook = &FederatedTypeConfigAdmissionHook{}
var _ admission.Handler = &FederatedTypeConfigAdmissionHook{}

func (a *FederatedTypeConfigAdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {
klog.Infof("New ValidatingResource for %q", ResourceName)
return webhook.NewValidatingResource(resourcePluralName), strings.ToLower(ResourceName)
}

func (a *FederatedTypeConfigAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *FederatedTypeConfigAdmissionHook) Handle(ctx context.Context, admissionSpec admission.Request) admission.Response {
status := admission.Response{}

klog.V(4).Infof("Validating %q AdmissionRequest = %s", ResourceName, webhook.AdmissionRequestDebugString(admissionSpec))

// We want to let through:
// - Requests that are not for create, update
// - Requests for things that are not FederatedTypeConfigs
if webhook.Allowed(admissionSpec, resourcePluralName, status) {
if webhook.Allowed(admissionSpec, resourcePluralName, &status) {
return status
}

admittingObject := &v1beta1.FederatedTypeConfig{}
err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, status)
err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, &status)
if err != nil {
return status
}

if !webhook.Initialized(&a.initialized, &a.lock, status) {
return status
}

klog.V(4).Infof("Validating %q = %+v", ResourceName, *admittingObject)

isStatusSubResource := len(admissionSpec.SubResource) != 0
webhook.Validate(status, func() field.ErrorList {
webhook.Validate(&status, func() field.ErrorList {
return validation.ValidateFederatedTypeConfig(admittingObject, isStatusSubResource)
})

return status
}

func (a *FederatedTypeConfigAdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
return webhook.Initialize(kubeClientConfig, &a.client, &a.lock, &a.initialized, ResourceName)
}
41 changes: 9 additions & 32 deletions pkg/controller/webhook/kubefedcluster/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,16 +17,11 @@ limitations under the License.
package kubefedcluster

import (
"strings"
"sync"
"context"

"github.com/openshift/generic-admission-server/pkg/apiserver"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/rest"
"k8s.io/klog"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

"sigs.k8s.io/kubefed/pkg/apis/core/v1beta1"
"sigs.k8s.io/kubefed/pkg/apis/core/v1beta1/validation"
Expand All @@ -38,52 +33,34 @@ const (
resourcePluralName = "kubefedclusters"
)

type KubeFedClusterAdmissionHook struct {
client dynamic.ResourceInterface
type KubeFedClusterAdmissionHook struct{}

lock sync.RWMutex
initialized bool
}

var _ apiserver.ValidatingAdmissionHook = &KubeFedClusterAdmissionHook{}
var _ admission.Handler = &KubeFedClusterAdmissionHook{}

func (a *KubeFedClusterAdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {
klog.Infof("New ValidatingResource for %q", ResourceName)
return webhook.NewValidatingResource(resourcePluralName), strings.ToLower(ResourceName)
}

func (a *KubeFedClusterAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
status := &admissionv1beta1.AdmissionResponse{}
func (a *KubeFedClusterAdmissionHook) Handle(ctx context.Context, admissionSpec admission.Request) admission.Response {
status := admission.Response{}

klog.V(4).Infof("Validating %q AdmissionRequest = %s", ResourceName, webhook.AdmissionRequestDebugString(admissionSpec))

// We want to let through:
// - Requests that are not for create, update
// - Requests for things that are not FederatedTypeConfigs
if webhook.Allowed(admissionSpec, resourcePluralName, status) {
if webhook.Allowed(admissionSpec, resourcePluralName, &status) {
return status
}

admittingObject := &v1beta1.KubeFedCluster{}
err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, status)
err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, &status)
if err != nil {
return status
}

if !webhook.Initialized(&a.initialized, &a.lock, status) {
return status
}

klog.V(4).Infof("Validating %q = %+v", ResourceName, *admittingObject)

isStatusSubResource := admissionSpec.SubResource == "status"
webhook.Validate(status, func() field.ErrorList {
webhook.Validate(&status, func() field.ErrorList {
return validation.ValidateKubeFedCluster(admittingObject, isStatusSubResource)
})

return status
}

func (a *KubeFedClusterAdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
return webhook.Initialize(kubeClientConfig, &a.client, &a.lock, &a.initialized, ResourceName)
}
Loading