feat(webhook): add webhook to mutate pod

Refs: #24

cmd/rollout/app/options/options.go

@@ -34,6 +34,7 @@ type Options struct {
 	LeaderElect                 bool
 	FederatedMode               bool
 	Logger                      string
+	CertDir                     string
 	ZapOptions                  *zap.Options
 	ControllerConcurrentWorkers int
 }
@@ -64,7 +65,7 @@ func (o *Options) Validate() []error {
 	return errs
 }
 
-func (o *Options) Flags(initializer initializer.Interface) cliflag.NamedFlagSets {
+func (o *Options) Flags(initializers ...initializer.Interface) cliflag.NamedFlagSets {
 	fss := cliflag.NamedFlagSets{}
 	fs := fss.FlagSet("options")
 
@@ -75,6 +76,7 @@ func (o *Options) Flags(initializer initializer.Interface) cliflag.NamedFlagSets
 			"Enabling this will ensure there is only one active controller manager.")
 	fs.BoolVar(&o.FederatedMode, "federated-mode", o.FederatedMode, "Enable federated mode for controller manager.")
 	fs.StringVar(&o.Logger, "logger", o.Logger, "The logger provider, Options are:\n"+strings.Join([]string{"zap", "klog"}, "\n"))
+	fs.StringVar(&o.CertDir, "cert-dir", o.CertDir, "The directory where the TLS certs are located. If not set, webhook server would look up the server key and certificate in {TempDir}/k8s-webhook-server/serving-certs.")
 	fs.IntVar(&o.ControllerConcurrentWorkers, "controller-concurrent-workers", o.ControllerConcurrentWorkers, "The number of concurrent workers for the controller.")
 
 	// bind zap flags
@@ -87,7 +89,9 @@ func (o *Options) Flags(initializer initializer.Interface) cliflag.NamedFlagSets
 	features.DefaultMutableFeatureGate.AddFlag(fs)
 
 	// bind initializer flags
-	initializer.BindFlag(fs)
+	for _, in := range initializers {
+		in.BindFlag(fs)
+	}
 	return fss
 }
 

cmd/rollout/app/rollout.go

@@ -22,22 +22,23 @@ import (
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/component-base/version/verflag"
-	"kusionstack.io/kube-utils/controller/initializer"
 	"kusionstack.io/kube-utils/multicluster"
 	"kusionstack.io/kube-utils/multicluster/clusterinfo"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 
 	"kusionstack.io/rollout/cmd/rollout/app/options"
+	"kusionstack.io/rollout/pkg/controllers"
 	"kusionstack.io/rollout/pkg/utils/cli"
+	"kusionstack.io/rollout/pkg/webhook"
 )
 
 var (
 	setupLog = ctrl.Log.WithName("setup")
 )
 
-func NewRolloutCommand(initializer initializer.Interface) *cobra.Command {
+func NewRolloutCommand() *cobra.Command {
 	opt := options.NewOptions()
 
 	cmd := &cobra.Command{
@@ -56,22 +57,23 @@ func NewRolloutCommand(initializer initializer.Interface) *cobra.Command {
 			verflag.PrintAndExitIfRequested()
 			cli.PrintFlags(setupLog, cmd.Flags())
 
-			return Run(opt, initializer)
+			return Run(opt)
 		},
 	}
 
-	cli.AddFlagsAndUsage(cmd, opt.Flags(initializer))
+	cli.AddFlagsAndUsage(cmd, opt.Flags(controllers.Initializer, webhook.Initializer))
 
 	return cmd
 }
 
-func Run(opt *options.Options, initializer initializer.Interface) error {
+func Run(opt *options.Options) error {
 	ctx := ctrl.SetupSignalHandler()
 
 	options := ctrl.Options{
 		Scheme:                 scheme.Scheme,
 		MetricsBindAddress:     opt.MetricsBindAddress,
 		Port:                   9443,
+		CertDir:                opt.CertDir,
 		HealthProbeBindAddress: opt.HealthProbeBindAddress,
 		LeaderElection:         opt.LeaderElect,
 		LeaderElectionID:       "rollout.kusionstack.io",
@@ -124,11 +126,16 @@ func Run(opt *options.Options, initializer initializer.Interface) error {
 		os.Exit(1)
 	}
 
-	err = initializer.SetupWithManager(mgr)
+	err = controllers.Initializer.SetupWithManager(mgr)
 	if err != nil {
 		setupLog.Error(err, "failed to initialize controllers")
 	}
 
+	err = webhook.Initializer.SetupWithManager(mgr)
+	if err != nil {
+		setupLog.Error(err, "failed to initialize webhooks")
+	}
+
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {

cmd/rollout/main.go

@@ -22,13 +22,12 @@ import (
 	"k8s.io/component-base/logs"
 
 	"kusionstack.io/rollout/cmd/rollout/app"
-	"kusionstack.io/rollout/pkg/controllers"
 )
 
 func main() {
 	rand.New(rand.NewSource(time.Now().UnixNano()))
 
-	command := app.NewRolloutCommand(controllers.Initializer)
+	command := app.NewRolloutCommand()
 
 	logs.InitLogs()
 	defer logs.FlushLogs()

config/webhook/manifests.yaml

@@ -0,0 +1,29 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: mutating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook-service
+      namespace: system
+      path: /pods/mutating
+  failurePolicy: Ignore
+  name: mpod.kb.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - pods
+  sideEffects: None

go.mod

@@ -1,6 +1,8 @@
 module kusionstack.io/rollout
 
-go 1.19
+go 1.21
+
+toolchain go1.21.3
 
 require (
 	github.com/davecgh/go-spew v1.1.1
@@ -13,6 +15,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
+	github.com/tidwall/gjson v1.17.0
 	k8s.io/api v0.28.4
 	k8s.io/apiextensions-apiserver v0.28.3
 	k8s.io/apimachinery v0.28.4
@@ -24,25 +27,30 @@ require (
 	k8s.io/kubernetes v1.22.2
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
 	kusionstack.io/kube-api v0.0.27
-	kusionstack.io/kube-utils v0.1.8
+	kusionstack.io/kube-utils v0.1.9
 	sigs.k8s.io/controller-runtime v0.16.3
 )
 
 require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
 	gotest.tools/v3 v3.4.0 // indirect
 )
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.2 // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
+	github.com/felixge/httpsnoop v1.0.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-logr/zapr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.20.0 // indirect
@@ -53,6 +61,7 @@ require (
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -63,10 +72,21 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/runc v1.0.2 // indirect
 	github.com/prometheus/client_golang v1.17.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
+	go.opentelemetry.io/contrib v0.20.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0 // indirect
+	go.opentelemetry.io/otel v0.20.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp v0.20.0 // indirect
+	go.opentelemetry.io/otel/metric v0.20.0 // indirect
+	go.opentelemetry.io/otel/sdk v0.20.0 // indirect
+	go.opentelemetry.io/otel/sdk/export/metric v0.20.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
+	go.opentelemetry.io/otel/trace v0.20.0 // indirect
+	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
@@ -79,13 +99,18 @@ require (
 	golang.org/x/tools v0.15.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
+	google.golang.org/grpc v1.38.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/component-helpers v0.22.2 // indirect
 	k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	k8s.io/kubectl v0.28.4 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22 // indirect
 	sigs.k8s.io/gateway-api v1.0.0
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect