[webhooks] Support Version Distinction in Admission Control (#478)

Have the k8s.WebhookServer use GroupVersionKind when mapping validating
and mutating controllers, rather than GroupKind. The methods for adding
admission control already use `resource.Kind`, which is a GVK-scoped
object, so just support this when storing in the relation map and
lookups for handling requests.

k8s/webhooks.go

@@ -110,7 +110,11 @@ func (w *WebhookServer) AddValidatingAdmissionController(controller resource.Val
 	if w.validatingControllers == nil {
 		w.validatingControllers = make(map[string]validatingAdmissionControllerTuple)
 	}
-	w.validatingControllers[gk(kind.Group(), kind.Kind())] = validatingAdmissionControllerTuple{
+	w.validatingControllers[gvk(&metav1.GroupVersionKind{
+		Group:   kind.Group(),
+		Version: kind.Version(),
+		Kind:    kind.Kind(),
+	})] = validatingAdmissionControllerTuple{
 		schema:     kind,
 		controller: controller,
 	}
@@ -123,7 +127,11 @@ func (w *WebhookServer) AddMutatingAdmissionController(controller resource.Mutat
 	if w.mutatingControllers == nil {
 		w.mutatingControllers = make(map[string]mutatingAdmissionControllerTuple)
 	}
-	w.mutatingControllers[gk(kind.Group(), kind.Kind())] = mutatingAdmissionControllerTuple{
+	w.mutatingControllers[gvk(&metav1.GroupVersionKind{
+		Group:   kind.Group(),
+		Version: kind.Version(),
+		Kind:    kind.Kind(),
+	})] = mutatingAdmissionControllerTuple{
 		schema:     kind,
 		controller: controller,
 	}
@@ -197,7 +205,7 @@ func (w *WebhookServer) HandleValidateHTTP(writer http.ResponseWriter, req *http
 	// Look up the schema and controller
 	var schema resource.Kind
 	var controller resource.ValidatingAdmissionController
-	if tpl, ok := w.validatingControllers[gk(admRev.Request.RequestKind.Group, admRev.Request.RequestKind.Kind)]; ok {
+	if tpl, ok := w.validatingControllers[gvk(admRev.Request.RequestKind)]; ok {
 		schema = tpl.schema
 		controller = tpl.controller
 	} else if w.DefaultValidatingController != nil {
@@ -274,7 +282,7 @@ func (w *WebhookServer) HandleMutateHTTP(writer http.ResponseWriter, req *http.R
 	// Look up the schema and controller
 	var schema resource.Kind
 	var controller resource.MutatingAdmissionController
-	if tpl, ok := w.mutatingControllers[gk(admRev.Request.RequestKind.Group, admRev.Request.RequestKind.Kind)]; ok {
+	if tpl, ok := w.mutatingControllers[gvk(admRev.Request.RequestKind)]; ok {
 		schema = tpl.schema
 		controller = tpl.controller
 	} else if w.DefaultMutatingController != nil {
@@ -445,6 +453,10 @@ func gk(group, kind string) string {
 	return fmt.Sprintf("%s.%s", kind, group)
 }
 
+func gvk(kind *metav1.GroupVersionKind) string {
+	return kind.String()
+}
+
 //nolint:gosec
 func addAdmissionError(resp *admission.AdmissionResponse, err error) {
 	if err == nil || resp == nil {

k8s/webhooks_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/grafana/grafana-app-sdk/resource"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func TestNewWebhookServer(t *testing.T) {
@@ -80,13 +81,13 @@ func TestNewWebhookServer(t *testing.T) {
 		assert.Equal(t, defVal, srv.DefaultValidatingController)
 		assert.Equal(t, defMut, srv.DefaultMutatingController)
 		assert.Equal(t, map[string]validatingAdmissionControllerTuple{
-			gk(testSchema.Group(), testSchema.Kind()): {
+			gvk(&metav1.GroupVersionKind{Group: testSchema.Group(), Version: testSchema.Version(), Kind: testSchema.Kind()}): {
 				schema:     testKind,
 				controller: schVal,
 			},
 		}, srv.validatingControllers)
 		assert.Equal(t, map[string]mutatingAdmissionControllerTuple{
-			gk(testSchema.Group(), testSchema.Kind()): {
+			gvk(&metav1.GroupVersionKind{Group: testSchema.Group(), Version: testSchema.Version(), Kind: testSchema.Kind()}): {
 				schema:     testKind,
 				controller: schMut,
 			},
@@ -119,23 +120,23 @@ func TestWebhookServer_AddMutatingAdmissionController(t *testing.T) {
 	srv.AddMutatingAdmissionController(c1, sch1)
 	srv.AddMutatingAdmissionController(c2, sch2)
 	assert.Equal(t, map[string]mutatingAdmissionControllerTuple{
-		gk("foo", "bar"): {
+		gvk(&metav1.GroupVersionKind{Group: "foo", Version: "v1", Kind: "bar"}): {
 			schema:     sch1,
 			controller: c1,
 		},
-		gk("bar", "foo"): {
+		gvk(&metav1.GroupVersionKind{Group: "bar", Version: "v1", Kind: "foo"}): {
 			schema:     sch2,
 			controller: c2,
 		},
 	}, srv.mutatingControllers)
 	// Overwrite
 	srv.AddMutatingAdmissionController(c3, sch1)
 	assert.Equal(t, map[string]mutatingAdmissionControllerTuple{
-		gk("foo", "bar"): {
+		gvk(&metav1.GroupVersionKind{Group: "foo", Version: "v1", Kind: "bar"}): {
 			schema:     sch1,
 			controller: c3,
 		},
-		gk("bar", "foo"): {
+		gvk(&metav1.GroupVersionKind{Group: "bar", Version: "v1", Kind: "foo"}): {
 			schema:     sch2,
 			controller: c2,
 		},
@@ -167,23 +168,23 @@ func TestWebhookServer_AddValidatingAdmissionController(t *testing.T) {
 	srv.AddValidatingAdmissionController(c1, sch1)
 	srv.AddValidatingAdmissionController(c2, sch2)
 	assert.Equal(t, map[string]validatingAdmissionControllerTuple{
-		gk("foo", "bar"): {
+		gvk(&metav1.GroupVersionKind{Group: "foo", Version: "v1", Kind: "bar"}): {
 			schema:     sch1,
 			controller: c1,
 		},
-		gk("bar", "foo"): {
+		gvk(&metav1.GroupVersionKind{Group: "bar", Version: "v1", Kind: "foo"}): {
 			schema:     sch2,
 			controller: c2,
 		},
 	}, srv.validatingControllers)
 	// Overwrite
 	srv.AddValidatingAdmissionController(c3, sch1)
 	assert.Equal(t, map[string]validatingAdmissionControllerTuple{
-		gk("foo", "bar"): {
+		gvk(&metav1.GroupVersionKind{Group: "foo", Version: "v1", Kind: "bar"}): {
 			schema:     sch1,
 			controller: c3,
 		},
-		gk("bar", "foo"): {
+		gvk(&metav1.GroupVersionKind{Group: "bar", Version: "v1", Kind: "foo"}): {
 			schema:     sch2,
 			controller: c2,
 		},