wip: remove openshift/generic-admission-server

kubernetes-retired · Aug 3, 2020 · ac2a764 · ac2a764
1 parent 31d26fe
commit ac2a764
Show file tree

Hide file tree

Showing 11 changed files with 145 additions and 186 deletions.
diff --git a/charts/kubefed/charts/controllermanager/templates/webhook.yaml b/charts/kubefed/charts/controllermanager/templates/webhook.yaml
@@ -19,7 +19,7 @@ webhooks:
     service:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
-      path: /apis/validation.core.kubefed.io/v1beta1/federatedtypeconfigs
+      path: /validate-federatedtypeconfigs
     caBundle: {{ b64enc $ca.Cert | quote }}
   rules:
   - operations:
@@ -49,7 +49,7 @@ webhooks:
     service:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
-      path: /apis/validation.core.kubefed.io/v1beta1/kubefedclusters
+      path: /validate-kubefedcluster
     caBundle: {{ b64enc $ca.Cert | quote }}
   rules:
   - operations:
@@ -74,7 +74,7 @@ webhooks:
     service:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
-      path: /apis/validation.core.kubefed.io/v1beta1/kubefedconfigs
+      path: /validate-kubefedconfig
     caBundle: {{ b64enc $ca.Cert | quote }}
   rules:
   - operations:
@@ -110,7 +110,7 @@ webhooks:
     service:
       namespace: {{ .Release.Namespace | quote }}
       name: kubefed-admission-webhook
-      path: /apis/mutation.core.kubefed.io/v1beta1/kubefedconfigs
+      path: /default-kubefedconfig
     caBundle: {{ b64enc $ca.Cert | quote }}
   rules:
   - operations:

diff --git a/cmd/hyperfed/main.go b/cmd/hyperfed/main.go
@@ -37,9 +37,9 @@ import (
 	utilflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/logs"
 
-	"sigs.k8s.io/kubefed/cmd/controller-manager/app"
+	ctrlapp "sigs.k8s.io/kubefed/cmd/controller-manager/app"
+	webhookapp "sigs.k8s.io/kubefed/cmd/webhook/app"
 	"sigs.k8s.io/kubefed/pkg/kubefedctl"
-	"sigs.k8s.io/kubefed/pkg/webhook"
 )
 
 func main() {
@@ -80,9 +80,9 @@ func commandFor(basename string, defaultCommand *cobra.Command, commands []func(
 func NewHyperFedCommand() (*cobra.Command, []func() *cobra.Command) {
 	stopChan := genericapiserver.SetupSignalHandler()
 
-	controller := func() *cobra.Command { return app.NewControllerManagerCommand(stopChan) }
+	controller := func() *cobra.Command { return ctrlapp.NewControllerManagerCommand(stopChan) }
 	kubefedctlCmd := func() *cobra.Command { return kubefedctl.NewKubeFedCtlCommand(os.Stdout) }
-	webhookCmd := func() *cobra.Command { return webhook.NewWebhookCommand(stopChan) }
+	webhookCmd := func() *cobra.Command { return webhookapp.NewWebhookCommand(stopChan) }
 
 	commandFns := []func() *cobra.Command{
 		controller,

diff --git a/cmd/webhook/app/webhook.go b/cmd/webhook/app/webhook.go
@@ -0,0 +1,85 @@
+package app
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"k8s.io/client-go/rest"
+
+	"github.com/spf13/cobra"
+	"k8s.io/component-base/logs"
+	"k8s.io/klog"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	ctrwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/kubefed/pkg/controller/webhook/federatedtypeconfig"
+	"sigs.k8s.io/kubefed/pkg/controller/webhook/kubefedcluster"
+	"sigs.k8s.io/kubefed/pkg/controller/webhook/kubefedconfig"
+	"sigs.k8s.io/kubefed/pkg/version"
+)
+
+const (
+	metricsDefaultBindAddress = ":9090"
+	healthzDefaultBindAddress = ":8080"
+)
+
+var (
+	metricsAddr, healthzAddr string
+)
+
+// NewWebhookCommand creates a *cobra.Command object with default parameters
+func NewWebhookCommand(stopChan <-chan struct{}) *cobra.Command {
+	verFlag := false
+
+	cmd := &cobra.Command{
+		Use:   "webhook",
+		Short: "Start a kubefed webhook server",
+		Long:  "Start a kubefed webhook server",
+		Run: func(cmd *cobra.Command, args []string) {
+			fmt.Fprintf(os.Stdout, "KubeFed webhook version: %s\n", fmt.Sprintf("%#v", version.Get()))
+			if verFlag {
+				os.Exit(0)
+			}
+			// PrintFlags(cmd.Flags())
+
+			if err := Run(stopChan); err != nil {
+				fmt.Fprintf(os.Stderr, "%v\n", err)
+				os.Exit(1)
+			}
+		},
+	}
+
+	// Add the command line flags from other dependencies(klog, kubebuilder, etc.)
+	cmd.Flags().AddGoFlagSet(flag.CommandLine)
+
+	cmd.Flags().StringVar(&healthzAddr, "healthz-addr", healthzDefaultBindAddress, "The address the healthz endpoint binds to.")
+	cmd.Flags().StringVar(&metricsAddr, "metrics-addr", metricsDefaultBindAddress, "The address the metric endpoint binds to.")
+	cmd.Flags().BoolVar(&verFlag, "version", false, "Prints the Version info of controller-manager.")
+
+	return cmd
+}
+
+// Run runs the webhook with options. This should never exit.
+func Run(stopChan <-chan struct{}) error {
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	config := rest.Config{}
+	mgr, err := manager.New(&config, manager.Options{})
+	if err != nil {
+		klog.Fatalf("error setting up webhook manager: %s", err)
+	}
+	hookServer := mgr.GetWebhookServer()
+
+	hookServer.Register("/validate-federatedtypeconfigs", &ctrwebhook.Admission{Handler: &federatedtypeconfig.FederatedTypeConfigAdmissionHook{}})
+	hookServer.Register("/validate-kubefedcluster", &ctrwebhook.Admission{Handler: &kubefedcluster.KubeFedClusterAdmissionHook{}})
+	hookServer.Register("/validate-kubefedconfig", &ctrwebhook.Admission{Handler: &kubefedconfig.KubeFedConfigValidator{}})
+	hookServer.Register("/default-kubefedconfig", &ctrwebhook.Admission{Handler: &kubefedconfig.KubeFedConfigDefaulter{}})
+
+	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
+		klog.Fatalf("unable to run manager: %s", err)
+	}
+
+	return nil
+}
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -17,25 +17,21 @@ limitations under the License.
 package main
 
 import (
-	"flag"
+	"fmt"
+	"os"
 
-	genericapiserver "k8s.io/apiserver/pkg/server"
-	"k8s.io/component-base/logs"
-	"k8s.io/klog"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/kubefed/cmd/webhook/app"
 
-	"sigs.k8s.io/kubefed/pkg/webhook"
+	"k8s.io/component-base/logs"
 )
 
 func main() {
 	logs.InitLogs()
 	defer logs.FlushLogs()
 
-	stopChan := genericapiserver.SetupSignalHandler()
-
-	cmd := webhook.NewWebhookCommand(stopChan)
-	cmd.Flags().AddGoFlagSet(flag.CommandLine)
-
-	if err := cmd.Execute(); err != nil {
-		klog.Fatal(err)
+	if err := app.NewWebhookCommand(signals.SetupSignalHandler()); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
 	}
 }
diff --git a/go.mod b/go.mod
@@ -8,7 +8,6 @@ require (
 	github.com/json-iterator/go v1.1.9
 	github.com/onsi/ginkgo v1.13.0
 	github.com/onsi/gomega v1.10.1
-	github.com/openshift/generic-admission-server v1.14.0
 	github.com/pborman/uuid v1.2.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.0.0

diff --git a/go.sum b/go.sum
@@ -87,6 +87,7 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -283,8 +284,6 @@ github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
 github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/openshift/generic-admission-server v1.14.0 h1:GAQy5JNVcbmUuIpPvLd39+2rPecxEm7WQ2sP7ACrse4=
-github.com/openshift/generic-admission-server v1.14.0/go.mod h1:GD9KN/W4KxqRQGVMbqQHpHzb2XcQVvLCaBaSciqXvfM=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
@@ -488,7 +487,6 @@ gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

diff --git a/pkg/controller/webhook/federatedtypeconfig/webhook.go b/pkg/controller/webhook/federatedtypeconfig/webhook.go
@@ -17,15 +17,12 @@ limitations under the License.
 package federatedtypeconfig
 
 import (
-	"strings"
+	"context"
 	"sync"
 
-	"github.com/openshift/generic-admission-server/pkg/apiserver"
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/rest"
 	"k8s.io/klog"
 
 	"sigs.k8s.io/kubefed/pkg/apis/core/v1beta1"
@@ -39,51 +36,40 @@ const (
 )
 
 type FederatedTypeConfigAdmissionHook struct {
-	client dynamic.ResourceInterface
-
 	lock        sync.RWMutex
 	initialized bool
 }
 
-var _ apiserver.ValidatingAdmissionHook = &FederatedTypeConfigAdmissionHook{}
-
-func (a *FederatedTypeConfigAdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {
-	klog.Infof("New ValidatingResource for %q", ResourceName)
-	return webhook.NewValidatingResource(resourcePluralName), strings.ToLower(ResourceName)
-}
+var _ admission.Handler = &FederatedTypeConfigAdmissionHook{}
 
-func (a *FederatedTypeConfigAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
-	status := &admissionv1beta1.AdmissionResponse{}
+func (a *FederatedTypeConfigAdmissionHook) Handle(ctx context.Context, admissionSpec admission.Request) admission.Response {
+	status := admission.Response{}
 
 	klog.V(4).Infof("Validating %q AdmissionRequest = %s", ResourceName, webhook.AdmissionRequestDebugString(admissionSpec))
 
 	// We want to let through:
 	// - Requests that are not for create, update
 	// - Requests for things that are not FederatedTypeConfigs
-	if webhook.Allowed(admissionSpec, resourcePluralName, status) {
+	if webhook.Allowed(admissionSpec, resourcePluralName, &status) {
 		return status
 	}
 
 	admittingObject := &v1beta1.FederatedTypeConfig{}
-	err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, status)
+	err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, &status)
 	if err != nil {
 		return status
 	}
 
-	if !webhook.Initialized(&a.initialized, &a.lock, status) {
+	if !webhook.Initialized(&a.initialized, &a.lock, &status) {
 		return status
 	}
 
 	klog.V(4).Infof("Validating %q = %+v", ResourceName, *admittingObject)
 
 	isStatusSubResource := len(admissionSpec.SubResource) != 0
-	webhook.Validate(status, func() field.ErrorList {
+	webhook.Validate(&status, func() field.ErrorList {
 		return validation.ValidateFederatedTypeConfig(admittingObject, isStatusSubResource)
 	})
 
 	return status
 }
-
-func (a *FederatedTypeConfigAdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
-	return webhook.Initialize(kubeClientConfig, &a.client, &a.lock, &a.initialized, ResourceName)
-}
diff --git a/pkg/controller/webhook/kubefedcluster/webhook.go b/pkg/controller/webhook/kubefedcluster/webhook.go
@@ -17,15 +17,11 @@ limitations under the License.
 package kubefedcluster
 
 import (
-	"strings"
-	"sync"
+	"context"
+
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
-	"github.com/openshift/generic-admission-server/pkg/apiserver"
-	admissionv1beta1 "k8s.io/api/admission/v1beta1"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/rest"
 	"k8s.io/klog"
 
 	"sigs.k8s.io/kubefed/pkg/apis/core/v1beta1"
@@ -38,52 +34,34 @@ const (
 	resourcePluralName = "kubefedclusters"
 )
 
-type KubeFedClusterAdmissionHook struct {
-	client dynamic.ResourceInterface
-
-	lock        sync.RWMutex
-	initialized bool
-}
+type KubeFedClusterAdmissionHook struct{}
 
-var _ apiserver.ValidatingAdmissionHook = &KubeFedClusterAdmissionHook{}
-
-func (a *KubeFedClusterAdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {
-	klog.Infof("New ValidatingResource for %q", ResourceName)
-	return webhook.NewValidatingResource(resourcePluralName), strings.ToLower(ResourceName)
-}
+var _ admission.Handler = &KubeFedClusterAdmissionHook{}
 
-func (a *KubeFedClusterAdmissionHook) Validate(admissionSpec *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse {
-	status := &admissionv1beta1.AdmissionResponse{}
+func (a *KubeFedClusterAdmissionHook) Handle(ctx context.Context, admissionSpec admission.Request) admission.Response {
+	status := admission.Response{}
 
 	klog.V(4).Infof("Validating %q AdmissionRequest = %s", ResourceName, webhook.AdmissionRequestDebugString(admissionSpec))
 
 	// We want to let through:
 	// - Requests that are not for create, update
 	// - Requests for things that are not FederatedTypeConfigs
-	if webhook.Allowed(admissionSpec, resourcePluralName, status) {
+	if webhook.Allowed(admissionSpec, resourcePluralName, &status) {
 		return status
 	}
 
 	admittingObject := &v1beta1.KubeFedCluster{}
-	err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, status)
+	err := webhook.Unmarshal(&admissionSpec.Object, admittingObject, &status)
 	if err != nil {
 		return status
 	}
 
-	if !webhook.Initialized(&a.initialized, &a.lock, status) {
-		return status
-	}
-
 	klog.V(4).Infof("Validating %q = %+v", ResourceName, *admittingObject)
 
 	isStatusSubResource := admissionSpec.SubResource == "status"
-	webhook.Validate(status, func() field.ErrorList {
+	webhook.Validate(&status, func() field.ErrorList {
 		return validation.ValidateKubeFedCluster(admittingObject, isStatusSubResource)
 	})
 
 	return status
 }
-
-func (a *KubeFedClusterAdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
-	return webhook.Initialize(kubeClientConfig, &a.client, &a.lock, &a.initialized, ResourceName)
-}