Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow Unstructured callback from Defaulting Webhook #2363

Merged
merged 9 commits into from
Jan 14, 2022
26 changes: 20 additions & 6 deletions testing/resource.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"

"knative.dev/pkg/apis"
)

Expand All @@ -43,19 +44,32 @@ var _ apis.Listable = (*Resource)(nil)

// ResourceSpec represents test resource spec.
type ResourceSpec struct {
FieldWithDefault string `json:"fieldWithDefault,omitempty"`
FieldWithContextDefault string `json:"fieldWithContextDefault,omitempty"`
FieldWithValidation string `json:"fieldWithValidation,omitempty"`
FieldThatsImmutable string `json:"fieldThatsImmutable,omitempty"`
FieldThatsImmutableWithDefault string `json:"fieldThatsImmutableWithDefault,omitempty"`
FieldForCallbackValidation string `json:"fieldThatCallbackRejects,omitempty"`
FieldWithDefault string `json:"fieldWithDefault,omitempty"`
FieldWithContextDefault string `json:"fieldWithContextDefault,omitempty"`
FieldWithValidation string `json:"fieldWithValidation,omitempty"`
FieldThatsImmutable string `json:"fieldThatsImmutable,omitempty"`
FieldThatsImmutableWithDefault string `json:"fieldThatsImmutableWithDefault,omitempty"`
FieldForCallbackValidation string `json:"fieldThatCallbackRejects,omitempty"`
FieldForCallbackDefaulting string `json:"fieldDefaultingCallback,omitempty"`
FieldForCallbackDefaultingIsWithinUpdate bool `json:"fieldForIsWithinUpdate,omitempty"`
FieldForCallbackDefaultingUsername string `json:"FieldForCallbackDefaultingUsername,omitempty"`
}

// GetGroupVersionKind returns the GroupVersionKind.
func (r *Resource) GetGroupVersionKind() schema.GroupVersionKind {
return SchemeGroupVersion.WithKind("Resource")
}

// GetGroupVersionKindMeta returns the metav1.GroupVersionKind.
func (r *Resource) GetGroupVersionKindMeta() metav1.GroupVersionKind {
gvk := r.GroupVersionKind()
return metav1.GroupVersionKind{
Group: gvk.Group,
Version: gvk.Version,
Kind: gvk.Kind,
}
}

// GetUntypedSpec returns the spec of the resource.
func (r *Resource) GetUntypedSpec() interface{} {
return r.Spec
Expand Down
22 changes: 19 additions & 3 deletions webhook/resourcesemantics/defaulting/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/tools/cache"

"knative.dev/pkg/controller"
"knative.dev/pkg/system"
"knative.dev/pkg/webhook"
Expand All @@ -42,6 +43,7 @@ func NewAdmissionController(
handlers map[schema.GroupVersionKind]resourcesemantics.GenericCRD,
wc func(context.Context) context.Context,
disallowUnknownFields bool,
callbacks ...map[schema.GroupVersionKind]Callback,
) *controller.Impl {

client := kubeclient.Get(ctx)
Expand All @@ -51,6 +53,19 @@ func NewAdmissionController(

key := types.NamespacedName{Name: name}

// This not ideal, we are using a variadic argument to effectively make callbacks optional
// This allows this addition to be non-breaking to consumers of /pkg
// TODO: once all sub-repos have adopted this, we might move this back to a traditional param.
var unwrappedCallbacks map[schema.GroupVersionKind]Callback
switch len(callbacks) {
case 0:
unwrappedCallbacks = map[schema.GroupVersionKind]Callback{}
case 1:
unwrappedCallbacks = callbacks[0]
default:
panic("NewAdmissionController may not be called with multiple callback maps")
}

wh := &reconciler{
LeaderAwareFuncs: pkgreconciler.LeaderAwareFuncs{
// Have this reconciler enqueue our singleton whenever it becomes leader.
Expand All @@ -60,9 +75,10 @@ func NewAdmissionController(
},
},

key: key,
path: path,
handlers: handlers,
key: key,
path: path,
handlers: handlers,
callbacks: unwrappedCallbacks,

withContext: wc,
disallowUnknownFields: disallowUnknownFields,
Expand Down
124 changes: 118 additions & 6 deletions webhook/resourcesemantics/defaulting/defaulting.go
Original file line number Diff line number Diff line change
Expand Up @@ -25,16 +25,18 @@ import (

"github.com/gobuffalo/flect"
"go.uber.org/zap"
jsonpatch "gomodules.xyz/jsonpatch/v2"
"gomodules.xyz/jsonpatch/v2"
admissionv1 "k8s.io/api/admission/v1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/client-go/kubernetes"
admissionlisters "k8s.io/client-go/listers/admissionregistration/v1"
corelisters "k8s.io/client-go/listers/core/v1"

"knative.dev/pkg/apis"
"knative.dev/pkg/apis/duck"
"knative.dev/pkg/controller"
Expand All @@ -56,9 +58,10 @@ type reconciler struct {
webhook.StatelessAdmissionImpl
pkgreconciler.LeaderAwareFuncs

key types.NamespacedName
path string
handlers map[schema.GroupVersionKind]resourcesemantics.GenericCRD
key types.NamespacedName
path string
handlers map[schema.GroupVersionKind]resourcesemantics.GenericCRD
callbacks map[schema.GroupVersionKind]Callback

withContext func(context.Context) context.Context

Expand All @@ -70,6 +73,37 @@ type reconciler struct {
secretName string
}

// CallbackFunc is the function to be invoked.
type CallbackFunc func(ctx context.Context, unstructured *unstructured.Unstructured) error

// Callback is a generic function to be called by a consumer of defaulting.
type Callback struct {
// function is the callback to be invoked.
function CallbackFunc

// supportedVerbs are the verbs supported for the callback.
// The function will only be called on these actions.
supportedVerbs map[webhook.Operation]struct{}
}

// NewCallback creates a new callback function to be invoked on supported verbs.
func NewCallback(function func(context.Context, *unstructured.Unstructured) error, supportedVerbs ...webhook.Operation) Callback {
pierDipi marked this conversation as resolved.
Show resolved Hide resolved
if function == nil {
panic("expected function, got nil")
}
m := make(map[webhook.Operation]struct{})
for _, op := range supportedVerbs {
if op == webhook.Delete {
panic("Verb " + webhook.Delete + " not allowed")
}
if _, has := m[op]; has {
panic("duplicate verbs not allowed")
}
m[op] = struct{}{}
}
return Callback{function: function, supportedVerbs: m}
}

var _ controller.Reconciler = (*reconciler)(nil)
var _ pkgreconciler.LeaderAware = (*reconciler)(nil)
var _ webhook.AdmissionController = (*reconciler)(nil)
Expand Down Expand Up @@ -137,7 +171,17 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
logger := logging.FromContext(ctx)

rules := make([]admissionregistrationv1.RuleWithOperations, 0, len(ac.handlers))
gvks := make(map[schema.GroupVersionKind]struct{}, len(ac.handlers)+len(ac.callbacks))
for gvk := range ac.handlers {
gvks[gvk] = struct{}{}
}
for gvk := range ac.callbacks {
if _, ok := gvks[gvk]; !ok {
gvks[gvk] = struct{}{}
}
}

for gvk := range gvks {
plural := strings.ToLower(flect.Pluralize(gvk.Kind))

rules = append(rules, admissionregistrationv1.RuleWithOperations{
Expand Down Expand Up @@ -231,8 +275,18 @@ func (ac *reconciler) mutate(ctx context.Context, req *admissionv1.AdmissionRequ
logger := logging.FromContext(ctx)
handler, ok := ac.handlers[gvk]
if !ok {
logger.Error("Unhandled kind: ", gvk)
return nil, fmt.Errorf("unhandled kind: %v", gvk)
if _, ok := ac.callbacks[gvk]; !ok {
logger.Error("Unhandled kind: ", gvk)
return nil, fmt.Errorf("unhandled kind: %v", gvk)
}
patches, err := ac.callback(ctx, gvk, req, true /* shouldSetUserInfo */, duck.JSONPatch{})
if err != nil {
logger.Errorw("Failed the callback defaulter", zap.Error(err))
// Return the error message as-is to give the defaulter callback
// discretion over (our portion of) the message that the user sees.
return nil, err
}
return json.Marshal(patches)
}

// nil values denote absence of `old` (create) or `new` (delete) objects.
Expand Down Expand Up @@ -302,6 +356,13 @@ func (ac *reconciler) mutate(ctx context.Context, req *admissionv1.AdmissionRequ
return nil, err
}

if patches, err = ac.callback(ctx, gvk, req, false /* shouldSetUserInfo */, patches); err != nil {
logger.Errorw("Failed the callback defaulter", zap.Error(err))
// Return the error message as-is to give the defaulter callback
// discretion over (our portion of) the message that the user sees.
return nil, err
}

// None of the validators will accept a nil value for newObj.
if newObj == nil {
return nil, errMissingNewObject
Expand Down Expand Up @@ -329,6 +390,57 @@ func (ac *reconciler) setUserInfoAnnotations(ctx context.Context, patches duck.J
return append(patches, patch...), nil
}

func (ac *reconciler) callback(ctx context.Context, gvk schema.GroupVersionKind, req *admissionv1.AdmissionRequest, shouldSetUserInfo bool, patches duck.JSONPatch) (duck.JSONPatch, error) {
// Get callback.
callback, ok := ac.callbacks[gvk]
if !ok {
return patches, nil
}

// Check if request operation is a supported webhook operation.
if _, isSupported := callback.supportedVerbs[req.Operation]; !isSupported {
return patches, nil
}

oldBytes := req.OldObject.Raw
newBytes := req.Object.Raw

before := &unstructured.Unstructured{}
after := &unstructured.Unstructured{}

// Get unstructured object.
if err := json.Unmarshal(newBytes, before); err != nil {
return nil, fmt.Errorf("cannot decode object: %w", err)
}
// Copy before in after unstructured objects.
before.DeepCopyInto(after)

// Setup context.
if len(oldBytes) != 0 {
if req.SubResource == "" {
ctx = apis.WithinUpdate(ctx, before)
} else {
ctx = apis.WithinSubResourceUpdate(ctx, before, req.SubResource)
}
} else {
ctx = apis.WithinCreate(ctx)
}
ctx = apis.WithUserInfo(ctx, &req.UserInfo)

// Call callback passing after.
if err := callback.function(ctx, after); err != nil {
return patches, err
}

if shouldSetUserInfo {
setUserInfoAnnotationsUnstructured(ctx, after, before, req)
}

// Create patches.
patch, err := duck.CreatePatch(before.Object, after.Object)
return append(patches, patch...), err
}

// roundTripPatch generates the JSONPatch that corresponds to round tripping the given bytes through
// the Golang type (JSON -> Golang type -> JSON). Because it is not always true that
// bytes == json.Marshal(json.Unmarshal(bytes)).
Expand Down
Loading