Merge pull request #55132 from caesarxuchao/webhook-move-shared-code

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Reorganize admission webhook code

ref: kubernetes/enhancements#492

* Moved client and kubeconfig related code to webhook/config;
* Moved the rule matcher to webhook/rules;
* Left TODOs saying we are going to move some other common utilities;
* Other code is moved to webhook/validation.


This is to prepare adding the mutating webhook. See kubernetes/kubernetes#54892.

Kubernetes-commit: ff7934fdeea38bf6a56c61bbbe15721c4f45023e

Author: k8s-publish-robot

pkg/admission/BUILD

@@ -78,7 +78,9 @@ filegroup(
         "//staging/src/k8s.io/apiserver/pkg/admission/initializer:all-srcs",
         "//staging/src/k8s.io/apiserver/pkg/admission/plugin/initialization:all-srcs",
         "//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:all-srcs",
-        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook:all-srcs",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config:all-srcs",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/rules:all-srcs",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:all-srcs",
     ],
     tags = ["automanaged"],
 )

pkg/admission/plugin/webhook/config/BUILD

@@ -0,0 +1,54 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "authentication.go",
+        "client.go",
+        "errors.go",
+        "kubeconfig.go",
+        "serviceresolver.go",
+    ],
+    importpath = "k8s.io/apiserver/pkg/admission/plugin/webhook/config",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/hashicorp/golang-lru:go_default_library",
+        "//vendor/k8s.io/api/admissionregistration/v1alpha1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "authentication_test.go",
+        "serviceresolver_test.go",
+    ],
+    importpath = "k8s.io/apiserver/pkg/admission/plugin/webhook/config",
+    library = ":go_default_library",
+    deps = [
+        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

pkg/admission/plugin/webhook/authentication.go renamed to pkg/admission/plugin/webhook/config/authentication.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package webhook
+package config
 
 import (
 	"fmt"
@@ -27,14 +27,19 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
+// AuthenticationInfoResolverWrapper can be used to inject Dial function to the
+// rest.Config generated by the resolver.
 type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) AuthenticationInfoResolver
 
+// AuthenticationInfoResolver builds rest.Config base on the server name.
 type AuthenticationInfoResolver interface {
 	ClientConfigFor(server string) (*rest.Config, error)
 }
 
+// AuthenticationInfoResolverFunc implements AuthenticationInfoResolver.
 type AuthenticationInfoResolverFunc func(server string) (*rest.Config, error)
 
+//ClientConfigFor implements AuthenticationInfoResolver.
 func (a AuthenticationInfoResolverFunc) ClientConfigFor(server string) (*rest.Config, error) {
 	return a(server)
 }
@@ -43,7 +48,10 @@ type defaultAuthenticationInfoResolver struct {
 	kubeconfig clientcmdapi.Config
 }
 
-func newDefaultAuthenticationInfoResolver(kubeconfigFile string) (AuthenticationInfoResolver, error) {
+// NewDefaultAuthenticationInfoResolver generates an AuthenticationInfoResolver
+// that builds rest.Config based on the kubeconfig file. kubeconfigFile is the
+// path to the kubeconfig.
+func NewDefaultAuthenticationInfoResolver(kubeconfigFile string) (AuthenticationInfoResolver, error) {
 	if len(kubeconfigFile) == 0 {
 		return &defaultAuthenticationInfoResolver{}, nil
 	}

pkg/admission/plugin/webhook/authentication_test.go renamed to pkg/admission/plugin/webhook/config/authentication_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package webhook
+package config
 
 import (
 	"testing"

pkg/admission/plugin/webhook/config/client.go

@@ -0,0 +1,174 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+
+	lru "github.com/hashicorp/golang-lru"
+	"k8s.io/api/admissionregistration/v1alpha1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/client-go/rest"
+)
+
+const (
+	defaultCacheSize = 200
+)
+
+var (
+	ErrNeedServiceOrURL = errors.New("webhook configuration must have either service or URL")
+)
+
+// ClientManager builds REST clients to talk to webhooks. It caches the clients
+// to avoid duplicate creation.
+type ClientManager struct {
+	authInfoResolver     AuthenticationInfoResolver
+	serviceResolver      ServiceResolver
+	negotiatedSerializer runtime.NegotiatedSerializer
+	cache                *lru.Cache
+}
+
+// NewClientManager creates a ClientManager.
+func NewClientManager() (ClientManager, error) {
+	cache, err := lru.New(defaultCacheSize)
+	if err != nil {
+		return ClientManager{}, err
+	}
+	return ClientManager{
+		cache: cache,
+	}, nil
+}
+
+// SetAuthenticationInfoResolverWrapper sets the
+// AuthenticationInfoResolverWrapper.
+func (cm *ClientManager) SetAuthenticationInfoResolverWrapper(wrapper AuthenticationInfoResolverWrapper) {
+	if wrapper != nil {
+		cm.authInfoResolver = wrapper(cm.authInfoResolver)
+	}
+}
+
+// SetAuthenticationInfoResolver sets the AuthenticationInfoResolver.
+func (cm *ClientManager) SetAuthenticationInfoResolver(resolver AuthenticationInfoResolver) {
+	cm.authInfoResolver = resolver
+}
+
+// SetServiceResolver sets the ServiceResolver.
+func (cm *ClientManager) SetServiceResolver(sr ServiceResolver) {
+	if sr != nil {
+		cm.serviceResolver = sr
+	}
+}
+
+// SetNegotiatedSerializer sets the NegotiatedSerializer.
+func (cm *ClientManager) SetNegotiatedSerializer(n runtime.NegotiatedSerializer) {
+	cm.negotiatedSerializer = n
+}
+
+// Validate checks if ClientManager is properly set up.
+func (cm *ClientManager) Validate() error {
+	var errs []error
+	if cm.negotiatedSerializer == nil {
+		errs = append(errs, fmt.Errorf("the ClientManager requires a negotiatedSerializer"))
+	}
+	if cm.serviceResolver == nil {
+		errs = append(errs, fmt.Errorf("the ClientManager requires a serviceResolver"))
+	}
+	if cm.authInfoResolver == nil {
+		errs = append(errs, fmt.Errorf("the ClientManager requires an authInfoResolver"))
+	}
+	return utilerrors.NewAggregate(errs)
+}
+
+// HookClient get a RESTClient from the cache, or constructs one based on the
+// webhook configuration.
+func (cm *ClientManager) HookClient(h *v1alpha1.Webhook) (*rest.RESTClient, error) {
+	cacheKey, err := json.Marshal(h.ClientConfig)
+	if err != nil {
+		return nil, err
+	}
+	if client, ok := cm.cache.Get(string(cacheKey)); ok {
+		return client.(*rest.RESTClient), nil
+	}
+
+	complete := func(cfg *rest.Config) (*rest.RESTClient, error) {
+		cfg.TLSClientConfig.CAData = h.ClientConfig.CABundle
+		cfg.ContentConfig.NegotiatedSerializer = cm.negotiatedSerializer
+		cfg.ContentConfig.ContentType = runtime.ContentTypeJSON
+		client, err := rest.UnversionedRESTClientFor(cfg)
+		if err == nil {
+			cm.cache.Add(string(cacheKey), client)
+		}
+		return client, err
+	}
+
+	if svc := h.ClientConfig.Service; svc != nil {
+		serverName := svc.Name + "." + svc.Namespace + ".svc"
+		restConfig, err := cm.authInfoResolver.ClientConfigFor(serverName)
+		if err != nil {
+			return nil, err
+		}
+		cfg := rest.CopyConfig(restConfig)
+		host := serverName + ":443"
+		cfg.Host = "https://" + host
+		if svc.Path != nil {
+			cfg.APIPath = *svc.Path
+		}
+		cfg.TLSClientConfig.ServerName = serverName
+
+		delegateDialer := cfg.Dial
+		if delegateDialer == nil {
+			delegateDialer = net.Dial
+		}
+		cfg.Dial = func(network, addr string) (net.Conn, error) {
+			if addr == host {
+				u, err := cm.serviceResolver.ResolveEndpoint(svc.Namespace, svc.Name)
+				if err != nil {
+					return nil, err
+				}
+				addr = u.Host
+			}
+			return delegateDialer(network, addr)
+		}
+
+		return complete(cfg)
+	}
+
+	if h.ClientConfig.URL == nil {
+		return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: ErrNeedServiceOrURL}
+	}
+
+	u, err := url.Parse(*h.ClientConfig.URL)
+	if err != nil {
+		return nil, &ErrCallingWebhook{WebhookName: h.Name, Reason: fmt.Errorf("Unparsable URL: %v", err)}
+	}
+
+	restConfig, err := cm.authInfoResolver.ClientConfigFor(u.Host)
+	if err != nil {
+		return nil, err
+	}
+
+	cfg := rest.CopyConfig(restConfig)
+	cfg.Host = u.Host
+	cfg.APIPath = u.Path
+
+	return complete(cfg)
+}

pkg/admission/plugin/webhook/config/errors.go

@@ -0,0 +1,34 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+import "fmt"
+
+// ErrCallingWebhook is returned for transport-layer errors calling webhooks. It
+// represents a failure to talk to the webhook, not the webhook rejecting a
+// request.
+type ErrCallingWebhook struct {
+	WebhookName string
+	Reason      error
+}
+
+func (e *ErrCallingWebhook) Error() string {
+	if e.Reason != nil {
+		return fmt.Sprintf("failed calling admission webhook %q: %v", e.WebhookName, e.Reason)
+	}
+	return fmt.Sprintf("failed calling admission webhook %q; no further details available", e.WebhookName)
+}

pkg/admission/plugin/webhook/config.go renamed to pkg/admission/plugin/webhook/config/kubeconfig.go

@@ -14,9 +14,32 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package webhook
+package config
+
+import (
+	"io"
+
+	"k8s.io/apimachinery/pkg/util/yaml"
+)
 
 // AdmissionConfig holds config data that is unique to each API server.
 type AdmissionConfig struct {
+	// KubeConfigFile is the path to the kubeconfig file.
 	KubeConfigFile string `json:"kubeConfigFile"`
 }
+
+// LoadConfig extract the KubeConfigFile from configFile
+func LoadConfig(configFile io.Reader) (string, error) {
+	var kubeconfigFile string
+	if configFile != nil {
+		// TODO: move this to a versioned configuration file format
+		var config AdmissionConfig
+		d := yaml.NewYAMLOrJSONDecoder(configFile, 4096)
+		err := d.Decode(&config)
+		if err != nil {
+			return "", err
+		}
+		kubeconfigFile = config.KubeConfigFile
+	}
+	return kubeconfigFile, nil
+}

pkg/admission/plugin/webhook/serviceresolver.go renamed to pkg/admission/plugin/webhook/config/serviceresolver.go

@@ -14,17 +14,25 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package webhook checks a webhook for configured operation admission
-package webhook
+package config
 
 import (
 	"errors"
 	"fmt"
 	"net/url"
 )
 
+// ServiceResolver knows how to convert a service reference into an actual location.
+type ServiceResolver interface {
+	ResolveEndpoint(namespace, name string) (*url.URL, error)
+}
+
 type defaultServiceResolver struct{}
 
+func NewDefaultServiceResolver() ServiceResolver {
+	return &defaultServiceResolver{}
+}
+
 // ResolveEndpoint constructs a service URL from a given namespace and name
 // note that the name and namespace are required and by default all created addresses use HTTPS scheme.
 // for example:

pkg/admission/plugin/webhook/serviceresolver_test.go renamed to pkg/admission/plugin/webhook/config/serviceresolver_test.go

@@ -14,8 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package webhook checks a webhook for configured operation admission
-package webhook
+package config
 
 import (
 	"fmt"