From 21f631acbcf91aec0598e72d8f9a06e1a3b377fe Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Mon, 12 Jun 2023 14:00:01 +0200
Subject: [PATCH] set the controller options

Signed-off-by: Hector Fernandez
---
 cmd/policy_webhook/main.go | 183 ------------------------------------
 cmd/webhook/main.go | 32 +++++++
 go.mod | 2 +-
 go.sum | 4 +-
 4 files changed, 35 insertions(+), 186 deletions(-)
 delete mode 100644 cmd/policy_webhook/main.go

diff --git a/cmd/policy_webhook/main.go b/cmd/policy_webhook/main.go
deleted file mode 100644
index 7039e6c4c..000000000
--- a/cmd/policy_webhook/main.go
+++ /dev/null
@@ -1,183 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
- "context"
- "flag"
- "log"
- "time"
-
- "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/apimachinery/pkg/util/sets"
- "knative.dev/pkg/configmap"
- "knative.dev/pkg/controller"
- "knative.dev/pkg/injection/sharedmain"
- "knative.dev/pkg/logging"
- "knative.dev/pkg/signals"
- "knative.dev/pkg/webhook"
- "knative.dev/pkg/webhook/certificates"
- "knative.dev/pkg/webhook/resourcesemantics"
- "knative.dev/pkg/webhook/resourcesemantics/conversion"
- "knative.dev/pkg/webhook/resourcesemantics/defaulting"
- "knative.dev/pkg/webhook/resourcesemantics/validation"
- "sigs.k8s.io/release-utils/version"
-
- "github.com/sigstore/policy-controller/pkg/apis/policy"
- "github.com/sigstore/policy-controller/pkg/apis/policy/common"
- "github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
- "github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1"
- "github.com/sigstore/policy-controller/pkg/config"
- "github.com/sigstore/policy-controller/pkg/reconciler/clusterimagepolicy"
- "github.com/sigstore/policy-controller/pkg/reconciler/trustroot"
-
- // Register the provider-specific plugins
- _ "github.com/sigstore/sigstore/pkg/signature/kms/aws"
- _ "github.com/sigstore/sigstore/pkg/signature/kms/azure"
- _ "github.com/sigstore/sigstore/pkg/signature/kms/gcp"
- _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
-)
-
-var (
- // mutatingWebhookName holds the name of the mutating webhook configuration
- // resource dispatching admission requests to policy-webhook.
- // It is also the name of the webhook which is injected by the controller
- // with the resource types, namespace selectors, CABindle and service path.
- // If this changes, you must also change:
- // ./config/501-policy-webhook-configurations.yaml
- // https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
- mutatingWebhookName = flag.String("mutating-webhook-name", "defaulting.clusterimagepolicy.sigstore.dev", "The name of the mutating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
- // validatingWebhookName holds the name of the validating webhook configuration
- // resource dispatching admission requests to policy-webhook.
- // It is also the name of the webhook which is injected by the controller
- // with the resource types, namespace selectors, CABindle and service path.
- // If this changes, you must also change:
- // ./config/501-policy-webhook-configurations.yaml
- // https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
- validatingWebhookName = flag.String("validating-webhook-name", "validating.clusterimagepolicy.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
-
- // policyResyncPeriod holds the interval which ClusterImagePolicies will resync
- // This is essential for triggering a reconcile update for potentially stale KMS authorities.
- policyResyncPeriod = flag.String("policy-resync-period", "10h", "The resync period for ClusterImagePolicies. The default is 10h.")
-)
-
-var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
- // v1alpha1
- v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
- v1alpha1.SchemeGroupVersion.WithKind("TrustRoot"): &v1alpha1.TrustRoot{},
- // v1beta1
- v1beta1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1beta1.ClusterImagePolicy{},
-}
-
-func main() {
- opts := webhook.Options{
- ServiceName: "policy-webhook",
- Port: 8443,
- SecretName: "policy-webhook-certs",
- }
- ctx := webhook.WithOptions(signals.NewContext(), opts)
-
- // Allow folks to configure the port the webhook serves on.
- flag.IntVar(&opts.Port, "secure-port", opts.Port, "The port on which to serve HTTPS.")
-
- flag.Parse()
-
- if duration, err := time.ParseDuration(*policyResyncPeriod); err != nil {
- logging.FromContext(ctx).Panicf("Failed to parse --policy-resync-period '%s' : %v", *policyResyncPeriod, err)
- } else {
- ctx = clusterimagepolicy.ToContext(ctx, duration)
- }
-
- // This must match the set of resources we configure in
- // cmd/webhook/main.go in the "types" map.
- common.ValidResourceNames = sets.NewString("replicasets", "deployments",
- "pods", "cronjobs", "jobs", "statefulsets", "daemonsets")
-
- v := version.GetVersionInfo()
- vJSON, _ := v.JSONString()
- log.Printf("%v", vJSON)
- // This calls flag.Parse()
- sharedmain.MainWithContext(ctx, "clusterimagepolicy",
- certificates.NewController,
- trustroot.NewController,
- clusterimagepolicy.NewController,
- NewPolicyValidatingAdmissionController,
- NewPolicyMutatingAdmissionController,
- newConversionController,
- )
-}
-
-func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
- store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
- store.WatchConfigs(cmw)
- policyControllerConfigStore := config.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
- policyControllerConfigStore.WatchConfigs(cmw)
-
- return validation.NewAdmissionController(
- ctx,
- *validatingWebhookName,
- "/validating",
- types,
- func(ctx context.Context) context.Context {
- ctx = policyControllerConfigStore.ToContext(ctx)
- return ctx
- },
- true,
- )
-}
-
-func NewPolicyMutatingAdmissionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
- return defaulting.NewAdmissionController(
- ctx,
- *mutatingWebhookName,
- "/defaulting",
- types,
- func(ctx context.Context) context.Context {
- return ctx
- },
- true,
- )
-}
-
-func newConversionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
- // nolint: revive
- var (
- v1alpha1GroupVersion = v1alpha1.SchemeGroupVersion.Version
- v1beta1GroupVersion = v1beta1.SchemeGroupVersion.Version
- )
-
- return conversion.NewConversionController(ctx,
- // The path on which to serve the webhook
- "/resource-conversion",
-
- // Specify the types of custom resource definitions that should be converted
- map[schema.GroupKind]conversion.GroupKindConversion{
- v1beta1.Kind("ClusterImagePolicy"): {
- DefinitionName: policy.ClusterImagePolicyResource.String(),
- HubVersion: v1alpha1GroupVersion,
- Zygotes: map[string]conversion.ConvertibleObject{
- v1alpha1GroupVersion: &v1alpha1.ClusterImagePolicy{},
- v1beta1GroupVersion: &v1beta1.ClusterImagePolicy{},
- },
- },
- },
-
- // A function that infuses the context passed to ConvertTo/ConvertFrom/SetDefaults with custom metadata
- func(ctx context.Context) context.Context {
- return ctx
- },
- )
-}
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
index 15df0bbac..6889858e8 100644
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -18,6 +18,7 @@ package main
 import (
 "context"
 "flag"
+ "fmt"
 "log"
 "os"
 "time"
@@ -223,6 +224,14 @@ func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher
 policyControllerConfigStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
 policyControllerConfigStore.WatchConfigs(cmw)
 
+ logger := logging.FromContext(ctx)
+ woptions := webhook.GetOptions(ctx)
+ woptions.ControllerOptions = &controller.ControllerOptions{
+ WorkQueueName: fmt.Sprintf("%s-%s", *webhookName, "validating"),
+ Logger: logger.Named(*webhookName),
+ }
+ ctx = webhook.WithOptions(ctx, *woptions)
+
 kc := kubeclient.Get(ctx)
 validator := cwebhook.NewValidator(ctx)
 
@@ -259,6 +268,13 @@ func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher
 
 func NewMutatingAdmissionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
 kc := kubeclient.Get(ctx)
+ logger := logging.FromContext(ctx)
+ woptions := webhook.GetOptions(ctx)
+ woptions.ControllerOptions = &controller.ControllerOptions{
+ WorkQueueName: fmt.Sprintf("%s-%s", *webhookName, "mutating"),
+ Logger: logger.Named(*webhookName),
+ }
+ ctx = webhook.WithOptions(ctx, *woptions)
 validator := cwebhook.NewValidator(ctx)
 
 return defaulting.NewAdmissionController(ctx,
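Review bot: In NewValidatingAdmissionController the assignment `woptions.ControllerOptions = &controller.ControllerOptions{...}` writes through the pointer that `webhook.GetOptions(ctx)` returns, so it mutates the Options value stored in the parent context instead of a private copy; as far as I can tell sharedmain hands the same ctx to every constructor, so each one overwrites the previous ControllerOptions and the last queue name and logger stay in the shared options for anything that reads them afterwards. Take the value first, `wopts := *webhook.GetOptions(ctx)`, set `wopts.ControllerOptions`, and pass `wopts` to `webhook.WithOptions`. GetOptions returns nil when no Options were placed in the context, so the dereference also panics for any caller that builds these controllers without going through main, which is outside this hunk. The same pattern recurs in NewMutatingAdmissionController directly below and in the two NewPolicy* hunks that follow.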
@@ -292,6 +308,14 @@ func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.W
 store.WatchConfigs(cmw)
 policyControllerConfigStore := config.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
 policyControllerConfigStore.WatchConfigs(cmw)
+ logger := logging.FromContext(ctx)
+
+ woptions := webhook.GetOptions(ctx)
+ woptions.ControllerOptions = &controller.ControllerOptions{
+ WorkQueueName: *validatingCIPWebhookName,
+ Logger: logger.Named(*validatingCIPWebhookName),
+ }
+ ctx = webhook.WithOptions(ctx, *woptions)
 
 return validation.NewAdmissionController(
 ctx,
@@ -307,6 +331,14 @@ func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.W
 }
 
 func NewPolicyMutatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+ woptions := webhook.GetOptions(ctx)
+ logger := logging.FromContext(ctx)
+ woptions.ControllerOptions = &controller.ControllerOptions{
+ WorkQueueName: *mutatingCIPWebhookName,
+ Logger: logger.Named(*mutatingCIPWebhookName),
+ }
+ ctx = webhook.WithOptions(ctx, *woptions)
+
 return defaulting.NewAdmissionController(
 ctx,
 *mutatingCIPWebhookName,
diff --git a/go.mod b/go.mod
index 68312e852..1a5cbac9f 100644
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,7 @@ require (
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3
 knative.dev/hack/schema v0.0.0-20221024013916-9d2ae47c16b2
- knative.dev/pkg v0.0.0-20230525143525-9bda38b21643
+ knative.dev/pkg v0.0.0-20230612083802-15605c78a270
 sigs.k8s.io/release-utils v0.7.4
 sigs.k8s.io/yaml v1.3.0
 )
diff --git a/go.sum b/go.sum
index bdd4d26fd..6acbf5568 100644
--- a/go.sum
+++ b/go.sum
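Review bot: The same options block is pasted into four constructors with the statement order varying between sites (`logger` is taken before `woptions` here but after it in NewPolicyMutatingAdmissionController), and the two cmd/webhook sites name the logger `*webhookName` for both the validating and mutating controllers while giving them distinct queue names, so both controllers share one logger name. A small helper taking the queue and logger names reduces each call site to one line, e.g. `ctx = withControllerOptions(ctx, *validatingCIPWebhookName, *validatingCIPWebhookName)`, and keeps the naming consistent across all four. Both enclosing functions continue past the hunk.
```go
// withControllerOptions returns a child context whose webhook Options carry
// ControllerOptions naming the work queue and logger of one admission controller.
// The Options are copied by value so the parent context's Options stay untouched.
func withControllerOptions(ctx context.Context, queueName, loggerName string) context.Context {
	wopts := *webhook.GetOptions(ctx)
	wopts.ControllerOptions = &controller.ControllerOptions{
		WorkQueueName: queueName,
		Logger:        logging.FromContext(ctx).Named(loggerName),
	}
	return webhook.WithOptions(ctx, wopts)
}
```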
@@ -1399,8 +1399,8 @@ knative.dev/hack v0.0.0-20230417170854-f591fea109b3 h1:+W4WBOq83tfGXKhtv8OB/uJeY
 knative.dev/hack v0.0.0-20230417170854-f591fea109b3/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/hack/schema v0.0.0-20221024013916-9d2ae47c16b2 h1:X3EYiEmuqxiVSOPG1CsuRO+QUA956BvUw79A6oXrrs0=
 knative.dev/hack/schema v0.0.0-20221024013916-9d2ae47c16b2/go.mod h1:GeIb+PLd5mllawcpHEGF5J5fYTQrvgEO5liao8lUKUs=
-knative.dev/pkg v0.0.0-20230525143525-9bda38b21643 h1:DoGHeW3ckr509v87NcYSSuRHEnxKIxyJxWrrDO/71CY=
-knative.dev/pkg v0.0.0-20230525143525-9bda38b21643/go.mod h1:dqC6IrvyBE7E+oZocs5PkVhq1G59pDTA7r8U17EAKMk=
+knative.dev/pkg v0.0.0-20230612083802-15605c78a270 h1:lJkZy+MQA1zPRuBUWabkiCwWE/dqxf8WFwqMxz6ePfE=
+knative.dev/pkg v0.0.0-20230612083802-15605c78a270/go.mod h1:dqC6IrvyBE7E+oZocs5PkVhq1G59pDTA7r8U17EAKMk=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=