Restructure webhook code to use Defaulting interfaces and initialization

gbraxton · gbraxton · commit 04a8e802dc18 · 2025-01-21T09:16:42.000-08:00
diff --git a/cmd/main.go b/cmd/main.go
@@ -17,7 +17,6 @@ limitations under the License.
 package main
 
 import (
-	"context"
 	"crypto/tls"
 	"encoding/json"
 	"flag"
@@ -26,8 +25,6 @@ import (
 	"os"
 	"path/filepath"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -146,27 +143,10 @@ func main() {
 	setupLog.Info("setting up pod config injector webhook")
 
 	webhookServer := webhook.NewServer(webhook.Options{
-		TLSOpts: webhookTLSOpts, Port: webhookPort,
-	})
-	cfg := ctrl.GetConfigOrDie()
-	client, err := client.New(cfg, client.Options{})
-	if err != nil {
-		setupLog.Error(err, "error creating client")
-		os.Exit(1)
-	}
-
-	webhookServer.Register("/mutate-v1-pod", &webhook.Admission{
-		Handler: &webhook2.PodConfigInjector{
-			Client:                   client,
-			Log:                      ctrl.Log.WithName("webhooks").WithName("pod-config-injector"),
-			DefaultContainerSelector: &containerSelector,
-		},
+		TLSOpts: webhookTLSOpts,
+		Port:    webhookPort,
 	})
 
-	if err := webhookServer.Start(context.Background()); err != nil {
-		setupLog.Error(err, "error starting webhook server")
-		os.Exit(1)
-	}
 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server.
 	// More info:
 	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server
@@ -232,6 +212,11 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "KconfigBinding")
 		os.Exit(1)
 	}
+
+	if err = webhook2.SetupPodConfigInjectorWithManager(mgr, &containerSelector); err != nil {
+		setupLog.Error(err, "unable to setup pod config injector", "webhook", "Pod")
+		os.Exit(1)
+	}
 	// +kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -5,7 +5,7 @@ metadata:
   name: mutating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
-  - '[v1]'
+  - v1
   clientConfig:
     service:
       name: webhook-service
diff --git a/internal/webhook/pod_injector_webhook.go b/internal/webhook/pod_injector_webhook.go
@@ -17,56 +17,63 @@ package webhook
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"net/http"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sort"
 	"strings"
 
 	"github.com/att-cloudnative-labs/kconfig-controller/api/v1beta1"
-	"github.com/go-logr/logr"
 	v1 "k8s.io/api/core/v1"
 	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
-const (
-	InjectConfigAnnotation       = "kconfigcontroller.atteg.com/inject"
-	ExclusiveEnvConfigAnnotation = "kconfigcontroller.atteg.com/exclusive-env"
-)
+var podConfigInjectorLog = logf.Log.WithName("pod-config-injector")
+
+func SetupPodConfigInjectorWithManager(mgr ctrl.Manager, sel *v12.LabelSelector) error {
+	return ctrl.NewWebhookManagedBy(mgr).For(&v1.Pod{}).
+		WithDefaulter(
+			&PodConfigInjector{
+				Client:                   mgr.GetClient(),
+				DefaultContainerSelector: sel,
+			},
+		).
+		Complete()
+}
 
-// +kubebuilder:webhook:path=/mutate-v1-pod,admissionReviewVersions=[v1],sideEffects=None,mutating=true,failurePolicy=ignore,groups="",resources=pods,verbs=create,versions=v1,name=config-injector.kconfigcontroller.aeg.cloud
+// +kubebuilder:webhook:path=/mutate-v1-pod,mutating=true,failurePolicy=ignore,sideEffects=None,groups="",resources=pods,verbs=create,versions=v1,name=config-injector.kconfigcontroller.aeg.cloud,admissionReviewVersions=v1
 
 type PodConfigInjector struct {
 	Client                   client.Client
-	decoder                  admission.Decoder
-	Log                      logr.Logger
 	DefaultContainerSelector *v12.LabelSelector
 }
 
-func (r *PodConfigInjector) InjectDecoder(d *admission.Decoder) error {
-	r.decoder = *d
-	return nil
-}
+const (
+	InjectConfigAnnotation       = "kconfigcontroller.atteg.com/inject"
+	ExclusiveEnvConfigAnnotation = "kconfigcontroller.atteg.com/exclusive-env"
+)
 
-func (r *PodConfigInjector) Handle(ctx context.Context, req admission.Request) admission.Response {
-	pod := &v1.Pod{}
+var _ webhook.CustomDefaulter = &PodConfigInjector{}
 
-	err := r.decoder.Decode(req, pod)
-	if err != nil {
-		return admission.Errored(http.StatusBadRequest, err)
+func (r *PodConfigInjector) Default(ctx context.Context, obj runtime.Object) error {
+	pod, ok := obj.(*v1.Pod)
+	if !ok {
+		return fmt.Errorf("expected an Pod object but got %T", obj)
 	}
 
 	// only inject into pods with proper annotation
 	if pod.Annotations == nil || strings.ToLower(pod.Annotations[InjectConfigAnnotation]) != "true" {
-		return admission.Allowed("kconfig inject not indicated")
+		podConfigInjectorLog.Info(fmt.Sprintf("skipping %s - not annotated", pod.Name))
+		return nil
 	}
 	// get bindings that select this rs
 	kcbs := v1beta1.KconfigBindingList{}
-	if err := r.Client.List(ctx, &kcbs, client.InNamespace(req.Namespace)); err != nil {
-		return admission.Errored(http.StatusInternalServerError, fmt.Errorf("could not get kconfigbininglist: %s", err.Error()))
+	if err := r.Client.List(ctx, &kcbs, client.InNamespace(pod.Namespace)); err != nil {
+		return fmt.Errorf("could not get kconfigbininglist: %s", err.Error())
 	}
 
 	// cleanup old pod env configs
@@ -78,7 +85,7 @@ func (r *PodConfigInjector) Handle(ctx context.Context, req admission.Request) a
 	for _, kcb := range kcbs.Items {
 		ls, err := v12.LabelSelectorAsSelector(&kcb.Spec.Selector)
 		if err != nil {
-			r.Log.Error(err, fmt.Sprintf("couldn't get selector of kcb: %s", err.Error()))
+			podConfigInjectorLog.Error(err, fmt.Sprintf("couldn't get selector of kcb: %s", err.Error()))
 			continue
 		}
 
@@ -98,7 +105,7 @@ func (r *PodConfigInjector) Handle(ctx context.Context, req admission.Request) a
 			}
 			selector, err := v12.LabelSelectorAsSelector(labelSelector)
 			if err != nil {
-				r.Log.Error(err, fmt.Sprintf("error reading kcb containerSelector: %s", err.Error()))
+				podConfigInjectorLog.Error(err, fmt.Sprintf("error reading kcb containerSelector: %s", err.Error()))
 				continue
 			}
 			if selector.Matches(labelsForContainer) {
@@ -109,11 +116,7 @@ func (r *PodConfigInjector) Handle(ctx context.Context, req admission.Request) a
 			}
 		}
 	}
-	marshaledPod, err := json.Marshal(pod)
-	if err != nil {
-		return admission.Errored(http.StatusInternalServerError, fmt.Errorf("could not marshal pod json: %s", err.Error()))
-	}
-	return admission.PatchResponseFromRaw(req.Object.Raw, marshaledPod)
+	return nil
 }
 
 // ByLevel sort function for sorting array of KconfigBindingSpecs by their level
diff --git a/test/admission-request/sample-admission-request1.json b/test/admission-request/sample-admission-request1.json
@@ -0,0 +1,75 @@
+{
+  "kind": "AdmissionReview",
+  "apiVersion": "admission.k8s.io/v1",
+  "request": {
+    "uid": "12345678-1234-1234-1234-1234567890ab",
+    "kind": {
+      "group": "",
+      "version": "v1",
+      "kind": "Pod"
+    },
+    "resource": {
+      "group": "",
+      "version": "v1",
+      "resource": "pods"
+    },
+    "subResource": "",
+    "requestKind": {
+      "group": "",
+      "version": "v1",
+      "kind": "Pod"
+    },
+    "requestResource": {
+      "group": "",
+      "version": "v1",
+      "resource": "pods"
+    },
+    "requestSubResource": "",
+    "name": "example-pod",
+    "namespace": "sandbox-george",
+    "operation": "CREATE",
+    "userInfo": {
+      "username": "system:serviceaccount:kube-system:default",
+      "uid": "abcd1234-5678-90ef-ghij-klmnopqrstuv",
+      "groups": [
+        "system:serviceaccounts",
+        "system:serviceaccounts:kube-system",
+        "system:authenticated"
+      ]
+    },
+    "object": {
+      "apiVersion": "v1",
+      "kind": "Pod",
+      "metadata": {
+        "name": "example-pod",
+        "namespace": "sandbox-george",
+        "labels": {
+          "app": "okpipeline"
+        },
+        "annotations": {
+          "kconfigcontroller.atteg.com/inject": "true"
+        }
+      },
+      "spec": {
+        "containers": [
+          {
+            "name": "okpipeline",
+            "image": "nginx:1.19",
+            "ports": [
+              {
+                "containerPort": 80
+              }
+            ]
+          }
+        ]
+      }
+    },
+    "oldObject": null,
+    "dryRun": false,
+    "options": {
+      "apiVersion": "meta.k8s.io/v1",
+      "kind": "CreateOptions"
+    }
+  }
+}
+
