restructure certwriter and certprovisioner packages

Author: Mengqi Yu

pkg/webhook/bootstrap.go

@@ -17,11 +17,12 @@ limitations under the License.
 package webhook
 
 import (
-	"bytes"
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"path"
 
 	"github.com/ghodss/yaml"
@@ -35,14 +36,15 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/internal/cert"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/internal/cert/generator"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/internal/cert/writer"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/types"
 )
 
 // setDefault does defaulting for the Server.
 func (s *Server) setDefault() {
 	if len(s.Name) == 0 {
-		s.Name = "default-admission-server"
+		s.Name = "default-k8s-webhook-server"
 	}
 	if s.registry == nil {
 		s.registry = map[string]Webhook{}
@@ -54,7 +56,10 @@ func (s *Server) setDefault() {
 		s.Port = 443
 	}
 	if len(s.CertDir) == 0 {
-		s.CertDir = path.Join("admission-server", "cert")
+		s.CertDir = path.Join("k8s-webhook-server", "cert")
+	}
+	if s.KVMap == nil {
+		s.KVMap = map[string]interface{}{}
 	}
 	s.setBootstrappingDefault()
 }
@@ -76,89 +81,125 @@ func (s *Server) setBootstrappingDefault() {
 	if s.Service != nil && s.Port != 443 {
 		s.Port = 443
 	}
-	if s.CertProvisioner == nil {
-		s.CertProvisioner = &cert.Provisioner{
-			Client: s.Client,
-		}
+	if s.certProvisioner == nil {
+		s.certProvisioner = &cert.Provisioner{}
+	}
+	if s.CertGenerator == nil {
+		s.CertGenerator = &generator.SelfSignedCertGenerator{}
+	}
+	if s.Writer == nil {
+		s.Writer = os.Stdout
 	}
 }
 
 // bootstrap returns the configuration of admissionWebhookConfiguration in yaml format if dryrun is true.
 // Otherwise, it creates the the admissionWebhookConfiguration objects and service if any.
 // It also provisions the certificate for your admission server.
-func (s *Server) bootstrap(dryrun bool) ([]byte, error) {
+func (s *Server) bootstrap(dryrun bool) error {
+	// do defaulting if necessary
 	s.once.Do(s.setDefault)
 
 	var err error
 	s.mutatingWebhookConfig, err = s.mutatingWHConfigs()
 	if err != nil {
-		return nil, err
-	}
-	err = s.CertProvisioner.Sync(s.mutatingWebhookConfig)
-	if err != nil {
-		return nil, err
+		return err
 	}
 
 	s.validatingWebhookConfig, err = s.validatingWHConfigs()
 	if err != nil {
-		return nil, err
+		return err
 	}
-	err = s.CertProvisioner.Sync(s.validatingWebhookConfig)
-	if err != nil {
-		return nil, err
+
+	cc, err := s.clientConfig()
+
+	s.certProvisioner = &cert.Provisioner{
+		ClientConfig:  cc,
+		CertGenerator: s.CertGenerator,
+	}
+
+	if s.Secret != nil {
+		s.certWriter, err = writer.NewSecretCertWriter(
+			writer.SecretCertWriterOptions{
+				Secret: s.Secret,
+			})
+	} else {
+		s.certWriter, err = writer.NewFSCertWriter(
+			writer.FSCertWriterOptions{
+				Path: s.CertDir,
+			})
 	}
+	// Provision the cert by creating new one or refreshing existing one.
+	s.certProvisioner.Provision(false)
+	// Inject the cert into MutatingWebhookConfiguration, ValidatingWebhookConfiguration and ConversionWebhook
+	s.certProvisioner.Inject(s.mutatingWebhookConfig, s.validatingWebhookConfig)
 
 	svc := s.service()
 
-	// if dryrun, return the AdmissionWebhookConfiguration in yaml format.
 	if dryrun {
-		return s.genYamlConfig([]runtime.Object{s.mutatingWebhookConfig, s.validatingWebhookConfig, svc})
+		// TODO: print here
+		// if dryrun, return the AdmissionWebhookConfiguration in yaml format.
+		s.genYamlConfig([]runtime.Object{s.mutatingWebhookConfig, s.validatingWebhookConfig, svc})
+		return nil
 	}
 
 	if s.Client == nil {
-		return nil, errors.New("client needs to be set for bootstrapping")
+		return errors.New("client needs to be set for bootstrapping")
 	}
 
-	err = createOrReplace(s.Client, svc, func(current, desired runtime.Object) error {
-		typedC := current.(*corev1.Service)
-		typedD := desired.(*corev1.Service)
-		typedC.Spec.Selector = typedD.Spec.Selector
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
+	objects := []runtime.Object{s.mutatingWebhookConfig, s.validatingWebhookConfig, svc}
 
-	err = createOrReplace(s.Client, s.mutatingWebhookConfig, func(current, desired runtime.Object) error {
-		typedC := current.(*admissionregistration.MutatingWebhookConfiguration)
-		typedD := desired.(*admissionregistration.MutatingWebhookConfiguration)
-		typedC.Webhooks = typedD.Webhooks
-		return nil
-	})
-	if err != nil {
-		return nil, err
+	for _, obj := range objects {
+		err = createOrReplace(s.Client, obj)
+		if err != nil {
+			return err
+		}
 	}
+	return nil
+}
 
-	err = createOrReplace(s.Client, s.validatingWebhookConfig, func(current, desired runtime.Object) error {
-		typedC := current.(*admissionregistration.ValidatingWebhookConfiguration)
-		typedD := desired.(*admissionregistration.ValidatingWebhookConfiguration)
-		typedC.Webhooks = typedD.Webhooks
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
+type mutateFn func(current, desired runtime.Object) error
 
-	return nil, nil
+var serviceFn = func(current, desired runtime.Object) error {
+	typedC := current.(*corev1.Service)
+	typedD := desired.(*corev1.Service)
+	typedC.Spec.Selector = typedD.Spec.Selector
+	return nil
 }
 
-type mutateFn func(current, desired runtime.Object) error
+var mutatingWebhookConfigFn = func(current, desired runtime.Object) error {
+	typedC := current.(*admissionregistration.MutatingWebhookConfiguration)
+	typedD := desired.(*admissionregistration.MutatingWebhookConfiguration)
+	typedC.Webhooks = typedD.Webhooks
+	return nil
+}
+
+var validatingWebhookConfigFn = func(current, desired runtime.Object) error {
+	typedC := current.(*admissionregistration.ValidatingWebhookConfiguration)
+	typedD := desired.(*admissionregistration.ValidatingWebhookConfiguration)
+	typedC.Webhooks = typedD.Webhooks
+	return nil
+}
 
 // createOrReplace creates the object if it doesn't exist;
 // otherwise, it will replace it.
-// When replacing, fn knows how to preserve existing fields in the object GET from the APIServer.
+// When replacing, it knows how to preserve existing fields in the object GET from the APIServer.
+func createOrReplace(c client.Client, obj runtime.Object) error {
+	switch obj.(type) {
+	case *admissionregistration.MutatingWebhookConfiguration:
+		return createOrReplaceHelper(c, obj, mutatingWebhookConfigFn)
+	case *admissionregistration.ValidatingWebhookConfiguration:
+		return createOrReplaceHelper(c, obj, validatingWebhookConfigFn)
+	case *corev1.Service:
+		return createOrReplaceHelper(c, obj, serviceFn)
+	}
+	return nil
+}
+
+// createOrReplaceHelper creates the object if it doesn't exist;
+// otherwise, it will replace it.
+// When replacing, fn  should know how to preserve existing fields in the object GET from the APIServer.
 // TODO: use the helper in #98 when it merges.
-func createOrReplace(c client.Client, obj runtime.Object, fn mutateFn) error {
+func createOrReplaceHelper(c client.Client, obj runtime.Object, fn mutateFn) error {
 	if obj == nil {
 		return nil
 	}
@@ -183,59 +224,31 @@ func createOrReplace(c client.Client, obj runtime.Object, fn mutateFn) error {
 	return err
 }
 
-// genYamlConfig generates yaml config for runtime.Object
-func (s *Server) genYamlConfig(objs []runtime.Object) ([]byte, error) {
-	var buf bytes.Buffer
-	firstObject := true
-	for _, awc := range objs {
-		if !firstObject {
-			_, err := buf.WriteString("---")
-			if err != nil {
-				return nil, err
-			}
-		}
-		firstObject = false
-		b, err := yaml.Marshal(awc)
+// genYamlConfig generates yaml config for admissionWebhookConfiguration
+func (s *Server) genYamlConfig(objs []runtime.Object) error {
+	for _, obj := range objs {
+		_, err := s.Writer.Write([]byte("---"))
 		if err != nil {
-			return nil, err
+			return err
 		}
-		_, err = buf.Write(b)
+		b, err := yaml.Marshal(obj)
 		if err != nil {
-			return nil, err
-		}
-	}
-	return buf.Bytes(), nil
-}
-
-func (s *Server) annotations(t types.WebhookType) map[string]string {
-	anno := map[string]string{}
-	for _, webhook := range s.registry {
-		if webhook.GetType() != t {
-			continue
+			return err
 		}
-		if s.Secret != nil {
-			key := writer.SecretCertProvisionAnnotationKeyPrefix + webhook.GetName()
-			anno[key] = s.Secret.String()
-		} else {
-			key := writer.FSCertProvisionAnnotationKeyPrefix + webhook.GetName()
-			anno[key] = s.CertDir
+		_, err = s.Writer.Write(b)
+		if err != nil {
+			return err
 		}
 	}
-	return anno
-}
-
-type webhookClientConfig struct {
-	*admissionregistration.WebhookClientConfig
+	return nil
 }
 
-func (s *Server) clientConfig() (*webhookClientConfig, error) {
+func (s *Server) clientConfig() (*admissionregistration.WebhookClientConfig, error) {
 	if s.Host != nil && s.Service != nil {
 		return nil, errors.New("URL and Service can't be set at the same time")
 	}
-	cc := &webhookClientConfig{
-		WebhookClientConfig: &admissionregistration.WebhookClientConfig{
-			CABundle: []byte{},
-		},
+	cc := &admissionregistration.WebhookClientConfig{
+		CABundle: []byte{},
 	}
 	if s.Host != nil {
 		u := url.URL{
@@ -255,18 +268,26 @@ func (s *Server) clientConfig() (*webhookClientConfig, error) {
 	return cc, nil
 }
 
-func (w *webhookClientConfig) withPath(path string) error {
-	if w.URL != nil {
-		u, err := url.Parse(*w.URL)
+func (s *Server) clientConfigWithPath(path string) (*admissionregistration.WebhookClientConfig, error) {
+	cc, err := s.clientConfig()
+	if err != nil {
+		return nil, err
+	}
+	return cc, setPath(cc, path)
+}
+
+func setPath(cc *admissionregistration.WebhookClientConfig, path string) error {
+	if cc.URL != nil {
+		u, err := url.Parse(*cc.URL)
 		if err != nil {
 			return err
 		}
 		u.Path = path
 		urlString := u.String()
-		w.URL = &urlString
+		cc.URL = &urlString
 	}
-	if w.Service != nil {
-		w.Service.Path = &path
+	if cc.Service != nil {
+		cc.Service.Path = &path
 	}
 	return nil
 }
@@ -285,19 +306,22 @@ func (s *Server) mutatingWHConfigs() (runtime.Object, error) {
 		if err != nil {
 			return nil, err
 		}
+		cc, err := s.clientConfigWithPath(path)
+		if err != nil {
+			return nil, err
+		}
+		wh.ClientConfig = *cc
 		mutatingWebhooks = append(mutatingWebhooks, *wh)
-
 	}
 
 	if len(mutatingWebhooks) > 0 {
 		return &admissionregistration.MutatingWebhookConfiguration{
 			TypeMeta: metav1.TypeMeta{
-				APIVersion: "admissionregistration.k8s.io/v1beta1",
+				APIVersion: fmt.Sprintf("%s/%s", admissionregistration.GroupName, "v1beta1"),
 				Kind:       "MutatingWebhookConfiguration",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Name:        s.MutatingWebhookConfigName,
-				Annotations: s.annotations(types.WebhookTypeMutating),
+				Name: s.MutatingWebhookConfigName,
 			},
 			Webhooks: mutatingWebhooks,
 		}, nil
@@ -318,18 +342,22 @@ func (s *Server) validatingWHConfigs() (runtime.Object, error) {
 		if err != nil {
 			return nil, err
 		}
+		cc, err := s.clientConfigWithPath(path)
+		if err != nil {
+			return nil, err
+		}
+		wh.ClientConfig = *cc
 		validatingWebhooks = append(validatingWebhooks, *wh)
 	}
 
 	if len(validatingWebhooks) > 0 {
 		return &admissionregistration.ValidatingWebhookConfiguration{
 			TypeMeta: metav1.TypeMeta{
-				APIVersion: "admissionregistration.k8s.io/v1beta1",
+				APIVersion: fmt.Sprintf("%s/%s", admissionregistration.GroupName, "v1beta1"),
 				Kind:       "ValidatingWebhookConfiguration",
 			},
 			ObjectMeta: metav1.ObjectMeta{
-				Name:        s.ValidatingWebhookConfigName,
-				Annotations: s.annotations(types.WebhookTypeValidating),
+				Name: s.ValidatingWebhookConfigName,
 			},
 			Webhooks: validatingWebhooks,
 		}, nil
@@ -353,11 +381,11 @@ func (s *Server) admissionWebhook(path string, wh *admission.Webhook) (*admissio
 	if err != nil {
 		return nil, err
 	}
-	err = cc.withPath(path)
+	err = setPath(cc, path)
 	if err != nil {
 		return nil, err
 	}
-	webhook.ClientConfig = *cc.WebhookClientConfig
+	webhook.ClientConfig = *cc
 	return webhook, nil
 }