✨ Pass webhook logger to handler via context

timebertt · timebertt · commit ff6768dad589 · 2022-08-10T11:43:09.000+02:00
diff --git a/examples/builtins/mutatingwebhook.go b/examples/builtins/mutatingwebhook.go
@@ -22,7 +22,9 @@ import (
 	"net/http"
 
 	corev1 "k8s.io/api/core/v1"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
@@ -36,8 +38,10 @@ type podAnnotator struct {
 
 // podAnnotator adds an annotation to every incoming pods.
 func (a *podAnnotator) Handle(ctx context.Context, req admission.Request) admission.Response {
-	pod := &corev1.Pod{}
+	// set up a convenient log object so we don't have to type request over and over again
+	log := logf.FromContext(ctx)
 
+	pod := &corev1.Pod{}
 	err := a.decoder.Decode(req, pod)
 	if err != nil {
 		return admission.Errored(http.StatusBadRequest, err)
@@ -52,6 +56,7 @@ func (a *podAnnotator) Handle(ctx context.Context, req admission.Request) admiss
 	if err != nil {
 		return admission.Errored(http.StatusInternalServerError, err)
 	}
+	log.Info("Annotating Pod")
 
 	return admission.PatchResponseFromRaw(req.Object.Raw, marshaledPod)
 }
diff --git a/examples/builtins/validatingwebhook.go b/examples/builtins/validatingwebhook.go
@@ -22,7 +22,9 @@ import (
 	"net/http"
 
 	corev1 "k8s.io/api/core/v1"
+
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
@@ -36,13 +38,17 @@ type podValidator struct {
 
 // podValidator admits a pod if a specific annotation exists.
 func (v *podValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
-	pod := &corev1.Pod{}
+	// set up a convenient log object so we don't have to type request over and over again
+	log := logf.FromContext(ctx)
 
+	pod := &corev1.Pod{}
 	err := v.decoder.Decode(req, pod)
 	if err != nil {
 		return admission.Errored(http.StatusBadRequest, err)
 	}
 
+	log.Info("Validating Pod")
+
 	key := "example-mutating-admission-webhook"
 	anno, found := pod.Annotations[key]
 	if !found {
diff --git a/pkg/webhook/admission/defaulter_test.go b/pkg/webhook/admission/defaulter_test.go
@@ -10,13 +10,16 @@ import (
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
 )
 
 var _ = Describe("Defaulter Handler", func() {
 
 	It("should return ok if received delete verb in defaulter handler", func() {
 		obj := &TestDefaulter{}
 		handler := DefaultingWebhookFor(obj)
+		Expect(inject.LoggerInto(log, handler)).To(BeTrue())
 
 		resp := handler.Handle(context.TODO(), Request{
 			AdmissionRequest: admissionv1.AdmissionRequest{
diff --git a/pkg/webhook/admission/http.go b/pkg/webhook/admission/http.go
@@ -52,15 +52,15 @@ func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	var reviewResponse Response
 	if r.Body == nil {
 		err = errors.New("request body is empty")
-		wh.log.Error(err, "bad request")
+		wh.getLogger(nil).Error(err, "bad request")
 		reviewResponse = Errored(http.StatusBadRequest, err)
 		wh.writeResponse(w, reviewResponse)
 		return
 	}
 
 	defer r.Body.Close()
 	if body, err = io.ReadAll(r.Body); err != nil {
-		wh.log.Error(err, "unable to read the body from the incoming request")
+		wh.getLogger(nil).Error(err, "unable to read the body from the incoming request")
 		reviewResponse = Errored(http.StatusBadRequest, err)
 		wh.writeResponse(w, reviewResponse)
 		return
@@ -69,7 +69,7 @@ func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// verify the content type is accurate
 	if contentType := r.Header.Get("Content-Type"); contentType != "application/json" {
 		err = fmt.Errorf("contentType=%s, expected application/json", contentType)
-		wh.log.Error(err, "unable to process a request with an unknown content type", "content type", contentType)
+		wh.getLogger(nil).Error(err, "unable to process a request with an unknown content type", "content type", contentType)
 		reviewResponse = Errored(http.StatusBadRequest, err)
 		wh.writeResponse(w, reviewResponse)
 		return
@@ -88,12 +88,12 @@ func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	ar.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("AdmissionReview"))
 	_, actualAdmRevGVK, err := admissionCodecs.UniversalDeserializer().Decode(body, nil, &ar)
 	if err != nil {
-		wh.log.Error(err, "unable to decode the request")
+		wh.getLogger(nil).Error(err, "unable to decode the request")
 		reviewResponse = Errored(http.StatusBadRequest, err)
 		wh.writeResponse(w, reviewResponse)
 		return
 	}
-	wh.log.V(1).Info("received request", "UID", req.UID, "kind", req.Kind, "resource", req.Resource)
+	wh.getLogger(nil).V(1).Info("received request", "UID", req.UID, "kind", req.Kind, "resource", req.Resource)
 
 	reviewResponse = wh.Handle(ctx, req)
 	wh.writeResponseTyped(w, reviewResponse, actualAdmRevGVK)
@@ -124,19 +124,19 @@ func (wh *Webhook) writeResponseTyped(w io.Writer, response Response, admRevGVK
 // writeAdmissionResponse writes ar to w.
 func (wh *Webhook) writeAdmissionResponse(w io.Writer, ar v1.AdmissionReview) {
 	if err := json.NewEncoder(w).Encode(ar); err != nil {
-		wh.log.Error(err, "unable to encode and write the response")
+		wh.getLogger(nil).Error(err, "unable to encode and write the response")
 		// Since the `ar v1.AdmissionReview` is a clear and legal object,
 		// it should not have problem to be marshalled into bytes.
 		// The error here is probably caused by the abnormal HTTP connection,
 		// e.g., broken pipe, so we can only write the error response once,
 		// to avoid endless circular calling.
 		serverError := Errored(http.StatusInternalServerError, err)
 		if err = json.NewEncoder(w).Encode(v1.AdmissionReview{Response: &serverError.AdmissionResponse}); err != nil {
-			wh.log.Error(err, "still unable to encode and write the InternalServerError response")
+			wh.getLogger(nil).Error(err, "still unable to encode and write the InternalServerError response")
 		}
 	} else {
 		res := ar.Response
-		if log := wh.log; log.V(1).Enabled() {
+		if log := wh.getLogger(nil); log.V(1).Enabled() {
 			if res.Result != nil {
 				log = log.WithValues("code", res.Result.Code, "reason", res.Result.Reason)
 			}
diff --git a/pkg/webhook/admission/webhook.go b/pkg/webhook/admission/webhook.go
@@ -23,15 +23,17 @@ import (
 	"net/http"
 
 	"github.com/go-logr/logr"
-	jsonpatch "gomodules.xyz/jsonpatch/v2"
+	"gomodules.xyz/jsonpatch/v2"
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/json"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/klog/v2"
 
-	logf "sigs.k8s.io/controller-runtime/pkg/internal/log"
+	internallog "sigs.k8s.io/controller-runtime/pkg/internal/log"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics"
 )
@@ -131,6 +133,12 @@ type Webhook struct {
 	// headers thus allowing you to read them from within the handler
 	WithContextFunc func(context.Context, *http.Request) context.Context
 
+	// LogConstructor is used to construct a logger for logging messages during webhook calls
+	// based on the given base logger (which might carry more values like the webhook's path).
+	// Note: LogConstructor has to be able to handle nil requests as we are also using it
+	// outside the context of requests.
+	LogConstructor func(base logr.Logger, req *Request) logr.Logger
+
 	// decoder is constructed on receiving a scheme and passed down to then handler
 	decoder *Decoder
 
@@ -166,15 +174,38 @@ func (wh *Webhook) Handle(ctx context.Context, req Request) (response Response)
 		}()
 	}
 
+	reqLog := wh.getLogger(&req)
+	reqLog = reqLog.WithValues("requestID", req.UID)
+	ctx = logf.IntoContext(ctx, reqLog)
+
 	resp := wh.Handler.Handle(ctx, req)
 	if err := resp.Complete(req); err != nil {
-		wh.log.Error(err, "unable to encode response")
+		reqLog.Error(err, "unable to encode response")
 		return Errored(http.StatusInternalServerError, errUnableToEncodeResponse)
 	}
 
 	return resp
 }
 
+// getLogger constructs a logger from the injected log and LogConstructor.
+func (wh *Webhook) getLogger(req *Request) logr.Logger {
+	logConstructor := wh.LogConstructor
+	if logConstructor == nil {
+		logConstructor = DefaultLogConstructor
+	}
+	return logConstructor(wh.log, req)
+}
+
+// DefaultLogConstructor adds some commonly interesting fields to the given logger.
+func DefaultLogConstructor(base logr.Logger, req *Request) logr.Logger {
+	if req != nil {
+		return base.WithValues("object", klog.KRef(req.Namespace, req.Name),
+			"resource", req.Resource, "user", req.UserInfo.Username,
+		)
+	}
+	return base
+}
+
 // InjectScheme injects a scheme into the webhook, in order to construct a Decoder.
 func (wh *Webhook) InjectScheme(s *runtime.Scheme) error {
 	// TODO(directxman12): we should have a better way to pass this down
@@ -267,7 +298,7 @@ func StandaloneWebhook(hook *Webhook, opts StandaloneOptions) (http.Handler, err
 	}
 
 	if opts.Logger.GetSink() == nil {
-		opts.Logger = logf.RuntimeLog.WithName("webhook")
+		opts.Logger = internallog.RuntimeLog.WithName("webhook")
 	}
 	hook.log = opts.Logger
 
diff --git a/pkg/webhook/admission/webhook_test.go b/pkg/webhook/admission/webhook_test.go
@@ -18,22 +18,37 @@ package admission
 
 import (
 	"context"
+	"io"
 	"net/http"
 
+	"github.com/go-logr/logr"
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
-
-	jsonpatch "gomodules.xyz/jsonpatch/v2"
+	"github.com/onsi/gomega/gbytes"
+	"gomodules.xyz/jsonpatch/v2"
 	admissionv1 "k8s.io/api/admission/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	machinerytypes "k8s.io/apimachinery/pkg/types"
 
-	logf "sigs.k8s.io/controller-runtime/pkg/internal/log"
+	internallog "sigs.k8s.io/controller-runtime/pkg/internal/log"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
 )
 
 var _ = Describe("Admission Webhooks", func() {
+	var (
+		logBuffer  *gbytes.Buffer
+		testLogger logr.Logger
+	)
+
+	BeforeEach(func() {
+		logBuffer = gbytes.NewBuffer()
+		testLogger = zap.New(zap.JSONEncoder(), zap.WriteTo(io.MultiWriter(logBuffer, GinkgoWriter)))
+	})
+
 	allowHandler := func() *Webhook {
 		handler := &fakeHandler{
 			fn: func(ctx context.Context, req Request) Response {
@@ -46,7 +61,7 @@ var _ = Describe("Admission Webhooks", func() {
 		}
 		webhook := &Webhook{
 			Handler: handler,
-			log:     logf.RuntimeLog.WithName("webhook"),
+			log:     internallog.RuntimeLog.WithName("webhook"),
 		}
 
 		return webhook
@@ -96,7 +111,7 @@ var _ = Describe("Admission Webhooks", func() {
 					},
 				}
 			}),
-			log: logf.RuntimeLog.WithName("webhook"),
+			log: internallog.RuntimeLog.WithName("webhook"),
 		}
 
 		By("invoking the webhook")
@@ -113,7 +128,7 @@ var _ = Describe("Admission Webhooks", func() {
 			Handler: HandlerFunc(func(ctx context.Context, req Request) Response {
 				return Patched("", jsonpatch.Operation{Operation: "add", Path: "/a", Value: 2}, jsonpatch.Operation{Operation: "replace", Path: "/b", Value: 4})
 			}),
-			log: logf.RuntimeLog.WithName("webhook"),
+			log: internallog.RuntimeLog.WithName("webhook"),
 		}
 
 		By("invoking the webhook")
@@ -125,6 +140,70 @@ var _ = Describe("Admission Webhooks", func() {
 		Expect(resp.Patch).To(Equal([]byte(`[{"op":"add","path":"/a","value":2},{"op":"replace","path":"/b","value":4}]`)))
 	})
 
+	It("should pass a request logger via the context", func() {
+		By("setting up a webhook that uses the request logger")
+		webhook := &Webhook{
+			Handler: HandlerFunc(func(ctx context.Context, req Request) Response {
+				logf.FromContext(ctx).Info("Received request")
+
+				return Response{
+					AdmissionResponse: admissionv1.AdmissionResponse{
+						Allowed: true,
+					},
+				}
+			}),
+			log: testLogger,
+		}
+
+		By("invoking the webhook")
+		resp := webhook.Handle(context.Background(), Request{AdmissionRequest: admissionv1.AdmissionRequest{
+			UID:       "test123",
+			Name:      "foo",
+			Namespace: "bar",
+			Resource: metav1.GroupVersionResource{
+				Group:    "apps",
+				Version:  "v1",
+				Resource: "deployments",
+			},
+			UserInfo: authenticationv1.UserInfo{
+				Username: "tim",
+			},
+		}})
+		Expect(resp.Allowed).To(BeTrue())
+
+		By("checking that the log message contains the request fields")
+		Eventually(logBuffer).Should(gbytes.Say(`"msg":"Received request","object":{"name":"foo","namespace":"bar"},"resource":{"group":"apps","version":"v1","resource":"deployments"},"user":"tim","requestID":"test123"}`))
+	})
+
+	It("should pass a request logger created by LogConstructor via the context", func() {
+		By("setting up a webhook that uses the request logger")
+		webhook := &Webhook{
+			Handler: HandlerFunc(func(ctx context.Context, req Request) Response {
+				logf.FromContext(ctx).Info("Received request")
+
+				return Response{
+					AdmissionResponse: admissionv1.AdmissionResponse{
+						Allowed: true,
+					},
+				}
+			}),
+			LogConstructor: func(base logr.Logger, req *Request) logr.Logger {
+				return base.WithValues("operation", req.Operation)
+			},
+			log: testLogger,
+		}
+
+		By("invoking the webhook")
+		resp := webhook.Handle(context.Background(), Request{AdmissionRequest: admissionv1.AdmissionRequest{
+			UID:       "test123",
+			Operation: admissionv1.Create,
+		}})
+		Expect(resp.Allowed).To(BeTrue())
+
+		By("checking that the log message contains the request fields")
+		Eventually(logBuffer).Should(gbytes.Say(`"msg":"Received request","operation":"CREATE","requestID":"test123"}`))
+	})
+
 	Describe("dependency injection", func() {
 		It("should set dependencies passed in on the handler", func() {
 			By("setting up a webhook and injecting it with a injection func that injects a string")
@@ -139,7 +218,7 @@ var _ = Describe("Admission Webhooks", func() {
 			handler := &fakeHandler{}
 			webhook := &Webhook{
 				Handler: handler,
-				log:     logf.RuntimeLog.WithName("webhook"),
+				log:     internallog.RuntimeLog.WithName("webhook"),
 			}
 			Expect(setFields(webhook)).To(Succeed())
 			Expect(inject.InjectorInto(setFields, webhook)).To(BeTrue())
@@ -159,7 +238,7 @@ var _ = Describe("Admission Webhooks", func() {
 			handler := &fakeHandler{}
 			webhook := &Webhook{
 				Handler: handler,
-				log:     logf.RuntimeLog.WithName("webhook"),
+				log:     internallog.RuntimeLog.WithName("webhook"),
 			}
 			Expect(setFields(webhook)).To(Succeed())
 			Expect(inject.InjectorInto(setFields, webhook)).To(BeTrue())
@@ -204,7 +283,7 @@ var _ = Describe("Admission Webhooks", func() {
 				webhook := &Webhook{
 					Handler:      handler,
 					RecoverPanic: true,
-					log:          logf.RuntimeLog.WithName("webhook"),
+					log:          internallog.RuntimeLog.WithName("webhook"),
 				}
 
 				return webhook
@@ -231,7 +310,7 @@ var _ = Describe("Admission Webhooks", func() {
 				}
 				webhook := &Webhook{
 					Handler: handler,
-					log:     logf.RuntimeLog.WithName("webhook"),
+					log:     internallog.RuntimeLog.WithName("webhook"),
 				}
 
 				return webhook
