Bump kubernetes to 1.16.5 and knative/pkg to release-0.12

cmd/webhook/main.go

@@ -18,110 +18,119 @@ package main
 
 import (
  "context"
- "flag"
- "log"
  "os"
 
- apiconfig "github.com/tektoncd/pipeline/pkg/apis/config"
+ defaultconfig "github.com/tektoncd/pipeline/pkg/apis/config"
  "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
  "github.com/tektoncd/pipeline/pkg/contexts"
- tklogging "github.com/tektoncd/pipeline/pkg/logging"
- "github.com/tektoncd/pipeline/pkg/system"
- "go.uber.org/zap"
  "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/client-go/kubernetes"
- "k8s.io/client-go/rest"
  "knative.dev/pkg/configmap"
+ "knative.dev/pkg/controller"
+ "knative.dev/pkg/injection/sharedmain"
  "knative.dev/pkg/logging"
- "knative.dev/pkg/logging/logkey"
  "knative.dev/pkg/signals"
  "knative.dev/pkg/webhook"
+ "knative.dev/pkg/webhook/certificates"
+ "knative.dev/pkg/webhook/configmaps"
+ "knative.dev/pkg/webhook/resourcesemantics"
+ "knative.dev/pkg/webhook/resourcesemantics/defaulting"
+ "knative.dev/pkg/webhook/resourcesemantics/validation"
 )
 
-// WebhookLogKey is the name of the logger for the webhook cmd
-const WebhookLogKey = "webhook"
+var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+ v1alpha1.SchemeGroupVersion.WithKind("Pipeline"): &v1alpha1.Pipeline{},
+ v1alpha1.SchemeGroupVersion.WithKind("Task"): &v1alpha1.Task{},
+ v1alpha1.SchemeGroupVersion.WithKind("ClusterTask"): &v1alpha1.ClusterTask{},
+ v1alpha1.SchemeGroupVersion.WithKind("TaskRun"): &v1alpha1.TaskRun{},
+ v1alpha1.SchemeGroupVersion.WithKind("PipelineRun"): &v1alpha1.PipelineRun{},
+ v1alpha1.SchemeGroupVersion.WithKind("Condition"): &v1alpha1.Condition{},
+ v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &v1alpha1.PipelineResource{},
+}
 
-func main() {
- flag.Parse()
- cm, err := configmap.Load("/etc/config-logging")
- if err != nil {
- log.Fatalf("Error loading logging configuration: %v", err)
- }
- config, err := logging.NewConfigFromMap(cm)
- if err != nil {
- log.Fatalf("Error parsing logging configuration: %v", err)
- }
- logger, atomicLevel := logging.NewLoggerFromConfig(config, WebhookLogKey)
- defer func() {
- _ = logger.Sync()
- }()
- logger = logger.With(zap.String(logkey.ControllerType, "webhook"))
+func NewDefaultingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+ // Decorate contexts with the current state of the config.
+ store := defaultconfig.NewStore(logging.FromContext(ctx).Named("config-store"))
+ store.WatchConfigs(cmw)
 
- logger.Info("Starting the Configuration Webhook")
+ return defaulting.NewAdmissionController(ctx,
 
- // set up signals so we handle the first shutdown signal gracefully
- stopCh := signals.SetupSignalHandler()
+  // Name of the resource webhook.
+  "webhook.pipeline.tekton.dev",
 
- clusterConfig, err := rest.InClusterConfig()
- if err != nil {
- logger.Fatal("Failed to get in cluster config", zap.Error(err))
- }
+ // The path on which to serve the webhook.
+ "/defaulting",
 
- kubeClient, err := kubernetes.NewForConfig(clusterConfig)
- if err != nil {
- logger.Fatal("Failed to get the client set", zap.Error(err))
- }
- // Watch the logging config map and dynamically update logging levels.
- configMapWatcher := configmap.NewInformedWatcher(kubeClient, system.GetNamespace())
- configMapWatcher.Watch(tklogging.ConfigName, logging.UpdateLevelFromConfigMap(logger, atomicLevel, WebhookLogKey))
+ // The resources to validate and default.
+ types,
 
- store := apiconfig.NewStore(logger.Named("config-store"))
- store.WatchConfigs(configMapWatcher)
+ // A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+ func(ctx context.Context) context.Context {
+ // FIXME(vdemeester) uncomment that for auto-conversion
+ // return v1alpha2.WithUpgradeViaDefaulting(store.ToContext(ctx))
+ return contexts.WithDefaultConfigurationName(store.ToContext(ctx))
+ },
 
- if err = configMapWatcher.Start(stopCh); err != nil {
- logger.Fatalf("failed to start configuration manager: %v", err)
- }
+ // Whether to disallow unknown fields.
+ true,
+ )
+}
 
- serviceName := os.Getenv("WEBHOOK_SERVICE_NAME")
- if serviceName == "" {
- serviceName = "tekton-pipelines-webhook"
- }
+func NewValidationAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+ return validation.NewAdmissionController(ctx,
 
- options := webhook.ControllerOptions{
- ServiceName: serviceName,
- DeploymentName: serviceName,
- Namespace: system.GetNamespace(),
- Port: 8443,
- SecretName: "webhook-certs",
- WebhookName: "webhook.tekton.dev",
- ResourceAdmissionControllerPath: "/",
- }
- resourceHandlers := map[schema.GroupVersionKind]webhook.GenericCRD{
- v1alpha1.SchemeGroupVersion.WithKind("Pipeline"): &v1alpha1.Pipeline{},
- v1alpha1.SchemeGroupVersion.WithKind("Task"): &v1alpha1.Task{},
- v1alpha1.SchemeGroupVersion.WithKind("ClusterTask"): &v1alpha1.ClusterTask{},
- v1alpha1.SchemeGroupVersion.WithKind("TaskRun"): &v1alpha1.TaskRun{},
- v1alpha1.SchemeGroupVersion.WithKind("PipelineRun"): &v1alpha1.PipelineRun{},
- v1alpha1.SchemeGroupVersion.WithKind("Condition"): &v1alpha1.Condition{},
- v1alpha1.SchemeGroupVersion.WithKind("PipelineResource"): &v1alpha1.PipelineResource{},
- }
+ // Name of the resource webhook.
+ "validation.webhook.pipeline.tekton.dev",
 
- resourceAdmissionController := webhook.NewResourceAdmissionController(resourceHandlers, options, true)
- admissionControllers := map[string]webhook.AdmissionController{
- options.ResourceAdmissionControllerPath: resourceAdmissionController,
- }
+ // The path on which to serve the webhook.
+ "/resource-validation",
 
- // Decorate contexts with the current state of the config.
- ctxFunc := func(ctx context.Context) context.Context {
- return contexts.WithDefaultConfigurationName(store.ToContext(ctx))
- }
+ // The resources to validate and default.
+ types,
 
- controller, err := webhook.New(kubeClient, options, admissionControllers, logger, ctxFunc)
- if err != nil {
- logger.Fatal("Error creating admission controller", zap.Error(err))
- }
+ // A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+ func(ctx context.Context) context.Context {
+ return ctx
+ },
+
+ // Whether to disallow unknown fields.
+ true,
+ )
+}
+
+func NewConfigValidationController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+ return configmaps.NewAdmissionController(ctx,
+
+ // Name of the configmap webhook.
+ "config.webhook.pipeline.tekton.dev",
+
+ // The path on which to serve the webhook.
+ "/config-validation",
 
- if err := controller.Run(stopCh); err != nil {
- logger.Fatal("Error running admission controller", zap.Error(err))
+ // The configmaps to validate.
+ configmap.Constructors{
+ logging.ConfigMapName(): logging.NewConfigFromConfigMap,
+ defaultconfig.DefaultsConfigName: defaultconfig.NewDefaultsFromConfigMap,
+ },
+ )
+}
+
+func main() {
+ serviceName := os.Getenv("WEBHOOK_SERVICE_NAME")
+ if serviceName == "" {
+ serviceName = "tekton-pipelines-webhook"
  }
+
+ // Set up a signal context with our webhook options
+ ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+ ServiceName: serviceName,
+ Port: 8443,
+ SecretName: "webhook-certs",
+ })
+
+ sharedmain.MainWithContext(ctx, "webhook",
+ certificates.NewController,
+ NewDefaultingAdmissionController,
+ NewValidationAdmissionController,
+ NewConfigValidationController,
+ )
 }

config/200-clusterrole.yaml

@@ -13,7 +13,7 @@ rules:
  resources: ["deployments/finalizers"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
- resources: ["mutatingwebhookconfigurations"]
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
  - apiGroups: ["tekton.dev"]
  resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "pipelineresources", "conditions"]

config/500-webhooks.yaml

@@ -0,0 +1,120 @@
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: webhook-certs
+ namespace: tekton-pipelines
+ labels:
+ pipeline.tekton.dev/release: devel
+# The data is populated at install time.
+
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: validation.webhook.pipeline.tekton.dev
+ labels:
+ pipeline.tekton.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: validation.webhook.pipeline.tekton.dev
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: webhook.pipeline.tekton.dev
+ labels:
+ pipeline.tekton.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: webhook.pipeline.tekton.dev
+---
+# Copyright 2020 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: config.webhook.pipeline.tekton.dev
+ labels:
+ pipeline.tekton.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ service:
+ name: tekton-pipelines-webhook
+ namespace: tekton-pipelines
+ failurePolicy: Fail
+ sideEffects: None
+ name: config.webhook.pipeline.tekton.dev
+ namespaceSelector:
+ matchExpressions:
+ - key: pipeline.tekton.dev/release
+ operator: Exists