Split apart defaulting and validation webhooks

Related: knative/pkg#848

cmd/webhook/main.go

@@ -30,6 +30,8 @@ import (
 	"knative.dev/pkg/webhook/certificates"
 	"knative.dev/pkg/webhook/configmaps"
 	"knative.dev/pkg/webhook/resourcesemantics"
+	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
+	"knative.dev/pkg/webhook/resourcesemantics/validation"
 
 	// resource validation types
 	autoscalingv1alpha1 "knative.dev/serving/pkg/apis/autoscaling/v1alpha1"
@@ -51,49 +53,74 @@ import (
 	domainconfig "knative.dev/serving/pkg/reconciler/route/config"
 )
 
-func NewResourceAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+	v1alpha1.SchemeGroupVersion.WithKind("Revision"):      &v1alpha1.Revision{},
+	v1alpha1.SchemeGroupVersion.WithKind("Configuration"): &v1alpha1.Configuration{},
+	v1alpha1.SchemeGroupVersion.WithKind("Route"):         &v1alpha1.Route{},
+	v1alpha1.SchemeGroupVersion.WithKind("Service"):       &v1alpha1.Service{},
+	v1beta1.SchemeGroupVersion.WithKind("Revision"):       &v1beta1.Revision{},
+	v1beta1.SchemeGroupVersion.WithKind("Configuration"):  &v1beta1.Configuration{},
+	v1beta1.SchemeGroupVersion.WithKind("Route"):          &v1beta1.Route{},
+	v1beta1.SchemeGroupVersion.WithKind("Service"):        &v1beta1.Service{},
+	v1.SchemeGroupVersion.WithKind("Revision"):            &v1.Revision{},
+	v1.SchemeGroupVersion.WithKind("Configuration"):       &v1.Configuration{},
+	v1.SchemeGroupVersion.WithKind("Route"):               &v1.Route{},
+	v1.SchemeGroupVersion.WithKind("Service"):             &v1.Service{},
+
+	autoscalingv1alpha1.SchemeGroupVersion.WithKind("PodAutoscaler"): &autoscalingv1alpha1.PodAutoscaler{},
+	autoscalingv1alpha1.SchemeGroupVersion.WithKind("Metric"):        &autoscalingv1alpha1.Metric{},
+
+	net.SchemeGroupVersion.WithKind("Certificate"):       &net.Certificate{},
+	net.SchemeGroupVersion.WithKind("Ingress"):           &net.Ingress{},
+	net.SchemeGroupVersion.WithKind("ServerlessService"): &net.ServerlessService{},
+}
+
+func NewDefaultingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
 	// Decorate contexts with the current state of the config.
 	store := defaultconfig.NewStore(logging.FromContext(ctx).Named("config-store"))
 	store.WatchConfigs(cmw)
-	ctxFunc := func(ctx context.Context) context.Context {
-		return v1.WithUpgradeViaDefaulting(store.ToContext(ctx))
-	}
 
-	return resourcesemantics.NewAdmissionController(ctx,
+	return defaulting.NewAdmissionController(ctx,
 
 		// Name of the resource webhook.
-		// TODO(mattmoor): This can be changed after 0.10, once the lifecycle of
-		// this object is not managed by OwnerReferences.
 		"webhook.serving.knative.dev",
 
 		// The path on which to serve the webhook.
+		// TODO(mattmoor): This can be changed after 0.11 once
+		// we have release reconciliation-based webhooks.
 		"/",
 
 		// The resources to validate and default.
-		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
-			v1alpha1.SchemeGroupVersion.WithKind("Revision"):      &v1alpha1.Revision{},
-			v1alpha1.SchemeGroupVersion.WithKind("Configuration"): &v1alpha1.Configuration{},
-			v1alpha1.SchemeGroupVersion.WithKind("Route"):         &v1alpha1.Route{},
-			v1alpha1.SchemeGroupVersion.WithKind("Service"):       &v1alpha1.Service{},
-			v1beta1.SchemeGroupVersion.WithKind("Revision"):       &v1beta1.Revision{},
-			v1beta1.SchemeGroupVersion.WithKind("Configuration"):  &v1beta1.Configuration{},
-			v1beta1.SchemeGroupVersion.WithKind("Route"):          &v1beta1.Route{},
-			v1beta1.SchemeGroupVersion.WithKind("Service"):        &v1beta1.Service{},
-			v1.SchemeGroupVersion.WithKind("Revision"):            &v1.Revision{},
-			v1.SchemeGroupVersion.WithKind("Configuration"):       &v1.Configuration{},
-			v1.SchemeGroupVersion.WithKind("Route"):               &v1.Route{},
-			v1.SchemeGroupVersion.WithKind("Service"):             &v1.Service{},
-
-			autoscalingv1alpha1.SchemeGroupVersion.WithKind("PodAutoscaler"): &autoscalingv1alpha1.PodAutoscaler{},
-			autoscalingv1alpha1.SchemeGroupVersion.WithKind("Metric"):        &autoscalingv1alpha1.Metric{},
-
-			net.SchemeGroupVersion.WithKind("Certificate"):       &net.Certificate{},
-			net.SchemeGroupVersion.WithKind("Ingress"):           &net.Ingress{},
-			net.SchemeGroupVersion.WithKind("ServerlessService"): &net.ServerlessService{},
+		types,
+
+		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+		func(ctx context.Context) context.Context {
+			return v1.WithUpgradeViaDefaulting(store.ToContext(ctx))
 		},
 
+		// Whether to disallow unknown fields.
+		true,
+	)
+}
+
+func NewValidationAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	return validation.NewAdmissionController(ctx,
+
+		// Name of the resource webhook.
+		"validation.webhook.serving.knative.dev",
+
+		// The path on which to serve the webhook.
+		// TODO(mattmoor): This can be changed after 0.11 once
+		// we have release reconciliation-based webhooks.
+		"/",
+
+		// The resources to validate and default.
+		types,
+
 		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
-		ctxFunc,
+		func(ctx context.Context) context.Context {
+			return ctx
+		},
 
 		// Whether to disallow unknown fields.
 		true,
@@ -136,7 +163,8 @@ func main() {
 
 	sharedmain.MainWithContext(ctx, "webhook",
 		certificates.NewController,
-		NewResourceAdmissionController,
+		NewDefaultingAdmissionController,
+		NewValidationAdmissionController,
 		NewConfigValidationController,
 	)
 }

config/500-webhook-configuration.yaml

@@ -30,6 +30,22 @@ webhooks:
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
+metadata:
+  name: validation.webhook.serving.knative.dev
+  labels:
+    serving.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+  - v1beta1
+  clientConfig:
+    service:
+      name: webhook
+      namespace: knative-serving
+  failurePolicy: Fail
+  name: validation.webhook.serving.knative.dev
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
 metadata:
   name: config.webhook.serving.knative.dev
   labels:

vendor/knative.dev/pkg/OWNERS_ALIASES

@@ -2,12 +2,10 @@ aliases:
   pkg-approvers:
   - evankanderson
   - mattmoor
-  - vaikas-google
   - vaikas
 
   apis-approvers:
   - mattmoor
-  - vaikas-google
   - vaikas
   - n3wscott
 
@@ -16,12 +14,6 @@ aliases:
 
   apis-duck-approvers:
   - mattmoor
-  - vaikas-google
-  - vaikas
-
-  cloudevents-approvers:
-  - n3wscott
-  - vaikas-google
   - vaikas
 
   configmap-approvers:
@@ -68,7 +60,6 @@ aliases:
 
   source-approvers:
   - n3wscott
-  - vaikas-google
   - vaikas
 
   webhook-approvers:

vendor/knative.dev/pkg/RELEASING.md

@@ -88,3 +88,13 @@ their own release branches, so to update the `knative/pkg` dependency we run:
 dep ensure -update knative.dev/pkg
 ./hack/update-deps.sh
 ```
+
+## Revert to Master
+
+Post release, reverse the process. `Gopkg.toml` should look like:
+
+```toml
+[[override]]
+  name = "knative.dev/pkg"
+  branch = "master"
+```

vendor/knative.dev/pkg/apis/condition_types.go

@@ -55,7 +55,6 @@ const (
 // Conditions defines a readiness condition for a Knative resource.
 // See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties
 // +k8s:deepcopy-gen=true
-// +k8s:openapi-gen=true
 type Condition struct {
 	// Type of condition.
 	// +required

vendor/knative.dev/pkg/apis/duck/v1/destination.go

@@ -0,0 +1,93 @@
+/*
+Copyright 2019 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	"knative.dev/pkg/apis"
+)
+
+// Destination represents a target of an invocation over HTTP.
+type Destination struct {
+	// Ref points to an Addressable.
+	// +optional
+	Ref *corev1.ObjectReference `json:"ref,omitempty"`
+
+	// URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.
+	// +optional
+	URI *apis.URL `json:"uri,omitempty"`
+}
+
+func (dest *Destination) Validate(ctx context.Context) *apis.FieldError {
+	if dest == nil {
+		return nil
+	}
+	return ValidateDestination(*dest).ViaField(apis.CurrentField)
+}
+
+// ValidateDestination validates Destination.
+func ValidateDestination(dest Destination) *apis.FieldError {
+	var ref *corev1.ObjectReference
+	if dest.Ref != nil {
+		ref = dest.Ref
+	}
+	if ref == nil && dest.URI == nil {
+		return apis.ErrGeneric("expected at least one, got none", "ref", "uri")
+	}
+
+	if ref != nil && dest.URI != nil && dest.URI.URL().IsAbs() {
+		return apis.ErrGeneric("Absolute URI is not allowed when Ref or [apiVersion, kind, name] is present", "[apiVersion, kind, name]", "ref", "uri")
+	}
+	// IsAbs() check whether the URL has a non-empty scheme. Besides the non-empty scheme, we also require dest.URI has a non-empty host
+	if ref == nil && dest.URI != nil && (!dest.URI.URL().IsAbs() || dest.URI.Host == "") {
+		return apis.ErrInvalidValue("Relative URI is not allowed when Ref and [apiVersion, kind, name] is absent", "uri")
+	}
+	if ref != nil && dest.URI == nil {
+		if dest.Ref != nil {
+			return validateDestinationRef(*ref).ViaField("ref")
+		}
+	}
+	return nil
+}
+
+// GetRef gets the ObjectReference from this Destination, if one is present. If no ref is present,
+// then nil is returned.
+func (dest *Destination) GetRef() *corev1.ObjectReference {
+	if dest == nil {
+		return nil
+	}
+	return dest.Ref
+}
+
+func validateDestinationRef(ref corev1.ObjectReference) *apis.FieldError {
+	// Check the object.
+	var errs *apis.FieldError
+	// Required Fields
+	if ref.Name == "" {
+		errs = errs.Also(apis.ErrMissingField("name"))
+	}
+	if ref.APIVersion == "" {
+		errs = errs.Also(apis.ErrMissingField("apiVersion"))
+	}
+	if ref.Kind == "" {
+		errs = errs.Also(apis.ErrMissingField("kind"))
+	}
+
+	return errs
+}

vendor/knative.dev/pkg/apis/duck/v1/source_types.go

@@ -25,7 +25,6 @@ import (
 
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/apis/duck"
-	apisv1alpha1 "knative.dev/pkg/apis/v1alpha1"
 )
 
 // Source is an Implementable "duck type".
@@ -51,7 +50,7 @@ type Source struct {
 type SourceSpec struct {
 	// Sink is a reference to an object that will resolve to a domain name or a
 	// URI directly to use as the sink.
-	Sink apisv1alpha1.Destination `json:"sink,omitempty"`
+	Sink Destination `json:"sink,omitempty"`
 
 	// CloudEventOverrides defines overrides to control the output format and
 	// modifications of the event sent to the sink.
@@ -117,7 +116,7 @@ func (*Source) GetFullType() duck.Populatable {
 
 // Populate implements duck.Populatable
 func (s *Source) Populate() {
-	s.Spec.Sink = apisv1alpha1.Destination{
+	s.Spec.Sink = Destination{
 		URI: &apis.URL{
 			Scheme:   "https",
 			Host:     "tableflip.dev",

vendor/knative.dev/pkg/apis/duck/v1/status_types.go

@@ -36,7 +36,6 @@ var _ duck.Implementable = (*Conditions)(nil)
 
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +k8s:openapi-gen=true
 
 // KResource is a skeleton type wrapping Conditions in the manner we expect
 // resource writers defining compatible resources to embed it.  We will