Add PrometheusSource webhook
Fixes: #1111

* Add validation and default webhook for prometheus source.
MIBc committed May 16, 2020
1 parent 7480cf5 commit 8954435
Showing 11 changed files with 553 additions and 0 deletions.
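--- a/prometheus/cmd/webhook/main.go
+++ b/prometheus/cmd/webhook/main.go
@@ -0,0 +1,105 @@
+/*
+Copyright 2020 The Knative Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+"context"
+
+"k8s.io/apimachinery/pkg/runtime/schema"
+sourcev1alpha1 "knative.dev/eventing-contrib/prometheus/pkg/apis/sources/v1alpha1"
+"knative.dev/eventing/pkg/logconfig"
+"knative.dev/pkg/configmap"
+"knative.dev/pkg/controller"
+"knative.dev/pkg/injection/sharedmain"
+"knative.dev/pkg/signals"
+"knative.dev/pkg/webhook"
+"knative.dev/pkg/webhook/certificates"
+"knative.dev/pkg/webhook/resourcesemantics"
+"knative.dev/pkg/webhook/resourcesemantics/defaulting"
+"knative.dev/pkg/webhook/resourcesemantics/validation"
+)
+
+var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+sourcev1alpha1.SchemeGroupVersion.WithKind("PrometheusSource"): &sourcev1alpha1.PrometheusSource{},
+}
+
+var callbacks = map[schema.GroupVersionKind]validation.Callback{}
+
+func NewDefaultingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+return defaulting.NewAdmissionController(ctx,
+
+// Name of the resource webhook.
+"defaulting.webhook.prometheus.sources.knative.dev",
+
+// The path on which to serve the webhook.
+"/defaulting",
+
+// The resources to validate and default.
+types,
+
+// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+func(ctx context.Context) context.Context {
+// Here is where you would infuse the context with state
+// (e.g. attach a store with configmap data)
+return ctx
+},
+
+// Whether to disallow unknown fields.
+true,
+)
+}
+
+func NewValidationAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+return validation.NewAdmissionController(ctx,
+
+// Name of the resource webhook.
+"validation.webhook.prometheus.sources.knative.dev",
+
+// The path on which to serve the webhook.
+"/resource-validation",
+
+// The resources to validate and default.
+types,
+
+// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+func(ctx context.Context) context.Context {
+// Here is where you would infuse the context with state
+// (e.g. attach a store with configmap data)
+return ctx
+},
+
+// Whether to disallow unknown fields.
+true,
+
+// Extra validating callbacks to be applied to resources.
+callbacks,
+)
+}
+
+func main() {
+ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
+ServiceName: logconfig.WebhookName(),
+Port: 8443,
+SecretName: "prometheus-source-webhook-certs",
+})
+
+sharedmain.WebhookMainWithContext(ctx, logconfig.WebhookName(),
+certificates.NewController,
+NewDefaultingAdmissionController,
+NewValidationAdmissionController,
+)
+}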
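Review bot: The webhook name strings passed to `defaulting.NewAdmissionController` and `validation.NewAdmissionController`, and the `SecretName` in `main`, have to stay identical to the object names in `prometheus/config/500-webhook-config.yaml` and `500-webhook.yaml`, but no comment says so. I would extend the existing comments, e.g. `// Name of the resource webhook; must match metadata.name of the MutatingWebhookConfiguration in config/500-webhook-config.yaml.`, with the equivalent wording on the validation name and on `SecretName`. Both configurations use `failurePolicy: Fail`, so a drift between code and manifests would presumably leave the webhook unregistered or PrometheusSource writes rejected, which makes the coupling worth documenting. The two exported constructors also lack doc comments, and the unused `cmw` parameter could be named `_`.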
10 changes: 10 additions & 0 deletions prometheus/config/200-serviceaccount.yaml
Expand Up @@ -17,3 +17,13 @@ kind: ServiceAccount
metadata:
name: prometheus-controller-manager
namespace: knative-sources

---

apiVersion: v1
kind: ServiceAccount
metadata:
name: prometheus-source-webhook
namespace: knative-sources
labels:
contrib.eventing.knative.dev/release: devel
16 changes: 16 additions & 0 deletions prometheus/config/202-clusterrolebinding.yaml
Expand Up @@ -42,3 +42,19 @@ roleRef:
kind: ClusterRole
name: addressable-resolver

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: eventing-sources-prometheus-webhook
labels:
contrib.eventing.knative.dev/release: devel
subjects:
- kind: ServiceAccount
name: prometheus-source-webhook
namespace: knative-sources
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: prometheus-source-webhook
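--- a/prometheus/config/203-webhook-clusterrole.yaml
+++ b/prometheus/config/203-webhook-clusterrole.yaml
@@ -0,0 +1,122 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: prometheus-source-webhook
+labels:
+contrib.eventing.knative.dev/release: devel
+rules:
+# Sources admin
+- apiGroups:
+- sources.knative.dev
+resources:
+- prometheussources
+verbs: &everything
+- get
+- list
+- watch
+- create
+- update
+- patch
+- delete
+
+# Sources finalizer
+- apiGroups:
+- sources.knative.dev
+resources:
+- prometheussources/finalizers
+verbs: *everything
+
+# Source statuses update
+- apiGroups:
+- sources.knative.dev
+resources:
+- prometheussources/status
+verbs:
+- get
+- update
+- patch
+
+# Deployments admin
+- apiGroups:
+- apps
+resources:
+- deployments
+verbs: *everything
+
+# Knative Services admin
+- apiGroups:
+- serving.knative.dev
+resources:
+- services
+verbs: *everything
+
+# Secrets read
+- apiGroups:
+- ""
+resources:
+- secrets
+- services
+verbs:
+- get
+- list
+- watch
+
+# Namespace labelling for webhook
+- apiGroups:
+- ""
+resources:
+- namespaces
+verbs:
+- get
+- list
+- watch
+- patch
+
+# Events admin
+- apiGroups:
+- ""
+resources:
+- events
+- configmaps
+verbs: *everything
+
+# EventTypes admin
+- apiGroups:
+- eventing.knative.dev
+resources:
+- eventtypes
+verbs: *everything
+
+# For manipulating certs into secrets.
+- apiGroups:
+- ""
+resources:
+- "secrets"
+verbs:
+- "get"
+- "create"
+- "update"
+- "list"
+- "watch"
+
+# For actually registering our webhook.
+- apiGroups:
+- "admissionregistration.k8s.io"
+resources:
+- "mutatingwebhookconfigurations"
+- "validatingwebhookconfigurations"
+verbs: *everything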
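Review bot: This ClusterRole grants the webhook far more than `cmd/webhook/main.go` appears to use: the `*everything` rules on `deployments`, Knative `services`, `eventtypes`, `events`/`configmaps` and `prometheussources` look copied from the controller's role, while the binary only starts the certificates controller and the two admission controllers. Because `202-clusterrolebinding.yaml` attaches it with a ClusterRoleBinding, the two `secrets` rules together give the `prometheus-source-webhook` ServiceAccount get/list/watch/create/update on Secrets in every namespace. I would drop the controller-style rules, merge the duplicated `secrets` rules, and, if the certificate controller's informer can be scoped to one namespace (not visible here), move Secret access into a `Role`/`RoleBinding` in `knative-sources`. The `*everything` grant on `mutatingwebhookconfigurations` and `validatingwebhookconfigurations` also includes `create` and `delete`, which looks unnecessary given that both objects ship in `500-webhook-config.yaml`; confirm which verbs the reconciler needs and list only those.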
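--- a/prometheus/config/500-webhook-config.yaml
+++ b/prometheus/config/500-webhook-config.yaml
@@ -0,0 +1,45 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+name: defaulting.webhook.prometheus.sources.knative.dev
+labels:
+contrib.eventing.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+- v1beta1
+clientConfig:
+service:
+name: prometheus-source-webhook
+namespace: knative-sources
+failurePolicy: Fail
+name: defaulting.webhook.prometheus.sources.knative.dev
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: validation.webhook.prometheus.sources.knative.dev
+labels:
+contrib.eventing.knative.dev/release: devel
+webhooks:
+- admissionReviewVersions:
+- v1beta1
+clientConfig:
+service:
+name: prometheus-source-webhook
+namespace: knative-sources
+failurePolicy: Fail
+name: validation.webhook.prometheus.sources.knative.dev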
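Review bot: Neither webhook entry declares `sideEffects`, so under `admissionregistration.k8s.io/v1beta1` both default to `Unknown`, and dry-run requests that match the webhook are rejected unless the reconciler sets the field at runtime (not visible here). The handlers registered in `cmd/webhook/main.go` only default and validate, so `sideEffects: None` on both entries looks correct. The entries also carry no `rules` or `caBundle`; presumably the webhook fills them in at startup, and a comment such as `# rules and caBundle are populated by the webhook at startup` would make that explicit. With `failurePolicy: Fail`, the same comment should say that PrometheusSource writes are rejected while the webhook is unavailable.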
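--- a/prometheus/config/500-webhook.yaml
+++ b/prometheus/config/500-webhook.yaml
@@ -0,0 +1,80 @@
+# Copyright 2020 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+name: prometheus-source-webhook-certs
+namespace: knative-sources
+labels:
+contrib.eventing.knative.dev/release: devel
+# The data is populated at install time.
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: prometheus-source-webhook
+namespace: knative-sources
+labels:
+contrib.eventing.knative.dev/release: devel
+spec:
+replicas: 1
+selector:
+matchLabels: &labels
+app: prometheus-source-webhook
+role: prometheus-source-webhook
+template:
+metadata:
+annotations:
+sidecar.istio.io/inject: "false"
+labels: *labels
+spec:
+serviceAccountName: prometheus-source-webhook
+containers:
+- name: prometheus-source-webhook
+terminationMessagePolicy: FallbackToLogsOnError
+image: ko://knative.dev/eventing-contrib/prometheus/cmd/webhook
+env:
+- name: SYSTEM_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: CONFIG_LOGGING_NAME
+value: config-logging
+- name: METRICS_DOMAIN
+value: knative.dev/eventing
+- name: WEBHOOK_NAME
+value: prometheus-source-webhook
+ports:
+- containerPort: 9090
+name: metrics
+# TODO set proper resource limits.
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+eventing.knative.dev/release: devel
+role: prometheus-source-webhook
+name: prometheus-source-webhook
+namespace: knative-sources
+spec:
+ports:
+- name: https-webhook
+port: 443
+targetPort: 8443
+selector:
+role: prometheus-source-webhook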
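Review bot: The `prometheus-source-webhook` container ships with no `securityContext` and no `resources` (only the `# TODO set proper resource limits.` marker), although its ServiceAccount is bound to a broad ClusterRole and the pod sits on the admission path with `failurePolicy: Fail`. I would add a restrictive container security context as sketched below, assuming the ko-built image runs as a non-root user and needs no writable root filesystem, and set requests and limits before release. With `replicas: 1`, any restart of this pod blocks PrometheusSource writes, so a second replica or a readiness probe is worth considering. The Service's label key `eventing.knative.dev/release` also differs from the `contrib.eventing.knative.dev/release` key used on the other objects in this commit.

```yaml
      containers:
      - name: prometheus-source-webhook
        # … unchanged: terminationMessagePolicy, image, env, ports …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
```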