Update controller-runtime to 0.10.2 (#2611)

Signed-off-by: Faisal Memon <f.memon@f5.com>
spiffe · Nov 4, 2021 · b84f83c · b84f83c
1 parent 6e62094
commit b84f83c
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 56 deletions.
diff --git a/go.mod b/go.mod
@@ -172,16 +172,16 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.22.1
-	k8s.io/apiextensions-apiserver v0.22.1 // indirect
-	k8s.io/apimachinery v0.22.1
-	k8s.io/client-go v0.22.1
-	k8s.io/component-base v0.22.1 // indirect
+	k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver v0.22.2 // indirect
+	k8s.io/apimachinery v0.22.2
+	k8s.io/client-go v0.22.2
+	k8s.io/component-base v0.22.2 // indirect
 	k8s.io/klog/v2 v2.9.0 // indirect
-	k8s.io/kube-aggregator v0.22.1
+	k8s.io/kube-aggregator v0.22.2
 	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
 	k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e
-	sigs.k8s.io/controller-runtime v0.10.0
+	sigs.k8s.io/controller-runtime v0.10.2
 	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -1390,38 +1390,37 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.22.1 h1:ISu3tD/jRhYfSW8jI/Q1e+lRxkR7w9UwQEZ7FgslrwY=
-k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY=
-k8s.io/apiextensions-apiserver v0.22.1 h1:YSJYzlFNFSfUle+yeEXX0lSQyLEoxoPJySRupepb0gE=
-k8s.io/apiextensions-apiserver v0.22.1/go.mod h1:HeGmorjtRmRLE+Q8dJu6AYRoZccvCMsghwS8XTUYb2c=
-k8s.io/apimachinery v0.22.1 h1:DTARnyzmdHMz7bFWFDDm22AM4pLWTQECMpRTFu2d2OM=
-k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
-k8s.io/apiserver v0.22.1/go.mod h1:2mcM6dzSt+XndzVQJX21Gx0/Klo7Aen7i0Ai6tIa400=
-k8s.io/client-go v0.22.1 h1:jW0ZSHi8wW260FvcXHkIa0NLxFBQszTlhiAVsU5mopw=
-k8s.io/client-go v0.22.1/go.mod h1:BquC5A4UOo4qVDUtoc04/+Nxp1MeHcVc1HJm1KmG8kk=
-k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
-k8s.io/component-base v0.22.1 h1:SFqIXsEN3v3Kkr1bS6rstrs1wd45StJqbtgbQ4nRQdo=
-k8s.io/component-base v0.22.1/go.mod h1:0D+Bl8rrnsPN9v0dyYvkqFfBeAd4u7n77ze+p8CMiPo=
+k8s.io/api v0.22.2 h1:M8ZzAD0V6725Fjg53fKeTJxGsJvRbk4TEm/fexHMtfw=
+k8s.io/api v0.22.2/go.mod h1:y3ydYpLJAaDI+BbSe2xmGcqxiWHmWjkEeIbiwHvnPR8=
+k8s.io/apiextensions-apiserver v0.22.2 h1:zK7qI8Ery7j2CaN23UCFaC1hj7dMiI87n01+nKuewd4=
+k8s.io/apiextensions-apiserver v0.22.2/go.mod h1:2E0Ve/isxNl7tWLSUDgi6+cmwHi5fQRdwGVCxbC+KFA=
+k8s.io/apimachinery v0.22.2 h1:ejz6y/zNma8clPVfNDLnPbleBo6MpoFy/HBiBqCouVk=
+k8s.io/apimachinery v0.22.2/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
+k8s.io/apiserver v0.22.2/go.mod h1:vrpMmbyjWrgdyOvZTSpsusQq5iigKNWv9o9KlDAbBHI=
+k8s.io/client-go v0.22.2 h1:DaSQgs02aCC1QcwUdkKZWOeaVsQjYvWv8ZazcZ6JcHc=
+k8s.io/client-go v0.22.2/go.mod h1:sAlhrkVDf50ZHx6z4K0S40wISNTarf1r800F+RlCF6U=
+k8s.io/code-generator v0.22.2/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
+k8s.io/component-base v0.22.2 h1:vNIvE0AIrLhjX8drH0BgCNJcR4QZxMXcJzBsDplDx9M=
+k8s.io/component-base v0.22.2/go.mod h1:5Br2QhI9OTe79p+TzPe9JKNQYvEKbq9rTJDWllunGug=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
 k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
-k8s.io/kube-aggregator v0.22.1 h1:hsntyWsnkLiL4ccmoKfqiUVyxnlnqtqPRMuq/mT2wGQ=
-k8s.io/kube-aggregator v0.22.1/go.mod h1:VbmI+8fUeCPkzSvarWTrlIGEgUGEGI/66SFajDQ0Pdc=
+k8s.io/kube-aggregator v0.22.2 h1:7rJfpqe/VQ4dFEs2D/QwxqigsXxIcKLBkYQij/D61Yk=
+k8s.io/kube-aggregator v0.22.2/go.mod h1:hsd0LEmVQSvMc0UzAwmcm/Gk3HzLp50mq/o6cu1ky2A=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e h1:KLHHjkdQFomZy8+06csTWZ0m1343QqxZhR2LJ1OxCYM=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
-k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
-k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e h1:ldQh+neBabomh7+89dTpiFAB8tGdfVmuIzAHbvtl+9I=
 k8s.io/utils v0.0.0-20210820185131-d34e5cb4466e/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.22/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/controller-runtime v0.10.0 h1:HgyZmMpjUOrtkaFtCnfxsR1bGRuFoAczSNbn2MoKj5U=
-sigs.k8s.io/controller-runtime v0.10.0/go.mod h1:GCdh6kqV6IY4LK0JLwX0Zm6g233RtVGdb/f0+KSfprg=
+sigs.k8s.io/controller-runtime v0.10.2 h1:jW8qiY+yMnnPx6O9hu63tgcwaKzd1yLYui+mpvClOOc=
+sigs.k8s.io/controller-runtime v0.10.2/go.mod h1:CQp8eyUQZ/Q7PJvnIrB6/hgfTC1kBkGylwsLgOQi1WY=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
 sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=

diff --git a/support/k8s/k8s-workload-registrar/config_crd.go b/support/k8s/k8s-workload-registrar/config_crd.go
@@ -144,12 +144,11 @@ func (c *CRDMode) Run(ctx context.Context) error {
 				}
 			}()
 		}
-		err = spiffeidv1beta1.AddSpiffeIDWebhook(spiffeidv1beta1.SpiffeIDWebhookConfig{
-			Ctx:         ctx,
+		err = spiffeidv1beta1.AddSpiffeIDWebhook(spiffeidv1beta1.SpiffeIDWebhook{
+			E:           entryClient,
 			Log:         log,
 			Mgr:         mgr,
 			Namespace:   myPodNamespace,
-			E:           entryClient,
 			TrustDomain: c.TrustDomain,
 		})
 		if err != nil {

diff --git a/support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_webhook.go b/support/k8s/k8s-workload-registrar/mode-crd/api/spiffeid/v1beta1/spiffeid_webhook.go
@@ -17,6 +17,7 @@ package v1beta1
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 
@@ -25,43 +26,40 @@ import (
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/x509util"
-	"github.com/zeebo/errs"
-
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/webhook"
 )
 
-type SpiffeIDWebhookConfig struct {
-	Ctx         context.Context
+type SpiffeIDWebhook struct {
+	E           entryv1.EntryClient
 	Log         logrus.FieldLogger
 	Mgr         ctrl.Manager
 	Namespace   string
-	E           entryv1.EntryClient
 	TrustDomain string
 }
 
-var c SpiffeIDWebhookConfig
-
-func AddSpiffeIDWebhook(config SpiffeIDWebhookConfig) error {
-	c = config
-	return ctrl.NewWebhookManagedBy(config.Mgr).
+func AddSpiffeIDWebhook(w SpiffeIDWebhook) error {
+	return ctrl.NewWebhookManagedBy(w.Mgr).
 		For(&SpiffeID{}).
+		WithValidator(w).
 		Complete()
 }
 
-var _ webhook.Validator = &SpiffeID{}
-
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type
-func (s *SpiffeID) ValidateCreate() error {
-	if err := s.validateSpiffeID(); err != nil {
+func (w SpiffeIDWebhook) ValidateCreate(ctx context.Context, obj runtime.Object) error {
+	s, ok := obj.(*SpiffeID)
+	if !ok {
+		return errors.New("wrong type, expecting SpiffeID")
+	}
+
+	if err := w.validateSpiffeID(s); err != nil {
 		return err
 	}
 
 	// TODO: filter additionally by SPIFFE ID? what about parent ID?
 
 	// Check for duplicates
-	resp, err := c.E.ListEntries(c.Ctx, &entryv1.ListEntriesRequest{
+	resp, err := w.E.ListEntries(ctx, &entryv1.ListEntriesRequest{
 		Filter: &entryv1.ListEntriesRequest_Filter{
 			BySelectors: &types.SelectorMatch{
 				Match:     types.SelectorMatch_MATCH_EXACT,
@@ -80,12 +78,12 @@ func (s *SpiffeID) ValidateCreate() error {
 		}
 		if s.Spec.SpiffeId == entrySPIFFEID.String() {
 			if s.Status.EntryId == nil || *s.Status.EntryId != entry.Id {
-				c.Log.WithFields(logrus.Fields{
+				w.Log.WithFields(logrus.Fields{
 					"spiffeID": s.Spec.SpiffeId,
 					"name":     s.ObjectMeta.Name,
 					"entryId":  s.Status.EntryId,
 				}).Info("Duplicate detected")
-				return errs.New("Duplicate detected")
+				return errors.New("Duplicate detected")
 			}
 		}
 	}
@@ -94,38 +92,43 @@ func (s *SpiffeID) ValidateCreate() error {
 }
 
 // ValidateUpdate implements webhook.Validator so a webhook will be registered for the type
-func (s *SpiffeID) ValidateUpdate(old runtime.Object) error {
-	return s.validateSpiffeID()
+func (w SpiffeIDWebhook) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) error {
+	s, ok := newObj.(*SpiffeID)
+	if !ok {
+		return errors.New("wrong type, expecting SpiffeID")
+	}
+
+	return w.validateSpiffeID(s)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
-func (s *SpiffeID) ValidateDelete() error {
+func (w SpiffeIDWebhook) ValidateDelete(ctx context.Context, obj runtime.Object) error {
 	return nil
 }
 
 // validateSpiffeID does basic checks to make sure the SPIFFE ID resource is formatted correctly
-func (s *SpiffeID) validateSpiffeID() error {
-	spiffeIDPrefix := "spiffe://" + c.TrustDomain
+func (w SpiffeIDWebhook) validateSpiffeID(s *SpiffeID) error {
+	spiffeIDPrefix := "spiffe://" + w.TrustDomain
 
 	// Validate Spiffe and Parent IDs have the correct format
 	if !strings.HasPrefix(s.Spec.ParentId, spiffeIDPrefix) {
-		return errs.New("spec.parentId must begin with " + spiffeIDPrefix)
+		return errors.New("spec.parentId must begin with " + spiffeIDPrefix)
 	}
 
 	if !strings.HasPrefix(s.Spec.SpiffeId, spiffeIDPrefix) {
-		return errs.New("spec.spiffeId must begin with " + spiffeIDPrefix)
+		return errors.New("spec.spiffeId must begin with " + spiffeIDPrefix)
 	}
 
 	if s.Spec.Selector.Cluster != "" || s.Spec.Selector.AgentNodeUid != "" {
 		// k8s_psat selectors can only be used from the k8s-workload-registrar namespace
-		if s.ObjectMeta.Namespace != c.Namespace {
-			return errs.New("spec.Selector.Cluster and spec.Selector.AgentNodeUid can " +
+		if s.ObjectMeta.Namespace != w.Namespace {
+			return errors.New("spec.Selector.Cluster and spec.Selector.AgentNodeUid can " +
 				"only be used by the k8s-workload-registrar")
 		}
 	} else {
 		// Ensure namespace selector matches namespace of Spiffe ID resource for k8s selectors
 		if s.ObjectMeta.Namespace != s.Spec.Selector.Namespace {
-			return errs.New("spec.Selector.Namespace must match namespace of resource")
+			return errors.New("spec.Selector.Namespace must match namespace of resource")
 		}
 	}