fix(charts): failed to call webhook

duanhongyi · duanhongyi · commit 47d5a0589100 · 2024-03-28T16:34:27.000+08:00
diff --git a/charts/controller/templates/controller-job-upgrade.yaml b/charts/controller/templates/controller-job-upgrade.yaml
@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: drycc-controller-job-upgrade
+  name: drycc-controller-job-upgrade-{{ now | date "20060102150405" }}
   labels:
     heritage: drycc
   annotations:
diff --git a/charts/controller/templates/controller-mutate-deloyment.yaml b/charts/controller/templates/controller-mutate-deloyment.yaml
@@ -1,21 +1,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: drycc-controller-webhook
+  name: drycc-controller-mutate
 spec:
-  replicas: {{ .Values.webhookReplicas }}
+  replicas: {{ .Values.mutateReplicas }}
   selector:
     matchLabels:
-      component: drycc-controller-webhook
+      component: drycc-controller-mutate
   template:
     metadata:
       labels: {{- include "common.labels.standard" . | nindent 8 }}
-        component: drycc-controller-webhook
+        component: drycc-controller-mutate
     spec:
       affinity:
-        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.webhook.podAffinityPreset.type "component" "" "extraMatchLabels" .Values.webhook.podAffinityPreset.extraMatchLabels "topologyKey" "" "context" $) | nindent 10 }}
-        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.webhook.podAntiAffinityPreset.type "component" "" "extraMatchLabels" .Values.webhook.podAntiAffinityPreset.extraMatchLabels "topologyKey" "" "context" $) | nindent 10 }}
-        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.webhook.nodeAffinityPreset.type "key" .Values.webhook.nodeAffinityPreset.key "values" .Values.webhook.nodeAffinityPreset.values ) | nindent 10 }}
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.mutate.podAffinityPreset.type "component" "" "extraMatchLabels" .Values.mutate.podAffinityPreset.extraMatchLabels "topologyKey" "" "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.mutate.podAntiAffinityPreset.type "component" "" "extraMatchLabels" .Values.mutate.podAntiAffinityPreset.extraMatchLabels "topologyKey" "" "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.mutate.nodeAffinityPreset.type "key" .Values.mutate.nodeAffinityPreset.key "values" .Values.mutate.nodeAffinityPreset.values ) | nindent 10 }}
       initContainers:
       - name: drycc-controller-init
         image: {{.Values.imageRegistry}}/{{.Values.imageOrg}}/python-dev:latest
@@ -57,18 +57,11 @@ spec:
             name: https
         {{- end }}
         volumeMounts:
-        - name: controller-webhook-cert
-          mountPath: /etc/controller/webhook/cert
+        - name: controller-mutate-cert
+          mountPath: /etc/controller/mutate/cert
         {{- include "controller.limits" . | indent 8 }}
         {{- include "controller.envs" . | indent 8 }}
       volumes:
-      - name: controller-webhook-cert                                                                                                                                                                                               
+      - name: controller-mutate-cert                                                                                                                                                                                               
         secret:                                                                                                                                                                                                                           
-          secretName: controller-webhook-cert                                                                                                                                                                                       
-          items:  
-          - key: token                                                                                                                                                                                                                  
-            path: token                                                                                                                                                                                                                           
-          - key: tls.crt                                                                                                                                                                                                                  
-            path: tls.crt                                                                                                                                                                                                                 
-          - key: tls.key                                                                                                                                                                                                                  
-            path: tls.key
+          secretName: controller-mutate-cert
diff --git a/charts/controller/templates/controller-mutate-service.yaml b/charts/controller/templates/controller-mutate-service.yaml
@@ -1,11 +1,11 @@
 kind: Service
 apiVersion: v1
 metadata:
-  name: drycc-controller-webhook
+  name: drycc-controller-mutate
 spec:
   selector:
-    component: drycc-controller-webhook
+    component: drycc-controller-mutate
   ports:
   - name: https
-    port: 8443
+    port: 443
     targetPort: 8443
diff --git a/charts/controller/templates/controller-mutate-webhook.yaml b/charts/controller/templates/controller-mutate-webhook.yaml
@@ -0,0 +1,50 @@
+{{- $key := randAlphaNum 128 | lower }}
+{{- $ca := genCA "controller-mutate-ca" 3650 }}
+{{- $altName1 := printf "drycc-controller-mutate.%s" .Release.Namespace }}
+{{- $altName2 := printf "drycc-controller-mutate.%s.svc" .Release.Namespace }}
+{{- $cert := genSignedCert "drycc-controller-mutate" nil (list $altName1 $altName2) 3650 $ca }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ .Release.Namespace }}-controller-mutate
+webhooks:
+- name: mutate.drycc.cc
+  sideEffects: None
+  admissionReviewVersions: ["v1"]
+  clientConfig:
+    caBundle: {{ b64enc $ca.Cert }}
+    service:
+      name: drycc-controller-mutate
+      namespace: "{{ .Release.Namespace }}"
+      path: "{{ printf "/v2/mutate/%s/" $key }}"
+  failurePolicy: Fail
+  objectSelector:
+    matchLabels:
+      heritage: drycc
+  rules:
+  - operations: ["UPDATE"]
+    apiGroups: ["batch"]
+    apiVersions: ["*"]
+    resources: ["jobs/status"]
+  - operations: ["UPDATE"]
+    apiGroups: ["apps"]
+    apiVersions: ["*"]
+    resources: ["deployments/scale"]
+  - operations: ["UPDATE"]
+    apiGroups: ["servicecatalog.k8s.io"]
+    apiVersions: ["*"]
+    resources: ["serviceinstances/status", "servicebindings/status"]
+  timeoutSeconds: 30
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: controller-mutate-cert
+  labels:
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  key: {{ b64enc $key }}
+  tls.crt: {{ b64enc $cert.Cert }}
+  tls.key: {{ b64enc $cert.Key }}
diff --git a/charts/controller/templates/controller-webhook-register.yaml b/charts/controller/templates/controller-webhook-register.yaml
diff --git a/charts/controller/values.yaml b/charts/controller/values.yaml
@@ -44,8 +44,8 @@ appPodExecTimeout: 3600
 apiReplicas: 1
 # Set celery replicas
 celeryReplicas: 1
-# Set webhook replicas
-webhookReplicas: 1
+# Set mutate replicas
+mutateReplicas: 1
 # Set cronjob concurrencyPolicy
 # Allow (default): The cron job allows concurrently running jobs
 # Forbid: The cron job does not allow concurrent runs; if it is time for a new job run and the previous job run hasn't finished yet, the cron job skips the new job run
@@ -112,7 +112,7 @@ celery:
     extraMatchLabels:
       app: "drycc-controller-celery"
 
-webhook:
+mutate:
   nodeAffinityPreset:
     key: "drycc.cc/node"
     type: "soft"
@@ -125,7 +125,7 @@ webhook:
   podAntiAffinityPreset:
     type: "soft"
     extraMatchLabels:
-      component: "drycc-controller-webhook"
+      component: "drycc-controller-mutate"
 
 redis:
   replicas: 1
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
@@ -12,7 +12,7 @@ RUN groupadd drycc --gid ${DRYCC_GID} \
 COPY requirements.txt ${DRYCC_HOME_DIR}/requirements.txt
 
 RUN buildDeps='gcc libffi-dev libpq-dev rustc cargo'; \
-    install-packages ${buildDeps} \
+    install-packages inotify-tools ${buildDeps} \
   && install-stack python $PYTHON_VERSION && . init-stack \
   && python3 -m venv ${DRYCC_HOME_DIR}/.venv \
   && source ${DRYCC_HOME_DIR}/.venv/bin/activate \
diff --git a/rootfs/Dockerfile.test b/rootfs/Dockerfile.test
@@ -14,7 +14,7 @@ ENV PGDATA="/opt/drycc/postgresql/data" \
   GOSU_VERSION="1.17"
 
 RUN buildDeps='gcc rustc cargo  libffi-dev musl-dev openssl'; \
-  install-packages mercurial ca-certificates git $buildDeps \
+  install-packages mercurial ca-certificates git inotify-tools $buildDeps \
   && install-stack python $PYTHON_VERSION \
   && install-stack redis $REDIS_VERSION \
   && install-stack rabbitmq $RABBITMQ_VERSION \
diff --git a/rootfs/api/settings/production.py b/rootfs/api/settings/production.py
@@ -280,6 +280,14 @@
 SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', random_secret)
 BUILDER_KEY = os.environ.get('DRYCC_BUILDER_KEY', random_secret)
 
+# Drycc admission mutate key
+MUTATE_KEY_PATH = os.environ.get('DRYCC_MUTATE_KEY_PATH', '/etc/controller/mutate/cert/key')
+if os.path.exists(MUTATE_KEY_PATH):
+    with open(MUTATE_KEY_PATH) as f:
+        MUTATE_KEY = f.read()
+else:
+    MUTATE_KEY = None
+
 # gateway class name
 GATEWAY_CLASS = os.environ.get('DRYCC_GATEWAY_CLASS', '')
 
@@ -462,10 +470,3 @@
 WORKFLOW_MANAGER_URL = os.environ.get('WORKFLOW_MANAGER_URL', None)
 WORKFLOW_MANAGER_ACCESS_KEY = os.environ.get('WORKFLOW_MANAGER_ACCESS_KEY', None)
 WORKFLOW_MANAGER_SECRET_KEY = os.environ.get('WORKFLOW_MANAGER_SECRET_KEY', None)
-
-# Drycc admission webhook token
-if os.path.exists("/etc/controller/webhook/cert"):
-    with open("/etc/controller/webhook/cert/token") as f:
-        DRYCC_ADMISSION_WEBHOOK_TOKEN = f.read()
-else:
-    DRYCC_ADMISSION_WEBHOOK_TOKEN = None
diff --git a/rootfs/api/urls.py b/rootfs/api/urls.py
@@ -230,15 +230,15 @@
     re_path('', include('social_django.urls', namespace='social')),
 ]
 
-webhook_urlpatterns = [
+mutate_urlpatterns = [
     re_path(
-        r'^webhooks/(?P<token>.+)/?$',
+        r'^mutate/(?P<key>.+)/?$',
         views.AdmissionWebhookViewSet.as_view({'post': 'handle'})
     ),
 ]
 
-# If there is a mutating admission webhook configuration, use webhook url
-if settings.DRYCC_ADMISSION_WEBHOOK_TOKEN:
-    urlpatterns = webhook_urlpatterns
+# If there is a mutating admission mutate configuration, use mutate url
+if settings.MUTATE_KEY:
+    urlpatterns = mutate_urlpatterns
 else:
     urlpatterns = app_urlpatterns
diff --git a/rootfs/api/views.py b/rootfs/api/views.py
@@ -162,9 +162,9 @@ class AdmissionWebhookViewSet(GenericViewSet):
     permission_classes = (AllowAny, )
 
     def handle(self, request,  **kwargs):
-        token = kwargs['token']
+        key = kwargs['key']
         data = json.loads(request.body.decode("utf8"))["request"]
-        if settings.DRYCC_ADMISSION_WEBHOOK_TOKEN == token:
+        if settings.MUTATE_KEY == key:
             allowed = True
             for admission_class in self.admission_classes:
                 admission = admission_class()
diff --git a/rootfs/drycc/gunicorn/config.py b/rootfs/drycc/gunicorn/config.py
@@ -1,14 +1,23 @@
 import os
-from os.path import dirname, realpath
+from os.path import dirname, realpath, exists
 
 import faulthandler
 faulthandler.enable()
 
-# If there is a mutating admission webhook configuration, start webhook
-if os.path.exists("/etc/controller/webhook/cert"):
+bind = '0.0.0.0:8000'
+
+# If there is a mutating admission mutate configuration, start mutate
+MUTATE_KEY_PATH = os.environ.get(
+    'DRYCC_MUTATE_KEY_PATH', '/etc/controller/mutate/cert/key')
+MUTATE_TLS_KEY_PATH = os.environ.get(
+    'DRYCC_MUTATE_TLS_KEY_PATH', '/etc/controller/mutate/cert/tls.key')
+MUTATE_TLS_CRT_PATH = os.environ.get(
+    'DRYCC_MUTATE_TLS_CRT_PATH', '/etc/controller/mutate/cert/tls.crt')
+if exists(MUTATE_KEY_PATH) and exists(MUTATE_TLS_KEY_PATH) and exists(MUTATE_TLS_CRT_PATH):
     bind = '0.0.0.0:8443'
-    keyfile = "/etc/controller/webhook/cert/tls.key"
-    certfile = "/etc/controller/webhook/cert/tls.crt"
+    keyfile = MUTATE_TLS_KEY_PATH
+    certfile = MUTATE_TLS_CRT_PATH
+    reload_extra_files = [MUTATE_KEY_PATH, MUTATE_TLS_KEY_PATH, MUTATE_TLS_CRT_PATH]
 else:
     bind = '0.0.0.0:8000'
 
diff --git a/rootfs/requirements.txt b/rootfs/requirements.txt
@@ -1,4 +1,5 @@
 # Drycc controller requirements
+inotify==0.2.10
 backoff==2.2.1
 django==4.2.11
 channels==4.0.0
