health checks and metrics

.gitignore

@@ -2,4 +2,5 @@
 cacert
 coverage.out
 private.*
-dist
+dist
+certs

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.16.0
 	github.com/pavel-v-chernykh/keystore-go v2.1.0+incompatible
+	github.com/prometheus/client_golang v1.11.0
 	github.com/snorwin/k8s-generic-webhook v1.2.4
 	k8s.io/api v0.22.3
 	k8s.io/apimachinery v0.22.3
@@ -43,7 +44,6 @@ require (
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/prometheus/client_golang v1.11.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.26.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect

helm/templates/deployment.yaml

@@ -3,28 +3,28 @@ kind: Deployment
 metadata:
   name: {{ include "java-truststore-injection-webhook.fullname" . }}
   labels:
-    {{- include "java-truststore-injection-webhook.labels" . | nindent 4 }}
+  {{- include "java-truststore-injection-webhook.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      {{- include "java-truststore-injection-webhook.selectorLabels" . | nindent 6 }}
+  {{- include "java-truststore-injection-webhook.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       {{- with .Values.podAnnotations }}
       annotations:
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "java-truststore-injection-webhook.selectorLabels" . | nindent 8 }}
+    {{- include "java-truststore-injection-webhook.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "java-truststore-injection-webhook.serviceAccountName" . }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -38,11 +38,20 @@ spec:
               name: "webhook-certs"
               readOnly: true
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
+          {{- toYaml .Values.resources | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
       {{- with .Values.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 8 }}
       {{- end }}
+
       volumes:
         - name: "webhook-certs"
           secret:

helm/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: ghcr.io/bakito/java-truststore-injection-webhook
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: main
+  tag: ""
 
 nameOverride: ""
 fullnameOverride: ""

main.go

@@ -15,7 +15,6 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	//+kubebuilder:scaffold:imports
 )
 
 var (
@@ -25,16 +24,10 @@ var (
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
-
-	//+kubebuilder:scaffold:scheme
 }
 
 func main() {
 
-	var metricsAddr string
-	var probeAddr string
-	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -45,10 +38,10 @@ func main() {
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
-		MetricsBindAddress:     metricsAddr,
+		MetricsBindAddress:     ":8080",
 		Port:                   9443,
 		CertDir:                "certs",
-		HealthProbeBindAddress: probeAddr,
+		HealthProbeBindAddress: ":8081",
 		LeaderElection:         false,
 	})
 	if err != nil {

pkg/configmap/webhook.go

@@ -3,11 +3,13 @@ package configmap
 import (
 	"context"
 	"encoding/pem"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/snorwin/k8s-generic-webhook/pkg/webhook"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 	"strings"
 )
@@ -22,6 +24,21 @@ const (
 	AnnotationLastTruststoreName = "jti.bakito.ch/last-injected-truststore-name"
 )
 
+var (
+	certsInConfigMap = prometheus.NewGaugeVec(
+		prometheus.GaugeOpts{
+			Name: "jti_certificates_truststore",
+			Help: "Number certificates in the truststore",
+		},
+		[]string{"namespace", "configmap", "truststore"},
+	)
+)
+
+func init() {
+	// Register custom metrics with the global prometheus registry
+	metrics.Registry.MustRegister(certsInConfigMap)
+}
+
 type Webhook struct {
 	webhook.MutatingWebhook
 }
@@ -51,18 +68,22 @@ func (w *Webhook) Mutate(ctx context.Context, _ admission.Request, object runtim
 		if p, ok := cm.Annotations[annotationTruststorePass]; ok {
 			pass = p
 		}
-		if ltn, ok := cm.Annotations[AnnotationLastTruststoreName]; ok {
+		if ltn, ok := cm.Annotations[AnnotationLastTruststoreName]; ok && cm.BinaryData != nil {
 			delete(cm.BinaryData, ltn)
+			certsInConfigMap.DeleteLabelValues(cm.Namespace, cm.Name, ltn)
 		}
 	}
 
 	// delete if the label is not present anymore
 	if !isEnabled(cm) {
 		l.Info("removing truststore")
-		delete(cm.BinaryData, tsn)
+		if cm.BinaryData != nil {
+			delete(cm.BinaryData, tsn)
+		}
 		if cm.Annotations != nil {
 			delete(cm.Annotations, AnnotationLastTruststoreName)
 		}
+		certsInConfigMap.DeleteLabelValues(cm.Namespace, cm.Name, tsn)
 		return admission.Allowed("")
 	}
 
@@ -84,6 +105,8 @@ func (w *Webhook) Mutate(ctx context.Context, _ admission.Request, object runtim
 	}
 	cm.Annotations[AnnotationLastTruststoreName] = tsn
 	l.WithValues("certs", len(allPems), "truststore", tsn).Info("added certs to truststore")
+	certsInConfigMap.WithLabelValues(cm.Namespace, cm.Name, tsn).Set(float64(len(allPems)))
+
 	return admission.Allowed("")
 }