Consolidate webhooks

[skonto]

Part of the work for #13965

Proposed Changes

• As discussed in Merge domain mapping logic into the controller #14024 this is a quick win for webhooks and then a feature doc will be provided to describe how we move next with different deployment models.
• Merges the logic for the domain mapping and serving webhooks
• This requires Defaulting Controller options for all kind of webhooks pkg#2738 to pass the queue name nicely.

Release Note

Domain mapping controller logic is now merged with the Serving controller. Domainmapping webhook is merged with the Serving webhook. 

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: +0.04 🎉

Comparison is base (bde2f42) 86.23% compared to head (40a9e9f) 86.27%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14082      +/-   ##
==========================================
+ Coverage   86.23%   86.27%   +0.04%     
==========================================
  Files         199      199              
  Lines       14795    14795              
==========================================
+ Hits        12759    12765       +6     
+ Misses       1733     1730       -3     
+ Partials      303      300       -3     

Impacted Files	Coverage Δ
cmd/controller/main.go	0.00% <ø> (ø)

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[nak3]

domainmapping v1alpha1 is deprecated #14059 and will be removed after v1.11 cut #14060.
We should add v1alpha1 if this PR will be merged before v1.11 cut but it will be dropped very soon 😅

[dprotaso]

You can just add domain mapping types to the newDefaultingAdmissionController and newValidationAdmissionController and you don't need to create new ones

[skonto]

@dprotaso I thought about that. My idea was to keep a separate controller per concern for now, to be able to have some independent configuration in the future eg. number of workers per queue, logging etc.
If we merge then should not we increase the concurrency for the common controller (default is 2)?

[dprotaso]

If we merge then should not we increase the concurrency for the common controller (default is 2)?

There really isn't an advantange here - this admission controller is reconciling a single resource

[skonto]

Yes but is not the case that the number of reconciled objects can be equal to the number of services, since a domain mapping can be set per service? So the load for the domain reconciler is not low as far as I can tell eg. during a restart. Should we merge the controllers and keep the concurrency defaults? Anyway I will do a quick test.

[dprotaso]

I'm confused - this controller just mutates this one resource here https://github.com/knative/serving/blob/main/config/core/webhooks/defaulting.yaml

So the load for the domain reconciler is not low as far as I can tell eg. during a restart. Should we merge the controllers and keep the concurrency defaults? Anyway I will do a quick test.

Increasing the # of controllers will bump the total QPS & Burst (it's code in the sharedmain) for the process. As for the reconciler there are two go routines each - so this doesn't change when moving a controller/reconciler from one go cmd to another.

[skonto]

As for the reconciler there are two go routines each - so this doesn't change when moving a controller/reconciler from one go cmd to another.

I was referring to the reconciliation work done and the #of workqueue workers, not the rate with which we hit the api server (the latter is fine as you said). Check here: https://github.com/knative/pkg/blob/main/controller/controller.go#L209. The default concurrency there is 2.
When a controller is started that value is passed to it https://github.com/knative/pkg/blob/main/controller/controller.go#L446. So if we move the domain mapping types for defaulting to the default controller then we will still have 2 routines but with more types to handle in case of reconciliation, no?
In detail, controller will do reconciliation in c.processNextWorkItem here: https://github.com/knative/pkg/blob/main/controller/controller.go#L487-L494, that function is called in a separate thread and total threads equals concurrency:

	for i := 0; i < threadiness; i++ {
		sg.Add(1)
		go func() {
			defer sg.Done()
			for c.processNextWorkItem() {
			}
		}()
	}

That function will call reconcile at some point: https://github.com/knative/pkg/blob/main/controller/controller.go#L542.
In other words, let's say we initially have two controllers, let's say: newDefaultingAdmissionController,
newDefaultingDomainMappingAdmissionController, each has 2 routines for its reconciler by default and a separate work queue for each.
If we merge these controllers then we have 2 routines by default but with potentially more keys enqueued and more work for the common work queue, no?

[dprotaso]

So if we move the domain mapping types for defaulting to the default controller then we will still have 2 routines but with more types to handle in case of reconciliation, no?

More types in the webhook != more resources that need reconciliation. We should only have one defaulting webhook and one validation webhook.

It's this one here

serving/config/core/webhooks/defaulting.yaml

Lines 34 to 53 in 921daf8

	- apiGroups:
	- autoscaling.internal.knative.dev
	- networking.internal.knative.dev
	- serving.knative.dev
	apiVersions:
	- "*"
	operations:
	- CREATE
	- UPDATE
	scope: "*"
	resources:
	- metrics
	- podautoscalers
	- certificates
	- ingresses
	- serverlessservices
	- configurations
	- revisions
	- routes
	- services

Actually we should be moving these values from this webhook over to the new one and just exclude the /status

serving/config/core/webhooks/domainmapping-defaulting.yaml

Lines 42 to 44 in 921daf8

	resources:
	- domainmappings
	- domainmappings/status

If we merge these controllers then we have 2 routines by default but with potentially more keys enqueued and more work for the common work queue, no?

Generally we haven't cared about this but it's not an issue for the webhook controllers since it's only reconciling a single resource. There are better gains to make elsewhere - for example the revision controller still has a concurrency of two - maybe the serverlessservice (since it deals with endpoint updates) could be bumped higher.

But I'd say that's out of scope for this PR.

[skonto]

Ok let's postpone this discussion for another PR.

[dprotaso]

I guess to clarify I'm referring to the 'threadiness' per controller out of scope for this PR. But I still think it makes sense to consolidate domain mapping into the default webhook

[dprotaso]

We can delete these webhooks since we can merge them into the default validation and defaulting ones

[skonto]

Yes if we move everything to the default ones then we can delete it, also there will be no need for the special queue name. Should we? Still thinking about it. Check my comment above.

[skonto]

@dprotaso gentle ping. I updated the PR, now all webhooks are served by one controller.

[dprotaso]

/lgtm
/approve

thanks @skonto

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dprotaso,skonto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment