webhook: refactor to use controller-runtime server #1751
Conversation
kubermatic-bot
added
kind/feature
|
Hi @LittleFox94. Thanks for your PR. I'm waiting for a kubermatic member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
kubermatic-bot
added
size/M
| // we could change this to get the CertDir from the configured CertName | ||
| // and KeyName, but doing so does not bring us any benefits but would | ||
| // technically break compatibility. |
There was a problem hiding this comment.
technically breaks compatibility if we enforce TLS cert and key being in the same directory
cmd/webhook/main.go
Outdated
| defer func() { | ||
| if err := srv.Close(); err != nil { | ||
| log.Fatalw("Failed to shutdown server", zap.Error(err)) | ||
| } | ||
| cancelServerContext() | ||
| }() |
There was a problem hiding this comment.
I'm not sure if this is actually still needed, together with the cancel-context above
There was a problem hiding this comment.
I think you can just do
serverContext, cancelServerContext := context.WithCancel(context.Background())
defer cancelServerContext()
if err := srv.Start(serverContext); err != nil {
log.Fatalw("Failed to start server", zap.Error(err))
}There was a problem hiding this comment.
not done, according to #1751 (comment)
|
thank you for this! /ok-to-test |
kubermatic-bot
added
ok-to-test
|
heya @embik :) |
Because it's the silent time of the year, I'd like to give colleagues a few more days to voice any second opinions (PR looks good from my perspective though) before merging it if that's okay by you. So ETA would be beginning of January. |
cmd/webhook/main.go
Outdated
| }.Build() | ||
| if err != nil { | ||
| log.Fatalw("Failed to create admission hook", zap.Error(err)) | ||
| } | ||
|
|
||
| log.Infow("Listening", "address", opt.admissionListenAddress) | ||
|
|
||
| if err := srv.ListenAndServeTLS(opt.admissionTLSCertPath, opt.admissionTLSKeyPath); err != nil { | ||
| serverContext, cancelServerContext := context.WithCancel(context.Background()) |
There was a problem hiding this comment.
Okay, looks like I do have something to comment on: This shouldn't use context.Background() but a context that cancels on SIGINT/SIGTERM so the server shuts down gracefully. Then you can probably drop the defer cancelServerContext() as well that I commented on below (don't think we need a context.WithCancel then).
You can use signals.SetupSignalHandler for that (like we do over in the seed-controller-manager).
There was a problem hiding this comment.
I was thinking about that, but when I run machine-controller locally on my machine, it already reacts perfectly fine to SIGINT - you sure this is needed?
There was a problem hiding this comment.
Sorry for the late reply. I'm not 100% sure it's needed, but it's the proper way to handle signals and might cover more corner cases than the current code. I would prefer it, if only for consistency with the KKP code base.
There was a problem hiding this comment.
alright, changed code according to this :)
Sorry for my late reply as well, was still off the first week of the year ^^
Have a good new year btw :)
There was a problem hiding this comment.
Happy new year! Hope you got to enjoy the days off :)
Refactor the webhook to use the controller-runtime provided webhook.Server instead of a plain HTTP server. The biggest benefit this brings, is it automatically loading changed certificate files instead of forever using the ones present when the server was started. This could have been implemented by using the controller-runtime CertWatcher manually, but that would've been more code and aligning machine-controller with the ecosystem-provided standards seems worth it. Signed-off-by: Mara Sophie Grosch <mgrosch@anexia-it.com>
LittleFox94
force-pushed
the
webhook-from-controller-runtime
branch
from
81a9982
to
6559ad2
Compare
|
LGTM label has been added. Git tree hash: fbf4b23dc63816b87aa723582507363b3dfdde61
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: embik The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubermatic-bot
added
the
approved
Refactor the webhook to use the controller-runtime provided webhook.Server instead of a plain HTTP server. The biggest benefit this brings, is it automatically loading changed certificate files instead of forever using the ones present when the server was started. This could have been implemented by using the controller-runtime CertWatcher manually, but that would've been more code and aligning machine-controller with the ecosystem-provided standards seems worth it. Signed-off-by: Mara Sophie Grosch <mgrosch@anexia-it.com>
* Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (kubermatic#1731) Bumps [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.42.0 to 0.46.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.42.0...zpages/v0.46.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Migrate to dl.k8s.io from kubernetes release bucket (kubermatic#1737) Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Flatcar Support for GCE (kubermatic#1739) * Flatcar Support for GCE Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Update compatibility matrix Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> --------- Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Update Prow jobs to build image with Go 1.21.5 (kubermatic#1746) * Update Prow jobs to build image with Go 1.21.5 Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Also update golang images Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Also update Dockerfile and Makefile Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Update OSM flags Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Use fixed build image Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * ??? Signed-off-by: Marvin Beckers <marvin@kubermatic.com> --------- Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Deprecate sig-virtualization (kubermatic#1749) with merge of sig-virtualization into sig-cluster-management, there is no need for standalone OWNERS hierarchy for kubevirt Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com> * kubevirt: allow setting storage volume access types (kubermatic#1740) this is important for live migration because only RWX volumes can be live migrated Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com> * AWS: increase spot instance price (kubermatic#1754) Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Adds field to check if a IP reservation is still valid, (kubermatic#1753) if the IP is no longer valid a new one is requested. This fixes a bug where we use an IP that expired already for a VM, if the VM provisioning failed, which then leads to a race condition. In which we wait for the VM provisioning to finish, but it can't due the IP being no longer useable, but we also never request a new IP in that case. Signed-off-by: Zofia hagenguth <zhagenguth@anexia-it.com> * webhook: refactor to use controller-runtime server (kubermatic#1751) Refactor the webhook to use the controller-runtime provided webhook.Server instead of a plain HTTP server. The biggest benefit this brings, is it automatically loading changed certificate files instead of forever using the ones present when the server was started. This could have been implemented by using the controller-runtime CertWatcher manually, but that would've been more code and aligning machine-controller with the ecosystem-provided standards seems worth it. Signed-off-by: Mara Sophie Grosch <mgrosch@anexia-it.com> * Support for Kubernetes 1.29 (kubermatic#1755) * Add support for kubernetes v1.29 Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Update dependencies and k8s API to v1.29 Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Enable in-tree providers Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Update fixtures Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Refactored code Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> --------- Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Upgrade to Go 1.22 (kubermatic#1759) * Upgrade to Go 1.22 Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Upgrade CRDs for OSM Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> --------- Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> * Update prow jobs and remove yamllint image (kubermatic#1764) Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Remove TORCX_BINDIR from containerd binary call (kubermatic#1760) Signed-off-by: Marvin Beckers <marvin@kubermatic.com> * Support Edge Provider in Machine Controller (kubermatic#1765) * support edge provider Signed-off-by: Moath Qasim <moad.qassem@gmail.com> Signed-off-by: Moath Qasim <moad.qassem@gmail.com> * fix linting Signed-off-by: Moath Qasim <moad.qassem@gmail.com> Signed-off-by: Moath Qasim <moad.qassem@gmail.com> --------- Signed-off-by: Moath Qasim <moad.qassem@gmail.com> * fix syseleven changes * update fixtures * update go version in unit tests github workflow --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Waleed Malik <ahmedwaleedmalik@gmail.com> Signed-off-by: Marvin Beckers <marvin@kubermatic.com> Signed-off-by: Jan Wozniak <wozniak.jan@gmail.com> Signed-off-by: Zofia hagenguth <zhagenguth@anexia-it.com> Signed-off-by: Mara Sophie Grosch <mgrosch@anexia-it.com> Signed-off-by: Moath Qasim <moad.qassem@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Waleed Malik <ahmedwaleedmalik@gmail.com> Co-authored-by: Marvin Beckers <marvin@kubermatic.com> Co-authored-by: Jan Wozniak <wozniak.jan@gmail.com> Co-authored-by: Andromeda <zofi@xamh.de> Co-authored-by: Mara Sophie Grosch <mgrosch@anexia-it.com> Co-authored-by: Moath Qasim <moad.qassem@gmail.com> Co-authored-by: Robert Nemeti <r.nemeti@syseleven.de>
What this PR does / why we need it:
Refactor the webhook to use the controller-runtime provided webhook.Server instead of a plain HTTP server. The biggest benefit this brings, is it automatically loading changed certificate files instead of forever using the ones present when the server was started.
What type of PR is this?
I'm not quite sure, I'll label this as feature but the webhook server not reloading changed certificates could also be seen as a bug.
/kind feature
Special notes for your reviewer:
This could have been implemented by using the controller-runtime CertWatcher manually, but that would've been more code and aligning machine-controller with the ecosystem-provided standards seems worth it.
Does this PR introduce a user-facing change? Then add your Release Note here:
Documentation: