Use ConfigMap to pass configuration to the webhook, make the base con…

…figuration the default

Makefile

@@ -26,8 +26,8 @@ delete-certs:
 
 deploy-config:
 	@echo 'Applying configuration to active cluster...'
-	kustomize build deploy/overlays/default | kubectl apply -f -
+	kustomize build deploy/base | kubectl apply -f -
 
 delete-config:
 	@echo 'Tearing down mutating controller and associated resources...'
-	kustomize build deploy/overlays/default | kubectl delete -f -
+	kustomize build deploy/base | kubectl delete -f -

README.md

@@ -21,4 +21,8 @@ The included `Makefile` makes these steps straightforward and the available comm
 * `make cluster-up`: apply certificate configuration and deployment configuration to cluster for the mutating webhook
 * `make cluster-down`: delete resources associated with the mutating webhook from the active cluster
 
+There are example patches which can be used with `kustomize` to configure the deployment of this webhook into your cluster under `deploy/base/overlays/example`. This example custom configuration can be applied with:  
 
+`kustomize build deploy/overlays/example | kubectl apply -f -`
+
+This can be used, for example, to set different sampling policies between production and staging clusters.

config.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+
+	yaml "gopkg.in/yaml.v2"
+)
+
+// DefaultConfigPath refers to location of configuration mount dir specified in deployment
+const DefaultConfigPath = "/etc/webhook/config/config.yaml"
+
+// Config represents all config we need to initialize the webhook server
+type Config struct {
+	Trace struct {
+		SampleRate float64 `yaml:"sampleRate"`
+	}
+}
+
+// ParseConfigFromPath reads YAML config into config struct
+func ParseConfigFromPath(c *Config, path string) (bool, error) {
+
+	configYaml, err := ioutil.ReadFile(path)
+	if err != nil {
+		return false, fmt.Errorf("could not read YAML configuration file: %v", err)
+	}
+
+	err = yaml.Unmarshal(configYaml, &c)
+	if err != nil {
+		return false, fmt.Errorf("could not umarshal YAML configuration file: %v", err)
+	}
+
+	return true, nil
+}
+
+// Validate accepts a WebhookServerConfig and returns whether the config was valid and an error if needed
+func (cfg *Config) Validate() (bool, error) {
+	if cfg.Trace.SampleRate < 0 || cfg.Trace.SampleRate > 1 {
+		return false, errors.New("sampling rate must be between 0 and 1 inclusive")
+	}
+
+	return true, nil
+}

deploy/base/configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: trace-context-injector-webhook-config-map
+data:
+  config.yaml: |
+    trace:
+      sampleRate: 1.0

deploy/base/deployment.yaml

@@ -12,12 +12,19 @@ spec:
       containers:
         - name: trace-context-injector
           image: k8s.gcr.io/trace-context-injector:latest
-          imagePullPolicy: Always 
+          imagePullPolicy: Always
+          args:
+            - -configPath=/etc/webhook/config/config.yaml
           volumeMounts:
             - name: webhook-certs
               mountPath: /etc/webhook/certs
               readOnly: true
+            - name: webhook-config
+              mountPath: /etc/webhook/config
       volumes:
         - name: webhook-certs
           secret:
             secretName: trace-context-injector-webhook-certs
+        - name: webhook-config
+          configMap:
+            name: trace-context-injector-webhook-config-map

deploy/base/kustomization.yaml

@@ -4,3 +4,4 @@ resources:
   - deployment.yaml
   - mutatingwebhook-ca-bundle.yaml
   - service.yaml
+  - configmap.yaml

deploy/overlays/example/kustomization.yaml

@@ -0,0 +1,5 @@
+
+bases:
+- ../../base
+patches:
+- trace-context-injector-config.yaml

deploy/overlays/example/trace-context-injector-config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: trace-context-injector-webhook-config-map
+data:
+  config.yaml: |
+    trace:
+      sampleRate: 0.1

main.go

@@ -11,27 +11,43 @@ import (
 	"syscall"
 
 	"github.com/golang/glog"
+	"go.opencensus.io/trace"
 )
 
 func main() {
-	var parameters WebhookServerParameters
-	var traceConfig TraceConfig
 
-	// get command line parameters
-	flag.Float64Var(&traceConfig.samplingRate, "rate", 1.00, "Float between 0.0 and 1.0 inclusive which sets the probability that any given span context is sampled")
-	flag.IntVar(&parameters.port, "port", 443, "Webhook server port.")
-	flag.StringVar(&parameters.certFile, "tlsCertFile", "/etc/webhook/certs/cert.pem", "File containing the x509 Certificate for HTTPS.")
-	flag.StringVar(&parameters.keyFile, "tlsKeyFile", "/etc/webhook/certs/key.pem", "File containing the x509 private key to --tlsCertFile.")
+	// read configuration location from command line arg
+	var configPath string
+	flag.StringVar(&configPath, "configPath", DefaultConfigPath, "Path that points to the YAML configuration for this webhook.")
 	flag.Parse()
 
-	pair, err := tls.LoadX509KeyPair(parameters.certFile, parameters.keyFile)
+	// parse and validate configuration
+	config := Config{}
+
+	ok, err := ParseConfigFromPath(&config, configPath)
+	if !ok {
+		glog.Errorf("configuration parse failed with error: %v", err)
+		return
+	}
+
+	ok, err = config.Validate()
+	if !ok {
+		glog.Errorf("configuration validation failed with error: %v", err)
+		return
+	}
+
+	// configure global tracer
+	trace.ApplyConfig(trace.Config{DefaultSampler: trace.ProbabilitySampler(config.Trace.SampleRate)})
+
+	// configure certificates
+	pair, err := tls.LoadX509KeyPair("/etc/webhook/certs/cert.pem", "/etc/webhook/certs/key.pem")
 	if err != nil {
 		glog.Errorf("Failed to load key pair: %v", err)
 	}
 
 	whsvr := &WebhookServer{
 		server: &http.Server{
-			Addr:      fmt.Sprintf(":%v", parameters.port),
+			Addr:      fmt.Sprintf(":%v", 443),
 			TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}},
 		},
 	}
@@ -40,13 +56,6 @@ func main() {
 	mux.HandleFunc("/mutate", whsvr.serve)
 	whsvr.server.Handler = mux
 
-	// pass configuration through here
-	err = ConfigureTracing(&traceConfig)
-	if err != nil {
-		glog.Errorf("could not validate passed tracing configuration: %v", err)
-		return
-	}
-
 	// begin webhook server
 	go func() {
 		if err := whsvr.server.ListenAndServeTLS("", ""); err != nil {

traceutil.go

@@ -3,28 +3,11 @@ package main
 import (
 	"context"
 	"encoding/base64"
-	"errors"
 
 	"go.opencensus.io/trace"
 	"go.opencensus.io/trace/propagation"
 )
 
-// TraceConfig is the struct used to pass configuration to the tracer
-type TraceConfig struct {
-	samplingRate float64
-}
-
-// ConfigureTracing will take passed configuration and set the sampling policy accordingly
-func ConfigureTracing(config *TraceConfig) error {
-	//validate configuration
-	if config.samplingRate < 0.0 || config.samplingRate > 1.0 {
-		return errors.New("invalid sample rate: must be between 0 and 1 inclusive")
-	}
-
-	trace.ApplyConfig(trace.Config{DefaultSampler: trace.ProbabilitySampler(config.samplingRate)})
-	return nil
-}
-
 // GenerateEmbeddableSpanContext takes a SpanContext and returns a serialized string
 func GenerateEmbeddableSpanContext() string {
 	// should not be exported, purpose of this span is to retrieve OC compliant SpanContext

webhook.go

@@ -29,13 +29,6 @@ type WebhookServer struct {
 	server *http.Server
 }
 
-// WebhookServerParameters represents all config we need to initialize the webhook server
-type WebhookServerParameters struct {
-	port     int
-	certFile string
-	keyFile  string
-}
-
 type patchOperation struct {
 	Op    string      `json:"op"`
 	Path  string      `json:"path"`