Reorganize admission webhook code

cmd/kube-apiserver/app/BUILD

@@ -59,7 +59,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/server:go_default_library",

cmd/kube-apiserver/app/server.go

@@ -44,7 +44,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	utilwait "k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/admission"
-	"k8s.io/apiserver/pkg/admission/plugin/webhook"
+	webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericapiserver "k8s.io/apiserver/pkg/server"
@@ -446,8 +446,8 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
 		genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName)
 	}
 
-	webhookAuthResolver := func(delegate webhook.AuthenticationInfoResolver) webhook.AuthenticationInfoResolver {
-		return webhook.AuthenticationInfoResolverFunc(func(server string) (*rest.Config, error) {
+	webhookAuthResolver := func(delegate webhookconfig.AuthenticationInfoResolver) webhookconfig.AuthenticationInfoResolver {
+		return webhookconfig.AuthenticationInfoResolverFunc(func(server string) (*rest.Config, error) {
 			if server == "kubernetes.default.svc" {
 				return genericConfig.LoopbackClientConfig, nil
 			}
@@ -486,7 +486,7 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
 }
 
 // BuildAdmissionPluginInitializer constructs the admission plugin initializer
-func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client internalclientset.Interface, sharedInformers informers.SharedInformerFactory, serviceResolver aggregatorapiserver.ServiceResolver, webhookAuthWrapper webhook.AuthenticationInfoResolverWrapper) (admission.PluginInitializer, error) {
+func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client internalclientset.Interface, sharedInformers informers.SharedInformerFactory, serviceResolver aggregatorapiserver.ServiceResolver, webhookAuthWrapper webhookconfig.AuthenticationInfoResolverWrapper) (admission.PluginInitializer, error) {
 	var cloudConfig []byte
 
 	if s.CloudProvider.CloudConfigFile != "" {

hack/.golint_failures

@@ -542,7 +542,8 @@ staging/src/k8s.io/apiserver/pkg/admission
 staging/src/k8s.io/apiserver/pkg/admission/configuration
 staging/src/k8s.io/apiserver/pkg/admission/plugin/initialization
 staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle
-staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook
+staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config
+staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating
 staging/src/k8s.io/apiserver/pkg/apis/apiserver
 staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1
 staging/src/k8s.io/apiserver/pkg/apis/audit

pkg/kubeapiserver/admission/BUILD

@@ -13,7 +13,7 @@ go_test(
     library = ":go_default_library",
     deps = [
         "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library",
     ],
 )
 
@@ -27,7 +27,7 @@ go_library(
         "//pkg/quota:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/admission:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/config:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
         "//vendor/k8s.io/client-go/kubernetes:go_default_library",
     ],

pkg/kubeapiserver/admission/init_test.go

@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	"k8s.io/apiserver/pkg/admission"
-	"k8s.io/apiserver/pkg/admission/plugin/webhook"
+	"k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 )
 
 type doNothingAdmission struct{}
@@ -61,7 +61,7 @@ type serviceWanter struct {
 	got ServiceResolver
 }
 
-func (s *serviceWanter) SetServiceResolver(sr webhook.ServiceResolver) { s.got = sr }
+func (s *serviceWanter) SetServiceResolver(sr config.ServiceResolver) { s.got = sr }
 
 func TestWantsServiceResolver(t *testing.T) {
 	sw := &serviceWanter{}

pkg/kubeapiserver/admission/initializer.go

@@ -21,7 +21,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apiserver/pkg/admission"
-	"k8s.io/apiserver/pkg/admission/plugin/webhook"
+	webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
@@ -62,7 +62,7 @@ type WantsQuotaConfiguration interface {
 // WantsServiceResolver defines a fuction that accepts a ServiceResolver for
 // admission plugins that need to make calls to services.
 type WantsServiceResolver interface {
-	SetServiceResolver(webhook.ServiceResolver)
+	SetServiceResolver(webhookconfig.ServiceResolver)
 }
 
 // ServiceResolver knows how to convert a service reference into an actual
@@ -74,7 +74,7 @@ type ServiceResolver interface {
 // WantsAuthenticationInfoResolverWrapper defines a function that wraps the standard AuthenticationInfoResolver
 // to allow the apiserver to control what is returned as auth info
 type WantsAuthenticationInfoResolverWrapper interface {
-	SetAuthenticationInfoResolverWrapper(webhook.AuthenticationInfoResolverWrapper)
+	SetAuthenticationInfoResolverWrapper(webhookconfig.AuthenticationInfoResolverWrapper)
 	admission.InitializationValidator
 }
 
@@ -86,8 +86,8 @@ type PluginInitializer struct {
 	cloudConfig                       []byte
 	restMapper                        meta.RESTMapper
 	quotaConfiguration                quota.Configuration
-	serviceResolver                   webhook.ServiceResolver
-	authenticationInfoResolverWrapper webhook.AuthenticationInfoResolverWrapper
+	serviceResolver                   webhookconfig.ServiceResolver
+	authenticationInfoResolverWrapper webhookconfig.AuthenticationInfoResolverWrapper
 }
 
 var _ admission.PluginInitializer = &PluginInitializer{}
@@ -101,8 +101,8 @@ func NewPluginInitializer(
 	cloudConfig []byte,
 	restMapper meta.RESTMapper,
 	quotaConfiguration quota.Configuration,
-	authenticationInfoResolverWrapper webhook.AuthenticationInfoResolverWrapper,
-	serviceResolver webhook.ServiceResolver,
+	authenticationInfoResolverWrapper webhookconfig.AuthenticationInfoResolverWrapper,
+	serviceResolver webhookconfig.ServiceResolver,
 ) *PluginInitializer {
 	return &PluginInitializer{
 		internalClient:                    internalClient,

staging/src/k8s.io/apiserver/pkg/admission/BUILD

@@ -78,7 +78,9 @@ filegroup(
         "//staging/src/k8s.io/apiserver/pkg/admission/initializer:all-srcs",
         "//staging/src/k8s.io/apiserver/pkg/admission/plugin/initialization:all-srcs",
         "//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:all-srcs",
-        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook:all-srcs",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config:all-srcs",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/rules:all-srcs",
+        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:all-srcs",
     ],
     tags = ["automanaged"],
 )

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/BUILD

@@ -0,0 +1,54 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "authentication.go",
+        "client.go",
+        "errors.go",
+        "kubeconfig.go",
+        "serviceresolver.go",
+    ],
+    importpath = "k8s.io/apiserver/pkg/admission/plugin/webhook/config",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/hashicorp/golang-lru:go_default_library",
+        "//vendor/k8s.io/api/admissionregistration/v1alpha1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/yaml:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = [
+        "authentication_test.go",
+        "serviceresolver_test.go",
+    ],
+    importpath = "k8s.io/apiserver/pkg/admission/plugin/webhook/config",
+    library = ":go_default_library",
+    deps = [
+        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
+        "//vendor/k8s.io/client-go/tools/clientcmd/api:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/authentication.go → staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package webhook
+package config
 
 import (
 	"fmt"
@@ -27,14 +27,19 @@ import (
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
 
+// AuthenticationInfoResolverWrapper can be used to inject Dial function to the
+// rest.Config generated by the resolver.
 type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) AuthenticationInfoResolver
 
+// AuthenticationInfoResolver builds rest.Config base on the server name.
 type AuthenticationInfoResolver interface {
 	ClientConfigFor(server string) (*rest.Config, error)
 }
 
+// AuthenticationInfoResolverFunc implements AuthenticationInfoResolver.
 type AuthenticationInfoResolverFunc func(server string) (*rest.Config, error)
 
+//ClientConfigFor implements AuthenticationInfoResolver.
 func (a AuthenticationInfoResolverFunc) ClientConfigFor(server string) (*rest.Config, error) {
 	return a(server)
 }
@@ -43,7 +48,10 @@ type defaultAuthenticationInfoResolver struct {
 	kubeconfig clientcmdapi.Config
 }
 
-func newDefaultAuthenticationInfoResolver(kubeconfigFile string) (AuthenticationInfoResolver, error) {
+// NewDefaultAuthenticationInfoResolver generates an AuthenticationInfoResolver
+// that builds rest.Config based on the kubeconfig file. kubeconfigFile is the
+// path to the kubeconfig.
+func NewDefaultAuthenticationInfoResolver(kubeconfigFile string) (AuthenticationInfoResolver, error) {
 	if len(kubeconfigFile) == 0 {
 		return &defaultAuthenticationInfoResolver{}, nil
 	}

staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/authentication_test.go → staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/authentication_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package webhook
+package config
 
 import (
 	"testing"