Fix issue of observed webhook object changing prior to CA patch (#273)

* Fix issue of observed webhook object changing prior to CA patch

* Remove retry

* Remove safety for onEvent handler not being registered

* changelog

Author: tcp13equals2

CHANGELOG.md

@@ -15,7 +15,7 @@
   * `k8s.io/api` from `v0.33.1` to `v0.33.3`
   * `k8s.io/apimachinery` from `v0.33.1` to `v0.33.3`
   * `k8s.io/client-go` from `v0.33.1` to `v0.33.3`
-* [ENHANCEMENT] Automatically patch new validating and mutating rollout-operator webhooks with the self-signed CA if they are created after rollout-operator starts. #262
+* [ENHANCEMENT] Automatically patch validating and mutating rollout-operator webhooks with the self-signed CA if they are created or modified after the rollout-operator starts. #262, #273
 * [ENHANCEMENT] Support for zone and partition aware pod disruption budgets, enabling finer control over pod eviction policies. #253
 * [BUGFIX] Always configure HTTP client with a timeout. #240
 * [BUGFIX] Use a StatefulSet's `.spec.serviceName` when constructing the delayed downscale endpoint for a pod. #258

integration/e2e_test.go

@@ -4,13 +4,15 @@ package integration
 
 import (
 	"context"
+	"encoding/json"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/kubernetes/scheme"
 
@@ -149,6 +151,20 @@ func TestWebHookInformer(t *testing.T) {
 
 		t.Log("Await CABundle assignment")
 		require.Eventually(t, awaitCABundleAssignment(3, ctx, api), time.Second*30, time.Millisecond*10, "New webhooks have CABundle added")
+
+		wh, err = api.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(ctx, wh.GetName(), metav1.GetOptions{})
+		require.NoError(t, err)
+
+		t.Log("Update a webhook")
+		wh.Webhooks[0].ClientConfig.CABundle = nil
+		data, err := json.Marshal(wh)
+		require.NoError(t, err)
+		wh, err = api.AdmissionregistrationV1().ValidatingWebhookConfigurations().Patch(context.Background(), wh.GetName(), types.MergePatchType, data, metav1.PatchOptions{})
+		require.NoError(t, err)
+		require.Nil(t, wh.Webhooks[0].ClientConfig.CABundle)
+
+		t.Log("Await CABundle assignment after update")
+		require.Eventually(t, awaitCABundleAssignment(3, ctx, api), time.Second*30, time.Millisecond*10, "New webhooks have CABundle added")
 	}
 }
 

pkg/tlscert/webhook_observer.go

@@ -2,6 +2,7 @@ package tlscert
 
 import (
 	"fmt"
+	"sync"
 	"time"
 
 	"github.com/go-kit/log"
@@ -32,6 +33,8 @@ type WebhookObserver struct {
 	informerMutatingWebhooks   cache.SharedIndexInformer
 	log                        log.Logger
 	stopCh                     chan struct{}
+	lock                       sync.Mutex
+	onEvent                    *WebhookConfigurationListener
 }
 
 func NewWebhookObserver(kubeClient kubernetes.Interface, namespace string, logger log.Logger) *WebhookObserver {
@@ -45,31 +48,44 @@ func NewWebhookObserver(kubeClient kubernetes.Interface, namespace string, logge
 		informerMutatingWebhooks:   factory.Admissionregistration().V1().MutatingWebhookConfigurations().Informer(),
 		log:                        logger,
 		stopCh:                     make(chan struct{}),
+		lock:                       sync.Mutex{},
 	}
 
 	return c
 }
 
+func (c *WebhookObserver) onWebHookConfigurationObserved(obj interface{}) {
+	// avoid any concurrent modifications where the same webhook is passed in
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	var err error
+	switch obj := obj.(type) {
+	case *admissionregistrationv1.ValidatingWebhookConfiguration:
+		err = c.onEvent.OnValidatingWebhookConfiguration(obj)
+	case *admissionregistrationv1.MutatingWebhookConfiguration:
+		err = c.onEvent.OnMutatingWebhookConfiguration(obj)
+	default:
+		level.Error(c.log).Log("msg", "unknown object", "type", fmt.Sprintf("%T", obj))
+	}
+	if err != nil {
+		level.Error(c.log).Log("msg", "unknown to call configuration listener", "err", err)
+	}
+}
+
 // Init starts watching for validating and mutating webhook configurations being added.
 // The given WebhookConfigurationListener is called when any webhook configurations is added.
 func (c *WebhookObserver) Init(onEvent *WebhookConfigurationListener) error {
+	c.onEvent = onEvent
 
 	informers := []cache.SharedIndexInformer{c.informerValidatingWebhooks, c.informerMutatingWebhooks}
 	for _, informer := range informers {
 		if _, err := informer.AddEventHandler(cache.ResourceEventHandlerFuncs{
 			AddFunc: func(obj interface{}) {
-				var err error
-				switch obj := obj.(type) {
-				case *admissionregistrationv1.ValidatingWebhookConfiguration:
-					err = onEvent.OnValidatingWebhookConfiguration(obj)
-				case *admissionregistrationv1.MutatingWebhookConfiguration:
-					err = onEvent.OnMutatingWebhookConfiguration(obj)
-				default:
-					level.Error(c.log).Log("msg", "Unknown object", "type", fmt.Sprintf("%T", obj))
-				}
-				if err != nil {
-					level.Error(c.log).Log("msg", "Unable to call webhook configuration listener", "err", err)
-				}
+				c.onWebHookConfigurationObserved(obj)
+			},
+			UpdateFunc: func(_, new interface{}) {
+				c.onWebHookConfigurationObserved(new)
 			},
 		}); err != nil {
 			return errors.Wrap(err, "failed to add webhook listener")

pkg/tlscert/webhook_observer_test.go

@@ -2,12 +2,14 @@ package tlscert
 
 import (
 	"context"
+	"encoding/json"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/require"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
 )
 
@@ -69,8 +71,9 @@ func TestWebhookObserver_ListenerInvoked(t *testing.T) {
 	require.Empty(t, observedValidatingWebhooks)
 	require.Empty(t, observedMutatingWebhooks)
 
-	_, err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.Background(), validatingWebhookConfiguration("validating-webhook"), metav1.CreateOptions{})
+	validatingWebhook, err := client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.Background(), validatingWebhookConfiguration("validating-webhook"), metav1.CreateOptions{})
 	require.NoError(t, err)
+	require.NotEmpty(t, validatingWebhook)
 
 	// wait for the informer to be aware of this create
 	task := func() bool {
@@ -80,15 +83,42 @@ func TestWebhookObserver_ListenerInvoked(t *testing.T) {
 	require.Equal(t, "validating-webhook", observedValidatingWebhooks[0].Name)
 	require.Empty(t, observedMutatingWebhooks)
 
-	_, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.Background(), mutatingWebhookConfiguration("mutating-webhook"), metav1.CreateOptions{})
+	mutatingWebhook, err := client.AdmissionregistrationV1().MutatingWebhookConfigurations().Create(context.Background(), mutatingWebhookConfiguration("mutating-webhook"), metav1.CreateOptions{})
 	require.NoError(t, err)
+	require.NotEmpty(t, mutatingWebhook)
 
 	// wait for the informer to be aware of this create
 	task = func() bool {
 		return len(observedMutatingWebhooks) == 1
 	}
 	require.Eventually(t, task, time.Second*5, time.Millisecond*10, "MutatingWebhookConfiguration should have 1 MutatingWebhookConfiguration")
 	require.Equal(t, "mutating-webhook", observedMutatingWebhooks[0].Name)
+
+	// modify our validating webhook
+	validatingWebhook.SetLabels(map[string]string{"foo": "bar"})
+	data, err := json.Marshal(validatingWebhook)
+	require.NoError(t, err)
+	_, err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Patch(context.Background(), validatingWebhook.GetName(), types.MergePatchType, data, metav1.PatchOptions{})
+	require.NoError(t, err)
+
+	// wait for the informer to be aware of this create
+	task = func() bool {
+		return len(observedValidatingWebhooks) == 2
+	}
+	require.Eventually(t, task, time.Second*5, time.Millisecond*10, "ValidatingWebhookConfiguration should have 2 ValidatingWebhookConfigurations")
+
+	// modify our mutating webhook
+	mutatingWebhook.SetLabels(map[string]string{"foo": "bar"})
+	data, err = json.Marshal(mutatingWebhook)
+	require.NoError(t, err)
+	_, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Patch(context.Background(), mutatingWebhook.GetName(), types.MergePatchType, data, metav1.PatchOptions{})
+	require.NoError(t, err)
+
+	// wait for the informer to be aware of this create
+	task = func() bool {
+		return len(observedMutatingWebhooks) == 2
+	}
+	require.Eventually(t, task, time.Second*5, time.Millisecond*10, "MutatingWebhookConfiguration should have 2 MutatingWebhookConfigurations")
 }
 
 // validatingWebhookConfiguration returns a new ValidatingWebhookConfiguration with only it's name set