update admission webhook to accept client config

Kubernetes-commit: 0859798e8e278ec382dcbeb77914f40bf2c78a2c
sttts · Oct 18, 2017 · fd64dc7 · fd64dc7
1 parent c3f2826
commit fd64dc7
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 42 deletions.
diff --git a/pkg/admission/initializer/BUILD b/pkg/admission/initializer/BUILD
@@ -19,6 +19,7 @@ go_library(
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
         "//vendor/k8s.io/client-go/informers:go_default_library",
         "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/rest:go_default_library",
     ],
 )
 

diff --git a/pkg/admission/initializer/initializer.go b/pkg/admission/initializer/initializer.go
@@ -22,17 +22,16 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 type pluginInitializer struct {
 	externalClient    kubernetes.Interface
 	externalInformers informers.SharedInformerFactory
 	authorizer        authorizer.Authorizer
-	// serverIdentifyingClientCert used to provide identity when calling out to admission plugins
-	serverIdentifyingClientCert []byte
-	// serverIdentifyingClientKey private key for the client certificate used when calling out to admission plugins
-	serverIdentifyingClientKey []byte
-	scheme                     *runtime.Scheme
+	// webhookRESTClientConfig provies a client used to contact webhooks
+	webhookRESTClientConfig *rest.Config
+	scheme                  *runtime.Scheme
 }
 
 // New creates an instance of admission plugins initializer.
@@ -41,17 +40,15 @@ func New(
 	extClientset kubernetes.Interface,
 	extInformers informers.SharedInformerFactory,
 	authz authorizer.Authorizer,
-	serverIdentifyingClientCert,
-	serverIdentifyingClientKey []byte,
+	webhookRESTClientConfig *rest.Config,
 	scheme *runtime.Scheme,
 ) (pluginInitializer, error) {
 	return pluginInitializer{
-		externalClient:              extClientset,
-		externalInformers:           extInformers,
-		authorizer:                  authz,
-		serverIdentifyingClientCert: serverIdentifyingClientCert,
-		serverIdentifyingClientKey:  serverIdentifyingClientKey,
-		scheme: scheme,
+		externalClient:          extClientset,
+		externalInformers:       extInformers,
+		authorizer:              authz,
+		webhookRESTClientConfig: webhookRESTClientConfig,
+		scheme:                  scheme,
 	}, nil
 }
 
@@ -70,8 +67,8 @@ func (i pluginInitializer) Initialize(plugin admission.Interface) {
 		wants.SetAuthorizer(i.authorizer)
 	}
 
-	if wants, ok := plugin.(WantsClientCert); ok {
-		wants.SetClientCert(i.serverIdentifyingClientCert, i.serverIdentifyingClientKey)
+	if wants, ok := plugin.(WantsWebhookRESTClientConfig); ok {
+		wants.SetWebhookRESTClientConfig(i.webhookRESTClientConfig)
 	}
 
 	if wants, ok := plugin.(WantsScheme); ok {

diff --git a/pkg/admission/initializer/initializer_test.go b/pkg/admission/initializer/initializer_test.go
@@ -33,7 +33,7 @@ import (
 // the WantsScheme interface is implemented by a plugin.
 func TestWantsScheme(t *testing.T) {
 	scheme := runtime.NewScheme()
-	target, err := initializer.New(nil, nil, nil, nil, nil, scheme)
+	target, err := initializer.New(nil, nil, nil, nil, scheme)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -47,7 +47,7 @@ func TestWantsScheme(t *testing.T) {
 // TestWantsAuthorizer ensures that the authorizer is injected
 // when the WantsAuthorizer interface is implemented by a plugin.
 func TestWantsAuthorizer(t *testing.T) {
-	target, err := initializer.New(nil, nil, &TestAuthorizer{}, nil, nil, nil)
+	target, err := initializer.New(nil, nil, &TestAuthorizer{}, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -62,7 +62,7 @@ func TestWantsAuthorizer(t *testing.T) {
 // when the WantsExternalKubeClientSet interface is implemented by a plugin.
 func TestWantsExternalKubeClientSet(t *testing.T) {
 	cs := &fake.Clientset{}
-	target, err := initializer.New(cs, nil, &TestAuthorizer{}, nil, nil, nil)
+	target, err := initializer.New(cs, nil, &TestAuthorizer{}, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -78,7 +78,7 @@ func TestWantsExternalKubeClientSet(t *testing.T) {
 func TestWantsExternalKubeInformerFactory(t *testing.T) {
 	cs := &fake.Clientset{}
 	sf := informers.NewSharedInformerFactory(cs, time.Duration(1)*time.Second)
-	target, err := initializer.New(cs, sf, &TestAuthorizer{}, nil, nil, nil)
+	target, err := initializer.New(cs, sf, &TestAuthorizer{}, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -89,20 +89,6 @@ func TestWantsExternalKubeInformerFactory(t *testing.T) {
 	}
 }
 
-// TestWantsClientCert ensures that the client certificate and key are injected
-// when the WantsClientCert interface is implemented by a plugin.
-func TestWantsClientCert(t *testing.T) {
-	target, err := initializer.New(nil, nil, nil, []byte("cert"), []byte("key"), nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	wantClientCert := &clientCertWanter{}
-	target.Initialize(wantClientCert)
-	if string(wantClientCert.gotCert) != "cert" || string(wantClientCert.gotKey) != "key" {
-		t.Errorf("expected client cert to be initialized, clientCert = %v, clientKey = %v", wantClientCert.gotCert, wantClientCert.gotKey)
-	}
-}
-
 // WantExternalKubeInformerFactory is a test stub that fulfills the WantsExternalKubeInformerFactory interface
 type WantExternalKubeInformerFactory struct {
 	sf informers.SharedInformerFactory

diff --git a/pkg/admission/initializer/interfaces.go b/pkg/admission/initializer/interfaces.go
@@ -22,6 +22,7 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 // WantsExternalKubeClientSet defines a function which sets external ClientSet for admission plugins that need it
@@ -42,10 +43,10 @@ type WantsAuthorizer interface {
 	admission.Validator
 }
 
-// WantsClientCert defines a fuction that accepts a cert & key for admission
+// WantsWebhookRESTClientConfig defines a function that accepts client config for admission
 // plugins that need to make calls and prove their identity.
-type WantsClientCert interface {
-	SetClientCert(cert, key []byte)
+type WantsWebhookRESTClientConfig interface {
+	SetWebhookRESTClientConfig(*rest.Config)
 	admission.Validator
 }
 

diff --git a/pkg/admission/plugin/namespace/lifecycle/admission_test.go b/pkg/admission/plugin/namespace/lifecycle/admission_test.go
@@ -48,7 +48,7 @@ func newHandlerForTestWithClock(c clientset.Interface, cacheClock clock.Clock) (
 	if err != nil {
 		return nil, f, err
 	}
-	pluginInitializer, err := kubeadmission.New(c, f, nil, nil, nil, nil)
+	pluginInitializer, err := kubeadmission.New(c, f, nil, nil, nil)
 	if err != nil {
 		return handler, f, err
 	}

diff --git a/pkg/server/options/admission.go b/pkg/server/options/admission.go
@@ -80,9 +80,8 @@ func (a *AdmissionOptions) AddFlags(fs *pflag.FlagSet) {
 func (a *AdmissionOptions) ApplyTo(
 	c *server.Config,
 	informers informers.SharedInformerFactory,
-	serverIdentifyingClientCert []byte,
-	serverIdentifyingClientKey []byte,
-	clientConfig *rest.Config,
+	kubeAPIServerClientConfig *rest.Config,
+	webhookClientConfig *rest.Config,
 	scheme *runtime.Scheme,
 	pluginInitializers ...admission.PluginInitializer,
 ) error {
@@ -96,11 +95,11 @@ func (a *AdmissionOptions) ApplyTo(
 		return fmt.Errorf("failed to read plugin config: %v", err)
 	}
 
-	clientset, err := kubernetes.NewForConfig(clientConfig)
+	clientset, err := kubernetes.NewForConfig(kubeAPIServerClientConfig)
 	if err != nil {
 		return err
 	}
-	genericInitializer, err := initializer.New(clientset, informers, c.Authorizer, serverIdentifyingClientCert, serverIdentifyingClientKey, scheme)
+	genericInitializer, err := initializer.New(clientset, informers, c.Authorizer, webhookClientConfig, scheme)
 	if err != nil {
 		return err
 	}