add webhook validation

WORKSPACE

@@ -275,7 +275,7 @@ go_repository(
     name = "io_k8s_apiserver",
     build_file_generation = "on",
     build_file_name = "BUILD.bazel",
-    commit = "ab57ed5a72c3b67058f665d660e23bae18339fc2",
+    commit = "149fc2228647cea28b0670c240ec582e985e8eda",  # Jul Aug 1, 2017
     importpath = "k8s.io/apiserver",
 )
 

adapter/config/crd/client.go

@@ -149,7 +149,7 @@ func (cl *Client) RegisterResources() error {
 	}
 
 	for _, schema := range cl.descriptor {
-		name := resourceName(schema.Plural) + "." + model.IstioAPIGroup
+		name := ResourceName(schema.Plural) + "." + model.IstioAPIGroup
 		crd := &apiextensionsv1beta1.CustomResourceDefinition{
 			ObjectMeta: meta_v1.ObjectMeta{
 				Name: name,
@@ -159,7 +159,7 @@ func (cl *Client) RegisterResources() error {
 				Version: model.IstioAPIVersion,
 				Scope:   apiextensionsv1beta1.NamespaceScoped,
 				Names: apiextensionsv1beta1.CustomResourceDefinitionNames{
-					Plural: resourceName(schema.Plural),
+					Plural: ResourceName(schema.Plural),
 					Kind:   kabobCaseToCamelCase(schema.Type),
 				},
 			},
@@ -175,7 +175,7 @@ func (cl *Client) RegisterResources() error {
 	errPoll := wait.Poll(500*time.Millisecond, 60*time.Second, func() (bool, error) {
 	descriptor:
 		for _, schema := range cl.descriptor {
-			name := resourceName(schema.Plural) + "." + model.IstioAPIGroup
+			name := ResourceName(schema.Plural) + "." + model.IstioAPIGroup
 			crd, errGet := clientset.ApiextensionsV1beta1().CustomResourceDefinitions().Get(name, meta_v1.GetOptions{})
 			if errGet != nil {
 				return false, errGet
@@ -219,7 +219,7 @@ func (cl *Client) DeregisterResources() error {
 
 	var errs error
 	for _, schema := range cl.descriptor {
-		name := resourceName(schema.Plural) + "." + model.IstioAPIGroup
+		name := ResourceName(schema.Plural) + "." + model.IstioAPIGroup
 		err := clientset.ApiextensionsV1beta1().CustomResourceDefinitions().Delete(name, nil)
 		errs = multierror.Append(errs, err)
 	}
@@ -241,7 +241,7 @@ func (cl *Client) Get(typ, name, namespace string) (*model.Config, bool) {
 	config := knownTypes[typ].object.DeepCopyObject().(IstioObject)
 	err := cl.dynamic.Get().
 		Namespace(namespace).
-		Resource(resourceName(schema.Plural)).
+		Resource(ResourceName(schema.Plural)).
 		Name(name).
 		Do().Into(config)
 
@@ -250,7 +250,7 @@ func (cl *Client) Get(typ, name, namespace string) (*model.Config, bool) {
 		return nil, false
 	}
 
-	out, err := convertObject(schema, config, cl.domainSuffix)
+	out, err := ConvertObject(schema, config, cl.domainSuffix)
 	if err != nil {
 		glog.Warning(err)
 		return nil, false
@@ -269,15 +269,15 @@ func (cl *Client) Create(config model.Config) (string, error) {
 		return "", multierror.Prefix(err, "validation error:")
 	}
 
-	out, err := convertConfig(schema, config)
+	out, err := ConvertConfig(schema, config)
 	if err != nil {
 		return "", err
 	}
 
 	obj := knownTypes[schema.Type].object.DeepCopyObject().(IstioObject)
 	err = cl.dynamic.Post().
 		Namespace(out.GetObjectMeta().Namespace).
-		Resource(resourceName(schema.Plural)).
+		Resource(ResourceName(schema.Plural)).
 		Body(out).
 		Do().Into(obj)
 	if err != nil {
@@ -302,15 +302,15 @@ func (cl *Client) Update(config model.Config) (string, error) {
 		return "", fmt.Errorf("revision is required")
 	}
 
-	out, err := convertConfig(schema, config)
+	out, err := ConvertConfig(schema, config)
 	if err != nil {
 		return "", err
 	}
 
 	obj := knownTypes[schema.Type].object.DeepCopyObject().(IstioObject)
 	err = cl.dynamic.Put().
 		Namespace(out.GetObjectMeta().Namespace).
-		Resource(resourceName(schema.Plural)).
+		Resource(ResourceName(schema.Plural)).
 		Name(out.GetObjectMeta().Name).
 		Body(out).
 		Do().Into(obj)
@@ -330,7 +330,7 @@ func (cl *Client) Delete(typ, name, namespace string) error {
 
 	return cl.dynamic.Delete().
 		Namespace(namespace).
-		Resource(resourceName(schema.Plural)).
+		Resource(ResourceName(schema.Plural)).
 		Name(name).
 		Do().Error()
 }
@@ -345,12 +345,12 @@ func (cl *Client) List(typ, namespace string) ([]model.Config, error) {
 	list := knownTypes[schema.Type].collection.DeepCopyObject().(IstioObjectList)
 	errs := cl.dynamic.Get().
 		Namespace(namespace).
-		Resource(resourceName(schema.Plural)).
+		Resource(ResourceName(schema.Plural)).
 		Do().Into(list)
 
 	out := make([]model.Config, 0)
 	for _, item := range list.GetItems() {
-		obj, err := convertObject(schema, item, cl.domainSuffix)
+		obj, err := ConvertObject(schema, item, cl.domainSuffix)
 		if err != nil {
 			errs = multierror.Append(errs, err)
 		} else {

adapter/config/crd/controller.go

@@ -72,7 +72,7 @@ func (c *controller) addInformer(schema model.ProtoSchema, namespace string, res
 			result = knownTypes[schema.Type].collection.DeepCopyObject()
 			err = c.client.dynamic.Get().
 				Namespace(namespace).
-				Resource(resourceName(schema.Plural)).
+				Resource(ResourceName(schema.Plural)).
 				VersionedParams(&opts, meta_v1.ParameterCodec).
 				Do().
 				Into(result)
@@ -82,7 +82,7 @@ func (c *controller) addInformer(schema model.ProtoSchema, namespace string, res
 			return c.client.dynamic.Get().
 				Prefix("watch").
 				Namespace(namespace).
-				Resource(resourceName(schema.Plural)).
+				Resource(ResourceName(schema.Plural)).
 				VersionedParams(&opts, meta_v1.ParameterCodec).
 				Watch()
 		})
@@ -141,7 +141,7 @@ func (c *controller) RegisterEventHandler(typ string, f func(model.Config, model
 	c.kinds[typ].handler.Append(func(object interface{}, ev model.Event) error {
 		item, ok := object.(IstioObject)
 		if ok {
-			config, err := convertObject(schema, item, c.client.domainSuffix)
+			config, err := ConvertObject(schema, item, c.client.domainSuffix)
 			if err != nil {
 				glog.Warningf("error translating object %#v", object)
 			} else {
@@ -199,7 +199,7 @@ func (c *controller) Get(typ, name, namespace string) (*model.Config, bool) {
 		return nil, false
 	}
 
-	config, err := convertObject(schema, obj, c.client.domainSuffix)
+	config, err := ConvertObject(schema, obj, c.client.domainSuffix)
 	if err != nil {
 		return nil, false
 	}
@@ -237,7 +237,7 @@ func (c *controller) List(typ, namespace string) ([]model.Config, error) {
 			continue
 		}
 
-		config, err := convertObject(schema, item, c.client.domainSuffix)
+		config, err := ConvertObject(schema, item, c.client.domainSuffix)
 		if err != nil {
 			errs = multierror.Append(errs, err)
 		} else {

adapter/config/crd/conversion.go

@@ -23,7 +23,9 @@ import (
 	"istio.io/pilot/model"
 )
 
-func convertObject(schema model.ProtoSchema, object IstioObject, domain string) (*model.Config, error) {
+// ConvertObject converts an IstioObject k8s-style object to the
+// internal configuration model.
+func ConvertObject(schema model.ProtoSchema, object IstioObject, domain string) (*model.Config, error) {
 	data, err := schema.FromJSONMap(object.GetSpec())
 	if err != nil {
 		return nil, err
@@ -43,8 +45,8 @@ func convertObject(schema model.ProtoSchema, object IstioObject, domain string)
 	}, nil
 }
 
-// convertConfig translates Istio config to k8s config JSON
-func convertConfig(schema model.ProtoSchema, config model.Config) (IstioObject, error) {
+// ConvertConfig translates Istio config to k8s config JSON
+func ConvertConfig(schema model.ProtoSchema, config model.Config) (IstioObject, error) {
 	spec, err := schema.ToJSONMap(config.Spec)
 	if err != nil {
 		return nil, err
@@ -62,9 +64,9 @@ func convertConfig(schema model.ProtoSchema, config model.Config) (IstioObject,
 	return out, nil
 }
 
-// resourceName converts "my-name" to "myname".
+// ResourceName converts "my-name" to "myname".
 // This is needed by k8s API server as dashes prevent kubectl from accessing CRDs
-func resourceName(s string) string {
+func ResourceName(s string) string {
 	return strings.Replace(s, "-", "", -1)
 }
 
@@ -78,9 +80,8 @@ func kabobCaseToCamelCase(s string) string {
 	return out
 }
 
-// camelCaseToKabobCase converts "MyName" to "my-name"
-// nolint: deadcode
-func camelCaseToKabobCase(s string) string {
+// CamelCaseToKabobCase converts "MyName" to "my-name"
+func CamelCaseToKabobCase(s string) string {
 	var out bytes.Buffer
 	for i := range s {
 		if 'A' <= s[i] && s[i] <= 'Z' {

adapter/config/crd/conversion_test.go

@@ -26,9 +26,9 @@ var (
 
 func TestCamelKabob(t *testing.T) {
 	for _, tt := range camelKabobs {
-		s := camelCaseToKabobCase(tt.in)
+		s := CamelCaseToKabobCase(tt.in)
 		if s != tt.out {
-			t.Errorf("camelCaseToKabobCase(%q) => %q, want %q", tt.in, s, tt.out)
+			t.Errorf("CamelCaseToKabobCase(%q) => %q, want %q", tt.in, s, tt.out)
 		}
 		u := kabobCaseToCamelCase(tt.out)
 		if u != tt.in {

bin/check.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -ex
 
-buildifier -showlog -mode=check $(find . -type f \( -name 'BUILD' -or -name 'WORKSPACE' -or -wholename '.*bazel' -or -wholename '.*bzl' \) -print )
+buildifier -showlog -mode=check $(find . -type f \( -name 'BUILD' -or -name 'WORKSPACE' -or -wholename '.*bazel$' -or -wholename '.*bzl$' \) -print )
 
 NUM_CPU=$(getconf _NPROCESSORS_ONLN)
 

cmd/pilot-discovery/BUILD

@@ -16,6 +16,7 @@ go_library(
         "//platform/consul:go_default_library",
         "//platform/eureka:go_default_library",
         "//platform/kube:go_default_library",
+        "//platform/kube/admit:go_default_library",
         "//proxy:go_default_library",
         "//proxy/envoy:go_default_library",
         "//tools/version:go_default_library",

cmd/pilot-discovery/main.go

@@ -36,6 +36,7 @@ import (
 	"istio.io/pilot/platform/consul"
 	"istio.io/pilot/platform/eureka"
 	"istio.io/pilot/platform/kube"
+	"istio.io/pilot/platform/kube/admit"
 	"istio.io/pilot/proxy"
 	"istio.io/pilot/proxy/envoy"
 	"istio.io/pilot/tools/version"
@@ -58,9 +59,10 @@ type args struct {
 	controllerOptions kube.ControllerOptions
 	discoveryOptions  envoy.DiscoveryServiceOptions
 
-	registries []string
-	consul     consulArgs
-	eureka     eurekaArgs
+	registries    []string
+	consul        consulArgs
+	eureka        eurekaArgs
+	admissionArgs admit.ControllerOptions
 }
 
 var (
@@ -91,6 +93,15 @@ var (
 
 			stop := make(chan struct{})
 
+			if flags.controllerOptions.Namespace == "" {
+				flags.controllerOptions.Namespace = os.Getenv("POD_NAMESPACE")
+			}
+
+			_, client, kuberr := kube.CreateInterface(flags.kubeconfig)
+			if kuberr != nil {
+				return multierror.Prefix(kuberr, "failed to connect to Kubernetes API.")
+			}
+
 			configClient, err := crd.NewClient(flags.kubeconfig, model.ConfigDescriptor{
 				model.RouteRule,
 				model.EgressRule,
@@ -116,15 +127,6 @@ var (
 				glog.V(2).Infof("Adding %s registry adapter", serviceRegistry)
 				switch serviceRegistry {
 				case platform.KubernetesRegistry:
-					_, client, kuberr := kube.CreateInterface(flags.kubeconfig)
-					if kuberr != nil {
-						return multierror.Prefix(kuberr, "failed to connect to Kubernetes API.")
-					}
-
-					if flags.controllerOptions.Namespace == "" {
-						flags.controllerOptions.Namespace = os.Getenv("POD_NAMESPACE")
-					}
-
 					kubectl := kube.NewController(client, mesh, flags.controllerOptions)
 					serviceControllers.AddRegistry(
 						aggregate.Registry{
@@ -196,6 +198,22 @@ var (
 				return fmt.Errorf("failed to create discovery service: %v", err)
 			}
 
+			// Set up configuration validation admission
+			// controller. Fill in remaining admission controller
+			// options
+			flags.admissionArgs.Descriptor = configClient.ConfigDescriptor()
+			flags.admissionArgs.ServiceNamespace = flags.controllerOptions.Namespace
+			flags.admissionArgs.DomainSuffix = flags.controllerOptions.DomainSuffix
+			flags.admissionArgs.ValidateNamespaces = []string{
+				flags.controllerOptions.Namespace,
+				flags.controllerOptions.WatchedNamespace,
+			}
+			admissionController, err := admit.NewController(client, flags.admissionArgs)
+			if err != nil {
+				return fmt.Errorf("failed to create validation admission controller: %v", err)
+			}
+
+			go admissionController.Run(stop)
 			go serviceControllers.Run(stop)
 			go configController.Run(stop)
 			go discovery.Run()
@@ -238,6 +256,19 @@ func init() {
 	discoveryCmd.PersistentFlags().StringVar(&flags.eureka.serverURL, "eurekaserverURL", "",
 		"URL for the Eureka server")
 
+	discoveryCmd.PersistentFlags().StringVar(&flags.admissionArgs.ExternalAdmissionWebhookName,
+		"admission-webhook-name", "pilot-webhook.istio.io", "Webhook name for Pilot admission controller")
+	discoveryCmd.PersistentFlags().StringVar(&flags.admissionArgs.ServiceName,
+		"admission-service", "istio-pilot-external",
+		"Service name the admission controller uses during registration")
+	discoveryCmd.PersistentFlags().IntVar(&flags.admissionArgs.Port, "admission-service-port", 443,
+		"HTTPS port of the admission service. Must be 443 if service has more than one port ")
+	discoveryCmd.PersistentFlags().StringVar(&flags.admissionArgs.SecretName, "admission-secret", "pilot-webhook",
+		"Name of k8s secret for pilot webhook certs")
+	discoveryCmd.PersistentFlags().DurationVar(&flags.admissionArgs.RegistrationDelay,
+		"admission-registration-delay", 5*time.Second,
+		"Time to delay webhook registration after starting webhook server")
+
 	cmd.AddFlags(rootCmd)
 	rootCmd.AddCommand(discoveryCmd)
 	rootCmd.AddCommand(cmd.VersionCmd)

model/BUILD

@@ -44,6 +44,7 @@ go_test(
 
 go_test(
     name = "go_default_xtest",
+    size = "small",
     srcs = ["config_test.go"],
     deps = [
         ":go_default_library",

platform/kube/admit/BUILD

@@ -0,0 +1,46 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["admit.go"],
+    visibility = ["//visibility:public"],
+    deps = [
+        "//adapter/config/crd:go_default_library",
+        "//model:go_default_library",
+        "@com_github_ghodss_yaml//:go_default_library",
+        "@com_github_golang_glog//:go_default_library",
+        "@io_k8s_api//admission/v1alpha1:go_default_library",
+        "@io_k8s_api//admissionregistration/v1alpha1:go_default_library",
+        "@io_k8s_api//core/v1:go_default_library",
+        "@io_k8s_apimachinery//pkg/api/errors:go_default_library",
+        "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
+        "@io_k8s_apimachinery//pkg/fields:go_default_library",
+        "@io_k8s_apiserver//pkg/admission:go_default_library",
+        "@io_k8s_client_go//kubernetes:go_default_library",
+        "@io_k8s_client_go//kubernetes/typed/admissionregistration/v1alpha1:go_default_library",
+        "@io_k8s_client_go//tools/cache:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    size = "small",
+    srcs = ["admit_test.go"],
+    data = glob(["testdata/**"]),
+    library = ":go_default_library",
+    deps = [
+        "//adapter/config/crd:go_default_library",
+        "//model:go_default_library",
+        "//model/test:go_default_library",
+        "//platform/kube:go_default_library",
+        "//platform/kube/admit/testcerts:go_default_library",
+        "//test/mock:go_default_library",
+        "@io_k8s_api//admission/v1alpha1:go_default_library",
+        "@io_k8s_api//admissionregistration/v1alpha1:go_default_library",
+        "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
+        "@io_k8s_apimachinery//pkg/runtime:go_default_library",
+        "@io_k8s_apiserver//pkg/admission:go_default_library",
+        "@io_k8s_client_go//kubernetes:go_default_library",
+        "@io_k8s_client_go//kubernetes/fake:go_default_library",
+    ],
+)