Add webhookconfiguration options to tektonConfig additional options

tektoncd · Jun 6, 2024 · f960f5e · f960f5e
1 parent 618e1c6
commit f960f5e
Show file tree

Hide file tree

Showing 14 changed files with 348 additions and 13 deletions.
diff --git a/docs/TektonConfig.md b/docs/TektonConfig.md
@@ -88,6 +88,7 @@ The TektonConfig CR provides the following features
         disabled: false
         configMaps: {}
         deployments: {}
+        webhookConfigurationOptions: {}
     pruner:
       disabled: false
       schedule: "0 8 * * *"
@@ -106,12 +107,14 @@ The TektonConfig CR provides the following features
         disabled: false
         configMaps: {}
         deployments: {}
+        webhookConfigurationOptions: {}
     dashboard:
       readonly: true
       options:
         disabled: false
         configMaps: {}
         deployments: {}
+        webhookConfigurationOptions: {}
     platforms:
       openshift:
         pipelinesAsCode:
@@ -144,6 +147,7 @@ The TektonConfig CR provides the following features
           disabled: false
           configMaps: {}
           deployments: {}
+          webhookConfigurationOptions: {}
 ```
 Look for the particular section to understand a particular field in the spec.
 
@@ -560,6 +564,15 @@ options:
               averageUtilization: 85
               type: Utilization
           type: Resource
+  webhookConfigurationOptions:
+    validation.webhook.pipeline.tekton.dev:
+      failurePolicy: Fail
+      timeoutSeconds: 20
+      sideEffects: None
+    webhook.pipeline.tekton.dev:
+      failurePolicy: Fail
+      timeoutSeconds: 20
+      sideEffects: None
 ```
 * `disabled` - disables the additional `options` support, if `disabled` set to `true`. default: `false`
 
@@ -655,6 +668,14 @@ The following fields are supported in `HorizontalPodAutoscaler` (aka HPA)
 
 **NOTE**: If a Deployment or StatefulSet has a Horizontal Pod Autoscaling (HPA) and is in active state, Operator will not control the replicas to that resource. However if `status.desiredReplicas` and `spec.minReplicas` not present in HPA, operator takes the control. Also if HPA disabled, operator takes control. Even though the operator takes the control, the replicas value will be adjusted to the hpa's scaling range.
 
+#### webhookConfigurationOptions
+Defines additional options for each webhooks. Use webhook name as a key to define options for a webhook. Options are ignored if the webhook does not exist with the name key. To get detailed information about webhooks options visit https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
+
+the following options are supported for webhookConfigurationOptions
+* `failurePolicy` -  defines how unrecognized errors and timeout errors from the admission webhook are handled. Allowed values are `Ignore` or `Fail`
+* `timeoutSeconds` - allows configuring how long the API server should wait for a webhook to respond before treating the call as a failure.
+* `sideEffects` -  indicates whether the webhook have a side effet. Allowed values are `None`, `NoneOnDryRun`, `Unknown`, or `Some`
+
 [node-selector]:https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
 [tolerations]:https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
 [schedule]:https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax

diff --git a/docs/TektonPipeline.md b/docs/TektonPipeline.md
@@ -58,6 +58,10 @@ spec:
     threads-per-controller: 2
     kube-api-qps: 5.0
     kube-api-burst: 10
+  options:
+    disabled: false
+    configMaps: {}
+    deployments: {}
 ```
 You can install this component using [TektonConfig](./TektonConfig.md) by choosing appropriate `profile`.
 

diff --git a/hack/fetch-releases.sh b/hack/fetch-releases.sh
@@ -280,8 +280,8 @@ copy_pruner_yaml() {
   srcPath=${SCRIPT_DIR}/config/pruner
   ko_data=${SCRIPT_DIR}/cmd/${TARGET}/operator/kodata
   dstPath=${ko_data}/tekton-pruner
-  rm $dstPath -rf
-  cp $srcPath $dstPath -r
+  rm -rf $dstPath
+  cp -r $srcPath $dstPath
 }
 
 main() {

diff --git a/pkg/apis/operator/v1alpha1/additional_options.go b/pkg/apis/operator/v1alpha1/additional_options.go
@@ -25,9 +25,10 @@ import (
 // additional options will be updated on the manifests
 // these values will be final
 type AdditionalOptions struct {
-	Disabled                 *bool                                            `json:"disabled,omitempty"`
-	ConfigMaps               map[string]corev1.ConfigMap                      `json:"configMaps,omitempty"`
-	Deployments              map[string]appsv1.Deployment                     `json:"deployments,omitempty"`
-	HorizontalPodAutoscalers map[string]autoscalingv2.HorizontalPodAutoscaler `json:"horizontalPodAutoscalers,omitempty"`
-	StatefulSets             map[string]appsv1.StatefulSet                    `json:"statefulSets,omitempty"`
+	Disabled                    *bool                                            `json:"disabled,omitempty"`
+	ConfigMaps                  map[string]corev1.ConfigMap                      `json:"configMaps,omitempty"`
+	Deployments                 map[string]appsv1.Deployment                     `json:"deployments,omitempty"`
+	HorizontalPodAutoscalers    map[string]autoscalingv2.HorizontalPodAutoscaler `json:"horizontalPodAutoscalers,omitempty"`
+	StatefulSets                map[string]appsv1.StatefulSet                    `json:"statefulSets,omitempty"`
+	WebhookConfigurationOptions map[string]WebhookConfigurationOptions           `json:"webhookConfigurationOptions,omitempty"`
 }
diff --git a/pkg/apis/operator/v1alpha1/additional_options_validation.go b/pkg/apis/operator/v1alpha1/additional_options_validation.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2024 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	"knative.dev/pkg/apis"
+)
+
+var (
+	validatePipelineWebhookConfigurationFailurePolicy = sets.NewString("Ignore", "Fail")
+	validatePipelineWebhookConfigurationSideEffects   = sets.NewString("NoneOnDryRun", "None", "Unknown", "Some")
+)
+
+func (w *WebhookConfigurationOptions) validate(path string) (errs *apis.FieldError) {
+	if w.FailurePolicy != nil && !validatePipelineWebhookConfigurationFailurePolicy.Has(string(*w.FailurePolicy)) {
+		errs = errs.Also(apis.ErrInvalidValue(*w.FailurePolicy, fmt.Sprintf("%s.webhookconfigurationoptions.failurePolicy", path)))
+	}
+	if w.SideEffects != nil && !validatePipelineWebhookConfigurationSideEffects.Has(string(*w.SideEffects)) {
+		errs = errs.Also(apis.ErrInvalidValue(*w.SideEffects, fmt.Sprintf("%s.webhookconfigurationoptions.sideEffects", path)))
+	}
+	return errs
+}
+
+func (op *AdditionalOptions) validate(path string) (errs *apis.FieldError) {
+	if op.WebhookConfigurationOptions != nil {
+		for _, webhookConfig := range op.WebhookConfigurationOptions {
+			return webhookConfig.validate(path)
+		}
+	}
+	return errs
+}
diff --git a/pkg/apis/operator/v1alpha1/tektonconfig_validation.go b/pkg/apis/operator/v1alpha1/tektonconfig_validation.go
@@ -115,6 +115,12 @@ func (tc *TektonConfig) Validate(ctx context.Context) (errs *apis.FieldError) {
 
 	errs = errs.Also(tc.Spec.Pipeline.PipelineProperties.validate("spec.pipeline"))
 
+	errs = errs.Also(tc.Spec.Pipeline.Options.validate("spec.pipeline.options"))
+	errs = errs.Also(tc.Spec.Hub.Options.validate("spec.hub.options"))
+	errs = errs.Also(tc.Spec.Dashboard.Options.validate("spec.dashboard.options"))
+	errs = errs.Also(tc.Spec.Chain.Options.validate("spec.chain.options"))
+	errs = errs.Also(tc.Spec.Trigger.Options.validate("spec.trigger.options"))
+
 	return errs.Also(tc.Spec.Trigger.TriggersProperties.validate("spec.trigger"))
 }
 

diff --git a/pkg/apis/operator/v1alpha1/tektonconfig_validation_test.go b/pkg/apis/operator/v1alpha1/tektonconfig_validation_test.go
@@ -21,6 +21,7 @@ import (
 	"testing"
 
 	"gotest.tools/v3/assert"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"knative.dev/pkg/apis"
 )
@@ -207,6 +208,37 @@ func Test_ValidateTektonConfig_InvalidPipelineProperties(t *testing.T) {
 	assert.Equal(t, "invalid value: test: spec.pipeline.enable-api-fields", err.Error())
 }
 
+func Test_ValidateTektonConfig_InvalidPipelineOptions(t *testing.T) {
+	invalidPolicy := admissionregistrationv1.FailurePolicyType("InvalidPolicy")
+	sideEffectUnknown := admissionregistrationv1.SideEffectClassUnknown
+	tc := &TektonConfig{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "config",
+			Namespace: "namespace",
+		},
+		Spec: TektonConfigSpec{
+			CommonSpec: CommonSpec{
+				TargetNamespace: "namespace",
+			},
+			Profile: "all",
+			Pipeline: Pipeline{
+				Options: AdditionalOptions{
+					WebhookConfigurationOptions: map[string]WebhookConfigurationOptions{
+						"validation.webhook.tekton.dev": WebhookConfigurationOptions{
+							FailurePolicy: &invalidPolicy,
+							SideEffects:   &sideEffectUnknown,
+						},
+					},
+				},
+			},
+			Pruner: Prune{Disabled: true},
+		},
+	}
+
+	err := tc.Validate(context.TODO())
+	assert.Equal(t, "invalid value: InvalidPolicy: spec.pipeline.options.webhookconfigurationoptions.failurePolicy", err.Error())
+}
+
 func Test_ValidateTektonConfig_InvalidTriggerProperties(t *testing.T) {
 
 	tc := &TektonConfig{

diff --git a/pkg/apis/operator/v1alpha1/tektonpipeline_types.go b/pkg/apis/operator/v1alpha1/tektonpipeline_types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 )
@@ -143,6 +144,13 @@ type OptionalPipelineProperties struct {
 	DefaultResolverType                 string `json:"default-resolver-type,omitempty"`
 }
 
+// WebhookOptions defines options for webhooks
+type WebhookConfigurationOptions struct {
+	FailurePolicy  *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
+	TimeoutSeconds *int32                                     `json:"timeoutSeconds,omitempty"`
+	SideEffects    *admissionregistrationv1.SideEffectClass   `json:"sideEffects,omitempty"`
+}
+
 // PipelineMetricsProperties defines the fields which are configurable for
 // metrics
 type PipelineMetricsProperties struct {

diff --git a/pkg/apis/operator/v1alpha1/tektonpipeline_validation.go b/pkg/apis/operator/v1alpha1/tektonpipeline_validation.go
@@ -49,7 +49,11 @@ func (tp *TektonPipeline) Validate(ctx context.Context) (errs *apis.FieldError)
 	// execute common spec validations
 	errs = errs.Also(tp.Spec.CommonSpec.validate("spec"))
 
-	return errs.Also(tp.Spec.PipelineProperties.validate("spec"))
+	errs = errs.Also(tp.Spec.PipelineProperties.validate("spec"))
+
+	errs = errs.Also(tp.Spec.Options.validate("spec"))
+
+	return errs
 }
 
 func (p *PipelineProperties) validate(path string) (errs *apis.FieldError) {

diff --git a/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/operator/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/reconciler/common/testdata/test-additional-options-base-webhook.yaml b/pkg/reconciler/common/testdata/test-additional-options-base-webhook.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validation.webhook.pipeline.tekton.dev
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+    pipeline.tekton.dev/release: "v0.58.0"
+webhooks:
+  - admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: tekton-pipelines-webhook
+        namespace: tekton-pipelines
+    failurePolicy: Fail
+    sideEffects: None
+    name: validation.webhook.pipeline.tekton.dev
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: webhook.pipeline.tekton.dev
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+    pipeline.tekton.dev/release: "v0.58.0"
+webhooks:
+  - admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: tekton-pipelines-webhook
+        namespace: tekton-pipelines
+    failurePolicy: Fail
+    sideEffects: None
+    name: webhook.pipeline.tekton.dev
diff --git a/pkg/reconciler/common/testdata/test-additional-options-test-webhook.yaml b/pkg/reconciler/common/testdata/test-additional-options-test-webhook.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: validation.webhook.pipeline.tekton.dev
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+    pipeline.tekton.dev/release: "v0.58.0"
+webhooks:
+  - admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: tekton-pipelines-webhook
+        namespace: tekton-pipelines
+    failurePolicy: Ignore
+    timeoutSeconds: 10
+    sideEffects: Unknown
+    name: validation.webhook.pipeline.tekton.dev
+
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: webhook.pipeline.tekton.dev
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+    pipeline.tekton.dev/release: "v0.58.0"
+webhooks:
+  - admissionReviewVersions: ["v1"]
+    clientConfig:
+      service:
+        name: tekton-pipelines-webhook
+        namespace: tekton-pipelines
+    failurePolicy: Fail
+    timeoutSeconds: 10
+    sideEffects: None
+    name: webhook.pipeline.tekton.dev