sets mutating webhook ReinvocationPolicy to ifNeeded (#2472)

Signed-off-by: Paul S. Schweigert <paulschw@us.ibm.com>
2022-06-07 11:53:37 -04:00 · 2022-06-07 11:53:37 -04:00 · aad4309963
parent 9ffe192ee6
commit aad4309963
5 changed files with 66 additions and 34 deletions
--- a/webhook/psbinding/psbinding.go
+++ b/webhook/psbinding/psbinding.go
@ -351,6 +351,7 @@ func (ac *Reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 			return fmt.Errorf("missing service reference for webhook: %s", wh.Name)
 		}
 		cur.ClientConfig.Service.Path = ptr.String(ac.Path())
+		cur.ReinvocationPolicy = ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy)
 	}

 	if ok := equality.Semantic.DeepEqual(configuredWebhook, current); !ok {
@ -364,3 +365,7 @@ func (ac *Reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 	}
 	return nil
 }
+
+func ptrReinvocationPolicyType(r admissionregistrationv1.ReinvocationPolicyType) *admissionregistrationv1.ReinvocationPolicyType {
+	return &r
+}
--- a/webhook/psbinding/table_test.go
+++ b/webhook/psbinding/table_test.go
@ -362,8 +362,9 @@ func TestWebhookReconcile(t *testing.T) {
 					// MatchPolicy is added.
 					MatchPolicy: &equivalent,
 					// Selectors are added.
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -396,6 +397,8 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"innerdefaultresources/*"},
 						},
 					}},
+					// Incorrect
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.NeverReinvocationPolicy),
 				}},
 			},
 		},
@ -421,8 +424,9 @@ func TestWebhookReconcile(t *testing.T) {
 					// MatchPolicy is added.
 					MatchPolicy: &equivalent,
 					// Selectors are added.
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -484,8 +488,9 @@ func TestWebhookReconcile(t *testing.T) {
 					// MatchPolicy is added.
 					MatchPolicy: &equivalent,
 					// Selectors are added.
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -514,8 +519,9 @@ func TestWebhookReconcile(t *testing.T) {
 					// MatchPolicy is fine.
 					MatchPolicy: &equivalent,
 					// Selectors are fine.
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		},
@ -589,9 +595,10 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"knoodles/*"},
 						},
 					}},
-					MatchPolicy:       &equivalent,
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					MatchPolicy:        &equivalent,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -663,9 +670,10 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"knoodles/*"},
 						},
 					}},
-					MatchPolicy:       &equivalent,
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					MatchPolicy:        &equivalent,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		},
@ -751,9 +759,10 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"knoodles/*"},
 						},
 					}},
-					MatchPolicy:       &equivalent,
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					MatchPolicy:        &equivalent,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		},
@ -812,9 +821,10 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"deployments/*"},
 						},
 					}},
-					MatchPolicy:       &equivalent,
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					MatchPolicy:        &equivalent,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		},
@ -918,9 +928,10 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"knoodles/*"},
 						},
 					}},
-					MatchPolicy:       &equivalent,
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					MatchPolicy:        &equivalent,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -969,8 +980,9 @@ func TestWebhookReconcile(t *testing.T) {
 					// MatchPolicy is fine.
 					MatchPolicy: &equivalent,
 					// Selectors are fine.
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		},
@ -998,9 +1010,10 @@ func TestWebhookReconcile(t *testing.T) {
 							Resources:   []string{"knoodles/*"},
 						},
 					}},
-					MatchPolicy:       &equivalent,
-					NamespaceSelector: &ExclusionSelector,
-					ObjectSelector:    &ExclusionSelector,
+					MatchPolicy:        &equivalent,
+					NamespaceSelector:  &ExclusionSelector,
+					ObjectSelector:     &ExclusionSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
--- a/webhook/resourcesemantics/defaulting/defaulting.go
+++ b/webhook/resourcesemantics/defaulting/defaulting.go
@ -245,6 +245,8 @@ func (ac *reconciler) reconcileMutatingWebhook(ctx context.Context, caCert []byt
 			return fmt.Errorf("missing service reference for webhook: %s", wh.Name)
 		}
 		cur.ClientConfig.Service.Path = ptr.String(ac.Path())
+
+		cur.ReinvocationPolicy = ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy)
 	}

 	if ok, err := kmp.SafeEqual(configuredWebhook, current); err != nil {
@ -471,3 +473,7 @@ func setDefaults(ctx context.Context, patches duck.JSONPatch, crd resourcesemant

 	return append(patches, patch...), nil
 }
+
+func ptrReinvocationPolicyType(r admissionregistrationv1.ReinvocationPolicyType) *admissionregistrationv1.ReinvocationPolicyType {
+	return &r
+}
--- a/webhook/resourcesemantics/defaulting/defaulting_test.go
+++ b/webhook/resourcesemantics/defaulting/defaulting_test.go
@ -125,6 +125,7 @@ var (
 					Name:      "webhook",
 				},
 			},
+			ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 		}},
 	}
 )
--- a/webhook/resourcesemantics/defaulting/table_test.go
+++ b/webhook/resourcesemantics/defaulting/table_test.go
@ -209,8 +209,9 @@ func TestReconcile(t *testing.T) {
 						CABundle: []byte("present"),
 					},
 					// Rules are added.
-					Rules:             expectedRules,
-					NamespaceSelector: namespaceSelector,
+					Rules:              expectedRules,
+					NamespaceSelector:  namespaceSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -243,6 +244,8 @@ func TestReconcile(t *testing.T) {
 							Resources:   []string{"innerdefaultresources", "innerdefaultresources/status"},
 						},
 					}},
+					// Incorrect
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.NeverReinvocationPolicy),
 				}},
 			},
 		},
@ -265,8 +268,9 @@ func TestReconcile(t *testing.T) {
 						CABundle: []byte("present"),
 					},
 					// Rules are fixed.
-					Rules:             expectedRules,
-					NamespaceSelector: namespaceSelector,
+					Rules:              expectedRules,
+					NamespaceSelector:  namespaceSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -325,8 +329,9 @@ func TestReconcile(t *testing.T) {
 						CABundle: []byte("present"),
 					},
 					// Rules are fixed.
-					Rules:             expectedRules,
-					NamespaceSelector: namespaceSelector,
+					Rules:              expectedRules,
+					NamespaceSelector:  namespaceSelector,
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},
@ -363,6 +368,7 @@ func TestReconcile(t *testing.T) {
 							Operator: metav1.LabelSelectorOpDoesNotExist,
 						}},
 					},
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		},
@ -429,6 +435,7 @@ func TestReconcile(t *testing.T) {
 							Operator: metav1.LabelSelectorOpDoesNotExist,
 						}},
 					},
+					ReinvocationPolicy: ptrReinvocationPolicyType(admissionregistrationv1.IfNeededReinvocationPolicy),
 				}},
 			},
 		}},