* webhook changes for observability
* go mod
* vendor
* Allow the webhook to accept a MetricsProvider. This makes it easier to unit test
Digging into OTel implementation it looks like instruments are cached.
Thus when different webhooks request the same instrument a cache lookup
for the instrument will occur.
* passthrough additional OTel interfaces
* linter fixes
* drop global meter in tests
* PR feedback
* PR feedback
* when recording the admission/conversion duration use the attributes from the labeler
* add a comment that otelhttp middleware creates the labeler
* simply code for readability
* change metric names to allow reuse across different webhook types
* fix linter
* tweak attribute names
* bump version strings
* bump go.mod
* run ./hack/update-deps.sh
* run ./hack/update-codegen.sh
* fix build
* fix fuzzing lib change
* switch fuzzers to use randfill
* run ./hack/update-deps.sh
* gofumpt file
* fix webhook build on go1.24
* ignore endpoint deprecation
* disable a staticcheck that isn't really that bad
* fix nolint directives
* don't use deprecated List and WatchFuncs
* fix deprecation of gengo.ExtractCommentTags
* apply demorgan's law where it makes sense
🐛 My previous change has revive/stylecheck warnings because I made the `warn` return value `[]error` and it wants the `error` last, which is kind of silly.
This mutes the linter on this signature, since it hits both revive and stylecheck
/kind bug
🧹 Previously we lacked a public method for turning our `apis.FieldError` multi-error into a list of constituent error messages, so when we turned things into a webhook warning we simply used the combined serialization of all of the warnings. Thanks to Nghia's recent change, we can now access the list of warnings to return as a list of errors.
/kind cleanup
* WIP: just one option exploration.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Another option. New signature and new type for configuration.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Use interfaces and type assertions.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* log custom config with debug.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Address PR feedback.
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
* Add support for admission webhook warnings.
This extends `apis.FieldError` to support designating certain FieldErrors as "warnings" (or explicitly as "errors", however, this is the default for back-compat).
You can turn an `apis.FieldError` into a warning using: `fe.At(apis.WarningLevel)` or force it into an error using: `fe.At(apis.ErrorLevel)`.
You can get the errors at a particular diagnostic level using: `fe.Filter(apis.WarningLevel)`.
This change also hooks this into the admission webhook infrastructure to support surfacing the "warning" level `apis.FieldError`s via the `Warnings` section of the `AdmissionResponse`.
Fixes: #2497
* Add a comment about the use of defer.
* Create IsInDelete context
* Set up context with WithinDelete
* Test for callback delete
* fix subresource update
* Return oldObj for deletes
* include delete in webhook config
* include delete in unit test
* don't log on delete
* Add new callback pattern to pkg
* include the context
* typo
* Remove the empty instance of unstructured
* initialize the unstructured var
* Eliminate the unneeded pointer
* Pass a pointer to unstructured callback
* Create a validation specific context struct
* Move callback tests to own unit test case
* Switch from converting to decoding
* Update webhook/resourcesemantics/validation/validation.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* don't wrap context and include params
* split validation files
* include 2020 copyright
* include unit test for WithKubeClient
* Don't bother updating copyright date
* Inclue a unit test for panic
* Move dryRun to context
* Include context dry run unit test
* put the request operation in the context
* eliminate circular dep
* move kubeclient test out of context_test
* dont bother iterating callback map
* Callback takes a list of supported verbs
* Remove extra type
* Ensure Callback interface is public
* Alias Operation into validation
* alias Operation right in Webhook
* Update webhook/resourcesemantics/validation/validation_admit.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* Update webhook/resourcesemantics/validation/validation_admit_test.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* Update webhook/resourcesemantics/validation/validation_admit_test.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* Update webhook/resourcesemantics/validation/validation_admit.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* Update webhook/resourcesemantics/validation/validation_admit.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* Update webhook/resourcesemantics/validation/validation_admit_test.go
Co-Authored-By: Victor Agababov <vagababov@gmail.com>
* correct parens
* minor style fixes
* Rename Callback to Func
* Fix build error
* Switch callback to take a list with a factory
* keep descriptive names
* update comment
* Drop pointer, correct comments
* Add a unit test to disallow duplicate verbs
* fix comments, struct{} for set
* switch to variadic arg for NewCallback
Co-authored-by: Victor Agababov <vagababov@gmail.com>
Dave Protasowski
cola
Matt Moore
Ville Aikas
Markus Thömmes
Josh Soref
Victor Agababov
whaught