* bump k8s deps to v1.20.7
* fix migrator test pkg
* dynamicclient now expects List types to be declare either via a scheme or manually
* fix error message comparison
* drop excess vendor licenses
* Using the injection fake dynamic client will preserve pre-1.20 behaviour
This is accomplished by preprocessing the scheme/fixtures and declaring
a custom scheme were we map our types & lists to unstructured.* types
* revert webhook factory changes
* ensure objects to the dynamic client are unstructured
* seed the default dynamic client with k8s scheme
* include duckv1 types in default fake dynamic client scheme
* use default k8s scheme
looks like eventing adds to this scheme but we should import the correct one vs the one from the fake package
* drop duckv1 from default scheme
* set APIVersion/Kind if empty
* refactor ToUnstructured helper to a new package
* Switch to ed25519 and change the timeout of the certificate to seven days.
* Update comments to reflect the new grace period.
* Use oneWeek constant.
This change introduces a new `controller.NewSkipKey` method to designate certain reconciliations as "skipped".
The primary motivation for this is to squelch useless logging on non-leader replicas, which currently report success with trivial latency.
I have plumbed this through existing reconcilers and the code-gen so most things downstream should get this for free. In places where a key is observed, I do not mark the reconcile as skipped as the reconciler did some processing for which the awareness of side-effects and reported latency may be interesting.
* Add smart handling of selectors in webhooks
This is an alternative fix for #1590. Instead of arbitrarily adding a label from a different project to avoid the reconcilers racing, this adds "smart" handling of the selectors in that labels not inside the knative.dev domain are plainly ignored and our own selectors are added additively.
* Fix formatting
* Fix missing variable usage
* Factor index out of Reconciler
Applying multiple Bindings to the same subject makes the reconciler more
complex, so split out the index handling.
* unexport contents of index.go
* Apply multiple bindings to the same subject
The affected files are actually copyright 2019-2020,
but boilerplate-check fails if this is used. See:
https://github.com/mattmoor/boilerplate-check/issues/22
Fixes https://github.com/knative/pkg/issues/1786
* Enable golint and exclude some other generated or additional dirs
Also remove `test` ignore, since it's covered by path ignore rule.
* meh
* fixes
* more
* progressing
* further
* like a boss
Common use cases for this webhook involve using Kubernetes's
generateName API to randomise resource names (this is a good
idea in Tekton pipelines, for example, where there are uniqueness
constraints. That means that the webhook metrics here end up with
very high cardinality, which makes Prometheus fall over. Even
without generateName, it is possible to shoot oneself in the foot.
This commit just removes the resource_name label altogether.
* Remove patch detail for webhook being logged on info
It might contain the sensitive data so print it to debug log
* Pass admission review info to the fields in structured logging
* Remove knative namespace from admission webhook logkey
* Use loosely-typed key-value pairs for suggered logger in admission wb
* Move admission specific logkey to local package
* Print patch type with patch body on debug log
We still see users frequently struggle with this and the error message seemingly doesn't help them. This gives a more explicit description of what the user can do to fix the situation.
* Various cleanups around the codebase
- unindent the else after return
- make things private that are not used anywhere
- rearrange params
- etc
* add
* include a filter on control plane namespaces for defaulting and validation webhooks from knative/pkg
* Update unit tests to include control-plane
* adding a comment to explain why we are adding 'control-plane' to the webhook config
* Use two lane queue instead of the regular workqueue
- we need to poll for len in the webhook tests because we have async propagation now, and check at the wrong time will be not correct.
- otherwise just a drop in replacement.
* update test
* cmt
* tests hardened
* Implement a new shared "Drainer" handler.
This implements a new `http.Handler` called `Drainer`, which is intended to wrap some inner `http.Handler` business logic with a new outer handler that can respond to Kubelet probes (successfully until told to "Drain()").
This takes over the webhook's relatively new probe handling and lame duck logic with one key difference. Previously the webhook waited for a fixed period after SIGTERM before exitting, but the new logic waits for this same grace period AFTER THE LAST REQUEST. So if the handler keeps getting (non-probe) requests, the timer will continually reset, and once it stops receiving requests for the configured grace period, "Drain()" will return and the webhook will exit.
The goal of this work is to try to better cope with what we believe to be high tail latencies of the API server seeing that a webhook replica is shutting down.
Related: https://github.com/knative/pkg/issues/1509
* Switch to RWLock
Matt Moore
NovaHe
Dave Protasowski
Markus Thömmes
Evan Anderson
Jason Hall
Adam Harwayne
Matt Moore
Glyn Normington
Arghya Sadhu
Victor Agababov
Lionel Villard
Josh Soref
tianfeiyu
James Turley
Riccardo Piccoli
Tsubasa Nagasawa
Zbynek Roubalik
Scott Nichols