Update to Knative 1.1 (#502)

Author: mattmoor

.github/workflows/minkind-cosigned.yaml

@@ -95,9 +95,6 @@ jobs:
     - name: Run cosigned e2e tests
       working-directory: ./src/github.com/mattmoor/mink
       run: |
-        # Update the cosign verification-key secret with a proper key pair.
-        cosign generate-key-pair k8s://mink-system/verification-key
-
         sed -i 's/cosign-system/mink-system/g' ./vendor/github.com/sigstore/cosign/test/e2e_test_cosigned.sh
         bash ./vendor/github.com/sigstore/cosign/test/e2e_test_cosigned.sh
 

cmd/webhook/cosigned.go

@@ -21,45 +21,53 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
+	batchv1beta1 "k8s.io/api/batch/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/webhook/resourcesemantics"
+	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	servingv1 "knative.dev/serving/pkg/apis/serving/v1"
 
 	cwebhook "github.com/sigstore/cosign/pkg/cosign/kubernetes/webhook"
 )
 
-func newCosignedWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+var cosignedTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
+	corev1.SchemeGroupVersion.WithKind("Pod"): &duckv1.Pod{},
+
+	appsv1.SchemeGroupVersion.WithKind("ReplicaSet"):  &duckv1.WithPod{},
+	appsv1.SchemeGroupVersion.WithKind("Deployment"):  &duckv1.WithPod{},
+	appsv1.SchemeGroupVersion.WithKind("StatefulSet"): &duckv1.WithPod{},
+	appsv1.SchemeGroupVersion.WithKind("DaemonSet"):   &duckv1.WithPod{},
+	batchv1.SchemeGroupVersion.WithKind("Job"):        &duckv1.WithPod{},
+
+	batchv1.SchemeGroupVersion.WithKind("CronJob"):      &duckv1.CronJob{},
+	batchv1beta1.SchemeGroupVersion.WithKind("CronJob"): &duckv1.CronJob{},
+
+	servingv1.SchemeGroupVersion.WithKind("Service"): &duckv1.WithPod{},
+}
+
+func newCosignedValidatingWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
 	validator := cwebhook.NewValidator(ctx, *secretName)
 
 	return validation.NewAdmissionController(ctx,
 		// Name of the resource webhook.
 		"cosigned.mink.knative.dev",
 
 		// The path on which to serve the webhook.
-		"/cosigned",
+		"/validations",
 
 		// The resources to validate.
-		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
-			corev1.SchemeGroupVersion.WithKind("Pod"): &duckv1.Pod{},
-
-			appsv1.SchemeGroupVersion.WithKind("ReplicaSet"):  &duckv1.WithPod{},
-			appsv1.SchemeGroupVersion.WithKind("Deployment"):  &duckv1.WithPod{},
-			appsv1.SchemeGroupVersion.WithKind("StatefulSet"): &duckv1.WithPod{},
-			appsv1.SchemeGroupVersion.WithKind("DaemonSet"):   &duckv1.WithPod{},
-			batchv1.SchemeGroupVersion.WithKind("Job"):        &duckv1.WithPod{},
-
-			servingv1.SchemeGroupVersion.WithKind("Service"): &duckv1.WithPod{},
-		},
+		cosignedTypes,
 
 		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
 		func(ctx context.Context) context.Context {
 			ctx = duckv1.WithPodValidator(ctx, validator.ValidatePod)
 			ctx = duckv1.WithPodSpecValidator(ctx, validator.ValidatePodSpecable)
+			ctx = duckv1.WithCronJobValidator(ctx, validator.ValidateCronJob)
 			return ctx
 		},
 
@@ -71,3 +79,30 @@ func newCosignedWebhook(ctx context.Context, cmw configmap.Watcher) *controller.
 		nil,
 	)
 }
+
+func newCosignedMutatingWebhook(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
+	validator := cwebhook.NewValidator(ctx, *secretName)
+
+	return defaulting.NewAdmissionController(ctx,
+		// Name of the resource webhook.
+		"cosigned.mink.knative.dev",
+
+		// The path on which to serve the webhook.
+		"/mutations",
+
+		// The resources to validate.
+		cosignedTypes,
+
+		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
+		func(ctx context.Context) context.Context {
+			ctx = duckv1.WithPodDefaulter(ctx, validator.ResolvePod)
+			ctx = duckv1.WithPodSpecDefaulter(ctx, validator.ResolvePodSpecable)
+			ctx = duckv1.WithCronJobDefaulter(ctx, validator.ResolveCronJob)
+			return ctx
+		},
+
+		// Whether to disallow unknown fields.
+		// We pass false because we're using partial schemas.
+		false,
+	)
+}

cmd/webhook/main.go

@@ -88,8 +88,6 @@ func main() {
 	flag.StringVar(&opts.Images.GsutilImage, "gsutil-image", "", "The container image containing gsutil")
 	flag.StringVar(&opts.Images.PRImage, "pr-image", "", "The container image containing our PR binary.")
 	flag.StringVar(&opts.Images.ImageDigestExporterImage, "imagedigest-exporter-image", "", "The container image containing our image digest exporter binary.")
-	flag.BoolVar(&opts.ExperimentalDisableResolution, "experimental-disable-in-tree-resolution", false,
-		"Disable resolution of taskrun and pipelinerun refs by the taskrun and pipelinerun reconcilers.")
 
 	flag.Parse()
 
@@ -122,7 +120,8 @@ func main() {
 		newValidationAdmissionController,
 		newConfigValidationController,
 		newConversionController,
-		newCosignedWebhook,
+		newCosignedValidatingWebhook,
+		newCosignedMutatingWebhook,
 
 		// Serving resource controllers.
 		configuration.NewController,

config/core/200-imported/200-eventing/100-resources/apiserversource.yaml

@@ -22,7 +22,7 @@ metadata:
     duck.knative.dev/source: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   annotations:
     # TODO add schemas and descriptions
     registry.knative.dev/eventTypes: |

config/core/200-imported/200-eventing/100-resources/broker.yaml

@@ -21,7 +21,7 @@ metadata:
     knative.dev/crd-install: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: eventing.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/channel.yaml

@@ -22,7 +22,7 @@ metadata:
     messaging.knative.dev/subscribable: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: messaging.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/containersource.yaml

@@ -21,7 +21,7 @@ metadata:
     duck.knative.dev/source: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   name: containersources.sources.knative.dev
 spec:
   group: sources.knative.dev

config/core/200-imported/200-eventing/100-resources/eventtype.yaml

@@ -19,7 +19,7 @@ metadata:
     knative.dev/release: devel
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: eventing.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/parallel.yaml

@@ -20,7 +20,7 @@ metadata:
     knative.dev/crd-install: "true"
     duck.knative.dev/addressable: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
 spec:
   group: flows.knative.dev
   versions:

config/core/200-imported/200-eventing/100-resources/pingsource.yaml

@@ -21,7 +21,7 @@ metadata:
     duck.knative.dev/source: "true"
     knative.dev/crd-install: "true"
     app.kubernetes.io/version: devel
-    app.kubernetes.io/part-of: mink-system
+    app.kubernetes.io/name: mink-system
   annotations:
     # TODO add schemas and descriptions
     registry.knative.dev/eventTypes: |