Use sigs.k8s.io certwatcher for convsersion webhook TLS config

TheRealJon · TheRealJon · commit 16965cce3629 · 2023-12-14T10:55:17.000-05:00
diff --git a/pkg/cmd/crdconversionwebhook/cmd.go b/pkg/cmd/crdconversionwebhook/cmd.go
@@ -1,11 +1,15 @@
 package crdconversionwebhook
 
 import (
+	"context"
 	"crypto/tls"
 	"fmt"
 	"net/http"
 
 	"github.com/spf13/cobra"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	converter "github.com/openshift/console-operator/pkg/cmd/crdconversionwebhook/converter"
 )
@@ -31,22 +35,63 @@ func NewConverter() *cobra.Command {
 	return cmd
 }
 
-// Config contains the server (the webhook) cert and key.
-type Config struct {
-	CertFile string
-	KeyFile  string
-}
-
 func startServer() {
-	config := Config{CertFile: certFile, KeyFile: keyFile}
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// Initialize klog
+	klog.InitFlags(nil)
+	log.SetLogger(klog.NewKlogr()) // controller-runtime/log will complain if we don't set this
+
+	// Log flag values for debugging
+	klog.Infof("Starting console conversion webhook server")
+	klog.V(4).Infof("Using flags:\n\t--tls-cert-file %s\n\t--tls-private-key-file %s\n\t--port %d", certFile, keyFile, port)
+
+	// Initialize a new cert watcher with cert/key pair
+	klog.V(4).Infof("Creating cert watcher")
+	watcher, err := certwatcher.New(certFile, keyFile)
+	if err != nil {
+		klog.Fatalf("Error creating cert watcher: %v", err)
+	}
+
+	// Start goroutine with certwatcher running fsnotify against supplied certdir
+	go func() {
+		klog.V(4).Infof("Starting cert watcher")
+		if err := watcher.Start(ctx); err != nil {
+			klog.Fatalf("Cert watcher failed: %v", err)
+		}
+	}()
 
-	http.HandleFunc("/crdconvert", converter.ServeExampleConvert)
+	// Setup TLS config using GetCertficate for fetching the cert when it changes
+	tlsConfig := &tls.Config{
+		GetCertificate: watcher.GetCertificate,
+		NextProtos:     []string{"http/1.1"}, // Disable HTTP/2
+	}
+
+	// Create TLS listener
+	klog.V(4).Infof("Creating TLS listener on port %d", port)
+	listener, err := tls.Listen("tcp", fmt.Sprintf(":%d", port), tlsConfig)
+	if err != nil {
+		klog.Fatalf("Error creating TLS listener: %v", err)
+	}
+
+	// Setup handlers and server
+	http.HandleFunc("/crdconvert", converter.ServeConsolePluginConvert)
 	http.HandleFunc("/readyz", func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("ok")) })
-	clientset := getClient()
-	server := &http.Server{
-		Addr:         fmt.Sprintf(":%d", port),
-		TLSConfig:    configTLS(config, clientset),
-		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // disable HTTP/2
+	server := &http.Server{}
+
+	// Shutdown server on context cancellation
+	go func() {
+		<-ctx.Done()
+		klog.V(4).Info("Shutting down server")
+		if err := server.Shutdown(context.Background()); err != nil {
+			klog.Fatalf("Error shutting down server: %v", err)
+		}
+	}()
+
+	// Serve
+	klog.Infof("Serving on %s", listener.Addr().String())
+	if err = server.Serve(listener); err != nil && err != http.ErrServerClosed {
+		klog.Fatalf("Error serving: %v", err)
 	}
-	server.ListenAndServeTLS("", "")
 }
diff --git a/pkg/cmd/crdconversionwebhook/config.go b/pkg/cmd/crdconversionwebhook/config.go
diff --git a/pkg/cmd/crdconversionwebhook/converter/converter.go b/pkg/cmd/crdconversionwebhook/converter/converter.go
@@ -11,7 +11,7 @@ import (
 	"github.com/openshift/console-operator/pkg/api"
 )
 
-func convertCRD(object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status) {
+func convertConsolePlugin(object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status) {
 	originalObject := object.DeepCopy()
 	fromVersion := object.GetAPIVersion()
 	convertedObject := &unstructured.Unstructured{}
diff --git a/pkg/cmd/crdconversionwebhook/converter/converter_test.go b/pkg/cmd/crdconversionwebhook/converter/converter_test.go
@@ -290,7 +290,7 @@ spec:
 			unstructuredOriginalObject := getUnstructuredObject(t, tc.originalObject)
 			unstructuredWantedObject := getUnstructuredObject(t, tc.wantedObject)
 
-			convertedCR, status := convertCRD(unstructuredOriginalObject, unstructuredWantedObject.GetAPIVersion())
+			convertedCR, status := convertConsolePlugin(unstructuredOriginalObject, unstructuredWantedObject.GetAPIVersion())
 			if status.Status == metav1.StatusFailure {
 				t.Errorf("error converting object: %s", status.Message)
 			}
diff --git a/pkg/cmd/crdconversionwebhook/converter/framework.go b/pkg/cmd/crdconversionwebhook/converter/framework.go
@@ -1,6 +1,7 @@
 package converter
 
 import (
+	"bytes"
 	"fmt"
 	"io"
 	"net/http"
@@ -83,15 +84,14 @@ func serve(w http.ResponseWriter, r *http.Request, convert convertFunc) {
 		return
 	}
 
-	klog.Infof("handling request: %v", body)
+	klog.V(4).Infof("Handling request body: \n%v", string(body))
 	obj, gvk, err := serializer.Decode(body, nil, nil)
 	if err != nil {
 		msg := fmt.Sprintf("failed to deserialize body (%v) with error %v", string(body), err)
 		klog.Error(err)
 		http.Error(w, msg, http.StatusBadRequest)
 		return
 	}
-
 	var responseObj runtime.Object
 	switch *gvk {
 	case v1.SchemeGroupVersion.WithKind("ConversionReview"):
@@ -104,8 +104,6 @@ func serve(w http.ResponseWriter, r *http.Request, convert convertFunc) {
 		}
 		convertReview.Response = doConversionV1(convertReview.Request, convert)
 		convertReview.Response.UID = convertReview.Request.UID
-		klog.Info(fmt.Sprintf("sending response: %v", convertReview.Response))
-
 		// reset the request, it is not needed in a response.
 		convertReview.Request = &v1.ConversionRequest{}
 		responseObj = convertReview
@@ -124,17 +122,21 @@ func serve(w http.ResponseWriter, r *http.Request, convert convertFunc) {
 		http.Error(w, msg, http.StatusBadRequest)
 		return
 	}
-	err = outSerializer.Encode(responseObj, w)
+
+	var responseBuffer bytes.Buffer
+	err = outSerializer.Encode(responseObj, &responseBuffer)
 	if err != nil {
 		klog.Error(err)
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
+	klog.V(4).Infof("Sending response: \n%v", responseBuffer.String())
+	w.Write(responseBuffer.Bytes())
 }
 
-// ServeExampleConvert servers endpoint for the example converter defined as convertExampleCRD function.
-func ServeExampleConvert(w http.ResponseWriter, r *http.Request) {
-	serve(w, r, convertCRD)
+// ServeConsolePluginConvert serves endpoint for the console converter defined as convertCRD function.
+func ServeConsolePluginConvert(w http.ResponseWriter, r *http.Request) {
+	serve(w, r, convertConsolePlugin)
 }
 
 type mediaType struct {

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import (`
`11`	`11`	`"github.com/openshift/console-operator/pkg/api"`
`12`	`12`	`)`
`13`	`13`
`14`		`-func convertCRD(object unstructured.Unstructured, toVersion string) (unstructured.Unstructured, metav1.Status) {`
	`14`	`+func convertConsolePlugin(object unstructured.Unstructured, toVersion string) (unstructured.Unstructured, metav1.Status) {`
`15`	`15`	`originalObject := object.DeepCopy()`
`16`	`16`	`fromVersion := object.GetAPIVersion()`
`17`	`17`	`convertedObject := &unstructured.Unstructured{}`
Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,7 @@ spec:`
`290`	`290`	`unstructuredOriginalObject := getUnstructuredObject(t, tc.originalObject)`
`291`	`291`	`unstructuredWantedObject := getUnstructuredObject(t, tc.wantedObject)`
`292`	`292`
`293`		`- convertedCR, status := convertCRD(unstructuredOriginalObject, unstructuredWantedObject.GetAPIVersion())`
	`293`	`+ convertedCR, status := convertConsolePlugin(unstructuredOriginalObject, unstructuredWantedObject.GetAPIVersion())`
`294`	`294`	`if status.Status == metav1.StatusFailure {`
`295`	`295`	`t.Errorf("error converting object: %s", status.Message)`
`296`	`296`	`}`