cluster/admitomatic: auto-restart on config change, clean up

- add admitomatic config hash to pod annotation to force kubernetes to restart the service after config change - clean up Go deprecations - default admitomatic to deny admission to unknown objects Change-Id: Icd3f684583ec87ff38a70886fd845e79bba9addf Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2108 Reviewed-by: informatic <informatic@hackerspace.pl>
2025-03-21 06:24:52 +00:00 · 2025-01-09 10:32:48 +01:00 · 2025-01-09 10:32:48 +01:00 · cc43f3189d
commit cc43f3189d
parent 9071403eec
4 changed files with 25 additions and 8 deletions
--- a/cluster/admitomatic/BUILD.bazel
+++ b/cluster/admitomatic/BUILD.bazel
@ -66,6 +66,6 @@ oci_image(
 oci_push(
    name = "push",
    image = ":runtime",
-    remote_tags = ["20250112172554"],
+    remote_tags = ["20250121182713"],
    repository = "registry.k0.hswaw.net/radex/admitomatic",
 )
--- a/cluster/admitomatic/main.go
+++ b/cluster/admitomatic/main.go
@ -3,7 +3,8 @@ package main
 import (
 	"context"
 	"flag"
-	"io/ioutil"
+	"os"
+
 	"net/http"
 	"time"

@ -44,7 +45,7 @@ func main() {
 		glog.Exitf("Serve(): %v", err)
 	}

-	configData, err := ioutil.ReadFile(flagConfig)
+	configData, err := os.ReadFile(flagConfig)
 	if err != nil {
 		glog.Exitf("Could not read config: %v", err)
 	}
@ -56,7 +57,6 @@ func main() {

 	mux := http.NewServeMux()
 	mux.HandleFunc("/", s.handler)
-	// TODO(q3k): implement admission controller
 	srv := &http.Server{Addr: flagListen, Handler: mux}

 	glog.Infof("Listening on %q...", flagListen)
--- a/cluster/admitomatic/service.go
+++ b/cluster/admitomatic/service.go
@ -3,7 +3,8 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
+
 	"net/http"

 	"github.com/golang/glog"
@ -55,7 +56,7 @@ func newService(configuration []byte) (*service, error) {
 func (s *service) handler(w http.ResponseWriter, r *http.Request) {
 	var body []byte
 	if r.Body != nil {
-		if data, err := ioutil.ReadAll(r.Body); err == nil {
+		if data, err := io.ReadAll(r.Body); err == nil {
 			body = data
 		}
 	}
@ -104,6 +105,15 @@ func (s *service) handler(w http.ResponseWriter, r *http.Request) {
 				},
 			}
 		}
+	default:
+		resp = &admission.AdmissionResponse{
+			UID:     req.UID,
+			Allowed: false,
+			Result: &meta.Status{
+				Code:    400,
+				Message: "admitomatic: invalid request",
+			},
+		}
 	}

 	glog.Infof("%s %s %s in %s: %v (%v)", req.Operation, req.Kind.Kind, req.Name, req.Namespace, resp.Allowed, resp.Result)
--- a/cluster/kube/lib/admitomatic.libsonnet
+++ b/cluster/kube/lib/admitomatic.libsonnet
@ -34,9 +34,10 @@ local prototext = import "../../../kube/prototext.libsonnet";

        cfg:: {
            namespace: "admitomatic",
-            image: "registry.k0.hswaw.net/radex/admitomatic:20250112172554",
+            image: "registry.k0.hswaw.net/radex/admitomatic:20250121182713",

            proto: {},
+            prototext: prototext.manifestProtoText(self.proto),

            pki: {
                webhookCert: error 'pki.webhookCert must be set',
@ -50,7 +51,7 @@ local prototext = import "../../../kube/prototext.libsonnet";

        config: ns.Contain(kube.ConfigMap("admitomatic")) {
            data: {
-                "config.pb.text": prototext.manifestProtoText(cfg.proto),
+                "config.pb.text": cfg.prototext,
            },
        },

@ -64,6 +65,12 @@ local prototext = import "../../../kube/prototext.libsonnet";
        daemonset: ns.Contain(kube.DaemonSet("admitomatic")) {
            spec+: {
                template+: {
+                    metadata+: {
+                        annotations: {
+                            // force an update whenever the config changes
+                            "hswaw.net/config-version": std.md5(cfg.prototext),
+                        },
+                    },
                    spec+: {
                        containers_: {
                            default: kube.Container("default") {