2020-01-14 10:38:55 +00:00
|
|
|
/*
|
|
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
// Package webhook implements a generic HTTP webhook plugin.
|
|
|
|
package webhook
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/serializer"
|
2020-04-14 07:04:33 +00:00
|
|
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
2020-01-14 10:38:55 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
2021-08-09 07:19:24 +00:00
|
|
|
"k8s.io/apiserver/pkg/util/x509metrics"
|
2020-01-14 10:38:55 +00:00
|
|
|
"k8s.io/client-go/rest"
|
|
|
|
"k8s.io/client-go/tools/clientcmd"
|
|
|
|
)
|
|
|
|
|
|
|
|
// defaultRequestTimeout is set for all webhook request. This is the absolute
|
|
|
|
// timeout of the HTTP request, including reading the response body.
|
|
|
|
const defaultRequestTimeout = 30 * time.Second
|
|
|
|
|
2020-12-17 12:28:29 +00:00
|
|
|
// DefaultRetryBackoffWithInitialDelay returns the default backoff parameters for webhook retry from a given initial delay.
|
|
|
|
// Handy for the client that provides a custom initial delay only.
|
|
|
|
func DefaultRetryBackoffWithInitialDelay(initialBackoffDelay time.Duration) wait.Backoff {
|
|
|
|
return wait.Backoff{
|
|
|
|
Duration: initialBackoffDelay,
|
|
|
|
Factor: 1.5,
|
|
|
|
Jitter: 0.2,
|
|
|
|
Steps: 5,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-01-14 10:38:55 +00:00
|
|
|
// GenericWebhook defines a generic client for webhooks with commonly used capabilities,
|
|
|
|
// such as retry requests.
|
|
|
|
type GenericWebhook struct {
|
2020-12-17 12:28:29 +00:00
|
|
|
RestClient *rest.RESTClient
|
|
|
|
RetryBackoff wait.Backoff
|
|
|
|
ShouldRetry func(error) bool
|
2020-01-14 10:38:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// DefaultShouldRetry is a default implementation for the GenericWebhook ShouldRetry function property.
|
|
|
|
// If the error reason is one of: networking (connection reset) or http (InternalServerError (500), GatewayTimeout (504), TooManyRequests (429)),
|
|
|
|
// or apierrors.SuggestsClientDelay() returns true, then the function advises a retry.
|
|
|
|
// Otherwise it returns false for an immediate fail.
|
|
|
|
func DefaultShouldRetry(err error) bool {
|
|
|
|
// these errors indicate a transient error that should be retried.
|
2023-08-17 05:15:28 +00:00
|
|
|
if utilnet.IsConnectionReset(err) || utilnet.IsHTTP2ConnectionLost(err) || apierrors.IsInternalError(err) || apierrors.IsTimeout(err) || apierrors.IsTooManyRequests(err) {
|
2020-01-14 10:38:55 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
// if the error sends the Retry-After header, we respect it as an explicit confirmation we should retry.
|
|
|
|
if _, shouldRetry := apierrors.SuggestsClientDelay(err); shouldRetry {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2022-05-05 02:47:06 +00:00
|
|
|
// NewGenericWebhook creates a new GenericWebhook from the provided rest.Config.
|
|
|
|
func NewGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, config *rest.Config, groupVersions []schema.GroupVersion, retryBackoff wait.Backoff) (*GenericWebhook, error) {
|
2020-01-14 10:38:55 +00:00
|
|
|
for _, groupVersion := range groupVersions {
|
|
|
|
if !scheme.IsVersionRegistered(groupVersion) {
|
|
|
|
return nil, fmt.Errorf("webhook plugin requires enabling extension resource: %s", groupVersion)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-05-05 02:47:06 +00:00
|
|
|
clientConfig := rest.CopyConfig(config)
|
2020-01-14 10:38:55 +00:00
|
|
|
|
|
|
|
codec := codecFactory.LegacyCodec(groupVersions...)
|
|
|
|
clientConfig.ContentConfig.NegotiatedSerializer = serializer.NegotiatedSerializerWrapper(runtime.SerializerInfo{Serializer: codec})
|
|
|
|
|
2022-05-05 02:47:06 +00:00
|
|
|
clientConfig.Wrap(x509metrics.NewDeprecatedCertificateRoundTripperWrapperConstructor(
|
|
|
|
x509MissingSANCounter,
|
|
|
|
x509InsecureSHA1Counter,
|
|
|
|
))
|
2020-04-14 07:04:33 +00:00
|
|
|
|
2020-01-14 10:38:55 +00:00
|
|
|
restClient, err := rest.UnversionedRESTClientFor(clientConfig)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2020-12-17 12:28:29 +00:00
|
|
|
return &GenericWebhook{restClient, retryBackoff, DefaultShouldRetry}, nil
|
2020-01-14 10:38:55 +00:00
|
|
|
}
|
|
|
|
|
2020-12-17 12:28:29 +00:00
|
|
|
// WithExponentialBackoff will retry webhookFn() as specified by the given backoff parameters with exponentially
|
|
|
|
// increasing backoff when it returns an error for which this GenericWebhook's ShouldRetry function returns true,
|
|
|
|
// confirming it to be retriable. If no ShouldRetry has been defined for the webhook,
|
|
|
|
// then the default one is used (DefaultShouldRetry).
|
2020-01-14 10:38:55 +00:00
|
|
|
func (g *GenericWebhook) WithExponentialBackoff(ctx context.Context, webhookFn func() rest.Result) rest.Result {
|
|
|
|
var result rest.Result
|
|
|
|
shouldRetry := g.ShouldRetry
|
|
|
|
if shouldRetry == nil {
|
|
|
|
shouldRetry = DefaultShouldRetry
|
|
|
|
}
|
2020-12-17 12:28:29 +00:00
|
|
|
WithExponentialBackoff(ctx, g.RetryBackoff, func() error {
|
2020-01-14 10:38:55 +00:00
|
|
|
result = webhookFn()
|
|
|
|
return result.Error()
|
|
|
|
}, shouldRetry)
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
// WithExponentialBackoff will retry webhookFn up to 5 times with exponentially increasing backoff when
|
|
|
|
// it returns an error for which shouldRetry returns true, confirming it to be retriable.
|
2020-12-17 12:28:29 +00:00
|
|
|
func WithExponentialBackoff(ctx context.Context, retryBackoff wait.Backoff, webhookFn func() error, shouldRetry func(error) bool) error {
|
|
|
|
// having a webhook error allows us to track the last actual webhook error for requests that
|
|
|
|
// are later cancelled or time out.
|
|
|
|
var webhookErr error
|
2023-06-01 16:58:10 +00:00
|
|
|
err := wait.ExponentialBackoffWithContext(ctx, retryBackoff, func(_ context.Context) (bool, error) {
|
2020-12-17 12:28:29 +00:00
|
|
|
webhookErr = webhookFn()
|
|
|
|
if shouldRetry(webhookErr) {
|
2020-01-14 10:38:55 +00:00
|
|
|
return false, nil
|
|
|
|
}
|
2020-12-17 12:28:29 +00:00
|
|
|
if webhookErr != nil {
|
|
|
|
return false, webhookErr
|
2020-01-14 10:38:55 +00:00
|
|
|
}
|
|
|
|
return true, nil
|
|
|
|
})
|
2020-12-17 12:28:29 +00:00
|
|
|
|
|
|
|
switch {
|
|
|
|
// we check for webhookErr first, if webhookErr is set it's the most important error to return.
|
|
|
|
case webhookErr != nil:
|
|
|
|
return webhookErr
|
|
|
|
case err != nil:
|
|
|
|
return fmt.Errorf("webhook call failed: %s", err.Error())
|
|
|
|
default:
|
|
|
|
return nil
|
|
|
|
}
|
2020-01-14 10:38:55 +00:00
|
|
|
}
|
2022-05-05 02:47:06 +00:00
|
|
|
|
|
|
|
func LoadKubeconfig(kubeConfigFile string, customDial utilnet.DialFunc) (*rest.Config, error) {
|
|
|
|
loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
|
|
|
|
loadingRules.ExplicitPath = kubeConfigFile
|
|
|
|
loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
|
|
|
|
|
|
|
|
clientConfig, err := loader.ClientConfig()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
clientConfig.Dial = customDial
|
|
|
|
|
|
|
|
// Kubeconfigs can't set a timeout, this can only be set through a command line flag.
|
|
|
|
//
|
|
|
|
// https://github.com/kubernetes/client-go/blob/master/tools/clientcmd/overrides.go
|
|
|
|
//
|
|
|
|
// Set this to something reasonable so request to webhooks don't hang forever.
|
|
|
|
clientConfig.Timeout = defaultRequestTimeout
|
|
|
|
|
|
|
|
// Avoid client-side rate limiting talking to the webhook backend.
|
|
|
|
// Rate limiting should happen when deciding how many requests to serve.
|
|
|
|
clientConfig.QPS = -1
|
|
|
|
|
|
|
|
return clientConfig, nil
|
|
|
|
}
|