Merge pull request cert-manager#6289 from inteon/acme_webhook_openapi

Add openapi definitions to acme API server
fonsecas72 · Aug 24, 2023 · ba73f80 · ba73f80
2 parents cce304b + 9d2d1cd
commit ba73f80
Show file tree

Hide file tree

Showing 9 changed files with 4,183 additions and 29 deletions.
diff --git a/hack/k8s-codegen.sh b/hack/k8s-codegen.sh
@@ -26,6 +26,7 @@ informergen=$4
 listergen=$5
 defaultergen=$6
 conversiongen=$7
+openapigen=$8
 
 # If the envvar "VERIFY_ONLY" is set, we only check if everything's up to date
 # and don't actually generate anything
@@ -136,6 +137,25 @@ mkcp() {
 # Export mkcp for use in sub-shells
 export -f mkcp
 
+gen-openapi-acme() {
+  clean pkg/acme/webhook/openapi '*.go'
+  echo "+++ ${VERB} ACME openapi..." >&2
+  mkdir -p hack/openapi_reports
+  "$openapigen" \
+    ${VERIFY_FLAGS} \
+    --go-header-file "hack/boilerplate-go.txt" \
+    --report-filename "hack/openapi_reports/acme.txt" \
+    --input-dirs "k8s.io/apimachinery/pkg/version" \
+    --input-dirs "k8s.io/apimachinery/pkg/runtime" \
+    --input-dirs "k8s.io/apimachinery/pkg/apis/meta/v1" \
+    --input-dirs "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" \
+    --input-dirs "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" \
+    --trim-path-prefix "github.com/cert-manager/cert-manager" \
+    --output-package "github.com/cert-manager/cert-manager/pkg/acme/webhook/openapi" \
+    --output-base ./ \
+		-O zz_generated.openapi
+}
+
 gen-deepcopy() {
   clean pkg/apis 'zz_generated.deepcopy.go'
   clean pkg/acme/webhook/apis 'zz_generated.deepcopy.go'
@@ -237,6 +257,7 @@ gen-conversions() {
       --output-base ./
 }
 
+gen-openapi-acme
 gen-deepcopy
 gen-clientsets
 gen-listers

diff --git a/hack/openapi_reports/acme.txt b/hack/openapi_reports/acme.txt
@@ -0,0 +1,70 @@
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,ConversionRequest,Objects
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,ConversionResponse,ConvertedObjects
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,CustomResourceDefinitionNames,Categories
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,CustomResourceDefinitionNames,ShortNames
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,CustomResourceDefinitionSpec,Versions
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,CustomResourceDefinitionStatus,StoredVersions
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,CustomResourceDefinitionVersion,AdditionalPrinterColumns
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSON,Raw
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,AllOf
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,AnyOf
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Enum
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,OneOf
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Required
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListMapKeys
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,JSONSchemas
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Property
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,WebhookClientConfig,CABundle
+API rule violation: list_type_missing,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,WebhookConversion,ConversionReviewVersions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,ServerAddressByClientCIDRs
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroup,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIGroupList,Groups
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResource,Categories
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResource,ShortNames
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,ServerAddressByClientCIDRs
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,APIVersions,Versions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ApplyOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,CreateOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,DeleteOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,FieldsV1,Raw
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelector,MatchExpressions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,LabelSelectorRequirement,Values
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,Finalizers
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,ManagedFields
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,ObjectMeta,OwnerReferences
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,PatchOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,RootPaths,Paths
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,StatusDetails,Causes
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table,ColumnDefinitions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,Table,Rows
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,TableRow,Cells
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,TableRow,Conditions
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/apis/meta/v1,UpdateOptions,DryRun
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,RawExtension,Raw
+API rule violation: list_type_missing,k8s.io/apimachinery/pkg/runtime,Unknown,Raw
+API rule violation: names_match,github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1,ChallengeResponse,Result
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Ref
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XEmbeddedResource
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XIntOrString
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListMapKeys
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XListType
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XMapType
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XPreserveUnknownFields
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaProps,XValidations
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,JSONSchemas
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrArray,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrBool,Allows
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrBool,Schema
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Property
+API rule violation: names_match,k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1,JSONSchemaPropsOrStringArray,Schema
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,MicroTime,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause,Type
+API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
+API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
diff --git a/make/ci.mk b/make/ci.mk
@@ -89,7 +89,8 @@ verify-codegen: | k8s-codegen-tools $(NEEDS_GO)
 		./$(BINDIR)/tools/informer-gen \
 		./$(BINDIR)/tools/lister-gen \
 		./$(BINDIR)/tools/defaulter-gen \
-		./$(BINDIR)/tools/conversion-gen
+		./$(BINDIR)/tools/conversion-gen \
+		./$(BINDIR)/tools/openapi-gen
 
 .PHONY: update-codegen
 update-codegen: | k8s-codegen-tools $(NEEDS_GO)
@@ -100,7 +101,8 @@ update-codegen: | k8s-codegen-tools $(NEEDS_GO)
 		./$(BINDIR)/tools/informer-gen \
 		./$(BINDIR)/tools/lister-gen \
 		./$(BINDIR)/tools/defaulter-gen \
-		./$(BINDIR)/tools/conversion-gen
+		./$(BINDIR)/tools/conversion-gen \
+		./$(BINDIR)/tools/openapi-gen
 
 .PHONY: update-all
 ## Update CRDs, code generation and licenses to the latest versions.

diff --git a/make/tools.mk b/make/tools.mk
@@ -375,7 +375,7 @@ $(BINDIR)/downloaded/tools/ko@$(KO_VERSION)_%: | $(BINDIR)/downloaded/tools
 # k8s codegen tools #
 #####################
 
-K8S_CODEGEN_TOOLS := client-gen conversion-gen deepcopy-gen defaulter-gen informer-gen lister-gen
+K8S_CODEGEN_TOOLS := client-gen conversion-gen deepcopy-gen defaulter-gen informer-gen lister-gen openapi-gen
 K8S_CODEGEN_TOOLS_PATHS := $(K8S_CODEGEN_TOOLS:%=$(BINDIR)/tools/%)
 K8S_CODEGEN_TOOLS_DOWNLOADS := $(K8S_CODEGEN_TOOLS:%=$(BINDIR)/downloaded/tools/%@$(K8S_CODEGEN_VERSION))
 

diff --git a/pkg/acme/webhook/apis/acme/v1alpha1/doc.go b/pkg/acme/webhook/apis/acme/v1alpha1/doc.go
@@ -16,6 +16,7 @@ limitations under the License.
 
 // +k8s:deepcopy-gen=package,register
 // +k8s:defaulter-gen=TypeMeta
+// +k8s:openapi-gen=true
 
 // Package v1alpha1 is the v1alpha1 version of the API.
 // +groupName=webhook.acme.cert-manager.io

diff --git a/pkg/acme/webhook/apiserver/apiserver.go b/pkg/acme/webhook/apiserver/apiserver.go
@@ -25,12 +25,14 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/version"
+	"k8s.io/apiserver/pkg/endpoints/openapi"
 	"k8s.io/apiserver/pkg/registry/rest"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	restclient "k8s.io/client-go/rest"
 
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook"
 	whapi "github.com/cert-manager/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+	cmopenapi "github.com/cert-manager/cert-manager/pkg/acme/webhook/openapi"
 	"github.com/cert-manager/cert-manager/pkg/acme/webhook/registry/challengepayload"
 )
 
@@ -54,20 +56,12 @@ func init() {
 		&metav1.APIGroupList{},
 		&metav1.APIGroup{},
 		&metav1.APIResourceList{},
-		&metav1.ListOptions{},
-		&metav1.GetOptions{},
-		&metav1.PatchOptions{},
-		&metav1.DeleteOptions{},
-		&metav1.CreateOptions{},
-		&metav1.UpdateOptions{},
 	)
 }
 
 type Config struct {
 	GenericConfig *genericapiserver.RecommendedConfig
 	ExtraConfig   ExtraConfig
-
-	restConfig *restclient.Config
 }
 
 type ExtraConfig struct {
@@ -101,14 +95,17 @@ func (c *Config) Complete() CompletedConfig {
 	completedCfg := completedConfig{
 		c.GenericConfig.Complete(),
 		&c.ExtraConfig,
-		c.restConfig,
+		c.GenericConfig.ClientConfig,
 	}
 
 	completedCfg.GenericConfig.Version = &version.Info{
 		Major: "1",
 		Minor: "1",
 	}
 
+	completedCfg.GenericConfig.OpenAPIConfig = genericapiserver.DefaultOpenAPIConfig(cmopenapi.GetOpenAPIDefinitions, openapi.NewDefinitionNamer(Scheme))
+	completedCfg.GenericConfig.OpenAPIV3Config = genericapiserver.DefaultOpenAPIV3Config(cmopenapi.GetOpenAPIDefinitions, openapi.NewDefinitionNamer(Scheme))
+
 	return CompletedConfig{&completedCfg}
 }
 
@@ -126,42 +123,35 @@ func (c completedConfig) New() (*ChallengeServer, error) {
 		GenericAPIServer: genericServer,
 	}
 
-	if c.restConfig == nil {
-		c.restConfig, err = restclient.InClusterConfig()
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	// TODO we're going to need a later k8s.io/apiserver so that we can get discovery to list a different group version for
 	// our endpoint which we'll use to back some custom storage which will consume the AdmissionReview type and give back the correct response
 	apiGroupInfo := genericapiserver.APIGroupInfo{
 		VersionedResourcesStorageMap: map[string]map[string]rest.Storage{},
-		// TODO unhardcode this. It was hardcoded before, but we need to re-evaluate
-		OptionsExternalVersion: &schema.GroupVersion{Version: "v1alpha1"},
+		// TODO unhardcode this.  It was hardcoded before, but we need to re-evaluate
+		OptionsExternalVersion: &schema.GroupVersion{Version: "v1"},
 		Scheme:                 Scheme,
 		ParameterCodec:         metav1.ParameterCodec,
 		NegotiatedSerializer:   Codecs,
 	}
 
 	for _, solver := range solversByName(c.ExtraConfig.Solvers...) {
-		challengeHandler := challengepayload.NewREST(solver)
-		v1alpha1storage, ok := apiGroupInfo.VersionedResourcesStorageMap["v1alpha1"]
-		if !ok {
-			v1alpha1storage = map[string]rest.Storage{}
-		}
-
 		gvr := metav1.GroupVersionResource{
 			Group:    c.ExtraConfig.SolverGroup,
 			Version:  "v1alpha1",
 			Resource: solver.Name(),
 		}
 
+		challengeHandler := challengepayload.NewREST(solver)
+
 		apiGroupInfo.PrioritizedVersions = appendUniqueGroupVersion(apiGroupInfo.PrioritizedVersions, schema.GroupVersion{
 			Group:   gvr.Group,
 			Version: gvr.Version,
 		})
 
+		v1alpha1storage, ok := apiGroupInfo.VersionedResourcesStorageMap[gvr.Version]
+		if !ok {
+			v1alpha1storage = map[string]rest.Storage{}
+		}
 		v1alpha1storage[gvr.Resource] = challengeHandler
 		apiGroupInfo.VersionedResourcesStorageMap[gvr.Version] = v1alpha1storage
 	}

diff --git a/pkg/acme/webhook/apiserver/apiserver_test.go b/pkg/acme/webhook/apiserver/apiserver_test.go
@@ -75,7 +75,6 @@ func TestNewChallengeServer(t *testing.T) {
 						noOpSolver{name: "solver-1"},
 					},
 				},
-				restConfig: &rest.Config{},
 			},
 			expErr: false,
 		},
@@ -89,7 +88,6 @@ func TestNewChallengeServer(t *testing.T) {
 						noOpSolver{name: "solver-2"},
 					},
 				},
-				restConfig: &rest.Config{},
 			},
 			expErr: false,
 		},

diff --git a/pkg/acme/webhook/cmd/server/start.go b/pkg/acme/webhook/cmd/server/start.go
@@ -104,6 +104,10 @@ func (o WebhookServerOptions) Validate(args []string) error {
 		return err
 	}
 
+	if errs := o.RecommendedOptions.Validate(); len(errs) > 0 {
+		return fmt.Errorf("error validating recommended options: %v", errs)
+	}
+
 	return nil
 }