chore(admission webhookl): upgrade admission webhook controller runtime version (#6521)

chore(admission webhookl): upgrade admission webhook controller runtime version (#6518)

* feat(admission): upgrade admission webhook controller runtime version

* feat(admission): upgrade admission webhook controller runtime version

* feat(admission): upgrade admission webhook controller runtime version

* feat(admission): upgrade admission webhook controller runtime version

* feat(admission): upgrade admission webhook controller runtime version

* feat(admission): upgrade admission webhook controller runtime version

Co-authored-by: yy <56745951+lingdie@users.noreply.github.com>

Author: github-actions[bot]

webhooks/admission/Makefile

@@ -65,14 +65,14 @@ test: manifests generate fmt vet envtest ## Run tests.
 
 .PHONY: build
 build:  ## Build manager binary.
-	CGO_ENABLED=0 GOOS=linux  go build -ldflags "-s -w" -trimpath -o bin/manager cmd/main.go
+	CGO_ENABLED=0 GOOS=linux go build -ldflags "-s -w" -trimpath -o bin/manager cmd/main.go
 
 .PHONY: run
 run: manifests generate fmt vet ## Run a controller from your host.
 	go run ./main.go
 
 .PHONY: docker-build
-docker-build: test build ## Build docker image with the manager.
+docker-build: build ## Build docker image with the manager.
 	mv bin/manager bin/webhook-admission-${TARGETARCH}
 	chmod +x bin/webhook-admission-${TARGETARCH}
 	docker build -t ${IMG} . --build-arg TARGETARCH=${TARGETARCH}

webhooks/admission/api/v1/icp.go

@@ -46,7 +46,7 @@ type IcpValidator struct {
 	cache *cache.Cache
 }
 
-func NewIcpValidator(icpEnabled bool, icpEndpoint string, icpKey string) *IcpValidator {
+func NewIcpValidator(icpEnabled bool, icpEndpoint, icpKey string) *IcpValidator {
 	return &IcpValidator{
 		enabled:  icpEnabled,
 		endpoint: icpEndpoint,
@@ -64,7 +64,7 @@ func (i *IcpValidator) Query(rule *netv1.IngressRule) (*IcpResponse, error) {
 	// Check if result is already cached
 	cached, found := i.cache.Get(domainName)
 	if found {
-		return cached.(*IcpResponse), nil
+		return cached.(*IcpResponse), nil //nolint:errcheck // cache stores *IcpResponse
 	}
 
 	// Query ICP

webhooks/admission/api/v1/icp_test.go

@@ -22,7 +22,7 @@ import (
 
 func TestIcpValidator_Query(t *testing.T) {
 	icpValidator := NewIcpValidator(true, "http://v.juhe.cn/siteTools/app/NewDomain/query.php", "")
-	for i := 0; i <= 3; i++ {
+	for range 4 {
 		rule := &v1.IngressRule{
 			Host: "sealos.cn",
 		}

webhooks/admission/api/v1/ingress_webhook.go

@@ -26,7 +26,6 @@ import (
 	"time"
 
 	"github.com/labring/sealos/webhook/admission/pkg/code"
-
 	netv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -67,7 +66,13 @@ func (m *IngressMutator) Default(_ context.Context, obj runtime.Object) error {
 
 	for _, domain := range m.Domains {
 		if isUserNamespace(i.Namespace) && hasSubDomain(i, domain) {
-			ilog.Info("mutating ingress in user ns", "ingress namespace", i.Namespace, "ingress name", i.Name)
+			ilog.Info(
+				"mutating ingress in user ns",
+				"ingress namespace",
+				i.Namespace,
+				"ingress name",
+				i.Name,
+			)
 			m.mutateUserIngressAnnotations(i)
 		}
 	}
@@ -109,7 +114,7 @@ func (v *IngressValidator) SetupWithManager(mgr ctrl.Manager) error {
 		&netv1.Ingress{},
 		IngressHostIndex,
 		func(obj client.Object) []string {
-			ingress := obj.(*netv1.Ingress)
+			ingress := obj.(*netv1.Ingress) //nolint:errcheck // IndexField is registered for Ingress objects only
 			var hosts []string
 			for _, rule := range ingress.Spec.Rules {
 				hosts = append(hosts, rule.Host)
@@ -129,50 +134,79 @@ func (v *IngressValidator) SetupWithManager(mgr ctrl.Manager) error {
 
 //+kubebuilder:webhook:path=/validate-networking-k8s-io-v1-ingress,mutating=false,failurePolicy=ignore,sideEffects=None,groups=networking.k8s.io,resources=ingresses,verbs=create;update;delete,versions=v1,name=vingress.sealos.io,admissionReviewVersions=v1
 
-func (v *IngressValidator) ValidateCreate(ctx context.Context, obj runtime.Object) error {
+func (v *IngressValidator) ValidateCreate(
+	ctx context.Context,
+	obj runtime.Object,
+) (admission.Warnings, error) {
 	i, ok := obj.(*netv1.Ingress)
 	if !ok {
-		return errors.New("obj convert Ingress is error")
+		return nil, errors.New("obj convert Ingress is error")
 	}
 
 	ilog.Info("validating create", "ingress namespace", i.Namespace, "ingress name", i.Name)
-	return v.validate(ctx, i)
+	err := v.validate(ctx, i)
+	return nil, err
 }
 
-func (v *IngressValidator) ValidateUpdate(ctx context.Context, _, newObj runtime.Object) error {
+func (v *IngressValidator) ValidateUpdate(
+	ctx context.Context,
+	_, newObj runtime.Object,
+) (admission.Warnings, error) {
 	ni, ok := newObj.(*netv1.Ingress)
 	if !ok {
-		return errors.New("obj convert Ingress is error")
+		return nil, errors.New("obj convert Ingress is error")
 	}
-	//oi, ok := oldObj.(*netv1.Ingress)
-	//if !ok {
+	// oi, ok := oldObj.(*netv1.Ingress)
+	// if !ok {
 	//	return errors.New("obj convert Ingress is error")
 	//}
 	ilog.Info("validating update", "ingress namespace", ni.Namespace, "ingress name", ni.Name)
-	return v.validate(ctx, ni)
+	err := v.validate(ctx, ni)
+	return nil, err
 }
 
-func (v *IngressValidator) ValidateDelete(_ context.Context, obj runtime.Object) error {
+func (v *IngressValidator) ValidateDelete(
+	_ context.Context,
+	obj runtime.Object,
+) (admission.Warnings, error) {
 	i, ok := obj.(*netv1.Ingress)
 	if !ok {
-		return errors.New("obj convert Ingress is error")
+		return nil, errors.New("obj convert Ingress is error")
 	}
 
 	ilog.Info("validating delete", "ingress namespace", i.Namespace, "ingress name", i.Name)
 	// delete ingress, pass validate
-	return nil
+	return nil, nil
 }
 
 func (v *IngressValidator) validate(ctx context.Context, i *netv1.Ingress) error {
 	// count validate cost time
 
 	startTime := time.Now()
 	defer func() {
-		ilog.Info("finished validate", "ingress namespace", i.Namespace, "ingress name", i.Name, "cost", time.Since(startTime))
+		ilog.Info(
+			"finished validate",
+			"ingress namespace",
+			i.Namespace,
+			"ingress name",
+			i.Name,
+			"cost",
+			time.Since(startTime),
+		)
 	}()
 
 	request, _ := admission.RequestFromContext(ctx)
-	ilog.Info("validating", "ingress namespace", i.Namespace, "ingress name", i.Name, "user", request.UserInfo.Username, "userGroups", request.UserInfo.Groups)
+	ilog.Info(
+		"validating",
+		"ingress namespace",
+		i.Namespace,
+		"ingress name",
+		i.Name,
+		"user",
+		request.UserInfo.Username,
+		"userGroups",
+		request.UserInfo.Groups,
+	)
 	if !isUserServiceAccount(request.UserInfo.Username) {
 		ilog.Info("user is not user's serviceaccount, skip validate")
 		return nil
@@ -201,7 +235,15 @@ func (v *IngressValidator) validate(ctx context.Context, i *netv1.Ingress) error
 }
 
 func (v *IngressValidator) checkCname(i *netv1.Ingress, rule *netv1.IngressRule) error {
-	ilog.Info("checking cname", "ingress namespace", i.Namespace, "ingress name", i.Name, "rule host", rule.Host)
+	ilog.Info(
+		"checking cname",
+		"ingress namespace",
+		i.Namespace,
+		"ingress name",
+		i.Name,
+		"rule host",
+		rule.Host,
+	)
 	ilog.Info("domains:", "domains", strings.Join(v.Domains, ","))
 	// get cname and check if it is cname to domain
 	cname, err := net.LookupCNAME(rule.Host)
@@ -214,57 +256,147 @@ func (v *IngressValidator) checkCname(i *netv1.Ingress, rule *netv1.IngressRule)
 	for _, domain := range v.Domains {
 		// check if ingress host is end with domain
 		if strings.HasSuffix(rule.Host, domain) {
-			ilog.Info("ingress host is end with "+domain+", skip validate", "ingress namespace", i.Namespace, "ingress name", i.Name)
+			ilog.Info(
+				"ingress host is end with "+domain+", skip validate",
+				"ingress namespace",
+				i.Namespace,
+				"ingress name",
+				i.Name,
+			)
 			return nil
 		}
 		// if cname is not end with domain, return error
 		if strings.HasSuffix(cname, domain) {
-			ilog.Info("ingress host "+rule.Host+" is cname to "+cname+", pass checkCname validate", "ingress namespace", i.Namespace, "ingress name", i.Name, "cname", cname)
+			ilog.Info(
+				"ingress host "+rule.Host+" is cname to "+cname+", pass checkCname validate",
+				"ingress namespace",
+				i.Namespace,
+				"ingress name",
+				i.Name,
+				"cname",
+				cname,
+			)
 			return nil
 		}
 	}
-	return fmt.Errorf(code.MessageFormat, code.IngressFailedCnameCheck, "can not verify ingress host "+rule.Host+", cname is not end with any domains in "+strings.Join(v.Domains, ","))
+	return fmt.Errorf(
+		code.MessageFormat,
+		code.IngressFailedCnameCheck,
+		"can not verify ingress host "+rule.Host+", cname is not end with any domains in "+strings.Join(
+			v.Domains,
+			",",
+		),
+	)
 }
 
 func (v *IngressValidator) checkOwner(i *netv1.Ingress, rule *netv1.IngressRule) error {
 	iList := &netv1.IngressList{}
-	if err := v.cache.List(context.Background(), iList, client.MatchingFields{IngressHostIndex: rule.Host}); err != nil {
+	if err := v.cache.List(
+		context.Background(),
+		iList,
+		client.MatchingFields{IngressHostIndex: rule.Host},
+	); err != nil {
 		ilog.Error(err, "can not verify ingress host "+rule.Host+", list ingress error")
 		return fmt.Errorf(code.MessageFormat, code.IngressFailedOwnerCheck, err.Error())
 	}
 
 	for _, exitsIngress := range iList.Items {
 		if exitsIngress.Namespace != i.Namespace {
-			ilog.Info("ingress host "+rule.Host+" is owned by "+i.Namespace+", failed validate", "ingress namespace", i.Namespace, "ingress name", i.Name)
-			return fmt.Errorf(code.MessageFormat, code.IngressFailedOwnerCheck, "ingress host "+rule.Host+" is owned by other user, you can not create ingress with same host.")
+			ilog.Info(
+				"ingress host "+rule.Host+" is owned by "+i.Namespace+", failed validate",
+				"ingress namespace",
+				i.Namespace,
+				"ingress name",
+				i.Name,
+			)
+			return fmt.Errorf(
+				code.MessageFormat,
+				code.IngressFailedOwnerCheck,
+				"ingress host "+rule.Host+" is owned by other user, you can not create ingress with same host.",
+			)
 		}
 	}
 	// pass owner check
-	ilog.Info("ingress host "+rule.Host+" pass checkOwner validate", "ingress namespace", i.Namespace, "ingress name", i.Name)
+	ilog.Info(
+		"ingress host "+rule.Host+" pass checkOwner validate",
+		"ingress namespace",
+		i.Namespace,
+		"ingress name",
+		i.Name,
+	)
 	return nil
 }
 
 func (v *IngressValidator) checkIcp(i *netv1.Ingress, rule *netv1.IngressRule) error {
 	if !v.IcpValidator.enabled {
-		ilog.Info("icp is disabled, skip check icp", "ingress namespace", i.Namespace, "ingress name", i.Name, "rule host", rule.Host)
+		ilog.Info(
+			"icp is disabled, skip check icp",
+			"ingress namespace",
+			i.Namespace,
+			"ingress name",
+			i.Name,
+			"rule host",
+			rule.Host,
+		)
 		return nil
 	}
 	// check rule.host icp
 	icpRep, err := v.IcpValidator.Query(rule)
 	if err != nil {
 		ilog.Error(err, "can not verify ingress host "+rule.Host+", icp query error")
-		return fmt.Errorf(code.MessageFormat, code.IngressWebhookInternalError, "can not verify ingress host "+rule.Host+", icp query error")
+		return fmt.Errorf(
+			code.MessageFormat,
+			code.IngressWebhookInternalError,
+			"can not verify ingress host "+rule.Host+", icp query error",
+		)
 	}
 	if icpRep.ErrorCode != 0 {
-		ilog.Error(err, "icp query error", "ingress namespace", i.Namespace, "ingress name", i.Name, "rule host", rule.Host, "icp error code", icpRep.ErrorCode, "icp reason", icpRep.Reason)
+		ilog.Error(
+			err,
+			"icp query error",
+			"ingress namespace",
+			i.Namespace,
+			"ingress name",
+			i.Name,
+			"rule host",
+			rule.Host,
+			"icp error code",
+			icpRep.ErrorCode,
+			"icp reason",
+			icpRep.Reason,
+		)
 		return fmt.Errorf(code.MessageFormat, code.IngressWebhookInternalError, icpRep.Reason)
 	}
 	// if icpRep.Result.SiteLicense is empty, return error, failed validate
 	if icpRep.Result.SiteLicense == "" {
-		ilog.Info("deny ingress host "+rule.Host+", icp query result is empty", "ingress namespace", i.Namespace, "ingress name", i.Name, "rule host", rule.Host, "icp result", icpRep.Result)
-		return fmt.Errorf(code.MessageFormat, code.IngressFailedIcpCheck, "icp query result is empty")
+		ilog.Info(
+			"deny ingress host "+rule.Host+", icp query result is empty",
+			"ingress namespace",
+			i.Namespace,
+			"ingress name",
+			i.Name,
+			"rule host",
+			rule.Host,
+			"icp result",
+			icpRep.Result,
+		)
+		return fmt.Errorf(
+			code.MessageFormat,
+			code.IngressFailedIcpCheck,
+			"icp query result is empty",
+		)
 	}
 	// pass icp check
-	ilog.Info("ingress host "+rule.Host+" pass checkIcp validate", "ingress namespace", i.Namespace, "ingress name", i.Name, "rule host", rule.Host, "icp result", icpRep.Result)
+	ilog.Info(
+		"ingress host "+rule.Host+" pass checkIcp validate",
+		"ingress namespace",
+		i.Namespace,
+		"ingress name",
+		i.Name,
+		"rule host",
+		rule.Host,
+		"icp result",
+		icpRep.Result,
+	)
 	return nil
 }