refactor: server commands names (#212)
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly authored Nov 8, 2024
1 parent 8265e89 commit d8ad338
Showing 10 changed files with 115 additions and 95 deletions.
2 changes: 2 additions & 0 deletions .vscode/launch.json
Expand Up @@ -9,6 +9,7 @@
"program": "${workspaceFolder}",
"args": [
"serve",
"authz-server"
],
},
{
Expand All @@ -18,6 +19,7 @@
"mode": "auto",
"program": "${workspaceFolder}",
"args": [
"serve",
"sidecar-injector",
],
}
2 changes: 1 addition & 1 deletion charts/kyverno-authz-server/README.md
Expand Up @@ -64,7 +64,7 @@ helm install kyverno-authz-server --namespace kyverno --create-namespace kyverno
| containers.server.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| containers.server.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| containers.server.ports | list | `[{"containerPort":9080,"name":"http","protocol":"TCP"},{"containerPort":9081,"name":"grpc","protocol":"TCP"}]` | Container ports. |
| containers.server.args | list | `["serve","--http-address=:9080","--grpc-address=:9081"]` | Container args. |
| containers.server.args | list | `["serve","authz-server","--http-address=:9080","--grpc-address=:9081"]` | Container args. |
| service.port | int | `9081` | Service port. |
| service.type | string | `"ClusterIP"` | Service type. |
| service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
1 change: 1 addition & 0 deletions charts/kyverno-authz-server/values.yaml
Expand Up @@ -214,6 +214,7 @@ containers:
# -- Container args.
args:
- serve
- authz-server
- --http-address=:9080
- --grpc-address=:9081

2 changes: 1 addition & 1 deletion charts/kyverno-sidecar-injector/README.md
Expand Up @@ -63,7 +63,7 @@ helm install kyverno-sidecar-injector --namespace kyverno --create-namespace kyv
| containers.injector.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| containers.injector.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| containers.injector.ports | list | `[{"containerPort":9443,"name":"https","protocol":"TCP"}]` | Container ports. |
| containers.injector.args | list | `["sidecar-injector","--address=:9443","--cert-file=/opt/kubernetes-sidecar-injector/certs/tls.crt","--key-file=/opt/kubernetes-sidecar-injector/certs/tls.key","--sidecar-image={{ include \"sidecar-injector.image\" .Values.containers.injector.image }}"]` | Container args. |
| containers.injector.args | list | `["serve","sidecar-injector","--address=:9443","--cert-file=/opt/kubernetes-sidecar-injector/certs/tls.crt","--key-file=/opt/kubernetes-sidecar-injector/certs/tls.key","--sidecar-image={{ include \"sidecar-injector.image\" .Values.containers.injector.image }}"]` | Container args. |
| service.port | int | `443` | Service port. |
| service.type | string | `"ClusterIP"` | Service type. |
| service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
1 change: 1 addition & 0 deletions charts/kyverno-sidecar-injector/values.yaml
Expand Up @@ -211,6 +211,7 @@ containers:

# -- Container args.
args:
- serve
- sidecar-injector
- --address=:9443
- --cert-file=/opt/kubernetes-sidecar-injector/certs/tls.crt
2 changes: 0 additions & 2 deletions pkg/commands/root/command.go
@@ -1,7 +1,6 @@
package root

import (
"github.com/kyverno/kyverno-envoy-plugin/pkg/commands/inject"
"github.com/kyverno/kyverno-envoy-plugin/pkg/commands/serve"
"github.com/spf13/cobra"
)
Expand All @@ -12,6 +11,5 @@ func Command() *cobra.Command {
Short: "kyverno-envoy-plugin is a plugin for Envoy",
}
root.AddCommand(serve.Command())
root.AddCommand(inject.Command())
return root
}
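--- a/pkg/commands/serve/authz-server/command.go
+++ b/pkg/commands/serve/authz-server/command.go
@@ -0,0 +1,101 @@
+package authzserver
+
+import (
+"context"
+"fmt"
+
+"github.com/kyverno/kyverno-envoy-plugin/apis/v1alpha1"
+"github.com/kyverno/kyverno-envoy-plugin/pkg/authz"
+"github.com/kyverno/kyverno-envoy-plugin/pkg/policy"
+"github.com/kyverno/kyverno-envoy-plugin/pkg/signals"
+"github.com/spf13/cobra"
+"go.uber.org/multierr"
+"k8s.io/apimachinery/pkg/runtime"
+"k8s.io/apimachinery/pkg/util/wait"
+"k8s.io/client-go/tools/clientcmd"
+ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func Command() *cobra.Command {
+var httpAddress string
+var grpcAddress string
+var grpcNetwork string
+var kubeConfigOverrides clientcmd.ConfigOverrides
+command := &cobra.Command{
+Use: "authz-server",
+Short: "Start the Kyverno Authz Server",
+RunE: func(cmd *cobra.Command, args []string) error {
+// setup signals aware context
+return signals.Do(context.Background(), func(ctx context.Context) error {
+// track errors
+var httpErr, grpcErr, mgrErr error
+err := func(ctx context.Context) error {
+// create a rest config
+kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+clientcmd.NewDefaultClientConfigLoadingRules(),
+&kubeConfigOverrides,
+)
+config, err := kubeConfig.ClientConfig()
+if err != nil {
+return err
+}
+// create a wait group
+var group wait.Group
+// wait all tasks in the group are over
+defer group.Wait()
+// create a controller manager
+scheme := runtime.NewScheme()
+if err := v1alpha1.Install(scheme); err != nil {
+return err
+}
+mgr, err := ctrl.NewManager(config, ctrl.Options{
+Scheme: scheme,
+})
+if err != nil {
+return fmt.Errorf("failed to construct manager: %w", err)
+}
+// create compiler
+compiler := policy.NewCompiler()
+// create provider
+provider, err := policy.NewKubeProvider(mgr, compiler)
+if err != nil {
+return err
+}
+// create a cancellable context
+ctx, cancel := context.WithCancel(ctx)
+// start manager
+group.StartWithContext(ctx, func(ctx context.Context) {
+// cancel context at the end
+defer cancel()
+mgrErr = mgr.Start(ctx)
+})
+if !mgr.GetCache().WaitForCacheSync(ctx) {
+defer cancel()
+return fmt.Errorf("failed to wait for cache sync")
+}
+// create http and grpc servers
+http := authz.NewHttpServer(httpAddress)
+grpc := authz.NewGrpcServer(grpcNetwork, grpcAddress, provider)
+// run servers
+group.StartWithContext(ctx, func(ctx context.Context) {
+// cancel context at the end
+defer cancel()
+httpErr = http.Run(ctx)
+})
+group.StartWithContext(ctx, func(ctx context.Context) {
+// cancel context at the end
+defer cancel()
+grpcErr = grpc.Run(ctx)
+})
+return nil
+}(ctx)
+return multierr.Combine(err, httpErr, grpcErr, mgrErr)
+})
+},
+}
+command.Flags().StringVar(&httpAddress, "http-address", ":9080", "Address to listen on for health checks")
+command.Flags().StringVar(&grpcAddress, "grpc-address", ":9081", "Address to listen on")
+command.Flags().StringVar(&grpcNetwork, "grpc-network", "tcp", "Network to listen on")
+clientcmd.BindOverrideFlags(&kubeConfigOverrides, command.Flags(), clientcmd.RecommendedConfigOverrideFlags("kube-"))
+return command
+}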
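Review bot: The `--grpc-address` default of `:9081` near the end of `Command` binds the authorization gRPC listener on every interface, and the command registers no flag for TLS or peer authentication on that listener. Whether `authz.NewGrpcServer` adds transport security cannot be seen from this page, so this is something to confirm rather than a confirmed gap. When the server runs in the same pod as Envoy, a loopback bind narrows who can query policy decisions, and the flag help could say so: `"Address the authorization gRPC server listens on (use 127.0.0.1:9081 when Envoy shares the pod)"` in place of `"Address to listen on"`. The exported `Command` also has no doc comment; `// Command returns the "serve authz-server" command, which starts the controller manager and the HTTP health and gRPC servers.` would cover it.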
94 changes: 5 additions & 89 deletions pkg/commands/serve/command.go
@@ -1,101 +1,17 @@
package serve

import (
"context"
"fmt"

"github.com/kyverno/kyverno-envoy-plugin/apis/v1alpha1"
"github.com/kyverno/kyverno-envoy-plugin/pkg/authz"
"github.com/kyverno/kyverno-envoy-plugin/pkg/policy"
"github.com/kyverno/kyverno-envoy-plugin/pkg/signals"
authzserver "github.com/kyverno/kyverno-envoy-plugin/pkg/commands/serve/authz-server"
sidecarinjector "github.com/kyverno/kyverno-envoy-plugin/pkg/commands/serve/sidecar-injector"
"github.com/spf13/cobra"
"go.uber.org/multierr"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/tools/clientcmd"
ctrl "sigs.k8s.io/controller-runtime"
)

func Command() *cobra.Command {
var httpAddress string
var grpcAddress string
var grpcNetwork string
var kubeConfigOverrides clientcmd.ConfigOverrides
command := &cobra.Command{
Use: "serve",
Short: "Start the kyverno-envoy-plugin server",
RunE: func(cmd *cobra.Command, args []string) error {
// setup signals aware context
return signals.Do(context.Background(), func(ctx context.Context) error {
// track errors
var httpErr, grpcErr, mgrErr error
err := func(ctx context.Context) error {
// create a rest config
kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
clientcmd.NewDefaultClientConfigLoadingRules(),
&kubeConfigOverrides,
)
config, err := kubeConfig.ClientConfig()
if err != nil {
return err
}
// create a wait group
var group wait.Group
// wait all tasks in the group are over
defer group.Wait()
// create a controller manager
scheme := runtime.NewScheme()
if err := v1alpha1.Install(scheme); err != nil {
return err
}
mgr, err := ctrl.NewManager(config, ctrl.Options{
Scheme: scheme,
})
if err != nil {
return fmt.Errorf("failed to construct manager: %w", err)
}
// create compiler
compiler := policy.NewCompiler()
// create provider
provider, err := policy.NewKubeProvider(mgr, compiler)
if err != nil {
return err
}
// create a cancellable context
ctx, cancel := context.WithCancel(ctx)
// start manager
group.StartWithContext(ctx, func(ctx context.Context) {
// cancel context at the end
defer cancel()
mgrErr = mgr.Start(ctx)
})
if !mgr.GetCache().WaitForCacheSync(ctx) {
defer cancel()
return fmt.Errorf("failed to wait for cache sync")
}
// create http and grpc servers
http := authz.NewHttpServer(httpAddress)
grpc := authz.NewGrpcServer(grpcNetwork, grpcAddress, provider)
// run servers
group.StartWithContext(ctx, func(ctx context.Context) {
// cancel context at the end
defer cancel()
httpErr = http.Run(ctx)
})
group.StartWithContext(ctx, func(ctx context.Context) {
// cancel context at the end
defer cancel()
grpcErr = grpc.Run(ctx)
})
return nil
}(ctx)
return multierr.Combine(err, httpErr, grpcErr, mgrErr)
})
},
Short: "Run Kyverno Envoy Plugin servers",
}
command.Flags().StringVar(&httpAddress, "http-address", ":9080", "Address to listen on for health checks")
command.Flags().StringVar(&grpcAddress, "grpc-address", ":9081", "Address to listen on")
command.Flags().StringVar(&grpcNetwork, "grpc-network", "tcp", "Network to listen on")
clientcmd.BindOverrideFlags(&kubeConfigOverrides, command.Flags(), clientcmd.RecommendedConfigOverrideFlags("kube-"))
command.AddCommand(authzserver.Command())
command.AddCommand(sidecarinjector.Command())
return command
}
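Review bot: `serve` loses its `RunE` and every flag in this section, so the earlier invocation `serve --http-address=:9080 --grpc-address=:9081` no longer starts a server, which makes this a breaking CLI change rather than a pure refactor. The chart defaults and `pkg/sidecar/sidecar.go` are updated in the same commit, but a values override of `containers.server.args` or `containers.injector.args` still written in the old form is not, and that deserves an upgrade note. As far as I know cobra prints help and returns success for a command that has no run function, so a bare `serve` or a mistyped subcommand would exit 0 instead of failing. If that is confirmed, adding `Args: cobra.NoArgs` and a `RunE` that returns an error naming `authz-server` and `sidecar-injector` makes a misconfigured container fail visibly.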
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
package inject
package sidecarinjector

import (
"context"
Expand All @@ -15,7 +15,7 @@ func Command() *cobra.Command {
var sidecarImage string
command := &cobra.Command{
Use: "sidecar-injector",
Short: "Responsible for injecting sidecars into pod containers",
Short: "Start the Kubernetes mutating webhook injecting Kyverno Authz Server sidecars into pod containers",
RunE: func(cmd *cobra.Command, args []string) error {
// setup signals aware context
return signals.Do(context.Background(), func(ctx context.Context) error {
1 change: 1 addition & 0 deletions pkg/sidecar/sidecar.go
Expand Up @@ -20,6 +20,7 @@ func Sidecar(image string) corev1.Container {
}},
Args: []string{
"serve",
"authz-server",
"--http-address=:9080",
"--grpc-address=:9081",
},
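Review bot: The injected container's arguments are hard-coded in `Sidecar` while its image comes from the `image` parameter, so after this change the argument list and the binary inside that image have to come from matching releases. An image built from this commit or later, paired with an injector from before it, would receive `serve --http-address=:9080 --grpc-address=:9081`, which the new flagless `serve` command presumably rejects, leaving the authorization sidecar down in every newly injected pod. A comment above `Args` such as `// Args must match the CLI of the sidecar image; "serve authz-server" needs an image built after the serve subcommand split.` would record the coupling. The body of `Sidecar` starts and ends outside this hunk.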
