IMPORTANT: admission wiring changes

Author: deads2k

pkg/cmd/server/origin/admission/chain_builder.go

@@ -11,6 +11,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
+	admissionmetrics "k8s.io/apiserver/pkg/admission/metrics"
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
 	noderestriction "k8s.io/kubernetes/plugin/pkg/admission/noderestriction"
 	saadmit "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
@@ -245,11 +246,12 @@ func newAdmissionChain(pluginNames []string, admissionConfigFilename string, opt
 			admissionInitializer.Initialize(plugin)
 
 		default:
-			pluginsConfigProvider, err := admission.ReadAdmissionConfiguration([]string{pluginName}, admissionConfigFilename)
+			// TODO this needs to be refactored to use the admission scheme we created upstream.  I think this holds us for the rebase.
+			pluginsConfigProvider, err := admission.ReadAdmissionConfiguration([]string{pluginName}, admissionConfigFilename, configapi.Scheme)
 			if err != nil {
 				return nil, err
 			}
-			plugin, err = OriginAdmissionPlugins.NewFromPlugins([]string{pluginName}, pluginsConfigProvider, admissionInitializer)
+			plugin, err = OriginAdmissionPlugins.NewFromPlugins([]string{pluginName}, pluginsConfigProvider, admissionInitializer, admissionmetrics.WithControllerMetrics)
 			if err != nil {
 				// should have been caught with validation
 				return nil, err

pkg/cmd/server/origin/admission/plugin_initializer.go

@@ -26,19 +26,22 @@ import (
 	templateclient "github.com/openshift/origin/pkg/template/generated/internalclientset"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/initializer"
+	webhookconfig "k8s.io/apiserver/pkg/admission/plugin/webhook/config"
+	webhookinitializer "k8s.io/apiserver/pkg/admission/plugin/webhook/initializer"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/discovery"
 	cacheddiscovery "k8s.io/client-go/discovery/cached"
 	kexternalinformers "k8s.io/client-go/informers"
 	kubeclientgoinformers "k8s.io/client-go/informers"
-	kclientsetexternal "k8s.io/client-go/kubernetes"
 	kubeclientgoclient "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 	kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
@@ -68,10 +71,6 @@ func NewPluginInitializer(
 	if err != nil {
 		return nil, nil, err
 	}
-	kubeExternalClient, err := kclientsetexternal.NewForConfig(privilegedLoopbackConfig)
-	if err != nil {
-		return nil, nil, err
-	}
 	kubeClientGoClientSet, err := kubeclientgoclient.NewForConfig(privilegedLoopbackConfig)
 	if err != nil {
 		return nil, nil, err
@@ -138,25 +137,30 @@ func NewPluginInitializer(
 		}
 	}
 	// note: we are passing a combined quota registry here...
-	genericInitializer, err := initializer.New(kubeClientGoClientSet, informers.GetClientGoKubeInformers(), authorizer)
-	if err != nil {
-		return nil, nil, err
-	}
+	genericInitializer := initializer.New(
+		kubeClientGoClientSet,
+		informers.GetClientGoKubeInformers(),
+		authorizer,
+		legacyscheme.Scheme,
+	)
 	kubePluginInitializer := kadmission.NewPluginInitializer(
 		kubeInternalClient,
-		kubeExternalClient,
 		informers.GetInternalKubeInformers(),
-		authorizer,
 		cloudConfig,
 		restMapper,
-		quotaRegistry)
-	// upstream broke this, so we can't use their mechanism.  We need to get an actual client cert and practically speaking privileged loopback will always have one
-	kubePluginInitializer.SetClientCert(privilegedLoopbackConfig.TLSClientConfig.CertData, privilegedLoopbackConfig.TLSClientConfig.KeyData)
-	// this is a really problematic thing, because it breaks DNS resolution and IP routing, but its for an alpha feature that
-	// I need to work cluster-up
-	kubePluginInitializer.SetServiceResolver(aggregatorapiserver.NewClusterIPServiceResolver(
-		informers.GetClientGoKubeInformers().Core().V1().Services().Lister(),
-	))
+		generic.NewConfiguration(quotaRegistry.List(), map[schema.GroupResource]struct{}{}))
+
+	webhookInitializer := webhookinitializer.NewPluginInitializer(
+		func(delegate webhookconfig.AuthenticationInfoResolver) webhookconfig.AuthenticationInfoResolver {
+			return webhookconfig.AuthenticationInfoResolverFunc(func(server string) (*rest.Config, error) {
+				if server == "kubernetes.default.svc" {
+					return rest.CopyConfig(privilegedLoopbackConfig), nil
+				}
+				return delegate.ClientConfigFor(server)
+			})
+		},
+		aggregatorapiserver.NewClusterIPServiceResolver(informers.GetClientGoKubeInformers().Core().V1().Services().Lister()),
+	)
 
 	openshiftPluginInitializer := &oadmission.PluginInitializer{
 		OpenshiftInternalAuthorizationClient: authorizationClient,
@@ -178,7 +182,7 @@ func NewPluginInitializer(
 		UserInformers:                        informers.GetUserInformers(),
 	}
 
-	return admission.PluginInitializers{genericInitializer, kubePluginInitializer, openshiftPluginInitializer},
+	return admission.PluginInitializers{genericInitializer, webhookInitializer, kubePluginInitializer, openshiftPluginInitializer},
 		func(context genericapiserver.PostStartHookContext) error {
 			restMapper.Reset()
 			go func() {