From 0ab79baf13c80d257f385d47f020825a69c12ed0 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 14 Aug 2023 18:12:56 +0200
Subject: [PATCH] fix fuzzer and switch *int to int32 for internal wehook config
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../apis/config/controller/fuzzer/fuzzer.go | 125 ++++++++++++------
 internal/apis/config/webhook/fuzzer/fuzzer.go | 12 +-
 internal/apis/config/webhook/types.go | 4 +-
 .../apis/config/webhook/v1alpha1/defaults.go | 6 +-
 .../v1alpha1/zz_generated.conversion.go | 17 ++-
 .../config/webhook/validation/validation.go | 8 +-
 .../config/webhook/zz_generated.deepcopy.go | 10 --
 internal/webhook/webhook.go | 4 +-
 pkg/apis/config/webhook/v1alpha1/types.go | 4 +-
 .../webhook/v1alpha1/zz_generated.deepcopy.go | 4 +-
 pkg/webhook/options/options.go | 4 +-
 13 files changed, 120 insertions(+), 84 deletions(-)
diff --git a/go.mod b/go.mod
index 515582b86c4..a7a98bf6589 100644
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,7 @@ require (
 k8s.io/klog/v2 v2.100.1
 k8s.io/kube-aggregator v0.27.4
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
- k8s.io/utils v0.0.0-20230711102312-30195339c3c7
+ k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 sigs.k8s.io/controller-runtime v0.15.0
 sigs.k8s.io/controller-tools v0.12.1
 sigs.k8s.io/gateway-api v0.7.1
diff --git a/go.sum b/go.sum
index 3792e4bc76a..c428da31fca 100644
--- a/go.sum
+++ b/go.sum
@@ -989,8 +989,8 @@ k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc=
 k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/utils v0.0.0-20230711102312-30195339c3c7 h1:ZgnF1KZsYxWIifwSNZFZgNtWE89WI5yiP5WwlfDoIyc=
-k8s.io/utils v0.0.0-20230711102312-30195339c3c7/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/internal/apis/config/controller/fuzzer/fuzzer.go b/internal/apis/config/controller/fuzzer/fuzzer.go
index 4670c7c6116..bc79e7d59c1 100644
--- a/internal/apis/config/controller/fuzzer/fuzzer.go
+++ b/internal/apis/config/controller/fuzzer/fuzzer.go
@@ -17,11 +17,11 @@ limitations under the License.
 package fuzzer

 import (
+ "time"
+
 fuzz "github.com/google/gofuzz"
 runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
- "k8s.io/component-base/logs"
-
- "time"
+ logsapi "k8s.io/component-base/logs/api/v1"

 "github.com/cert-manager/cert-manager/internal/apis/config/controller"
 )
@@ -33,46 +33,87 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 func(s *controller.ControllerConfiguration, c fuzz.Continue) {
 c.FuzzNoCustom(s) // fuzz self without calling this function again

- defaultTime := 60 * time.Second
- s.APIServerHost = "defaultHost"
- s.KubeConfig = "defaultConfig"
- s.KubernetesAPIQPS = 10
- s.KubernetesAPIBurst = 10
- s.ClusterResourceNamespace = "defaultClusterResourceNamespace"
- s.Namespace = "defaultNamespace"
- s.LeaderElectionConfig.Enabled = true
- s.LeaderElectionConfig.Namespace = "defaultLeaderElectionNamespace"
- s.LeaderElectionConfig.LeaseDuration = defaultTime
- s.LeaderElectionConfig.RenewDeadline = defaultTime
- s.LeaderElectionConfig.RetryPeriod = defaultTime
- s.Controllers = []string{"*"}
- s.ACMEHTTP01Config.SolverImage = "defaultACMEHTTP01SolverImage"
- s.ACMEHTTP01Config.SolverResourceRequestCPU = "10m"
- s.ACMEHTTP01Config.SolverResourceRequestMemory = "64Mi"
- s.ACMEHTTP01Config.SolverResourceLimitsCPU = "100m"
- s.ACMEHTTP01Config.SolverResourceLimitsMemory = "64Mi"
- s.ACMEHTTP01Config.SolverRunAsNonRoot = true
- s.ACMEHTTP01Config.SolverNameservers = []string{"8.8.8.8:53"}
- s.ClusterIssuerAmbientCredentials = true
- s.IssuerAmbientCredentials = true
- s.IngressShimConfig.DefaultIssuerName = "defaultTLSACMEIssuerName"
- s.IngressShimConfig.DefaultIssuerKind = "defaultIssuerKind"
- s.IngressShimConfig.DefaultIssuerGroup = "defaultTLSACMEIssuerGroup"
- s.IngressShimConfig.DefaultAutoCertificateAnnotations = []string{"kubernetes.io/tls-acme"}
- s.ACMEDNS01Config.RecursiveNameservers = []string{"8.8.8.8:53"}
- s.ACMEDNS01Config.RecursiveNameserversOnly = true
- s.EnableCertificateOwnerRef = true
- s.NumberOfConcurrentWorkers = 1
- s.MaxConcurrentChallenges = 1
- s.MetricsListenAddress = "0.0.0.0:9402"
- s.HealthzListenAddress = "0.0.0.0:9402"
- s.LeaderElectionConfig.HealthzTimeout = defaultTime
- s.EnablePprof = true
- s.PprofAddress = "something:1234"
- temp := logs.NewOptions()
- s.Logging = *temp
- s.CopiedAnnotationPrefixes = []string{"*", "-kubectl.kubernetes.io/", "-fluxcd.io/", "-argocd.argoproj.io/"}
+ if s.ClusterResourceNamespace == "" {
+ s.ClusterResourceNamespace = "test-roundtrip"
+ }
+
+ if len(s.Controllers) == 0 {
+ s.Controllers = []string{"test-roundtrip"}
+ }
+
+ if len(s.CopiedAnnotationPrefixes) == 0 {
+ s.CopiedAnnotationPrefixes = []string{"test-roundtrip"}
+ }
+
+ if s.MetricsListenAddress == "" {
+ s.MetricsListenAddress = "test-roundtrip"
+ }
+
+ if s.HealthzListenAddress == "" {
+ s.HealthzListenAddress = "test-roundtrip"
+ }
+
+ if s.PprofAddress == "" {
+ s.PprofAddress = "test-roundtrip"
+ }
+
+ logsapi.SetRecommendedLoggingConfiguration(&s.Logging)
+
+ if s.LeaderElectionConfig.Namespace == "" {
+ s.LeaderElectionConfig.Namespace = "test-roundtrip"
+ }
+
+ if s.LeaderElectionConfig.LeaseDuration == time.Duration(0) {
+ s.LeaderElectionConfig.LeaseDuration = time.Second * 8875
+ }
+
+ if s.LeaderElectionConfig.RenewDeadline == time.Duration(0) {
+ s.LeaderElectionConfig.RenewDeadline = time.Second * 8875
+ }
+
+ if s.LeaderElectionConfig.RetryPeriod == time.Duration(0) {
+ s.LeaderElectionConfig.RetryPeriod = time.Second * 8875
+ }
+
+ if s.LeaderElectionConfig.HealthzTimeout == time.Duration(0) {
+ s.LeaderElectionConfig.HealthzTimeout = time.Second * 8875
+ }
+
+ if s.IngressShimConfig.DefaultIssuerKind == "" {
+ s.IngressShimConfig.DefaultIssuerKind = "test-roundtrip"
+ }
+
+ if s.IngressShimConfig.DefaultIssuerGroup == "" {
+ s.IngressShimConfig.DefaultIssuerGroup = "test-roundtrip"
+ }
+
+ if len(s.IngressShimConfig.DefaultAutoCertificateAnnotations) == 0 {
+ s.IngressShimConfig.DefaultAutoCertificateAnnotations = []string{"test-roundtrip"}
+ }
+
+ if s.ACMEHTTP01Config.SolverImage == "" {
+ s.ACMEHTTP01Config.SolverImage = "test-roundtrip"
+ }
+
+ if s.ACMEHTTP01Config.SolverResourceRequestCPU == "" {
+ s.ACMEHTTP01Config.SolverResourceRequestCPU = "test-roundtrip"
+ }
+
+ if s.ACMEHTTP01Config.SolverResourceRequestMemory == "" {
+ s.ACMEHTTP01Config.SolverResourceRequestMemory = "test-roundtrip"
+ }
+
+ if s.ACMEHTTP01Config.SolverResourceLimitsCPU == "" {
+ s.ACMEHTTP01Config.SolverResourceLimitsCPU = "test-roundtrip"
+ }
+
+ if s.ACMEHTTP01Config.SolverResourceLimitsMemory == "" {
+ s.ACMEHTTP01Config.SolverResourceLimitsMemory = "test-roundtrip"
+ }
+ if s.ACMEDNS01Config.CheckRetryPeriod == time.Duration(0) {
+ s.ACMEDNS01Config.CheckRetryPeriod = time.Second * 8875
+ }

 },
 }
 }
diff --git a/internal/apis/config/webhook/fuzzer/fuzzer.go b/internal/apis/config/webhook/fuzzer/fuzzer.go
index f01a704e83f..770c75c6e08 100644
--- a/internal/apis/config/webhook/fuzzer/fuzzer.go
+++ b/internal/apis/config/webhook/fuzzer/fuzzer.go
@@ -19,7 +19,7 @@ package fuzzer
 import (
 fuzz "github.com/google/gofuzz"
 runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
- "k8s.io/utils/pointer"
+ logsapi "k8s.io/component-base/logs/api/v1"

 "github.com/cert-manager/cert-manager/internal/apis/config/webhook"
 )
@@ -30,15 +30,11 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 func(s *webhook.WebhookConfiguration, c fuzz.Continue) {
 c.FuzzNoCustom(s) // fuzz self without calling this function again

- if s.HealthzPort == nil {
- s.HealthzPort = pointer.Int(12)
- }
- if s.SecurePort == nil {
- s.SecurePort = pointer.Int(123)
- }
 if s.PprofAddress == "" {
- s.PprofAddress = "something:1234"
+ s.PprofAddress = "test-roundtrip"
 }
+
+ logsapi.SetRecommendedLoggingConfiguration(&s.Logging)
 },
 }
 }
diff --git a/internal/apis/config/webhook/types.go b/internal/apis/config/webhook/types.go
index 53e6d7e8e54..a1bbccbe958 100644
--- a/internal/apis/config/webhook/types.go
+++ b/internal/apis/config/webhook/types.go
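Review bot: The integer fields the old body pinned (`KubernetesAPIQPS`, `KubernetesAPIBurst`, `NumberOfConcurrentWorkers`, `MaxConcurrentChallenges`) get no zero guard in the new body, while every string, slice and duration field does; if the v1alpha1 defaulting fills those integers when they are zero — which is what the `== ""`/`== 0` guards here appear to assume for the other fields, though the controller defaults file is not part of this patch — a fuzzed zero would make the round trip diverge. A guard in the same shape, e.g. `if s.KubernetesAPIQPS == 0 { s.KubernetesAPIQPS = 8875 }` per field, would close that gap. As a point of style, the literals `"test-roundtrip"` and `time.Second * 8875` are repeated roughly twenty times; hoisting them to `const roundTripString = "test-roundtrip"` and `const roundTripDuration = 8875 * time.Second`, with a one-line comment saying they are chosen so they cannot coincide with a real default, would make the intent explicit, and `== time.Duration(0)` can simply be `== 0`. The enclosing `var Funcs` closure starts before this hunk.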
@@ -28,11 +28,11 @@ type WebhookConfiguration struct {

 // securePort is the port number to listen on for secure TLS connections from the kube-apiserver.
 // Defaults to 6443.
- SecurePort *int
+ SecurePort int32

 // healthzPort is the port number to listen on (using plaintext HTTP) for healthz connections.
 // Defaults to 6080.
- HealthzPort *int
+ HealthzPort int32

 // tlsConfig is used to configure the secure listener's TLS settings.
 TLSConfig TLSConfig
diff --git a/internal/apis/config/webhook/v1alpha1/defaults.go b/internal/apis/config/webhook/v1alpha1/defaults.go
index d698a6f9670..700b8aead85 100644
--- a/internal/apis/config/webhook/v1alpha1/defaults.go
+++ b/internal/apis/config/webhook/v1alpha1/defaults.go
@@ -19,7 +19,7 @@ package v1alpha1
 import (
 "k8s.io/apimachinery/pkg/runtime"
 logsapi "k8s.io/component-base/logs/api/v1"
- "k8s.io/utils/pointer"
+ "k8s.io/utils/ptr"

 "github.com/cert-manager/cert-manager/pkg/apis/config/webhook/v1alpha1"
 )
@@ -30,10 +30,10 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {

 func SetDefaults_WebhookConfiguration(obj *v1alpha1.WebhookConfiguration) {
 if obj.SecurePort == nil {
- obj.SecurePort = pointer.Int(6443)
+ obj.SecurePort = ptr.To(int32(6443))
 }
 if obj.HealthzPort == nil {
- obj.HealthzPort = pointer.Int(6080)
+ obj.HealthzPort = ptr.To(int32(6080))
 }
 if obj.PprofAddress == "" {
 obj.PprofAddress = "localhost:6060"
diff --git a/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go b/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go
index c1637e1fe8f..0991c333af2 100644
--- a/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go
+++ b/internal/apis/config/webhook/v1alpha1/zz_generated.conversion.go
@@ -26,6 +26,7 @@ import ( webhook "github.com/cert-manager/cert-manager/internal/apis/config/webhook" v1alpha1 "github.com/cert-manager/cert-manager/pkg/apis/config/webhook/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" conversion "k8s.io/apimachinery/pkg/conversion" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -161,8 +162,12 @@ func Convert_webhook_TLSConfig_To_v1alpha1_TLSConfig(in *webhook.TLSConfig, out } func autoConvert_v1alpha1_WebhookConfiguration_To_webhook_WebhookConfiguration(in *v1alpha1.WebhookConfiguration, out *webhook.WebhookConfiguration, s conversion.Scope) error { - out.SecurePort = (*int)(unsafe.Pointer(in.SecurePort)) - out.HealthzPort = (*int)(unsafe.Pointer(in.HealthzPort)) + if err := v1.Convert_Pointer_int32_To_int32(&in.SecurePort, &out.SecurePort, s); err != nil { + return err + } + if err := v1.Convert_Pointer_int32_To_int32(&in.HealthzPort, &out.HealthzPort, s); err != nil { + return err + } if err := Convert_v1alpha1_TLSConfig_To_webhook_TLSConfig(&in.TLSConfig, &out.TLSConfig, s); err != nil { return err } @@ -181,8 +186,12 @@ func Convert_v1alpha1_WebhookConfiguration_To_webhook_WebhookConfiguration(in *v } func autoConvert_webhook_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(in *webhook.WebhookConfiguration, out *v1alpha1.WebhookConfiguration, s conversion.Scope) error { - out.SecurePort = (*int)(unsafe.Pointer(in.SecurePort)) - out.HealthzPort = (*int)(unsafe.Pointer(in.HealthzPort)) + if err := v1.Convert_int32_To_Pointer_int32(&in.SecurePort, &out.SecurePort, s); err != nil { + return err + } + if err := v1.Convert_int32_To_Pointer_int32(&in.HealthzPort, &out.HealthzPort, s); err != nil { + return err + } if err := Convert_webhook_TLSConfig_To_v1alpha1_TLSConfig(&in.TLSConfig, &out.TLSConfig, s); err != nil { return err } diff --git a/internal/apis/config/webhook/validation/validation.go b/internal/apis/config/webhook/validation/validation.go index 1a130909911..d2535d8a91c 100644 
--- a/internal/apis/config/webhook/validation/validation.go +++ b/internal/apis/config/webhook/validation/validation.go @@ -48,11 +48,11 @@ func ValidateWebhookConfiguration(cfg *config.WebhookConfiguration) error { } } } - if cfg.HealthzPort == nil { - allErrors = append(allErrors, fmt.Errorf("invalid configuration: healthzPort must be specified")) + if cfg.HealthzPort < 0 || cfg.HealthzPort > 65535 { + allErrors = append(allErrors, fmt.Errorf("invalid configuration: healthzPort must be a valid port number")) } - if cfg.SecurePort == nil { - allErrors = append(allErrors, fmt.Errorf("invalid configuration: securePort must be specified")) + if cfg.SecurePort < 0 || cfg.SecurePort > 65535 { + allErrors = append(allErrors, fmt.Errorf("invalid configuration: securePort must be a valid port number")) } return utilerrors.NewAggregate(allErrors) } diff --git a/internal/apis/config/webhook/zz_generated.deepcopy.go b/internal/apis/config/webhook/zz_generated.deepcopy.go index 655700ded8e..ad34e289484 100644 --- a/internal/apis/config/webhook/zz_generated.deepcopy.go +++ b/internal/apis/config/webhook/zz_generated.deepcopy.go @@ -89,16 +89,6 @@ func (in *TLSConfig) DeepCopy() *TLSConfig { func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in out.TypeMeta = in.TypeMeta - if in.SecurePort != nil { - in, out := &in.SecurePort, &out.SecurePort - *out = new(int) - **out = **in - } - if in.HealthzPort != nil { - in, out := &in.HealthzPort, &out.HealthzPort - *out = new(int) - **out = **in - } in.TLSConfig.DeepCopyInto(&out.TLSConfig) in.Logging.DeepCopyInto(&out.Logging) if in.FeatureGates != nil { diff --git a/internal/webhook/webhook.go b/internal/webhook/webhook.go index d2bbddce8fa..1983a10dda1 100644 --- a/internal/webhook/webhook.go +++ b/internal/webhook/webhook.go 
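Review bot: The new range checks on `cfg.HealthzPort` and `cfg.SecurePort` in `ValidateWebhookConfiguration` accept 0, which after the `*int` → `int32` switch is also the zero value of a field that was never set; the `== nil` checks they replace rejected an unspecified port, so an internal configuration that reaches validation without the v1alpha1 defaulting having run now passes with port 0, and the `fmt.Sprintf(":%d", ...)` listen addresses in `NewCertManagerWebhookServer` would presumably bind ephemeral ports. Unless port 0 is meant to be a supported setting, tighten the lower bound: `if cfg.HealthzPort < 1 || cfg.HealthzPort > 65535 {` and `if cfg.SecurePort < 1 || cfg.SecurePort > 65535 {`. The two checks could also share a small `validPort(p int32) bool` helper so the range is defined once. `ValidateWebhookConfiguration` starts before this hunk.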
@@ -71,8 +71,8 @@ func NewCertManagerWebhookServer(log logr.Logger, opts config.WebhookConfigurati
 }

 s := &server.Server{
- ListenAddr: fmt.Sprintf(":%d", *opts.SecurePort),
- HealthzAddr: fmt.Sprintf(":%d", *opts.HealthzPort),
+ ListenAddr: fmt.Sprintf(":%d", opts.SecurePort),
+ HealthzAddr: fmt.Sprintf(":%d", opts.HealthzPort),
 EnablePprof: opts.EnablePprof,
 PprofAddr: opts.PprofAddress,
 CertificateSource: buildCertificateSource(log, opts.TLSConfig, restcfg),
diff --git a/pkg/apis/config/webhook/v1alpha1/types.go b/pkg/apis/config/webhook/v1alpha1/types.go
index 6ef03ddf4a2..1d39615a322 100644
--- a/pkg/apis/config/webhook/v1alpha1/types.go
+++ b/pkg/apis/config/webhook/v1alpha1/types.go
@@ -28,11 +28,11 @@ type WebhookConfiguration struct {

 // securePort is the port number to listen on for secure TLS connections from the kube-apiserver.
 // Defaults to 6443.
- SecurePort *int `json:"securePort,omitempty"`
+ SecurePort *int32 `json:"securePort,omitempty"`

 // healthzPort is the port number to listen on (using plaintext HTTP) for healthz connections.
 // Defaults to 6080.
- HealthzPort *int `json:"healthzPort,omitempty"`
+ HealthzPort *int32 `json:"healthzPort,omitempty"`

 // tlsConfig is used to configure the secure listener's TLS settings.
 TLSConfig TLSConfig `json:"tlsConfig"`
diff --git a/pkg/apis/config/webhook/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/config/webhook/v1alpha1/zz_generated.deepcopy.go
index 0484144972b..9fe3d916bbb 100644
--- a/pkg/apis/config/webhook/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/config/webhook/v1alpha1/zz_generated.deepcopy.go
@@ -91,12 +91,12 @@ func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { out.TypeMeta = in.TypeMeta if in.SecurePort != nil { in, out := &in.SecurePort, &out.SecurePort - *out = new(int) + *out = new(int32) **out = **in } if in.HealthzPort != nil { in, out := &in.HealthzPort, &out.HealthzPort - *out = new(int) + *out = new(int32) **out = **in } in.TLSConfig.DeepCopyInto(&out.TLSConfig) diff --git a/pkg/webhook/options/options.go b/pkg/webhook/options/options.go index c2941023afc..e2fd19ac7c8 100644 --- a/pkg/webhook/options/options.go +++ b/pkg/webhook/options/options.go @@ -58,8 +58,8 @@ func NewWebhookConfiguration() (*config.WebhookConfiguration, error) { } func AddConfigFlags(fs *pflag.FlagSet, c *config.WebhookConfiguration) { - fs.IntVar(c.SecurePort, "secure-port", *c.SecurePort, "port number to listen on for secure TLS connections") - fs.IntVar(c.HealthzPort, "healthz-port", *c.HealthzPort, "port number to listen on for insecure healthz connections") + fs.Int32Var(&c.SecurePort, "secure-port", c.SecurePort, "port number to listen on for secure TLS connections") + fs.Int32Var(&c.HealthzPort, "healthz-port", c.HealthzPort, "port number to listen on for insecure healthz connections") fs.StringVar(&c.TLSConfig.Filesystem.CertFile, "tls-cert-file", c.TLSConfig.Filesystem.CertFile, "path to the file containing the TLS certificate to serve with") fs.StringVar(&c.TLSConfig.Filesystem.KeyFile, "tls-private-key-file", c.TLSConfig.Filesystem.KeyFile, "path to the file containing the TLS private key to serve with")