fix fuzzer and switch *int to int32 for internal wehook config

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>

go.mod

@@ -47,7 +47,7 @@ require (
 	k8s.io/klog/v2 v2.100.1
 	k8s.io/kube-aggregator v0.27.4
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
-	k8s.io/utils v0.0.0-20230711102312-30195339c3c7
+	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.15.0
 	sigs.k8s.io/controller-tools v0.12.1
 	sigs.k8s.io/gateway-api v0.7.1

go.sum

@@ -989,8 +989,8 @@ k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc=
 k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
-k8s.io/utils v0.0.0-20230711102312-30195339c3c7 h1:ZgnF1KZsYxWIifwSNZFZgNtWE89WI5yiP5WwlfDoIyc=
-k8s.io/utils v0.0.0-20230711102312-30195339c3c7/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
+k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

internal/apis/config/controller/fuzzer/fuzzer.go

@@ -17,11 +17,11 @@ limitations under the License.
 package fuzzer
 
 import (
+	"time"
+
 	fuzz "github.com/google/gofuzz"
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/component-base/logs"
-
-	"time"
+	logsapi "k8s.io/component-base/logs/api/v1"
 
 	"github.com/cert-manager/cert-manager/internal/apis/config/controller"
 )
@@ -33,46 +33,87 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 		func(s *controller.ControllerConfiguration, c fuzz.Continue) {
 			c.FuzzNoCustom(s) // fuzz self without calling this function again
 
-			defaultTime := 60 * time.Second
-			s.APIServerHost = "defaultHost"
-			s.KubeConfig = "defaultConfig"
-			s.KubernetesAPIQPS = 10
-			s.KubernetesAPIBurst = 10
-			s.ClusterResourceNamespace = "defaultClusterResourceNamespace"
-			s.Namespace = "defaultNamespace"
-			s.LeaderElectionConfig.Enabled = true
-			s.LeaderElectionConfig.Namespace = "defaultLeaderElectionNamespace"
-			s.LeaderElectionConfig.LeaseDuration = defaultTime
-			s.LeaderElectionConfig.RenewDeadline = defaultTime
-			s.LeaderElectionConfig.RetryPeriod = defaultTime
-			s.Controllers = []string{"*"}
-			s.ACMEHTTP01Config.SolverImage = "defaultACMEHTTP01SolverImage"
-			s.ACMEHTTP01Config.SolverResourceRequestCPU = "10m"
-			s.ACMEHTTP01Config.SolverResourceRequestMemory = "64Mi"
-			s.ACMEHTTP01Config.SolverResourceLimitsCPU = "100m"
-			s.ACMEHTTP01Config.SolverResourceLimitsMemory = "64Mi"
-			s.ACMEHTTP01Config.SolverRunAsNonRoot = true
-			s.ACMEHTTP01Config.SolverNameservers = []string{"8.8.8.8:53"}
-			s.ClusterIssuerAmbientCredentials = true
-			s.IssuerAmbientCredentials = true
-			s.IngressShimConfig.DefaultIssuerName = "defaultTLSACMEIssuerName"
-			s.IngressShimConfig.DefaultIssuerKind = "defaultIssuerKind"
-			s.IngressShimConfig.DefaultIssuerGroup = "defaultTLSACMEIssuerGroup"
-			s.IngressShimConfig.DefaultAutoCertificateAnnotations = []string{"kubernetes.io/tls-acme"}
-			s.ACMEDNS01Config.RecursiveNameservers = []string{"8.8.8.8:53"}
-			s.ACMEDNS01Config.RecursiveNameserversOnly = true
-			s.EnableCertificateOwnerRef = true
-			s.NumberOfConcurrentWorkers = 1
-			s.MaxConcurrentChallenges = 1
-			s.MetricsListenAddress = "0.0.0.0:9402"
-			s.HealthzListenAddress = "0.0.0.0:9402"
-			s.LeaderElectionConfig.HealthzTimeout = defaultTime
-			s.EnablePprof = true
-			s.PprofAddress = "something:1234"
-			temp := logs.NewOptions()
-			s.Logging = *temp
-			s.CopiedAnnotationPrefixes = []string{"*", "-kubectl.kubernetes.io/", "-fluxcd.io/", "-argocd.argoproj.io/"}
+			if s.ClusterResourceNamespace == "" {
+				s.ClusterResourceNamespace = "test-roundtrip"
+			}
+
+			if len(s.Controllers) == 0 {
+				s.Controllers = []string{"test-roundtrip"}
+			}
+
+			if len(s.CopiedAnnotationPrefixes) == 0 {
+				s.CopiedAnnotationPrefixes = []string{"test-roundtrip"}
+			}
+
+			if s.MetricsListenAddress == "" {
+				s.MetricsListenAddress = "test-roundtrip"
+			}
+
+			if s.HealthzListenAddress == "" {
+				s.HealthzListenAddress = "test-roundtrip"
+			}
+
+			if s.PprofAddress == "" {
+				s.PprofAddress = "test-roundtrip"
+			}
+
+			logsapi.SetRecommendedLoggingConfiguration(&s.Logging)
+
+			if s.LeaderElectionConfig.Namespace == "" {
+				s.LeaderElectionConfig.Namespace = "test-roundtrip"
+			}
+
+			if s.LeaderElectionConfig.LeaseDuration == time.Duration(0) {
+				s.LeaderElectionConfig.LeaseDuration = time.Second * 8875
+			}
+
+			if s.LeaderElectionConfig.RenewDeadline == time.Duration(0) {
+				s.LeaderElectionConfig.RenewDeadline = time.Second * 8875
+			}
+
+			if s.LeaderElectionConfig.RetryPeriod == time.Duration(0) {
+				s.LeaderElectionConfig.RetryPeriod = time.Second * 8875
+			}
+
+			if s.LeaderElectionConfig.HealthzTimeout == time.Duration(0) {
+				s.LeaderElectionConfig.HealthzTimeout = time.Second * 8875
+			}
+
+			if s.IngressShimConfig.DefaultIssuerKind == "" {
+				s.IngressShimConfig.DefaultIssuerKind = "test-roundtrip"
+			}
+
+			if s.IngressShimConfig.DefaultIssuerGroup == "" {
+				s.IngressShimConfig.DefaultIssuerGroup = "test-roundtrip"
+			}
+
+			if len(s.IngressShimConfig.DefaultAutoCertificateAnnotations) == 0 {
+				s.IngressShimConfig.DefaultAutoCertificateAnnotations = []string{"test-roundtrip"}
+			}
+
+			if s.ACMEHTTP01Config.SolverImage == "" {
+				s.ACMEHTTP01Config.SolverImage = "test-roundtrip"
+			}
+
+			if s.ACMEHTTP01Config.SolverResourceRequestCPU == "" {
+				s.ACMEHTTP01Config.SolverResourceRequestCPU = "test-roundtrip"
+			}
+
+			if s.ACMEHTTP01Config.SolverResourceRequestMemory == "" {
+				s.ACMEHTTP01Config.SolverResourceRequestMemory = "test-roundtrip"
+			}
+
+			if s.ACMEHTTP01Config.SolverResourceLimitsCPU == "" {
+				s.ACMEHTTP01Config.SolverResourceLimitsCPU = "test-roundtrip"
+			}
+
+			if s.ACMEHTTP01Config.SolverResourceLimitsMemory == "" {
+				s.ACMEHTTP01Config.SolverResourceLimitsMemory = "test-roundtrip"
+			}
 
+			if s.ACMEDNS01Config.CheckRetryPeriod == time.Duration(0) {
+				s.ACMEDNS01Config.CheckRetryPeriod = time.Second * 8875
+			}
 		},
 	}
 }

internal/apis/config/webhook/fuzzer/fuzzer.go

@@ -19,7 +19,7 @@ package fuzzer
 import (
 	fuzz "github.com/google/gofuzz"
 	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
-	"k8s.io/utils/pointer"
+	logsapi "k8s.io/component-base/logs/api/v1"
 
 	"github.com/cert-manager/cert-manager/internal/apis/config/webhook"
 )
@@ -30,15 +30,11 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 		func(s *webhook.WebhookConfiguration, c fuzz.Continue) {
 			c.FuzzNoCustom(s) // fuzz self without calling this function again
 
-			if s.HealthzPort == nil {
-				s.HealthzPort = pointer.Int(12)
-			}
-			if s.SecurePort == nil {
-				s.SecurePort = pointer.Int(123)
-			}
 			if s.PprofAddress == "" {
-				s.PprofAddress = "something:1234"
+				s.PprofAddress = "test-roundtrip"
 			}
+
+			logsapi.SetRecommendedLoggingConfiguration(&s.Logging)
 		},
 	}
 }

internal/apis/config/webhook/types.go

@@ -28,11 +28,11 @@ type WebhookConfiguration struct {
 
 	// securePort is the port number to listen on for secure TLS connections from the kube-apiserver.
 	// Defaults to 6443.
-	SecurePort *int
+	SecurePort int32
 
 	// healthzPort is the port number to listen on (using plaintext HTTP) for healthz connections.
 	// Defaults to 6080.
-	HealthzPort *int
+	HealthzPort int32
 
 	// tlsConfig is used to configure the secure listener's TLS settings.
 	TLSConfig TLSConfig

internal/apis/config/webhook/v1alpha1/defaults.go

@@ -19,7 +19,7 @@ package v1alpha1
 import (
 	"k8s.io/apimachinery/pkg/runtime"
 	logsapi "k8s.io/component-base/logs/api/v1"
-	"k8s.io/utils/pointer"
+	"k8s.io/utils/ptr"
 
 	"github.com/cert-manager/cert-manager/pkg/apis/config/webhook/v1alpha1"
 )
@@ -30,10 +30,10 @@ func addDefaultingFuncs(scheme *runtime.Scheme) error {
 
 func SetDefaults_WebhookConfiguration(obj *v1alpha1.WebhookConfiguration) {
 	if obj.SecurePort == nil {
-		obj.SecurePort = pointer.Int(6443)
+		obj.SecurePort = ptr.To(int32(6443))
 	}
 	if obj.HealthzPort == nil {
-		obj.HealthzPort = pointer.Int(6080)
+		obj.HealthzPort = ptr.To(int32(6080))
 	}
 	if obj.PprofAddress == "" {
 		obj.PprofAddress = "localhost:6060"

internal/apis/config/webhook/validation/validation.go

@@ -48,11 +48,11 @@ func ValidateWebhookConfiguration(cfg *config.WebhookConfiguration) error {
 			}
 		}
 	}
-	if cfg.HealthzPort == nil {
-		allErrors = append(allErrors, fmt.Errorf("invalid configuration: healthzPort must be specified"))
+	if cfg.HealthzPort < 0 || cfg.HealthzPort > 65535 {
+		allErrors = append(allErrors, fmt.Errorf("invalid configuration: healthzPort must be a valid port number"))
 	}
-	if cfg.SecurePort == nil {
-		allErrors = append(allErrors, fmt.Errorf("invalid configuration: securePort must be specified"))
+	if cfg.SecurePort < 0 || cfg.SecurePort > 65535 {
+		allErrors = append(allErrors, fmt.Errorf("invalid configuration: securePort must be a valid port number"))
 	}
 	return utilerrors.NewAggregate(allErrors)
 }

internal/webhook/webhook.go

@@ -71,8 +71,8 @@ func NewCertManagerWebhookServer(log logr.Logger, opts config.WebhookConfigurati
 	}
 
 	s := &server.Server{
-		ListenAddr:        fmt.Sprintf(":%d", *opts.SecurePort),
-		HealthzAddr:       fmt.Sprintf(":%d", *opts.HealthzPort),
+		ListenAddr:        fmt.Sprintf(":%d", opts.SecurePort),
+		HealthzAddr:       fmt.Sprintf(":%d", opts.HealthzPort),
 		EnablePprof:       opts.EnablePprof,
 		PprofAddr:         opts.PprofAddress,
 		CertificateSource: buildCertificateSource(log, opts.TLSConfig, restcfg),

pkg/apis/config/webhook/v1alpha1/types.go

@@ -28,11 +28,11 @@ type WebhookConfiguration struct {
 
 	// securePort is the port number to listen on for secure TLS connections from the kube-apiserver.
 	// Defaults to 6443.
-	SecurePort *int `json:"securePort,omitempty"`
+	SecurePort *int32 `json:"securePort,omitempty"`
 
 	// healthzPort is the port number to listen on (using plaintext HTTP) for healthz connections.
 	// Defaults to 6080.
-	HealthzPort *int `json:"healthzPort,omitempty"`
+	HealthzPort *int32 `json:"healthzPort,omitempty"`
 
 	// tlsConfig is used to configure the secure listener's TLS settings.
 	TLSConfig TLSConfig `json:"tlsConfig"`

pkg/webhook/options/options.go

@@ -58,8 +58,8 @@ func NewWebhookConfiguration() (*config.WebhookConfiguration, error) {
 }
 
 func AddConfigFlags(fs *pflag.FlagSet, c *config.WebhookConfiguration) {
-	fs.IntVar(c.SecurePort, "secure-port", *c.SecurePort, "port number to listen on for secure TLS connections")
-	fs.IntVar(c.HealthzPort, "healthz-port", *c.HealthzPort, "port number to listen on for insecure healthz connections")
+	fs.Int32Var(&c.SecurePort, "secure-port", c.SecurePort, "port number to listen on for secure TLS connections")
+	fs.Int32Var(&c.HealthzPort, "healthz-port", c.HealthzPort, "port number to listen on for insecure healthz connections")
 
 	fs.StringVar(&c.TLSConfig.Filesystem.CertFile, "tls-cert-file", c.TLSConfig.Filesystem.CertFile, "path to the file containing the TLS certificate to serve with")
 	fs.StringVar(&c.TLSConfig.Filesystem.KeyFile, "tls-private-key-file", c.TLSConfig.Filesystem.KeyFile, "path to the file containing the TLS private key to serve with")