From 06989d789729d8384ad1b5ee1fd17a3cdd43ddd4 Mon Sep 17 00:00:00 2001
From: Andi Li
Date: Fri, 28 Aug 2020 12:06:28 -0400
Subject: [PATCH] Update documentation. Minor cleanup and change default fail policy and timeout on webhook config.
---
 README.md | 10 ++++++++--
 deploy/kubernetes/webhook-example/README.md | 4 ++--
 .../admission-configuration-template | 8 ++++----
 pkg/validation-webhook/webhook.go | 14 ++++++-------
 4 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 668c3073..8fbdae7e 100644
--- a/README.md
+++ b/README.md
@@ -83,12 +83,18 @@ Install CSI Driver:
 ### Validating Webhook
-The snapshot validating webhook is an HTTP callback which responds to [admission requests](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It is part of a larger [plan](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md) to tighten validation for volume snapshot objects. This webhook introduces the [ratcheting validation](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md#backwards-compatibility) mechanism targeting the tighter validation.
+The snapshot validating webhook is an HTTP callback which responds to [admission requests](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It is part of a larger [plan](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md) to tighten validation for volume snapshot objects. This webhook introduces the [ratcheting validation](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md#backwards-compatibility) mechanism targeting the tighter validation. The cluster admin or Kubernetes distribution admin should install the webhook alongside the snapshot controllers and CRDs.
-> :warning: **WARNING**: Choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from `v1beta1` to `v1` volumesnapshot API if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects.
+> :warning: **WARNING**: Cluster admins choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from `v1beta1` to `v1` volumesnapshot API, if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects.
 Read more about how to install the example webhook [here](deploy/kubernetes/webhook-example/README.md).
+#### Validating Webhook Command Line Options
+
+* `--tls-cert-file`: File containing the x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). Required.
+* `--tls-private-key-file`: File containing the x509 private key matching --tls-cert-file. Required.
+* `--port`: Secure port that the webhook listens on (default 443)
+
 ### Snapshot controller command line options
 #### Important optional arguments that are highly recommended to be used
diff --git a/deploy/kubernetes/webhook-example/README.md b/deploy/kubernetes/webhook-example/README.md
index a1dd4206..05b15bcd 100644
--- a/deploy/kubernetes/webhook-example/README.md
+++ b/deploy/kubernetes/webhook-example/README.md
@@ -1,8 +1,8 @@
 # Validating Webhook
-The snapshot validating webhook is an HTTP callback which responds to [admission requests](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It is part of a larger [plan](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md) to tighten validation for volume snapshot objects. This webhook introduces the [ratcheting validation](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md#backwards-compatibility) mechanism targeting the tighter validation.
+The snapshot validating webhook is an HTTP callback which responds to [admission requests](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). It is part of a larger [plan](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md) to tighten validation for volume snapshot objects. This webhook introduces the [ratcheting validation](https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md#backwards-compatibility) mechanism targeting the tighter validation. The cluster admin or Kubernetes distribution admin should install the webhook alongside the snapshot controllers and CRDs.
-> :warning: **WARNING**: Choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from `v1beta1` to `v1` volumesnapshot API if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects.
+> :warning: **WARNING**: Cluster admins choosing not to install the webhook server and participate in the phased release process can cause future problems when upgrading from `v1beta1` to `v1` volumesnapshot API, if there are currently persisted objects which fail the new stricter validation. Potential impacts include being unable to delete invalid snapshot objects. ## Prerequisites diff --git a/deploy/kubernetes/webhook-example/admission-configuration-template b/deploy/kubernetes/webhook-example/admission-configuration-template index 3c331df9..bca65009 100644 --- a/deploy/kubernetes/webhook-example/admission-configuration-template +++ b/deploy/kubernetes/webhook-example/admission-configuration-template @@ -1,10 +1,10 @@ apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - name: "validation-webhook.storage.sigs.k8s.io" + name: "validation-webhook.snapshot.storage.k8s.io" namespace: "default" webhooks: -- name: "snapshot.validation-webhook.storage.sigs.k8s.io" +- name: "validation-webhook.snapshot.storage.k8s.io" rules: - apiGroups: ["snapshot.storage.k8s.io"] apiVersions: ["v1beta1"] @@ -19,5 +19,5 @@ webhooks: caBundle: ${CA_BUNDLE} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None - failurePolicy: Fail # We recommend switching to Fail only after successful installation of the server and webhook. - timeoutSeconds: 10 # This will affect the latency and performance. Finetune this value based on your application's tolerance. \ No newline at end of file + failurePolicy: Ignore # We recommend switching to Fail only after successful installation of the webhook server and webhook. + timeoutSeconds: 2 # This will affect the latency and performance. Finetune this value based on your application's tolerance. \ No newline at end of file diff --git a/pkg/validation-webhook/webhook.go b/pkg/validation-webhook/webhook.go index 12433659..69d8b51f 100644 --- a/pkg/validation-webhook/webhook.go 
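Review bot: With the new defaults `failurePolicy: Ignore` and `timeoutSeconds: 2`, any time the webhook is unreachable, slow to answer, or mis-registered (stale `caBundle`, Service not yet ready) the API server admits VolumeSnapshot/VolumeSnapshotContent objects without the ratcheting validation ever running, which is exactly how the invalid persisted objects the README warning describes get created, and nothing in the template tells the operator when that has happened. The inline comment only says to switch to Fail after installation; it should spell out the fail-open consequence and the check, e.g. `failurePolicy: Ignore # Ignore admits objects UNVALIDATED whenever the webhook is down, mis-registered or slower than timeoutSeconds; once the server demonstrably rejects an invalid snapshot, change this to Fail, otherwise invalid objects are persisted silently.` The 2-second timeout is also well below Kubernetes' own default of 10, and its meaning flips with the policy: under Ignore a cold TLS handshake or a scheduling hiccup is enough to fall open, while under Fail the same value would reject legitimate requests, so the comment should state which of those cases the value was tuned for. Whether 2s is realistic for this server is not visible here and would need measuring in a real deployment.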
+++ b/pkg/validation-webhook/webhook.go
@@ -28,8 +28,6 @@ import (
 "k8s.io/api/admission/v1beta1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/klog"
- // TODO: try this library to see if it generates correct json patch
- // https://github.com/mattbaird/jsonpatch
 )
 var (
@@ -38,22 +36,22 @@ var (
 port int
 )
-// CmdWebhook is used by agnhost Cobra.
+// CmdWebhook is used by Cobra.
 var CmdWebhook = &cobra.Command{
 Use: "validation-webhook",
- Short: "Starts a HTTP server, useful for testing MutatingAdmissionWebhook and ValidatingAdmissionWebhook",
- Long: `Starts a HTTP server, useful for testing MutatingAdmissionWebhook and ValidatingAdmissionWebhook.
+ Short: "Starts a HTTPS server, uses ValidatingAdmissionWebhook to perform ratcheting validation on VolumeSnapshot and VolumeSnapshotContent",
+ Long: `Starts a HTTPS server, uses ValidatingAdmissionWebhook to perform ratcheting validation on VolumeSnapshot and VolumeSnapshotContent.
 After deploying it to Kubernetes cluster, the Administrator needs to create a ValidatingWebhookConfiguration
-in the Kubernetes cluster to register remote webhook admission controllers.`,
+in the Kubernetes cluster to register remote webhook admission controllers. Phase one of https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/177-volume-snapshot/tighten-validation-webhook-crd.md`,
 Args: cobra.MaximumNArgs(0),
 Run: main,
 }
 func init() {
 CmdWebhook.Flags().StringVar(&certFile, "tls-cert-file", "",
- "File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert).")
+ "File containing the x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). Required.")
 CmdWebhook.Flags().StringVar(&keyFile, "tls-private-key-file", "",
- "File containing the default x509 private key matching --tls-cert-file.")
+ "File containing the x509 private key matching --tls-cert-file. Required.")
 CmdWebhook.Flags().IntVar(&port, "port", 443, "Secure port that the webhook listens on")
 CmdWebhook.MarkFlagRequired("tls-cert-file")