✨ webhook: add an option to recover from panics in handler

[isitinschi]

Currently, a panic occcurence in a webhook handler is not recovered and crashes the webhook server.

This change adds an option to Webhook to recover panics similar to how it is handled in Reconciler. It ensures that panics are converted to normal error response.

[k8s-ci-robot]

Hi @isitinschi. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[isitinschi]

@vincepri WDYT?

[christopherhein]

/ok-to-test

[FillZpp]

Please sort the imports

[FillZpp]

It will be better if we support to set it in pkg/builder/webhook.go.

[isitinschi]

/test pull-controller-runtime-test-master

[isitinschi]

@FillZpp thank you for the review. I've addressed all your suggestions. PTAL

[FillZpp]

How about just defined as func (blder *WebhookBuilder) RecoverPanic() * WebhookBuilder so that recoverPanic should be true if it is called?

[FillZpp]

I have a little concern about these public API change, not sure if there were some ppl directly use them.

So how about a new func (wh *Webhook) WithRecoverPanic*(enable bool) *Webhook and you can use it in builder/webhook like this return admission.ValidatingWebhookFor(validator).WithRecoverPanic(blder. recoverPanic)

[isitinschi]

@FillZpp is it better like this?

[FillZpp]

/lgtm

/cc @alvaroaleman

[isitinschi]

@alvaroaleman Does it look good to you to be merged?

[vincepri]

Shouldn't this if condition be before the recover()?

[isitinschi]

We won't be able to process the panic if we don't recover from it first. Panic recovery works the same way in controller.go:

controller-runtime/pkg/internal/controller/controller.go

Lines 104 to 122 in 15154aa

	// Reconcile implements reconcile.Reconciler.
	func (c *Controller) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
	defer func() {
	if r := recover(); r != nil {
	if c.RecoverPanic {
	for _, fn := range utilruntime.PanicHandlers {
	fn(r)
	}
	err = fmt.Errorf("panic: %v [recovered]", r)
	return
	}
	log := logf.FromContext(ctx)
	log.Info(fmt.Sprintf("Observed a panic in reconciler: %v", r))
	panic(r)
	}
	}()
	return c.Do.Reconcile(ctx, req)
	}

[alvaroaleman]

But we don't want to process it when RecoverPanic is false? What is done in controller.go seems quite pointless to me and IIRC the r won't contain the stacktrace?

[isitinschi]

Makes sense, let's make RecoverPanic flag more fair and really not process anything if it is set to false. Adjusted my PR accordingly 👍

[isitinschi]

@vincepri @alvaroaleman does it look good to you?

[alvaroaleman]

Suggested change

	defer func() {
	if wh.RecoverPanic {
	if wh.RecoverPanic
	defer func() {

[isitinschi]

Done ✅

[alvaroaleman]

Thank you!
/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, isitinschi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [alvaroaleman]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment