update dependencies (#6267)

Signed-off-by: hongming <coder.scala@gmail.com>

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/decode.go

@@ -26,22 +26,35 @@ import (
 
 // Decoder knows how to decode the contents of an admission
 // request into a concrete object.
-type Decoder struct {
+type Decoder interface {
+	// Decode decodes the inlined object in the AdmissionRequest into the passed-in runtime.Object.
+	// If you want decode the OldObject in the AdmissionRequest, use DecodeRaw.
+	// It errors out if req.Object.Raw is empty i.e. containing 0 raw bytes.
+	Decode(req Request, into runtime.Object) error
+
+	// DecodeRaw decodes a RawExtension object into the passed-in runtime.Object.
+	// It errors out if rawObj is empty i.e. containing 0 raw bytes.
+	DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error
+}
+
+// decoder knows how to decode the contents of an admission
+// request into a concrete object.
+type decoder struct {
 	codecs serializer.CodecFactory
 }
 
-// NewDecoder creates a Decoder given the runtime.Scheme.
-func NewDecoder(scheme *runtime.Scheme) *Decoder {
+// NewDecoder creates a decoder given the runtime.Scheme.
+func NewDecoder(scheme *runtime.Scheme) Decoder {
 	if scheme == nil {
 		panic("scheme should never be nil")
 	}
-	return &Decoder{codecs: serializer.NewCodecFactory(scheme)}
+	return &decoder{codecs: serializer.NewCodecFactory(scheme)}
 }
 
 // Decode decodes the inlined object in the AdmissionRequest into the passed-in runtime.Object.
 // If you want decode the OldObject in the AdmissionRequest, use DecodeRaw.
 // It errors out if req.Object.Raw is empty i.e. containing 0 raw bytes.
-func (d *Decoder) Decode(req Request, into runtime.Object) error {
+func (d *decoder) Decode(req Request, into runtime.Object) error {
 	// we error out if rawObj is an empty object.
 	if len(req.Object.Raw) == 0 {
 		return fmt.Errorf("there is no content to decode")
@@ -51,7 +64,7 @@ func (d *Decoder) Decode(req Request, into runtime.Object) error {
 
 // DecodeRaw decodes a RawExtension object into the passed-in runtime.Object.
 // It errors out if rawObj is empty i.e. containing 0 raw bytes.
-func (d *Decoder) DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error {
+func (d *decoder) DecodeRaw(rawObj runtime.RawExtension, into runtime.Object) error {
 	// NB(directxman12): there's a bug/weird interaction between decoders and
 	// the API server where the API server doesn't send a GVK on the embedded
 	// objects, which means the unstructured decoder refuses to decode.  It

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter.go

@@ -43,7 +43,7 @@ func DefaultingWebhookFor(scheme *runtime.Scheme, defaulter Defaulter) *Webhook
 
 type mutatingHandler struct {
 	defaulter Defaulter
-	decoder   *Decoder
+	decoder   Decoder
 }
 
 // Handle handles admission requests.

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/defaulter_custom.go

@@ -43,7 +43,7 @@ func WithCustomDefaulter(scheme *runtime.Scheme, obj runtime.Object, defaulter C
 type defaulterForType struct {
 	defaulter CustomDefaulter
 	object    runtime.Object
-	decoder   *Decoder
+	decoder   Decoder
 }
 
 // Handle handles admission requests.

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/metrics/metrics.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package metrics
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
+)
+
+var (
+	// WebhookPanics is a prometheus counter metrics which holds the total
+	// number of panics from webhooks.
+	WebhookPanics = prometheus.NewCounterVec(prometheus.CounterOpts{
+		Name: "controller_runtime_webhook_panics_total",
+		Help: "Total number of webhook panics",
+	}, []string{})
+)
+
+func init() {
+	metrics.Registry.MustRegister(
+		WebhookPanics,
+	)
+	// Init metric.
+	WebhookPanics.WithLabelValues().Add(0)
+}

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/validator.go

@@ -63,7 +63,7 @@ func ValidatingWebhookFor(scheme *runtime.Scheme, validator Validator) *Webhook
 
 type validatingHandler struct {
 	validator Validator
-	decoder   *Decoder
+	decoder   Decoder
 }
 
 // Handle handles admission requests.

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/validator_custom.go

@@ -56,7 +56,7 @@ func WithCustomValidator(scheme *runtime.Scheme, obj runtime.Object, validator C
 type validatorForType struct {
 	validator CustomValidator
 	object    runtime.Object
-	decoder   *Decoder
+	decoder   Decoder
 }
 
 // Handle handles admission requests.

vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/webhook.go

@@ -30,6 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/json"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/klog/v2"
+	admissionmetrics "sigs.k8s.io/controller-runtime/pkg/webhook/admission/metrics"
 
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics"
@@ -123,7 +124,8 @@ type Webhook struct {
 	Handler Handler
 
 	// RecoverPanic indicates whether the panic caused by webhook should be recovered.
-	RecoverPanic bool
+	// Defaults to true.
+	RecoverPanic *bool
 
 	// WithContextFunc will allow you to take the http.Request.Context() and
 	// add any additional information such as passing the request path or
@@ -141,8 +143,9 @@ type Webhook struct {
 }
 
 // WithRecoverPanic takes a bool flag which indicates whether the panic caused by webhook should be recovered.
+// Defaults to true.
 func (wh *Webhook) WithRecoverPanic(recoverPanic bool) *Webhook {
-	wh.RecoverPanic = recoverPanic
+	wh.RecoverPanic = &recoverPanic
 	return wh
 }
 
@@ -151,17 +154,26 @@ func (wh *Webhook) WithRecoverPanic(recoverPanic bool) *Webhook {
 // If the webhook is validating type, it delegates the AdmissionRequest to each handler and
 // deny the request if anyone denies.
 func (wh *Webhook) Handle(ctx context.Context, req Request) (response Response) {
-	if wh.RecoverPanic {
-		defer func() {
-			if r := recover(); r != nil {
+	defer func() {
+		if r := recover(); r != nil {
+			admissionmetrics.WebhookPanics.WithLabelValues().Inc()
+
+			if wh.RecoverPanic == nil || *wh.RecoverPanic {
 				for _, fn := range utilruntime.PanicHandlers {
-					fn(r)
+					fn(ctx, r)
 				}
 				response = Errored(http.StatusInternalServerError, fmt.Errorf("panic: %v [recovered]", r))
+				// Note: We explicitly have to set the response UID. Usually that is done via resp.Complete below,
+				// but if we encounter a panic in wh.Handler.Handle we are never going to reach resp.Complete.
+				response.UID = req.UID
 				return
 			}
-		}()
-	}
+
+			log := logf.FromContext(ctx)
+			log.Info(fmt.Sprintf("Observed a panic in webhook: %v", r))
+			panic(r)
+		}
+	}()
 
 	reqLog := wh.getLogger(&req)
 	ctx = logf.IntoContext(ctx, reqLog)
@@ -169,7 +181,10 @@ func (wh *Webhook) Handle(ctx context.Context, req Request) (response Response)
 	resp := wh.Handler.Handle(ctx, req)
 	if err := resp.Complete(req); err != nil {
 		reqLog.Error(err, "unable to encode response")
-		return Errored(http.StatusInternalServerError, errUnableToEncodeResponse)
+		resp := Errored(http.StatusInternalServerError, errUnableToEncodeResponse)
+		// Note: We explicitly have to set the response UID. Usually that is done via resp.Complete.
+		resp.UID = req.UID
+		return resp
 	}
 
 	return resp