Validating webhook (#2)

* Add validating webhook * Add validating webhook
hooksie1 · Jan 9, 2022 · 9ebc4e8 · 9ebc4e8
1 parent c897fb7
commit 9ebc4e8
Show file tree

Hide file tree

Showing 11 changed files with 393 additions and 149 deletions.
diff --git a/cmd/deploy.go b/cmd/deploy.go
@@ -2,12 +2,11 @@ package cmd
 
 import (
 	"fmt"
-	"os"
-
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"gitlab.com/hooksie1/cmsnr/pkg/deployment"
+	"os"
 	"sigs.k8s.io/yaml"
 )
 
@@ -34,7 +33,9 @@ func printKind(i interface{}) {
 
 func generate(cmd *cobra.Command, args []string) {
 	mService := "cmsnr-mutating-webhook"
-	name := viper.GetString("secret")
+	vService := "cmsnr-validating-webhook"
+	mSecret := fmt.Sprintf("mutating-%s", viper.GetString("secret"))
+	vSecret := fmt.Sprintf("validating-%s", viper.GetString("secret"))
 	port := viper.GetInt("port")
 	namespace := viper.GetString("namespace")
 
@@ -44,61 +45,26 @@ func generate(cmd *cobra.Command, args []string) {
 		os.Exit(2)
 	}
 
-	mw := webhookServer{
-		service:   mService,
-		namespace: namespace,
-		name:      name,
-		port:      port,
-		cert:      mCert,
-		key:       mKey,
+	vCert, vKey, err := deployment.GenerateCertificate(vService, namespace)
+	if err != nil {
+		log.Error(err)
+		os.Exit(2)
 	}
 
-	mw.printServiceAccount()
-
-	mw.printClusterRole()
-
-	mw.printClusterRoleBinding()
-
-	mw.printCRD()
-
-	mw.printMutatingDeployment()
-
-	mw.printMutatingService()
-
-	mw.printMutatingSecret()
-
-	mw.printMutatingWebhook()
-
-}
-
-func (w *webhookServer) printServiceAccount() {
-	printKind(deployment.NewSA(w.namespace))
-}
+	mw := deployment.NewMutatingWebhookServer().NamespacedName(mService, namespace).MutatingWebhook(port, mCert).Rules()
+	vw := deployment.NewValidatingWebhookServer().NamespacedName(vService, namespace).ValidatingWebhook(port, vCert).Rules()
 
-func (w *webhookServer) printClusterRole() {
+	printKind(deployment.NewSA(namespace))
 	printKind(deployment.NewClusterRole())
-}
-
-func (w *webhookServer) printClusterRoleBinding() {
-	printKind(deployment.NewClusterRolebinding(w.namespace))
-}
-
-func (w *webhookServer) printCRD() {
+	printKind(deployment.NewClusterRolebinding(namespace))
 	fmt.Println(deployment.NewCRD())
-}
-
-func (w *webhookServer) printMutatingDeployment() {
-	printKind(deployment.NewDeployment(w.service, w.namespace, w.port))
-}
-
-func (w *webhookServer) printMutatingService() {
-	printKind(deployment.NewService(w.service, w.namespace, w.port))
-}
-
-func (w *webhookServer) printMutatingSecret() {
-	printKind(deployment.CertAsSecret(w.cert, w.key, w.name, w.namespace))
-}
+	printKind(deployment.NewDeployment(mService, namespace, "mutating", mSecret, port))
+	printKind(deployment.NewDeployment(vService, namespace, "validating", vSecret, port))
+	printKind(deployment.NewService(mService, namespace, port))
+	printKind(deployment.NewService(vService, namespace, port))
+	printKind(deployment.CertAsSecret(mCert, mKey, mSecret, namespace))
+	printKind(deployment.CertAsSecret(vCert, vKey, vSecret, namespace))
+	printKind(mw.Config)
+	printKind(vw.Config)
 
-func (w *webhookServer) printMutatingWebhook() {
-	printKind(deployment.NewMutatingWebhookConfig(w.service, w.namespace, w.port, w.cert))
 }
diff --git a/cmd/server.go b/cmd/server.go
@@ -23,11 +23,13 @@ func init() {
 }
 
 type webhookServer struct {
-	service   string
-	namespace string
-	name      string
-	port      int
-	cert      []byte
-	key       []byte
-	certPath  string
+	serverType string
+	service    string
+	namespace  string
+	name       string
+	port       int
+	cert       []byte
+	key        []byte
+	certPath   string
+	print      func(interface{}, func(i interface{}))
 }
diff --git a/cmd/validating.go b/cmd/validating.go
@@ -0,0 +1,53 @@
+package cmd
+
+import (
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"gitlab.com/hooksie1/cmsnr/pkg/server"
+	"os"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+// validatingCmd represents the validating command
+var validatingCmd = &cobra.Command{
+	Use:   "validating",
+	Short: "Starts the cmsnr validating webhook",
+	Run:   validateServer,
+}
+
+func init() {
+	startCmd.AddCommand(validatingCmd)
+}
+
+func validateServer(cmd *cobra.Command, args []string) {
+	port := viper.GetInt("port")
+	log.Debugf("validating webhook port: %d", port)
+	log.Info("setting up webhook server")
+	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{})
+	if err != nil {
+		log.Error(err)
+		os.Exit(1)
+	}
+
+	validator := server.Validator{
+		Client: mgr.GetClient(),
+	}
+
+	mgrServer := mgr.GetWebhookServer()
+	mgrServer.Port = port
+	mgrServer.CertDir = "/var/lib/cmsnr"
+	mgrServer.Register("/validate", &webhook.Admission{
+		Handler: &validator,
+	})
+
+	log.Info("starting webhook server")
+	if err := mgrServer.Start(signals.SetupSignalHandler()); err != nil {
+		log.Errorf("unable to start webhook server: %s", err)
+		os.Exit(1)
+	}
+
+}
diff --git a/go.mod b/go.mod
@@ -3,13 +3,13 @@ module gitlab.com/hooksie1/cmsnr
 go 1.16
 
 require (
+	github.com/open-policy-agent/opa v0.35.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/viper v1.9.0
 	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/tools v0.1.8 // indirect
 	k8s.io/api v0.22.3
-	k8s.io/apiextensions-apiserver v0.22.2 // indirect
 	k8s.io/apimachinery v0.22.3
 	k8s.io/client-go v0.22.3
 	k8s.io/klog/v2 v2.9.0