Set up CI with Azure Pipelines

.cicd/build.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -eox pipefail
+
+. .cicd/env.sh
+
+docker run --rm \
+  -v "$(pwd):/go/src/$mod" \
+  -w "/go/src/$mod"  \
+  -e GO111MODULE=on  \
+  -e CGO_ENABLED=0   \
+  -e GOOS=linux      \
+  -e GOARCH=amd64    \
+  golang:1.12-stretch \
+    go build -mod=vendor -ldflags "-X $mod/core.Version=$vers -X $mod/core.BuildTime=$buildTime"

.cicd/checks.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -eox pipefail
+
+. .cicd/env.sh
+
+command="go fmt ./... && git diff --exit-code;"
+
+docker run --rm \
+  -v "$(pwd):/go/src/$mod" \
+  -w "/go/src/$mod"  \
+  -e GO111MODULE=on  \
+  -e CGO_ENABLED=0   \
+  -e GOOS=linux      \
+  -e GOARCH=amd64    \
+  golang:1.12-stretch \
+    /bin/bash -c "$command"

.cicd/docker.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -eox pipefail
+
+. .cicd/env.sh
+
+docker build . -t $dockerRepo:$vers
+docker run --rm $dockerRepo:$vers version

.cicd/env.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eox pipefail
+
+export dockerRepo="jettech/kube-webhook-certgen"
+export mod="$(head -n 1 go.mod | cut -f 2 -d ' ')"
+export rev=$(git rev-parse HEAD)
+export tag=$(git tag --points-at HEAD)
+export buildTime=$(date -u +%FT%TZ)
+
+# This will break if there are multiple tags set to the same commit, which is what we want
+if [ $tag ]; then
+  export vers=$tag
+  export isTag=true
+else
+  export vers=$rev
+  export isTag=false
+fi
+
+# Azure pipelines requires this invocation to set variables to be available in later steps
+# And then you have to retrieve them in a similar interpolation fashion - i.e. they are _not_
+# environment variables
+echo "##vso[task.setvariable variable=dockerRepo]$dockerRepo"
+echo "##vso[task.setvariable variable=mod]$mod"
+echo "##vso[task.setvariable variable=rev]$rev"
+echo "##vso[task.setvariable variable=vers]$vers"
+echo "##vso[task.setvariable variable=isTag]$isTag"

.cicd/master.azure-pipelines.yml

@@ -0,0 +1,29 @@
+name: $(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+pr: none
+trigger:
+  branches:
+    include:
+      - master
+      - refs/tags/*
+pool:
+  vmImage: 'ubuntu-latest'
+steps:
+- script: .cicd/checks.sh
+  displayName: 'Checks'
+- script: .cicd/test.sh
+  displayName: 'Test'
+- task: PublishTestResults@2
+  displayName: 'Publish Test Results'
+  inputs:
+    testResultsFormat: 'JUnit'
+    testResultsFiles: '**/TEST-*.xml'
+    failTaskOnFailedTests: true
+- script: .cicd/build.sh
+  displayName: 'Build'
+- script: .cicd/docker.sh
+  displayName: 'Docker Build'
+- script: .cicd/push.sh
+  env:
+    jettechPassword: $(jettechPassword)
+  displayName: 'Docker Push'
+  condition: startsWith(variables['isTag'], 'true')

.cicd/pr.azure-pipelines.yml

@@ -0,0 +1,22 @@
+name: $(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+trigger:
+  branches:
+    include:
+      - refs/pull/*
+pool:
+  vmImage: 'ubuntu-latest'
+steps:
+- script: .cicd/checks.sh
+  displayName: 'Checks'
+- script: .cicd/test.sh
+  displayName: 'Test'
+- task: PublishTestResults@2
+  inputs:
+    testResultsFormat: 'JUnit'
+    testResultsFiles: '**/TEST-*.xml'
+    failTaskOnFailedTests: true
+- script: .cicd/build.sh
+  displayName: 'Build'
+- script: .cicd/docker.sh
+  displayName: 'Docker Build'
+  condition: lt(variables['System.PullRequest.PullRequestId'], 1)

.cicd/push.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+. .cicd/env.sh
+
+function exists() {
+    curl --silent -f -lSL https://index.docker.io/v1/repositories/$1/tags/$2 > /dev/null
+}
+
+if exists $dockerRepo $vers; then
+    echo $dockerRepo:$vers already exists, will not overwrite
+    exit 1
+else
+    docker login -u jettech -p $jettechPassword
+    docker push $dockerRepo:$vers
+fi

.cicd/test.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -eox pipefail
+
+. .cicd/env.sh
+
+command="go get -u github.com/jstemmer/go-junit-report; \
+go test -mod=vendor -v ./... 2>&1 | go-junit-report > TEST-ALL.xml"
+
+docker run --rm \
+  -v "$(pwd):/go/src/$mod" \
+  -w "/go/src/$mod"  \
+  -e GO111MODULE=on  \
+  -e CGO_ENABLED=0   \
+  -e GOOS=linux      \
+  -e GOARCH=amd64    \
+  golang:1.12-stretch \
+    /bin/bash -c "$command"

.gitignore

@@ -1 +1,3 @@
 .idea
+kube-webhook-certgen
+TEST-ALL.xml

Dockerfile

@@ -1,13 +1,3 @@
-FROM golang:1.12-alpine AS build
-ARG VERSION=0.0.0
-ARG PACKAGE="github.com/jet/kube-webhook-certgen"
-WORKDIR /go/src/${PACKAGE}
-COPY . .
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
-    go build -o kube-webhook-certgen -ldflags \
-    "-X ${PACKAGE}/core.Version=${VERSION} -X ${PACKAGE}/core.BuildTime=$(date -u +%FT%TZ)"
-RUN mv kube-webhook-certgen /kube-webhook-certgen
-
 FROM gcr.io/distroless/base
-COPY --from=build /kube-webhook-certgen /kube-webhook-certgen
+COPY kube-webhook-certgen /kube-webhook-certgen
 ENTRYPOINT ["/kube-webhook-certgen"]

README.md

@@ -1,7 +1,21 @@
+[![Build Status](https://dev.azure.com/jet-opensource/opensource/_apis/build/status/kube-webhook-certgen/kube-webhook-certgen.master?branchName=master)](https://dev.azure.com/jet-opensource/opensource/_build/latest?definitionId=15&branchName=master)
+[![Go Report Card](https://goreportcard.com/badge/github.com/jet/kube-webhook-certgen)](https://goreportcard.com/report/github.com/jet/kube-webhook-certgen)
+[![Docker Pulls](https://img.shields.io/docker/pulls/jettech/kube-webhook-certgen.svg)](https://hub.docker.com/r/jettech/kube-webhook-certgen)
+
 # Kubernetes webhook certificate generator and patcher
 
-This utility has two functions
+
+## Purpose
+This is a utility to generate certificates with long (100y) expiration, then patch Kubernetes Admission Webhooks with the CA. It is intended to provide a minimal solution for getting admission hooks working.
+
+This tool has two functions
 1. Create a ca, certificate and key and store them in a secret. If the secret already exists, do nothing
-2. Use the secret data to patch a mutating and validating webhook ca field
+2. Use the secret data to patch a mutating and validating webhook `ca` field
+
+The two-part approach is to allow easier working with helm charts, to first provision the certs, then patch the hooks after they are created with helm. If you have an alternative means of creating the certificaes, the tool can still be used to patch the webhooks.
+
+For more information about admission hooks see the [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
+
+## Security Considerations
+This tool may not be adequate in all security environments. If a more complete solution is required, you may want to seek alternatives such as [jetstack/cert-manager](https://github.com/jetstack/cert-manager)
 
-This is broken into two parts to allow easier working with helm charts, to first provision the certs, then patch the hooks after they are created with helm. This is an alternative to using [jetstack/cert-manager](https://github.com/jetstack/cert-manager).

cmd/root.go

@@ -43,6 +43,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&logfmt, "log-format", "text", "Log format: text|json")
 }
 
+// Execute is the main entry point for the program
 func Execute() {
 	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)

cmd/version.go

@@ -14,7 +14,7 @@ var version = &cobra.Command{
 }
 
 func versionCmdRun(cmd *cobra.Command, args []string) {
-	fmt.Printf("v%s\n", core.Version)
+	fmt.Printf("%s\n", core.Version)
 	fmt.Printf("build %s\n", core.BuildTime)
 }
 

go.mod

@@ -13,6 +13,7 @@ require (
 	github.com/imdario/mergo v0.3.7 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.6 // indirect
+	github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/onrik/logrus v0.2.2

go.sum

@@ -35,6 +35,8 @@ github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NH
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/json-iterator/go v1.1.6 h1:MrUvLMLTMxbqFJ9kzlvat/rYZqZnW3u4wkLzWTaFwKs=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 h1:rBMNdlhTLzJjJSDIjNEXX1Pz3Hmwmz91v+zycvx9PJc=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=

pkg/certs/certs_test.go

@@ -39,10 +39,10 @@ func TestCertificateCreation(t *testing.T) {
 
 	client := &http.Client{Transport: tr}
 	res, err := client.Get(ts.URL)
-	defer res.Body.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer res.Body.Close()
 
 	if res.StatusCode != http.StatusOK {
 		t.Errorf("Response code was %v; want 200", res.StatusCode)

pkg/k8s/k8s_test.go

@@ -116,6 +116,10 @@ func TestPatchWebhookConfigurations(t *testing.T) {
 		MutatingWebhookConfigurations().
 		Get(testWebhookName, metav1.GetOptions{})
 
+	if err != nil {
+		t.Error(err)
+	}
+
 	whval, err := client.clientset.
 		AdmissionregistrationV1beta1().
 		MutatingWebhookConfigurations().