add webhook

README.md

@@ -5,13 +5,12 @@ have been moved to a private registry, but _without editing_ the application con
 the image references in the application's pods according to a mapping which is configured using custom resources.
 
 To do:
-- [ ] Configure mutating admission webhook (see below)
 - [ ] Additional features - see [issues](https://github.com/pivotal/kubernetes-image-mapper/issues)
 
 For more context, please see the image relocation repository's [README](https://github.com/pivotal/image-relocation).
 
 ## Details
-This repository consists of a MutatingAdmissionWebhook (under development - see below) which rewrites kubernetes pods to use relocated image
+This repository consists of a MutatingAdmissionWebhook which rewrites kubernetes pods to use relocated image
 references.
 The mapping from original to relocated image references is built by deploying `imagemap` custom resources
 which are processed by a controller also provided by this repository.
@@ -25,16 +24,6 @@ short delay (currently one minute).
 
 If an `imagemap` is updated and this results in the `imagemap` being rejected, the original `imagemap` is undeployed.
 
-## **Webhook Unimplemented**
-
-The webhook is currently not implemented. Current status:
-
-* The webhook from an earlier spike is available [here](https://github.com/pivotal/image-relocation/pull/37).
-* The code is easy to integrate. See [draft PR 14](https://github.com/pivotal/kubernetes-image-mapper/pull/14).
-* The problem is configuring the webhook as the current configuration was generated using kubebuilder, is complex, and uses kustomize.
-
-See [issue 3](https://github.com/pivotal/kubernetes-image-mapper/issues/3) for more detail.
-
 ## Usage
 
 The following was tested using a GKE cluster.
@@ -81,8 +70,6 @@ NAME              AGE
 bootcamp-sample   1m
 ```
 
-# Until the webhook is implemented (see above) the following instructions will do no good
-
 * Create a pod, e.g.:
 ```
 kubectl run kubernetes-bootcamp --image=gcr.io/google-samples/kubernetes-bootcamp:v1 --port=8080

api/v1alpha1/imagemap_types.go

@@ -76,6 +76,7 @@ const (
 
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
+// +kubebuilder:webhook:verbs=create;update,path=/image-mapper,mutating=true,failurePolicy=fail,groups="",resources=pods,versions=v1,name=image-mapper.imagerelocation.pivotal.io
 
 // ImageMap is the Schema for the imagemaps API
 type ImageMap struct {

config/crd/bases/mapper.imagerelocation.pivotal.io_imagemaps.yaml

@@ -3,14 +3,18 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.4
   creationTimestamp: null
   name: imagemaps.mapper.imagerelocation.pivotal.io
 spec:
   group: mapper.imagerelocation.pivotal.io
   names:
     kind: ImageMap
+    listKind: ImageMapList
     plural: imagemaps
-  scope: ""
+    singular: imagemap
+  scope: Namespaced
   subresources:
     status: {}
   validation:

config/default/kustomization.yaml

@@ -9,17 +9,17 @@ namespace: image-mapper-system
 namePrefix: image-mapper-
 
 # Labels to add to all resources and selectors.
-#commonLabels:
-#  someName: someValue
+commonLabels:
+  image-mapper-webhook.image-relocation.pivotal.io/enabled: "false"
 
 bases:
 - ../crd
 - ../rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
-#- ../webhook
+- ../webhook
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
-#- ../certmanager
+- ../certmanager
 
 patchesStrategicMerge:
   # Protect the /metrics endpoint by putting it behind auth.
@@ -34,39 +34,39 @@ patchesStrategicMerge:
 #- manager_prometheus_metrics_patch.yaml
 
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
-#- manager_webhook_patch.yaml
+- manager_webhook_patch.yaml
 
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
 # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
 # 'CERTMANAGER' needs to be enabled to use ca injection
-#- webhookcainjection_patch.yaml
+- webhookcainjection_patch.yaml
 
 # the following config is for teaching kustomize how to do var substitution
 vars:
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
-#  objref:
-#    kind: Certificate
-#    group: certmanager.k8s.io
-#    version: v1alpha1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: CERTIFICATE_NAME
-#  objref:
-#    kind: Certificate
-#    group: certmanager.k8s.io
-#    version: v1alpha1
-#    name: serving-cert # this name should match the one in certificate.yaml
-#- name: SERVICE_NAMESPACE # namespace of the service
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
-#  fieldref:
-#    fieldpath: metadata.namespace
-#- name: SERVICE_NAME
-#  objref:
-#    kind: Service
-#    version: v1
-#    name: webhook-service
+- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+  objref:
+    kind: Certificate
+    group: certmanager.k8s.io
+    version: v1alpha1
+    name: serving-cert # this name should match the one in certificate.yaml
+  fieldref:
+    fieldpath: metadata.namespace
+- name: CERTIFICATE_NAME
+  objref:
+    kind: Certificate
+    group: certmanager.k8s.io
+    version: v1alpha1
+    name: serving-cert # this name should match the one in certificate.yaml
+- name: SERVICE_NAMESPACE # namespace of the service
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service
+  fieldref:
+    fieldpath: metadata.namespace
+- name: SERVICE_NAME
+  objref:
+    kind: Service
+    version: v1
+    name: webhook-service

config/default/webhookcainjection_patch.yaml

@@ -6,10 +6,3 @@ metadata:
   name: mutating-webhook-configuration
   annotations:
     certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
----
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
-  name: validating-webhook-configuration
-  annotations:
-    certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

config/webhook/kustomization.yaml

@@ -4,3 +4,6 @@ resources:
 
 configurations:
 - kustomizeconfig.yaml
+
+patchesStrategicMerge:
+- namespaceselector.yaml

config/webhook/kustomizeconfig.yaml

@@ -7,19 +7,12 @@ nameReference:
   - kind: MutatingWebhookConfiguration
     group: admissionregistration.k8s.io
     path: webhooks/clientConfig/service/name
-  - kind: ValidatingWebhookConfiguration
-    group: admissionregistration.k8s.io
-    path: webhooks/clientConfig/service/name
 
 namespace:
 - kind: MutatingWebhookConfiguration
   group: admissionregistration.k8s.io
   path: webhooks/clientConfig/service/namespace
   create: true
-- kind: ValidatingWebhookConfiguration
-  group: admissionregistration.k8s.io
-  path: webhooks/clientConfig/service/namespace
-  create: true
 
 varReference:
 - path: metadata/annotations

config/webhook/manifests.yaml

@@ -0,0 +1,26 @@
+
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  creationTimestamp: null
+  name: mutating-webhook-configuration
+webhooks:
+- clientConfig:
+    caBundle: Cg==
+    service:
+      name: webhook-service
+      namespace: system
+      path: /image-mapper
+  failurePolicy: Fail
+  name: image-mapper.imagerelocation.pivotal.io
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - pods

config/webhook/namespaceselector.yaml

@@ -0,0 +1,12 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: mutating-webhook-configuration
+webhooks:
+  - name: image-mapper.imagerelocation.pivotal.io
+    namespaceSelector:
+      matchExpressions:
+        - key: image-mapper-webhook.image-relocation.pivotal.io/enabled
+          operator: NotIn
+          values:
+            - "false"

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/go-logr/logr v0.1.0
 	github.com/onsi/ginkgo v1.10.1
 	github.com/onsi/gomega v1.7.0
+	gomodules.xyz/jsonpatch/v2 v2.0.1
 	// equivalent of kubernetes-1.15.4 tag for each k8s.io repo except code-generator
 	k8s.io/api v0.0.0-20190918195907-bd6ac527cfd2
 	k8s.io/apimachinery v0.0.0-20190817020851-f2f3a405f61d

main.go

@@ -18,7 +18,9 @@ package main
 
 import (
 	"flag"
+	relocatingwebhook "github.com/pivotal/kubernetes-image-mapper/pkg/webhook"
 	"os"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"time"
 
 	mapperv1alpha1 "github.com/pivotal/kubernetes-image-mapper/api/v1alpha1"
@@ -77,6 +79,14 @@ func main() {
 	stopCh := ctrl.SetupSignalHandler()
 	comp := unimap.New(stopCh)
 
+	setupLog.Info("setting up webhook server")
+	hookServer := mgr.GetWebhookServer()
+
+	setupLog.Info("registering webhook to the webhook server")
+	hookServer.Register("/image-mapper", &webhook.Admission{
+		Handler: relocatingwebhook.NewLoggingWebhookHandler(relocatingwebhook.NewImageReferenceRelocator(comp), setupLog.WithName("handler"), debug),
+	})
+
 	setupLog.Info("creating controller", "controller", "ImageMap")
 	if err = (&controllers.ImageMapReconciler{
 		Client: mgr.GetClient(),

pkg/webhook/extended_handler.go

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2019-Present Pivotal Software, Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package relocatingwebhook
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+type ExtendedHandler interface {
+	webhook.AdmissionHandler
+	InjectClient(client.Client) error
+	InjectDecoder(*admission.Decoder) error
+}