Migrate the webhook-certgen program to inside ingress repo (#7475)

2021-08-10 17:22:40 -03:00 · 2021-08-10 17:22:40 -03:00 · 492c7b0d94
commit 492c7b0d94
parent 9a9ad47857
18 changed files with 1910 additions and 0 deletions
--- a/images/kube-webhook-certgen/rootfs/cmd/create.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/create.go
@ -0,0 +1,42 @@
+package cmd
+
+import (
+	"github.com/jet/kube-webhook-certgen/pkg/certs"
+	"github.com/jet/kube-webhook-certgen/pkg/k8s"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+var (
+	create = &cobra.Command{
+		Use:    "create",
+		Short:  "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
+		Long:   "Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'",
+		PreRun: configureLogging,
+		Run:    createCommand}
+)
+
+func createCommand(cmd *cobra.Command, args []string) {
+	k := k8s.New(cfg.kubeconfig)
+	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+	if ca == nil {
+		log.Info("creating new secret")
+		newCa, newCert, newKey := certs.GenerateCerts(cfg.host)
+		ca = newCa
+		k.SaveCertsToSecret(cfg.secretName, cfg.namespace, cfg.certName, cfg.keyName, ca, newCert, newKey)
+	} else {
+		log.Info("secret already exists")
+	}
+}
+
+func init() {
+	rootCmd.AddCommand(create)
+	create.Flags().StringVar(&cfg.host, "host", "", "Comma-separated hostnames and IPs to generate a certificate for")
+	create.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be written")
+	create.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be written")
+	create.Flags().StringVar(&cfg.certName, "cert-name", "cert", "Name of cert file in the secret")
+	create.Flags().StringVar(&cfg.keyName, "key-name", "key", "Name of key file in the secret")
+	create.MarkFlagRequired("host")
+	create.MarkFlagRequired("secret-name")
+	create.MarkFlagRequired("namespace")
+}
--- a/images/kube-webhook-certgen/rootfs/cmd/patch.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/patch.go
@ -0,0 +1,62 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/jet/kube-webhook-certgen/pkg/k8s"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+)
+
+var (
+	patch = &cobra.Command{
+		Use:    "patch",
+		Short:  "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
+		Long:   "Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'",
+		PreRun: prePatchCommand,
+		Run:    patchCommand}
+)
+
+func prePatchCommand(cmd *cobra.Command, args []string) {
+	configureLogging(cmd, args)
+	if cfg.patchMutating == false && cfg.patchValidating == false {
+		log.Fatal("patch-validating=false, patch-mutating=false. You must patch at least one kind of webhook, otherwise this command is a no-op")
+		os.Exit(1)
+	}
+	switch cfg.patchFailurePolicy {
+	case "":
+		break
+	case "Ignore":
+	case "Fail":
+		failurePolicy = admissionv1.FailurePolicyType(cfg.patchFailurePolicy)
+		break
+	default:
+		log.Fatalf("patch-failure-policy %s is not valid", cfg.patchFailurePolicy)
+		os.Exit(1)
+	}
+}
+
+func patchCommand(_ *cobra.Command, _ []string) {
+	k := k8s.New(cfg.kubeconfig)
+	ca := k.GetCaFromSecret(cfg.secretName, cfg.namespace)
+
+	if ca == nil {
+		log.Fatalf("no secret with '%s' in '%s'", cfg.secretName, cfg.namespace)
+	}
+
+	k.PatchWebhookConfigurations(cfg.webhookName, ca, &failurePolicy, cfg.patchMutating, cfg.patchValidating)
+}
+
+func init() {
+	rootCmd.AddCommand(patch)
+	patch.Flags().StringVar(&cfg.secretName, "secret-name", "", "Name of the secret where certificate information will be read from")
+	patch.Flags().StringVar(&cfg.namespace, "namespace", "", "Namespace of the secret where certificate information will be read from")
+	patch.Flags().StringVar(&cfg.webhookName, "webhook-name", "", "Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated")
+	patch.Flags().BoolVar(&cfg.patchValidating, "patch-validating", true, "If true, patch validatingwebhookconfiguration")
+	patch.Flags().BoolVar(&cfg.patchMutating, "patch-mutating", true, "If true, patch mutatingwebhookconfiguration")
+	patch.Flags().StringVar(&cfg.patchFailurePolicy, "patch-failure-policy", "", "If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail")
+	patch.MarkFlagRequired("secret-name")
+	patch.MarkFlagRequired("namespace")
+	patch.MarkFlagRequired("webhook-name")
+}
--- a/images/kube-webhook-certgen/rootfs/cmd/root.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/root.go
@ -0,0 +1,83 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/onrik/logrus/filename"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+)
+
+var (
+	rootCmd = &cobra.Command{
+		Use:   "kube-webhook-certgen",
+		Short: "Create certificates and patch them to admission hooks",
+		Long: `Use this to create a ca and signed certificates and patch admission webhooks to allow for quick
+	           installation and configuration of validating and admission webhooks.`,
+		PreRun: configureLogging,
+		Run:    rootCommand,
+	}
+
+	cfg = struct {
+		logLevel           string
+		logfmt             string
+		secretName         string
+		namespace          string
+		certName           string
+		keyName            string
+		host               string
+		webhookName        string
+		patchValidating    bool
+		patchMutating      bool
+		patchFailurePolicy string
+		kubeconfig         string
+	}{}
+
+	failurePolicy admissionv1.FailurePolicyType
+)
+
+// Execute is the main entry point for the program
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
+
+func init() {
+	filenameHook := filename.NewHook()
+	filenameHook.Field = "source"
+	log.AddHook(filenameHook)
+	log.SetOutput(os.Stdout)
+	log.SetLevel(log.TraceLevel)
+	rootCmd.Flags()
+	rootCmd.PersistentFlags().StringVar(&cfg.logLevel, "log-level", "info", "Log level: panic|fatal|error|warn|info|debug|trace")
+	rootCmd.PersistentFlags().StringVar(&cfg.logfmt, "log-format", "json", "Log format: text|json")
+	rootCmd.PersistentFlags().StringVar(&cfg.kubeconfig, "kubeconfig", "", "Path to kubeconfig file: e.g. ~/.kube/kind-config-kind")
+}
+
+func configureLogging(_ *cobra.Command, _ []string) {
+	l, err := log.ParseLevel(cfg.logLevel)
+	if err != nil {
+		log.WithField("err", err).Fatal("Invalid error level")
+	}
+	log.SetLevel(l)
+	log.SetFormatter(getFormatter(cfg.logfmt))
+}
+
+func rootCommand(cmd *cobra.Command, _ []string) {
+	cmd.Help()
+	os.Exit(1)
+}
+
+func getFormatter(logfmt string) log.Formatter {
+	switch logfmt {
+	case "json":
+		return &log.JSONFormatter{}
+	case "text":
+		return &log.TextFormatter{}
+	}
+
+	log.Fatalf("invalid log format '%s'", logfmt)
+	return nil
+}
--- a/images/kube-webhook-certgen/rootfs/cmd/version.go
+++ b/images/kube-webhook-certgen/rootfs/cmd/version.go
@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/jet/kube-webhook-certgen/core"
+	"github.com/spf13/cobra"
+)
+
+var version = &cobra.Command{
+	Use:   "version",
+	Short: "Prints the CLI version information",
+	Run:   versionCmdRun,
+}
+
+func versionCmdRun(cmd *cobra.Command, args []string) {
+	fmt.Printf("%s\n", core.Version)
+	fmt.Printf("build %s\n", core.BuildTime)
+	fmt.Printf("%s\n", runtime.Version())
+}
+
+func init() {
+	rootCmd.AddCommand(version)
+}