Migrate the webhook-certgen program to inside ingress repo (#7475)

2021-08-10 17:22:40 -03:00 · 2021-08-10 17:22:40 -03:00 · 492c7b0d94
commit 492c7b0d94
parent 9a9ad47857
18 changed files with 1910 additions and 0 deletions
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go
@ -0,0 +1,138 @@
+package k8s
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+type k8s struct {
+	clientset kubernetes.Interface
+}
+
+func New(kubeconfig string) *k8s {
+	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+	if err != nil {
+		log.WithError(err).Fatal("error building kubernetes config")
+	}
+
+	c, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.WithError(err).Fatal("error creating kubernetes client")
+	}
+
+	return &k8s{clientset: c}
+}
+
+// PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with
+// the provided ca data. If failurePolicy is provided, patch all webhooks with this value
+func (k8s *k8s) PatchWebhookConfigurations(
+	configurationNames string, ca []byte,
+	failurePolicy *admissionv1.FailurePolicyType,
+	patchMutating bool, patchValidating bool) {
+
+	log.Infof("patching webhook configurations '%s' mutating=%t, validating=%t, failurePolicy=%s", configurationNames, patchMutating, patchValidating, *failurePolicy)
+
+	if patchValidating {
+		valHook, err := k8s.clientset.
+			AdmissionregistrationV1().
+			ValidatingWebhookConfigurations().
+			Get(context.TODO(), configurationNames, metav1.GetOptions{})
+
+		if err != nil {
+			log.WithField("err", err).Fatal("failed getting validating webhook")
+		}
+
+		for i := range valHook.Webhooks {
+			h := &valHook.Webhooks[i]
+			h.ClientConfig.CABundle = ca
+			if *failurePolicy != "" {
+				h.FailurePolicy = failurePolicy
+			}
+		}
+
+		if _, err = k8s.clientset.AdmissionregistrationV1().
+			ValidatingWebhookConfigurations().
+			Update(context.TODO(), valHook, metav1.UpdateOptions{}); err != nil {
+			log.WithField("err", err).Fatal("failed patching validating webhook")
+		}
+		log.Debug("patched validating hook")
+	} else {
+		log.Debug("validating hook patching not required")
+	}
+
+	if patchMutating {
+		mutHook, err := k8s.clientset.
+			AdmissionregistrationV1().
+			MutatingWebhookConfigurations().
+			Get(context.TODO(), configurationNames, metav1.GetOptions{})
+		if err != nil {
+			log.WithField("err", err).Fatal("failed getting validating webhook")
+		}
+
+		for i := range mutHook.Webhooks {
+			h := &mutHook.Webhooks[i]
+			h.ClientConfig.CABundle = ca
+			if *failurePolicy != "" {
+				h.FailurePolicy = failurePolicy
+			}
+		}
+
+		if _, err = k8s.clientset.AdmissionregistrationV1().
+			MutatingWebhookConfigurations().
+			Update(context.TODO(), mutHook, metav1.UpdateOptions{}); err != nil {
+			log.WithField("err", err).Fatal("failed patching validating webhook")
+		}
+		log.Debug("patched mutating hook")
+	} else {
+		log.Debug("mutating hook patching not required")
+	}
+
+	log.Info("Patched hook(s)")
+}
+
+// GetCaFromSecret will check for the presence of a secret. If it exists, will return the content of the
+// "ca" from the secret, otherwise will return nil
+func (k8s *k8s) GetCaFromSecret(secretName string, namespace string) []byte {
+	log.Debugf("getting secret '%s' in namespace '%s'", secretName, namespace)
+	secret, err := k8s.clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			log.WithField("err", err).Info("no secret found")
+			return nil
+		}
+		log.WithField("err", err).Fatal("error getting secret")
+	}
+
+	data := secret.Data["ca"]
+	if data == nil {
+		log.Fatal("got secret, but it did not contain a 'ca' key")
+	}
+	log.Debug("got secret")
+	return data
+}
+
+// SaveCertsToSecret saves the provided ca, cert and key into a secret in the specified namespace.
+func (k8s *k8s) SaveCertsToSecret(secretName, namespace, certName, keyName string, ca, cert, key []byte) {
+
+	log.Debugf("saving to secret '%s' in namespace '%s'", secretName, namespace)
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secretName,
+		},
+		Data: map[string][]byte{"ca": ca, certName: cert, keyName: key},
+	}
+
+	log.Debug("saving secret")
+	_, err := k8s.clientset.CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+	if err != nil {
+		log.WithField("err", err).Fatal("failed creating secret")
+	}
+	log.Debug("saved secret")
+}
--- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
+++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go
@ -0,0 +1,159 @@
+package k8s
+
+import (
+	"bytes"
+	"context"
+	"math/rand"
+	"testing"
+
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+const (
+	testWebhookName = "c7c95710-d8c3-4cc3-a2a8-8d2b46909c76"
+	testSecretName  = "15906410-af2a-4f9b-8a2d-c08ffdd5e129"
+	testNamespace   = "7cad5f92-c0d5-4bc9-87a3-6f44d5a5619d"
+)
+
+var (
+	fail   = admissionv1.Fail
+	ignore = admissionv1.Ignore
+)
+
+func genSecretData() (ca, cert, key []byte) {
+	ca = make([]byte, 4)
+	cert = make([]byte, 4)
+	key = make([]byte, 4)
+	rand.Read(cert)
+	rand.Read(key)
+	return
+}
+
+func newTestSimpleK8s() *k8s {
+	return &k8s{
+		clientset: fake.NewSimpleClientset(),
+	}
+}
+
+func TestGetCaFromCertificate(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, cert, key := genSecretData()
+
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: testSecretName,
+		},
+		Data: map[string][]byte{"ca": ca, "cert": cert, "key": key},
+	}
+
+	k.clientset.CoreV1().Secrets(testNamespace).Create(context.Background(), secret, metav1.CreateOptions{})
+
+	retrievedCa := k.GetCaFromSecret(testSecretName, testNamespace)
+	if !bytes.Equal(retrievedCa, ca) {
+		t.Error("Was not able to retrieve CA information that was saved")
+	}
+}
+
+func TestSaveCertsToSecret(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, cert, key := genSecretData()
+
+	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+
+	secret, _ := k.clientset.CoreV1().Secrets(testNamespace).Get(context.Background(), testSecretName, metav1.GetOptions{})
+
+	if !bytes.Equal(secret.Data["cert"], cert) {
+		t.Error("'cert' saved data does not match retrieved")
+	}
+
+	if !bytes.Equal(secret.Data["key"], key) {
+		t.Error("'key' saved data does not match retrieved")
+	}
+}
+
+func TestSaveThenLoadSecret(t *testing.T) {
+	k := newTestSimpleK8s()
+	ca, cert, key := genSecretData()
+	k.SaveCertsToSecret(testSecretName, testNamespace, "cert", "key", ca, cert, key)
+	retrievedCert := k.GetCaFromSecret(testSecretName, testNamespace)
+	if !bytes.Equal(retrievedCert, ca) {
+		t.Error("Was not able to retrieve CA information that was saved")
+	}
+}
+
+func TestPatchWebhookConfigurations(t *testing.T) {
+	k := newTestSimpleK8s()
+
+	ca, _, _ := genSecretData()
+
+	k.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Create(context.Background(), &admissionv1.MutatingWebhookConfiguration{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testWebhookName,
+			},
+			Webhooks: []admissionv1.MutatingWebhook{{Name: "m1"}, {Name: "m2"}}}, metav1.CreateOptions{})
+
+	k.clientset.
+		AdmissionregistrationV1().
+		ValidatingWebhookConfigurations().
+		Create(context.Background(), &admissionv1.ValidatingWebhookConfiguration{
+			TypeMeta: metav1.TypeMeta{},
+			ObjectMeta: metav1.ObjectMeta{
+				Name: testWebhookName,
+			},
+			Webhooks: []admissionv1.ValidatingWebhook{{Name: "v1"}, {Name: "v2"}}}, metav1.CreateOptions{})
+
+	k.PatchWebhookConfigurations(testWebhookName, ca, &fail, true, true)
+
+	whmut, err := k.clientset.
+		AdmissionregistrationV1().
+		MutatingWebhookConfigurations().
+		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	whval, err := k.clientset.
+		AdmissionregistrationV1beta1().
+		MutatingWebhookConfigurations().
+		Get(context.Background(), testWebhookName, metav1.GetOptions{})
+
+	if err != nil {
+		t.Error(err)
+	}
+
+	if !bytes.Equal(whmut.Webhooks[0].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from first mutating webhook configuration does not match")
+	}
+	if !bytes.Equal(whmut.Webhooks[1].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from second mutating webhook configuration does not match")
+	}
+	if !bytes.Equal(whval.Webhooks[0].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from first validating webhook configuration does not match")
+	}
+	if !bytes.Equal(whval.Webhooks[1].ClientConfig.CABundle, ca) {
+		t.Error("Ca retrieved from second validating webhook configuration does not match")
+	}
+	if whmut.Webhooks[0].FailurePolicy == nil {
+		t.Errorf("Expected first mutating webhook failure policy to be set to %s", fail)
+	}
+	if whmut.Webhooks[1].FailurePolicy == nil {
+		t.Errorf("Expected second mutating webhook failure policy to be set to %s", fail)
+	}
+	if whval.Webhooks[0].FailurePolicy == nil {
+		t.Errorf("Expected first validating webhook failure policy to be set to %s", fail)
+	}
+	if whval.Webhooks[1].FailurePolicy == nil {
+		t.Errorf("Expected second validating webhook failure policy to be set to %s", fail)
+	}
+
+}