kyverno/server/server.go

package server

import (
	"context"
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"time"

	"github.com/nirmata/kube-policy/config"
	"github.com/nirmata/kube-policy/utils"
	"github.com/nirmata/kube-policy/webhooks"

	v1beta1 "k8s.io/api/admission/v1beta1"
)

// WebhookServer contains configured TLS server with MutationWebhook.
// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
type WebhookServer struct {
	server          http.Server
	mutationWebhook *webhooks.MutationWebhook
	logger          *log.Logger
}

// NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
// Policy Controller and Kubernetes Client should be initialized in configuration
func NewWebhookServer(tlsPair *utils.TlsPemPair, mutationWebhook *webhooks.MutationWebhook, logger *log.Logger) (*WebhookServer, error) {
	if logger == nil {
		logger = log.New(os.Stdout, "HTTPS Server: ", log.LstdFlags|log.Lshortfile)
	}

	if tlsPair == nil || mutationWebhook == nil {
		return nil, errors.New("NewWebhookServer is not initialized properly")
	}

	var tlsConfig tls.Config
	pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)
	if err != nil {
		return nil, err
	}
	tlsConfig.Certificates = []tls.Certificate{pair}

	ws := &WebhookServer{
		logger:          logger,
		mutationWebhook: mutationWebhook,
	}

	mux := http.NewServeMux()
	mux.HandleFunc(config.WebhookServicePath, ws.serve)

	ws.server = http.Server{
		Addr:         ":443", // Listen on port for HTTPS requests
		TLSConfig:    &tlsConfig,
		Handler:      mux,
		ErrorLog:     logger,
		ReadTimeout:  15 * time.Second,
		WriteTimeout: 15 * time.Second,
	}

	return ws, nil
}

// Main server endpoint for all requests
func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path == config.WebhookServicePath {
		admissionReview := ws.parseAdmissionReview(r, w)
		if admissionReview == nil {
			return
		}

		var admissionResponse *v1beta1.AdmissionResponse
		if webhooks.AdmissionIsRequired(admissionReview.Request) {
			admissionResponse = ws.mutationWebhook.Mutate(admissionReview.Request)
		}

		if admissionResponse == nil {
			admissionResponse = &v1beta1.AdmissionResponse{
				Allowed: true,
			}
		}

		admissionReview.Response = admissionResponse
		admissionReview.Response.UID = admissionReview.Request.UID

		responseJson, err := json.Marshal(admissionReview)
		if err != nil {
			http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
			return
		}

		ws.logger.Printf("Response body\n:%v", string(responseJson))
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		if _, err := w.Write(responseJson); err != nil {
			http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
		}
	} else {
		http.Error(w, fmt.Sprintf("Unexpected method path: %v", r.URL.Path), http.StatusNotFound)
	}
}

// Answers to the http.ResponseWriter if request is not valid
func (ws *WebhookServer) parseAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
	var body []byte
	if request.Body != nil {
		if data, err := ioutil.ReadAll(request.Body); err == nil {
			body = data
		}
	}
	if len(body) == 0 {
		ws.logger.Print("Error: empty body")
		http.Error(writer, "empty body", http.StatusBadRequest)
		return nil
	}

	contentType := request.Header.Get("Content-Type")
	if contentType != "application/json" {
		ws.logger.Printf("Error: invalid Content-Type: %v", contentType)
		http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
		return nil
	}

	admissionReview := &v1beta1.AdmissionReview{}
	if err := json.Unmarshal(body, &admissionReview); err != nil {
		ws.logger.Printf("Error: Can't decode body as AdmissionReview: %v", err)
		http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
		return nil
	} else {
		ws.logger.Printf("Request body:\n%v", string(body))
		return admissionReview
	}
}

// Runs TLS server in separate thread and returns control immediately
func (ws *WebhookServer) RunAsync() {
	go func(ws *WebhookServer) {
		err := ws.server.ListenAndServeTLS("", "")
		if err != nil {
			ws.logger.Fatal(err)
		}
	}(ws)
}

// Stops TLS server and returns control after the server is shut down
func (ws *WebhookServer) Stop() {
	err := ws.server.Shutdown(context.Background())
	if err != nil {
		// Error from closing listeners, or context timeout:
		ws.logger.Printf("Server Shutdown error: %v", err)
		ws.server.Close()
	}
}
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`package server`

			`import (`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`"context"`
			`"crypto/tls"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"io/ioutil"`
			`"log"`
			`"net/http"`
			`"os"`
			`"time"`

NK-31: Refactoring 2019-03-21 18:14:26 +02:00			`"github.com/nirmata/kube-policy/config"`
NK-31: Put constants in separate file. Updated install.yaml definition to create Service and DaemonSet. Fixed bug with webhook registration. 2019-03-21 15:57:30 +02:00			`"github.com/nirmata/kube-policy/utils"`
NK-31: Refactoring 2019-03-21 18:14:26 +02:00			`"github.com/nirmata/kube-policy/webhooks"`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`v1beta1 "k8s.io/api/admission/v1beta1"`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`)`

NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`// WebhookServer contains configured TLS server with MutationWebhook.`
			`// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`type WebhookServer struct {`
NK-47: Implemented webhook deregistration. TLS pair initialization functionality moved to init.go. Separated server and mutation webhook objects, implemented registration of webhook with the creation of corresponding object. Added comments for webhook configuration definitions, changed name of configuration for debug. 2019-03-22 22:11:55 +02:00			`server http.Server`
			`mutationWebhook *webhooks.MutationWebhook`
			`logger *log.Logger`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`

			`// NewWebhookServer creates new instance of WebhookServer accordingly to given configuration`
			`// Policy Controller and Kubernetes Client should be initialized in configuration`
NK-47: Implemented webhook deregistration. TLS pair initialization functionality moved to init.go. Separated server and mutation webhook objects, implemented registration of webhook with the creation of corresponding object. Added comments for webhook configuration definitions, changed name of configuration for debug. 2019-03-22 22:11:55 +02:00			`func NewWebhookServer(tlsPair utils.TlsPemPair, mutationWebhook webhooks.MutationWebhook, logger log.Logger) (WebhookServer, error) {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if logger == nil {`
			`logger = log.New(os.Stdout, "HTTPS Server: ", log.LstdFlags\|log.Lshortfile)`
			`}`

NK-47: Implemented webhook deregistration. TLS pair initialization functionality moved to init.go. Separated server and mutation webhook objects, implemented registration of webhook with the creation of corresponding object. Added comments for webhook configuration definitions, changed name of configuration for debug. 2019-03-22 22:11:55 +02:00			`if tlsPair == nil \|\| mutationWebhook == nil {`
			`return nil, errors.New("NewWebhookServer is not initialized properly")`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`

			`var tlsConfig tls.Config`
NK-47: Implemented webhook deregistration. TLS pair initialization functionality moved to init.go. Separated server and mutation webhook objects, implemented registration of webhook with the creation of corresponding object. Added comments for webhook configuration definitions, changed name of configuration for debug. 2019-03-22 22:11:55 +02:00			`pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if err != nil {`
			`return nil, err`
			`}`
			`tlsConfig.Certificates = []tls.Certificate{pair}`

			`ws := &WebhookServer{`
NK-23: Implemented logging to the policy object/status. Refactored MutationWebhook, modified controller logs. 2019-03-07 17:42:37 +02:00			`logger: logger,`
NK-47: Implemented webhook deregistration. TLS pair initialization functionality moved to init.go. Separated server and mutation webhook objects, implemented registration of webhook with the creation of corresponding object. Added comments for webhook configuration definitions, changed name of configuration for debug. 2019-03-22 22:11:55 +02:00			`mutationWebhook: mutationWebhook,`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`

			`mux := http.NewServeMux()`
NK-31: Renamed constants package to config 2019-03-21 18:09:14 +02:00			`mux.HandleFunc(config.WebhookServicePath, ws.serve)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00
			`ws.server = http.Server{`
			`Addr: ":443", // Listen on port for HTTPS requests`
			`TLSConfig: &tlsConfig,`
			`Handler: mux,`
			`ErrorLog: logger,`
			`ReadTimeout: 15 * time.Second,`
			`WriteTimeout: 15 * time.Second,`
			`}`

			`return ws, nil`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00			`}`

NK-23: Improved comments, commited crd with status subresource. 2019-03-07 17:57:43 +02:00			`// Main server endpoint for all requests`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`func (ws WebhookServer) serve(w http.ResponseWriter, r http.Request) {`
NK-31: Renamed constants package to config 2019-03-21 18:09:14 +02:00			`if r.URL.Path == config.WebhookServicePath {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`admissionReview := ws.parseAdmissionReview(r, w)`
			`if admissionReview == nil {`
			`return`
			`}`

			`var admissionResponse *v1beta1.AdmissionResponse`
			`if webhooks.AdmissionIsRequired(admissionReview.Request) {`
NK-23: Implemented logging to the policy object/status. Refactored MutationWebhook, modified controller logs. 2019-03-07 17:42:37 +02:00			`admissionResponse = ws.mutationWebhook.Mutate(admissionReview.Request)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`

			`if admissionResponse == nil {`
			`admissionResponse = &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`}`

			`admissionReview.Response = admissionResponse`
			`admissionReview.Response.UID = admissionReview.Request.UID`

			`responseJson, err := json.Marshal(admissionReview)`
			`if err != nil {`
			`http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)`
			`return`
			`}`

			`ws.logger.Printf("Response body\n:%v", string(responseJson))`
			`w.Header().Set("Content-Type", "application/json; charset=utf-8")`
			`if _, err := w.Write(responseJson); err != nil {`
			`http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)`
			`}`
			`} else {`
			`http.Error(w, fmt.Sprintf("Unexpected method path: %v", r.URL.Path), http.StatusNotFound)`
			`}`
NK-10: Implemented basic logic for mutation, added logs 2019-02-15 20:00:49 +02:00			`}`

			`// Answers to the http.ResponseWriter if request is not valid`
			`func (ws WebhookServer) parseAdmissionReview(request http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`var body []byte`
			`if request.Body != nil {`
			`if data, err := ioutil.ReadAll(request.Body); err == nil {`
			`body = data`
			`}`
			`}`
			`if len(body) == 0 {`
			`ws.logger.Print("Error: empty body")`
			`http.Error(writer, "empty body", http.StatusBadRequest)`
			`return nil`
			`}`

			`contentType := request.Header.Get("Content-Type")`
			`if contentType != "application/json" {`
			`ws.logger.Printf("Error: invalid Content-Type: %v", contentType)`
			http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
			`return nil`
			`}`

			`admissionReview := &v1beta1.AdmissionReview{}`
			`if err := json.Unmarshal(body, &admissionReview); err != nil {`
			`ws.logger.Printf("Error: Can't decode body as AdmissionReview: %v", err)`
			`http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)`
			`return nil`
			`} else {`
			`ws.logger.Printf("Request body:\n%v", string(body))`
			`return admissionReview`
			`}`
NK-10: Implemented basic logic for mutation, added logs 2019-02-15 20:00:49 +02:00			`}`

NK-23: Improved comments, commited crd with status subresource. 2019-03-07 17:57:43 +02:00			`// Runs TLS server in separate thread and returns control immediately`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`func (ws *WebhookServer) RunAsync() {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`go func(ws *WebhookServer) {`
			`err := ws.server.ListenAndServeTLS("", "")`
			`if err != nil {`
			`ws.logger.Fatal(err)`
			`}`
			`}(ws)`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`}`

NK-23: Improved comments, commited crd with status subresource. 2019-03-07 17:57:43 +02:00			`// Stops TLS server and returns control after the server is shut down`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`func (ws *WebhookServer) Stop() {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`err := ws.server.Shutdown(context.Background())`
			`if err != nil {`
			`// Error from closing listeners, or context timeout:`
			`ws.logger.Printf("Server Shutdown error: %v", err)`
			`ws.server.Close()`
			`}`
NK-8: Implemented simple webserver with empty mutation handler 2019-02-07 19:22:04 +02:00			`}`