kyverno/pkg/webhooks/registration.go

package webhooks

import (
	"errors"
	"io/ioutil"

	"github.com/nirmata/kyverno/pkg/dclient"
	"github.com/nirmata/kyverno/pkg/config"

	admregapi "k8s.io/api/admissionregistration/v1beta1"
	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
	admregclient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"
	rest "k8s.io/client-go/rest"
)

// WebhookRegistrationClient is client for registration webhooks on cluster
type WebhookRegistrationClient struct {
	registrationClient *admregclient.AdmissionregistrationV1beta1Client
	client             *client.Client
	clientConfig       *rest.Config
}

// NewWebhookRegistrationClient creates new WebhookRegistrationClient instance
func NewWebhookRegistrationClient(clientConfig *rest.Config, client *client.Client) (*WebhookRegistrationClient, error) {
	registrationClient, err := admregclient.NewForConfig(clientConfig)
	if err != nil {
		return nil, err
	}

	return &WebhookRegistrationClient{
		registrationClient: registrationClient,
		client:             client,
		clientConfig:       clientConfig,
	}, nil
}

// Register creates admission webhooks configs on cluster
func (wrc *WebhookRegistrationClient) Register() error {
	// For the case if cluster already has this configs
	wrc.Deregister()

	mutatingWebhookConfig, err := wrc.constructMutatingWebhookConfig(wrc.clientConfig)
	if err != nil {
		return err
	}

	_, err = wrc.registrationClient.MutatingWebhookConfigurations().Create(mutatingWebhookConfig)
	if err != nil {
		return err
	}

	validationWebhookConfig, err := wrc.constructValidatingWebhookConfig(wrc.clientConfig)
	if err != nil {
		return err
	}

	_, err = wrc.registrationClient.ValidatingWebhookConfigurations().Create(validationWebhookConfig)
	if err != nil {
		return err
	}

	return nil
}

// Deregister deletes webhook configs from cluster
// This function does not fail on error:
// Register will fail if the config exists, so there is no need to fail on error
func (wrc *WebhookRegistrationClient) Deregister() {
	wrc.registrationClient.MutatingWebhookConfigurations().Delete(config.MutatingWebhookConfigurationName, &meta.DeleteOptions{})
	wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.ValidatingWebhookConfigurationName, &meta.DeleteOptions{})
}

func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(configuration *rest.Config) (*admregapi.MutatingWebhookConfiguration, error) {
	var caData []byte
	// Check if ca is defined in the secret tls-ca
	// assume the key and signed cert have been defined in secret tls.kyverno
	caData = wrc.client.ReadRootCASecret()
	if len(caData) == 0 {
		// load the CA from kubeconfig
		caData = extractCA(configuration)
	}
	if len(caData) == 0 {
		return nil, errors.New("Unable to extract CA data from configuration")
	}

	return &admregapi.MutatingWebhookConfiguration{
		ObjectMeta: meta.ObjectMeta{
			Name:   config.MutatingWebhookConfigurationName,
			Labels: config.KubePolicyAppLabels,
			OwnerReferences: []meta.OwnerReference{
				wrc.constructOwner(),
			},
		},
		Webhooks: []admregapi.Webhook{
			constructWebhook(
				config.MutatingWebhookName,
				config.MutatingWebhookServicePath,
				caData),
		},
	}, nil
}

func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(configuration *rest.Config) (*admregapi.ValidatingWebhookConfiguration, error) {
	// Check if ca is defined in the secret tls-ca
	// assume the key and signed cert have been defined in secret tls.kyverno
	caData := wrc.client.ReadRootCASecret()
	if len(caData) == 0 {
		// load the CA from kubeconfig
		caData = extractCA(configuration)
	}
	if len(caData) == 0 {
		return nil, errors.New("Unable to extract CA data from configuration")
	}

	return &admregapi.ValidatingWebhookConfiguration{
		ObjectMeta: meta.ObjectMeta{
			Name:   config.ValidatingWebhookConfigurationName,
			Labels: config.KubePolicyAppLabels,
			OwnerReferences: []meta.OwnerReference{
				wrc.constructOwner(),
			},
		},
		Webhooks: []admregapi.Webhook{
			constructWebhook(
				config.ValidatingWebhookName,
				config.ValidatingWebhookServicePath,
				caData),
		},
	}, nil
}

func constructWebhook(name, servicePath string, caData []byte) admregapi.Webhook {
	return admregapi.Webhook{
		Name: name,
		ClientConfig: admregapi.WebhookClientConfig{
			Service: &admregapi.ServiceReference{
				Namespace: config.KubePolicyNamespace,
				Name:      config.WebhookServiceName,
				Path:      &servicePath,
			},
			CABundle: caData,
		},
		Rules: []admregapi.RuleWithOperations{
			admregapi.RuleWithOperations{
				Operations: []admregapi.OperationType{
					admregapi.Create,
				},
				Rule: admregapi.Rule{
					APIGroups: []string{
						"*",
					},
					APIVersions: []string{
						"*",
					},
					Resources: []string{
						"*/*",
					},
				},
			},
		},
	}
}

func (wrc *WebhookRegistrationClient) constructOwner() meta.OwnerReference {
	kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()

	if err != nil {
		return meta.OwnerReference{}
	}

	return meta.OwnerReference{
		APIVersion: config.DeploymentAPIVersion,
		Kind:       config.DeploymentKind,
		Name:       kubePolicyDeployment.ObjectMeta.Name,
		UID:        kubePolicyDeployment.ObjectMeta.UID,
	}
}

// ExtractCA used for extraction CA from config
func extractCA(config *rest.Config) (result []byte) {
	fileName := config.TLSClientConfig.CAFile

	if fileName != "" {
		result, err := ioutil.ReadFile(fileName)

		if err != nil {
			return nil
		}

		return result
	}

	return config.TLSClientConfig.CAData
}
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`package webhooks`
NK-31: Put constants in separate file. Updated install.yaml definition to create Service and DaemonSet. Fixed bug with webhook registration. 2019-03-21 15:57:30 +02:00
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`import (`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`"errors"`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`"io/ioutil"`

move client to pkg, helper script for self-signed certs & update documentation 2019-05-29 14:12:09 -07:00			`"github.com/nirmata/kyverno/pkg/dclient"`
rename pkg to kyverno 2019-05-21 11:00:09 -07:00			`"github.com/nirmata/kyverno/pkg/config"`
NK-31: Put constants in separate file. Updated install.yaml definition to create Service and DaemonSet. Fixed bug with webhook registration. 2019-03-21 15:57:30 +02:00
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`admregapi "k8s.io/api/admissionregistration/v1beta1"`
NK-31: Refactoring 2019-03-21 18:14:26 +02:00			`meta "k8s.io/apimachinery/pkg/apis/meta/v1"`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`admregclient "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1"`
NK-31: Refactoring 2019-03-21 18:14:26 +02:00			`rest "k8s.io/client-go/rest"`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`)`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`// WebhookRegistrationClient is client for registration webhooks on cluster`
			`type WebhookRegistrationClient struct {`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`registrationClient *admregclient.AdmissionregistrationV1beta1Client`
rebase with develop 2019-05-15 11:24:27 -07:00			`client *client.Client`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`clientConfig *rest.Config`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`// NewWebhookRegistrationClient creates new WebhookRegistrationClient instance`
rebase with develop 2019-05-15 11:24:27 -07:00			`func NewWebhookRegistrationClient(clientConfig rest.Config, client client.Client) (*WebhookRegistrationClient, error) {`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`registrationClient, err := admregclient.NewForConfig(clientConfig)`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`if err != nil {`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`return nil, err`
			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`return &WebhookRegistrationClient{`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`registrationClient: registrationClient,`
rebase with develop 2019-05-15 11:24:27 -07:00			`client: client,`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`clientConfig: clientConfig,`
			`}, nil`
			`}`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`// Register creates admission webhooks configs on cluster`
			`func (wrc *WebhookRegistrationClient) Register() error {`
			`// For the case if cluster already has this configs`
			`wrc.Deregister()`

			`mutatingWebhookConfig, err := wrc.constructMutatingWebhookConfig(wrc.clientConfig)`
			`if err != nil {`
			`return err`
			`}`

			`_, err = wrc.registrationClient.MutatingWebhookConfigurations().Create(mutatingWebhookConfig)`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`if err != nil {`
			`return err`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`validationWebhookConfig, err := wrc.constructValidatingWebhookConfig(wrc.clientConfig)`
			`if err != nil {`
			`return err`
			`}`

			`_, err = wrc.registrationClient.ValidatingWebhookConfigurations().Create(validationWebhookConfig)`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`if err != nil {`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`return err`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`}`

NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`return nil`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`// Deregister deletes webhook configs from cluster`
			`// This function does not fail on error:`
			`// Register will fail if the config exists, so there is no need to fail on error`
			`func (wrc *WebhookRegistrationClient) Deregister() {`
			`wrc.registrationClient.MutatingWebhookConfigurations().Delete(config.MutatingWebhookConfigurationName, &meta.DeleteOptions{})`
			`wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.ValidatingWebhookConfigurationName, &meta.DeleteOptions{})`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`func (wrc WebhookRegistrationClient) constructMutatingWebhookConfig(configuration rest.Config) (*admregapi.MutatingWebhookConfiguration, error) {`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			`var caData []byte`
			`// Check if ca is defined in the secret tls-ca`
			`// assume the key and signed cert have been defined in secret tls.kyverno`
use single secret for tlsPair, check for secret annotation for self-signed cert & change type of secret from generic to tls 2019-05-29 12:36:03 -07:00			`caData = wrc.client.ReadRootCASecret()`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			`if len(caData) == 0 {`
			`// load the CA from kubeconfig`
			`caData = extractCA(configuration)`
			`}`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`if len(caData) == 0 {`
			`return nil, errors.New("Unable to extract CA data from configuration")`
			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`return &admregapi.MutatingWebhookConfiguration{`
			`ObjectMeta: meta.ObjectMeta{`
			`Name: config.MutatingWebhookConfigurationName,`
			`Labels: config.KubePolicyAppLabels,`
			`OwnerReferences: []meta.OwnerReference{`
			`wrc.constructOwner(),`
			`},`
			`},`
			`Webhooks: []admregapi.Webhook{`
			`constructWebhook(`
			`config.MutatingWebhookName,`
			`config.MutatingWebhookServicePath,`
			`caData),`
			`},`
			`}, nil`
			`}`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`func (wrc WebhookRegistrationClient) constructValidatingWebhookConfig(configuration rest.Config) (*admregapi.ValidatingWebhookConfiguration, error) {`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			`// Check if ca is defined in the secret tls-ca`
			`// assume the key and signed cert have been defined in secret tls.kyverno`
use single secret for tlsPair, check for secret annotation for self-signed cert & change type of secret from generic to tls 2019-05-29 12:36:03 -07:00			`caData := wrc.client.ReadRootCASecret()`
support self-signed certificates via secrets 2019-05-28 18:16:22 -07:00			`if len(caData) == 0 {`
			`// load the CA from kubeconfig`
			`caData = extractCA(configuration)`
			`}`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`if len(caData) == 0 {`
			`return nil, errors.New("Unable to extract CA data from configuration")`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`return &admregapi.ValidatingWebhookConfiguration{`
NK-31: Refactoring 2019-03-21 18:14:26 +02:00			`ObjectMeta: meta.ObjectMeta{`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`Name: config.ValidatingWebhookConfigurationName,`
			`Labels: config.KubePolicyAppLabels,`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`OwnerReferences: []meta.OwnerReference{`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`wrc.constructOwner(),`
NK-51: Added Deployment as owner of MutatingWebhookConfiguration. This allows kubernetes to delete webhook config, when deployment deletes. 2019-03-25 15:44:53 +02:00			`},`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`},`
NK-47: Added missed files 2019-03-25 10:11:50 +02:00			`Webhooks: []admregapi.Webhook{`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`constructWebhook(`
			`config.ValidatingWebhookName,`
			`config.ValidatingWebhookServicePath,`
			`caData),`
			`},`
			`}, nil`
			`}`

			`func constructWebhook(name, servicePath string, caData []byte) admregapi.Webhook {`
			`return admregapi.Webhook{`
			`Name: name,`
			`ClientConfig: admregapi.WebhookClientConfig{`
			`Service: &admregapi.ServiceReference{`
			`Namespace: config.KubePolicyNamespace,`
			`Name: config.WebhookServiceName,`
			`Path: &servicePath,`
			`},`
			`CABundle: caData,`
			`},`
			`Rules: []admregapi.RuleWithOperations{`
			`admregapi.RuleWithOperations{`
			`Operations: []admregapi.OperationType{`
			`admregapi.Create,`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`},`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`Rule: admregapi.Rule{`
			`APIGroups: []string{`
			`"*",`
			`},`
			`APIVersions: []string{`
			`"*",`
			`},`
			`Resources: []string{`
			`"/",`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`},`
			`},`
			`},`
			`},`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`}`
			`}`

			`func (wrc *WebhookRegistrationClient) constructOwner() meta.OwnerReference {`
rebase with develop 2019-05-15 11:24:27 -07:00			`kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment()`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00
			`if err != nil {`
			`return meta.OwnerReference{}`
			`}`

			`return meta.OwnerReference{`
			`APIVersion: config.DeploymentAPIVersion,`
			`Kind: config.DeploymentKind,`
			`Name: kubePolicyDeployment.ObjectMeta.Name,`
			`UID: kubePolicyDeployment.ObjectMeta.UID,`
			`}`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`// ExtractCA used for extraction CA from config`
			`func extractCA(config *rest.Config) (result []byte) {`
NK-31: Added tests for CA extraction from clientset 2019-03-20 12:37:05 +02:00			`fileName := config.TLSClientConfig.CAFile`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00
NK-31: Fixed indentation 2019-03-21 16:56:03 +02:00			`if fileName != "" {`
NK-31: Added tests for CA extraction from clientset 2019-03-20 12:37:05 +02:00			`result, err := ioutil.ReadFile(fileName)`
NK-31: Refactoring 2019-03-21 18:14:26 +02:00
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`if err != nil {`
			`return nil`
			`}`

NK-31: Added tests for CA extraction from clientset 2019-03-20 12:37:05 +02:00			`return result`
NK-31: Implemented webhook registration logic. 2019-03-19 21:32:31 +02:00			`}`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00
			`return config.TLSClientConfig.CAData`
NK-31: Refactoring 2019-03-21 18:14:26 +02:00			`}`