/
admission.go
113 lines (96 loc) · 3.38 KB
/
admission.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
// SPDX-License-Identifier: Apache-2.0
// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
// Package http provides a http server for the webhook and proxy.
package http
import (
"encoding/json"
"fmt"
"io"
"net/http"
"github.com/defenseunicorns/zarf/src/config/lang"
"github.com/defenseunicorns/zarf/src/internal/agent/operations"
"github.com/defenseunicorns/zarf/src/pkg/message"
v1 "k8s.io/api/admission/v1"
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
)
// admissionHandler represents the HTTP handler for an admission webhook.
type admissionHandler struct {
decoder runtime.Decoder
}
// newAdmissionHandler returns an instance of AdmissionHandler.
func newAdmissionHandler() *admissionHandler {
return &admissionHandler{
decoder: serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer(),
}
}
// Serve returns a http.HandlerFunc for an admission webhook.
func (h *admissionHandler) Serve(hook operations.Hook) http.HandlerFunc {
message.Debugf("http.Serve(%#v)", hook)
return func(w http.ResponseWriter, r *http.Request) {
message.Debugf("http.Serve()(writer, %#v)", r.URL)
w.Header().Set("Content-Type", "application/json")
if r.Method != http.MethodPost {
http.Error(w, lang.AgentErrInvalidMethod, http.StatusMethodNotAllowed)
return
}
if contentType := r.Header.Get("Content-Type"); contentType != "application/json" {
http.Error(w, lang.AgentErrInvalidType, http.StatusBadRequest)
return
}
body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, fmt.Sprintf(lang.AgentErrBadRequest, err), http.StatusBadRequest)
return
}
var review v1.AdmissionReview
if _, _, err := h.decoder.Decode(body, nil, &review); err != nil {
http.Error(w, fmt.Sprintf(lang.AgentErrCouldNotDeserializeReq, err), http.StatusBadRequest)
return
}
if review.Request == nil {
http.Error(w, lang.AgentErrNilReq, http.StatusBadRequest)
return
}
result, err := hook.Execute(review.Request)
if err != nil {
message.WarnErr(err, lang.AgentErrBindHandler)
w.WriteHeader(http.StatusInternalServerError)
return
}
admissionResponse := v1.AdmissionReview{
TypeMeta: meta.TypeMeta{
APIVersion: v1.SchemeGroupVersion.String(),
Kind: "AdmissionReview",
},
Response: &v1.AdmissionResponse{
UID: review.Request.UID,
Allowed: result.Allowed,
Result: &meta.Status{Message: result.Msg},
},
}
// set the patch operations for mutating admission
if len(result.PatchOps) > 0 {
jsonPatchType := v1.PatchTypeJSONPatch
patchBytes, err := json.Marshal(result.PatchOps)
if err != nil {
message.WarnErr(err, lang.AgentErrMarshallJSONPatch)
http.Error(w, lang.AgentErrMarshallJSONPatch, http.StatusInternalServerError)
}
admissionResponse.Response.Patch = patchBytes
admissionResponse.Response.PatchType = &jsonPatchType
}
jsonResponse, err := json.Marshal(admissionResponse)
if err != nil {
message.WarnErr(err, lang.AgentErrMarshalResponse)
http.Error(w, lang.AgentErrMarshalResponse, http.StatusInternalServerError)
return
}
message.Debug("PATCH: ", string(admissionResponse.Response.Patch))
message.Debug("RESPONSE: ", string(jsonResponse))
message.Infof(lang.AgentInfoWebhookAllowed, r.URL.Path, review.Request.Operation, result.Allowed)
w.WriteHeader(http.StatusOK)
w.Write(jsonResponse)
}
}