refactor (#15)

Signed-off-by: Maksim Paskal <paskal.maksim@gmail.com>

.github/workflows/chart-release.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Configure Git

.github/workflows/chart-test.yml

@@ -5,7 +5,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -14,7 +14,7 @@ jobs:
         with:
           version: v3.8.1
 
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v4
         with:
           python-version: 3.7
 

.github/workflows/e2e.yml

@@ -0,0 +1,30 @@
+on: pull_request
+
+jobs:
+  e2e:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        k3s_version: ["v1.26.11+k3s2","v1.27.8+k3s2","v1.28.4+k3s2"]
+        helm_version: ["v3.8.1"]
+    steps:
+    - name: Setup Kubernetes
+      run: curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION="${{ matrix.k3s_version }}" K3S_KUBECONFIG_MODE=777 sh -
+    - name: Setup Helm
+      uses: azure/setup-helm@v3
+      with:
+        version: ${{ matrix.helm_version }}
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Setup Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.21'
+    - name: Build
+      run: go run github.com/goreleaser/goreleaser@latest build --clean --snapshot --skip=validate
+    - name: Copy binary
+      run: mv ./dist/pod-admission-controller_linux_amd64_v1/pod-admission-controller ./pod-admission-controller
+    - name: Test binary
+      run: ./pod-admission-controller -version
+    - name: Run tests
+      run: make e2e KUBECONFIG=/etc/rancher/k3s/k3s.yaml image=alpine:latest helm_args=--values=./e2e/values.yaml

.github/workflows/release.yml

@@ -11,13 +11,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Remove Git Tags with Charts
       run: git tag -d $(git tag -l "helm-chart-*")
     - name: Set up Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v4
       with:
         go-version: '1.21'
     - name: Login to Docker Hub

.github/workflows/test.yml

@@ -6,9 +6,9 @@ jobs:
     name: test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions/setup-go@v2
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v4
       with:
-        stable: 'false'
         go-version: '1.21'
-    - run: make test
+    - run: make test
+    - uses: codecov/codecov-action@v3

.github/workflows/validate-license.yml

@@ -10,5 +10,5 @@ jobs:
     name: validate-license
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - run: ./scripts/validate-license.sh

.gitignore

@@ -4,4 +4,5 @@
 coverage.out
 /deploy-*
 /config.yaml
-/.cr-*
+/.cr-*
+/patch.json

.golangci.yml

@@ -10,4 +10,5 @@ linters:
   - exhaustruct
   - varnamelen
   - musttag
-  - depguard
+  - depguard
+  - maligned

Makefile

@@ -3,6 +3,10 @@ tag=dev
 image=paskalmaksim/pod-admission-controller:$(tag)
 config=config.yaml
 testnamespace=test-pod-admission-controller
+helm_args=
+
+namespace=
+pod=
 
 test:
 	./scripts/validate-license.sh
@@ -22,8 +26,8 @@ e2e:
 	kubectl create ns $(testnamespace)
 	kubectl label ns $(testnamespace) environment=dev
 	kubectl -n $(testnamespace) apply -f ./e2e/testdata/pods
-	kubectl -n $(testnamespace) wait --for=condition=Ready=true pods -lapp=test-pod-admission-controller --timeout=600s
-	go test --race ./e2e -kubeconfig=$(KUBECONFIG)
+	kubectl -n $(testnamespace) wait --for=condition=Ready=true pods -lapp=test-pod-admission-controller --timeout=60s
+	go test -v ./e2e -kubeconfig=$(KUBECONFIG)
 	kubectl delete ns $(testnamespace)
 
 testChart:
@@ -38,7 +42,9 @@ run:
 	-cert=./certs/server.crt \
 	-key=./certs/server.key \
 	-listen=127.0.0.1:8443 \
-	-metrics.listen=127.0.0.1:31080
+	-metrics.listen=127.0.0.1:31080 \
+	-test.pod=$(pod) \
+	-test.namespace=$(namespace)
 
 sslInit:
 	rm -rf ./certs
@@ -59,16 +65,18 @@ restart:
 
 deploy:
 	kubectl -n pod-admission-controller scale deploy --all --replicas=0 || true
-	
+
 	helm upgrade pod-admission-controller \
 	--install \
 	--namespace pod-admission-controller \
 	--create-namespace \
 	./charts/pod-admission-controller \
-	--set registry.image=paskalmaksim/pod-admission-controller:dev \
+	--set registry.image=$(image) \
 	--set registry.imagePullPolicy=Always \
-	--set-file config=$(config)
-	kubectl -n pod-admission-controller wait pod --for=condition=ready --all --timeout=600s
+	--set-file config=$(config) $(helm_args)
+
+	kubectl -n pod-admission-controller wait --for=condition=available deployment/pod-admission-controller --timeout=60s
+	kubectl -n pod-admission-controller wait --for=condition=ready pod -lapp=pod-admission-controller --timeout=60s
 
 clean:
 	helm uninstall pod-admission-controller --namespace pod-admission-controller || true

charts/pod-admission-controller/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 icon: https://helm.sh/img/helm.svg
 name: pod-admission-controller
-version: 0.0.4
+version: 0.0.5
 description: pod mutating admission controller
 maintainers:
 - name: maksim-paskal  # Maksim Paskal

charts/pod-admission-controller/templates/deployment.yaml

@@ -37,6 +37,9 @@ spec:
       - name: config
         configMap:
           name: {{ .Release.Name }}-config
+{{ if .Values.extraVolumes }}
+{{ toYaml .Values.extraVolumes | indent 6 }}
+{{ end }}
       containers:
       - name: {{ .Release.Name }}
         image: {{ .Values.registry.image }}
@@ -54,6 +57,10 @@ spec:
 {{ if .Values.env }}
         env:
 {{ toYaml .Values.env | indent 8 }}
+{{ end }}
+{{ if .Values.command }}
+        command:
+{{ toYaml .Values.command | indent 8 }}
 {{ end }}
         args:
         - -config=/config/config.yaml
@@ -63,24 +70,29 @@ spec:
 {{ toYaml .Values.args | indent 8 }}
 {{ end }}
         ports:
-        - containerPort: 8443
-        - containerPort: 31080
+        - name: https
+          containerPort: 8443
+        - name: metrics
+          containerPort: 31080
         volumeMounts:
         - name: config
           mountPath: /config
+{{ if .Values.extraVolumeMounts }}
+{{ toYaml .Values.extraVolumeMounts | indent 8 }}
+{{ end }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
         readinessProbe:
           httpGet:
             scheme: HTTPS
             path: /ready
-            port: 8443
+            port: https
           initialDelaySeconds: 3
           periodSeconds: 5
         livenessProbe:
           httpGet:
             scheme: HTTPS
             path: /healthz
-            port: 8443
+            port: https
           initialDelaySeconds: 10
           periodSeconds: 10

charts/pod-admission-controller/templates/rbac.yaml

@@ -11,6 +11,9 @@ rules:
 - apiGroups: [""]
   resources: ["namespaces"]
   verbs: ["get"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get","delete","create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/pod-admission-controller/templates/webhook.yaml

@@ -6,7 +6,7 @@ metadata:
     app: pod-admission-controller
 webhooks:
 - name: pod-admission-controller.pod-admission-controller.svc.cluster.local
-  failurePolicy: Ignore
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
   clientConfig:
     caBundle: {{ tpl .Values.webhook.caBundle . | quote }}
     service:
@@ -18,6 +18,10 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
+  - operations: ["UPDATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["namespaces"]
   admissionReviewVersions: ["v1"]
   sideEffects: None
   timeoutSeconds: 5

charts/pod-admission-controller/values.yaml

@@ -28,6 +28,9 @@ tolerations: []
 # application config
 config: ""
 
+extraVolumes: []
+extraVolumeMounts: []
+
 # certificates for dev purpuses, generate new certificates
 certificates:
   caCert: |
@@ -110,6 +113,8 @@ certificates:
 
 webhook:
   caBundle: "{{ b64enc .Values.certificates.caCert }}"
+  # Fail/Ignore
+  failurePolicy: Ignore
   namespaceSelector:
   - key: environment
     operator: In

e2e/testdata/config.yaml

@@ -25,4 +25,19 @@ rules:
   - name: TEST_PORT
     value: "6831"
   - name: SERVICE_NAME
-    value: "{{ .Image.Slug }}"
+    value: "{{ .Image.Slug }}"
+
+- name: "rule-replaceContainerImageHost-1"
+  replaceContainerImageHost:
+    enabled: true
+    to: docker.io
+  conditions:
+  - key: .Image.Domain
+    operator: regexp
+    value: ^(test-fake.test.com)$
+
+- name: "rule-replaceContainerImageHost-2"
+  replaceContainerImageHost:
+    enabled: true
+    from: test.test.com
+    to: docker.io