refactor

Signed-off-by: Maksim Paskal <paskal.maksim@gmail.com>

.gitignore

@@ -4,4 +4,5 @@
 coverage.out
 /deploy-*
 /config.yaml
-/.cr-*
+/.cr-*
+/patch.json

.golangci.yml

@@ -10,4 +10,5 @@ linters:
   - exhaustruct
   - varnamelen
   - musttag
-  - depguard
+  - depguard
+  - maligned

Makefile

@@ -4,6 +4,9 @@ image=paskalmaksim/pod-admission-controller:$(tag)
 config=config.yaml
 testnamespace=test-pod-admission-controller
 
+namespace=
+pod=
+
 test:
 	./scripts/validate-license.sh
 	go mod tidy
@@ -38,7 +41,9 @@ run:
 	-cert=./certs/server.crt \
 	-key=./certs/server.key \
 	-listen=127.0.0.1:8443 \
-	-metrics.listen=127.0.0.1:31080
+	-metrics.listen=127.0.0.1:31080 \
+	-test.pod=$(pod) \
+	-test.namespace=$(namespace)
 
 sslInit:
 	rm -rf ./certs

charts/pod-admission-controller/templates/deployment.yaml

@@ -63,8 +63,10 @@ spec:
 {{ toYaml .Values.args | indent 8 }}
 {{ end }}
         ports:
-        - containerPort: 8443
-        - containerPort: 31080
+        - name: https
+          containerPort: 8443
+        - name: metrics
+          containerPort: 31080
         volumeMounts:
         - name: config
           mountPath: /config
@@ -74,13 +76,13 @@ spec:
           httpGet:
             scheme: HTTPS
             path: /ready
-            port: 8443
+            port: https
           initialDelaySeconds: 3
           periodSeconds: 5
         livenessProbe:
           httpGet:
             scheme: HTTPS
             path: /healthz
-            port: 8443
+            port: https
           initialDelaySeconds: 10
           periodSeconds: 10

charts/pod-admission-controller/templates/rbac.yaml

@@ -11,6 +11,9 @@ rules:
 - apiGroups: [""]
   resources: ["namespaces"]
   verbs: ["get"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get","delete","create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/pod-admission-controller/templates/webhook.yaml

@@ -18,6 +18,10 @@ webhooks:
     apiGroups: [""]
     apiVersions: ["v1"]
     resources: ["pods"]
+  - operations: ["UPDATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["namespaces"]
   admissionReviewVersions: ["v1"]
   sideEffects: None
   timeoutSeconds: 5

e2e/testdata/config.yaml

@@ -25,4 +25,19 @@ rules:
   - name: TEST_PORT
     value: "6831"
   - name: SERVICE_NAME
-    value: "{{ .Image.Slug }}"
+    value: "{{ .Image.Slug }}"
+
+- name: "rule-replaceContainerImageHost-1"
+  replaceContainerImageHost:
+    enabled: true
+    to: docker.io
+  conditions:
+  - key: .Image.Domain
+    operator: regexp
+    value: ^(test-fake.test.com)$
+
+- name: "rule-replaceContainerImageHost-2"
+  replaceContainerImageHost:
+    enabled: true
+    from: test.test.com
+    to: docker.io

e2e/testdata/pods/test-pod-1.yaml

@@ -15,14 +15,14 @@ spec:
   initContainers:
   # init containers must be unchanged
   - name: test-init-0
-    image: alpine:latest
+    image: test.test.com/alpine:latest
     securityContext:
       runAsUser: 1002
     command:
     - echo
     - ok
   - name: test-init-1
-    image: alpine:latest
+    image: test-fake.test.com/alpine:latest
     env:
     - name: TEST
       value: ok
@@ -39,7 +39,7 @@ spec:
   # 2. new memory limit
   # 3. securitycontext
   - name: test-0
-    image: alpine:latest
+    image: test.test.com/alpine:latest
     command:
     - sleep
     - 1d
@@ -56,7 +56,7 @@ spec:
   # 2. do not change memory limit (pod-admission-controller/ignoreAddDefaultResources)
   # 3. securitycontext
   - name: test-1
-    image: alpine:latest
+    image: test.test.com/alpine:latest
     command:
     - sleep
     - 1d
@@ -72,7 +72,7 @@ spec:
   # 2. new resources
   # 3. securitycontext without change (pod-admission-controller/ignoreRunAsNonRoot)
   - name: test-2
-    image: alpine:latest
+    image: test.test.com/alpine:latest
     command:
     - sleep
     - 1d
@@ -82,7 +82,7 @@ spec:
   # 2. do not change memory limit (pod-admission-controller/ignoreAddDefaultResources)
   # 3. securitycontext without change (pod-admission-controller/ignoreRunAsNonRoot)
   - name: test-3
-    image: alpine:latest
+    image: test.test.com/alpine:latest
     command:
     - sleep
     - 1d
@@ -92,7 +92,7 @@ spec:
   # 2. new resources
   # 3. securitycontext, replace runAsUser=0 to runAsUser=82
   - name: test-4
-    image: alpine:latest
+    image: test.test.com/alpine:latest
     command:
     - sleep
     - 1d

internal/internal.go

@@ -15,16 +15,16 @@ package internal
 import (
 	"context"
 	"crypto/tls"
+	"flag"
 	"net/http"
+	"os"
 	"time"
 
 	logrushooksentry "github.com/maksim-paskal/logrus-hook-sentry"
 	"github.com/maksim-paskal/pod-admission-controller/pkg/api"
 	"github.com/maksim-paskal/pod-admission-controller/pkg/config"
 	"github.com/maksim-paskal/pod-admission-controller/pkg/metrics"
 	"github.com/maksim-paskal/pod-admission-controller/pkg/sentry"
-	"github.com/maksim-paskal/pod-admission-controller/pkg/types"
-	"github.com/maksim-paskal/pod-admission-controller/pkg/utils"
 	"github.com/maksim-paskal/pod-admission-controller/pkg/web"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
@@ -33,6 +33,11 @@ import (
 // webhook spec timeoutSeconds.
 const serverTimeout = 5 * time.Second
 
+var (
+	testPod       = flag.String("test.pod", "", "test pod")
+	testNamespace = flag.String("test.namespace", "", "test namespace")
+)
+
 func Start(ctx context.Context) error {
 	hook, err := logrushooksentry.NewHook(ctx, logrushooksentry.Options{
 		SentryDSN: *config.Get().SentryDSN,
@@ -46,14 +51,27 @@ func Start(ctx context.Context) error {
 
 	log.Infof("Starting %s...", config.GetVersion())
 
-	if err := CheckConfigRules(); err != nil {
-		return errors.Wrap(err, "error in config rules")
-	}
-
 	if err := sentry.CreateCache(ctx); err != nil {
 		return errors.Wrap(err, "failed to create sentry cache")
 	}
 
+	if len(*testPod)+len(*testNamespace) > 0 {
+		patchBytes, err := api.TestPOD(ctx, *testNamespace, *testPod)
+		if err != nil {
+			log.WithError(err).Error()
+		}
+
+		log.Info("Creating patch.json...")
+
+		if err := os.WriteFile("patch.json", patchBytes, 0o600); err != nil { //nolint:gomnd
+			log.WithError(err).Error()
+		}
+
+		os.Exit(0)
+
+		return nil
+	}
+
 	sCert, err := tls.LoadX509KeyPair(*config.Get().CertFile, *config.Get().KeyFile)
 	if err != nil {
 		return errors.Wrap(err, "can not load certificates")
@@ -89,7 +107,7 @@ func startServerTLS(ctx context.Context, sCert tls.Certificate) {
 
 	log.Infof("Listening on address %s", server.Addr)
 
-	if err := server.ListenAndServeTLS("", ""); err != nil {
+	if err := server.ListenAndServeTLS("", ""); err != nil && ctx.Err() == nil {
 		log.WithError(err).Fatal()
 	}
 }
@@ -118,28 +136,7 @@ func startMetricsServer(ctx context.Context) {
 
 	log.Infof("Listening metrics on address %s", server.Addr)
 
-	if err := server.ListenAndServe(); err != nil {
+	if err := server.ListenAndServe(); err != nil && ctx.Err() == nil {
 		log.WithError(err).Fatal()
 	}
 }
-
-// check config for templating errors.
-func CheckConfigRules() error {
-	for _, containerConfig := range config.Get().Rules {
-		containerInfo := types.ContainerInfo{
-			Image: &types.ContainerImage{},
-		}
-
-		_, err := utils.CheckConditions(containerInfo, containerConfig.Conditions)
-		if err != nil {
-			return errors.Wrap(err, "error in conditions")
-		}
-
-		_, err = api.FormatEnv(containerInfo, containerConfig.Env)
-		if err != nil {
-			return errors.Wrap(err, "error in env")
-		}
-	}
-
-	return nil
-}