/
validating_handler.go
103 lines (84 loc) · 3.28 KB
/
validating_handler.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
/*
Copyright 2021. The KubeVela Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policydefinition
import (
"context"
"fmt"
"net/http"
admissionv1 "k8s.io/api/admission/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/manager"
"sigs.k8s.io/controller-runtime/pkg/runtime/inject"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"github.com/oam-dev/kubevela/apis/core.oam.dev/v1beta1"
"github.com/oam-dev/kubevela/pkg/oam"
webhookutils "github.com/oam-dev/kubevela/pkg/webhook/utils"
)
var policyDefGVR = v1beta1.SchemeGroupVersion.WithResource("policydefinitions")
// ValidatingHandler handles validation of policy definition
type ValidatingHandler struct {
// Decoder decodes object
Decoder *admission.Decoder
Client client.Client
}
var _ inject.Client = &ValidatingHandler{}
// InjectClient injects the client into the ApplicationValidateHandler
func (h *ValidatingHandler) InjectClient(c client.Client) error {
if h.Client != nil {
return nil
}
h.Client = c
return nil
}
var _ admission.Handler = &ValidatingHandler{}
// Handle validate component definition
func (h *ValidatingHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
obj := &v1beta1.PolicyDefinition{}
if req.Resource.String() != policyDefGVR.String() {
return admission.Errored(http.StatusBadRequest, fmt.Errorf("expect resource to be %s", policyDefGVR))
}
if req.Operation == admissionv1.Create || req.Operation == admissionv1.Update {
err := h.Decoder.Decode(req, obj)
if err != nil {
return admission.Errored(http.StatusBadRequest, err)
}
// validate cueTemplate
if obj.Spec.Schematic != nil && obj.Spec.Schematic.CUE != nil {
err = webhookutils.ValidateCueTemplate(obj.Spec.Schematic.CUE.Template)
if err != nil {
return admission.Denied(err.Error())
}
}
revisionName := obj.GetAnnotations()[oam.AnnotationDefinitionRevisionName]
if len(revisionName) != 0 {
defRevName := fmt.Sprintf("%s-v%s", obj.Name, revisionName)
err = webhookutils.ValidateDefinitionRevision(ctx, h.Client, obj, client.ObjectKey{Namespace: obj.Namespace, Name: defRevName})
if err != nil {
return admission.Denied(err.Error())
}
}
}
return admission.ValidationResponse(true, "")
}
var _ admission.DecoderInjector = &ValidatingHandler{}
// InjectDecoder injects the decoder into the ValidatingHandler
func (h *ValidatingHandler) InjectDecoder(d *admission.Decoder) error {
h.Decoder = d
return nil
}
// RegisterValidatingHandler will register ComponentDefinition validation to webhook
func RegisterValidatingHandler(mgr manager.Manager) {
server := mgr.GetWebhookServer()
server.Register("/validating-core-oam-dev-v1beta1-policydefinitions", &webhook.Admission{Handler: &ValidatingHandler{}})
}