test: wip

charts/datree-admission-webhook-awsmp/values.yaml

@@ -44,21 +44,21 @@ datree:
 # The Datree webhook-server image to use.
 image:
   # Image repository
-  repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/awsmp-datree-admission-webhook #localhost:5000/datree-admission-webhook
+  repository: localhost:5000/datree-admission-webhook #709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/awsmp-datree-admission-webhook
   # Image tag
   tag: 1.0-rc.2
   # Image pull policy
   pullPolicy: Always
 
 initContainer:
-  repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/datree-cert-generator #localhost:5000/cert-generator
-  tag: 0.1.1-rc.1
+  repository: localhost:5000/gen-cert #709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/datree-cert-generator
+  tag: 0.1.2-rc.1 #0.1.1-rc.1
 
 imageWebhook:
   # Image repository
-  repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/datree-webhook-init #localhost:5000/webhook-init
+  repository: localhost:5000/webhook-init #709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/datree-webhook-init
   # Image tag
-  tag: 0.1.1-rc.2 #1.0-rc.19
+  tag: 0.1.1-rc.2
 
 # Security context for the containers
 securityContext:
@@ -82,8 +82,8 @@ hooks:
   timeoutTime:
   # The image for running kubectl commands
   image:
-    repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/bitnami-kubectl #bitnami/kubectl
-    sha: sha256:2c963c1aae87f544a53242348d64dce4bc39739211989394833322d29364b73c #sha256:1841cb16fddd9660c34f9b5bcec51f8c77bedba76c56381537753976b24649df
+    repository: bitnami/kubectl #709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/bitnami-kubectl
+    sha: sha256:1841cb16fddd9660c34f9b5bcec51f8c77bedba76c56381537753976b24649df #sha256:2c963c1aae87f544a53242348d64dce4bc39739211989394833322d29364b73c
     pullPolicy: IfNotPresent
 
 # AWS Marketplace configuration

cmd/webhook-init/k8s-client/k8sclient.go

@@ -0,0 +1,188 @@
+package k8sclient
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/datreeio/admission-webhook-datree/cmd/webhook-init/utils"
+	"github.com/datreeio/admission-webhook-datree/pkg/loggerUtil"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/kubernetes"
+
+	admissionregistrationV1 "k8s.io/api/admissionregistration/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+type K8sClient struct {
+	clientset kubernetes.Interface
+}
+
+func New(c kubernetes.Interface) *K8sClient {
+	if c != nil {
+		return &K8sClient{
+			clientset: c,
+		}
+	}
+
+	c, err := kubernetes.NewForConfig(ctrl.GetConfigOrDie())
+	if err != nil {
+		return nil
+	}
+
+	return &K8sClient{
+		clientset: c,
+	}
+
+}
+
+type ValidatingWebhookOpts struct {
+	MetaName    string
+	CaBundle    []byte
+	ServiceName string
+	Selector    string
+	WebhookName string
+}
+
+func (k *K8sClient) CreateValidatingWebhookConfiguration(namespace string, cfg *ValidatingWebhookOpts) (*admissionregistrationV1.ValidatingWebhookConfiguration, error) {
+	if cfg == nil {
+		return nil, fmt.Errorf("invalid ValidatingWebhookOpts")
+	}
+
+	path := "/validate"
+	sideEffects := admissionregistrationV1.SideEffectClassNone
+
+	vw := &admissionregistrationV1.ValidatingWebhookConfiguration{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: cfg.MetaName,
+		},
+		Webhooks: []admissionregistrationV1.ValidatingWebhook{{
+			Name: cfg.WebhookName,
+			ClientConfig: admissionregistrationV1.WebhookClientConfig{
+				CABundle: cfg.CaBundle, // CA bundle created earlier
+				Service: &admissionregistrationV1.ServiceReference{
+					Name:      cfg.ServiceName, // datree-webhook-server
+					Namespace: namespace,
+					Path:      &path,
+				},
+			},
+			Rules: []admissionregistrationV1.RuleWithOperations{{Operations: []admissionregistrationV1.OperationType{
+				admissionregistrationV1.Create,
+				admissionregistrationV1.Update,
+			},
+				Rule: admissionregistrationV1.Rule{
+					APIGroups:   []string{"*"},
+					APIVersions: []string{"*"},
+					Resources:   []string{"*"},
+				},
+			}},
+			SideEffects:             &sideEffects,
+			AdmissionReviewVersions: []string{"v1", "v1beta1"},
+			TimeoutSeconds:          &[]int32{30}[0],
+			NamespaceSelector: &metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{ // only validate pods in namespaces with the label "admission.datree/validate"
+						Key:      cfg.Selector,
+						Operator: metav1.LabelSelectorOpDoesNotExist,
+					},
+				},
+			},
+		}},
+	}
+
+	vw, err := k.clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.Background(), vw, metav1.CreateOptions{})
+	if err != nil {
+		return nil, err
+	}
+
+	loggerUtil.Debugf("created validating webhook configuration: %v", vw)
+	return vw, nil
+}
+
+// search for validating webhook and delete if exists
+func (k *K8sClient) DeleteExistingValidatingWebhook(name string) error {
+	vw := k.GetValidatingWebhookConfiguration(name)
+	if vw != nil {
+		return k.DeleteValidatingWebhookConfiguration(name)
+	}
+	return nil
+}
+
+func (k *K8sClient) DeleteValidatingWebhookConfiguration(name string) error {
+	return k.clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(context.Background(), name, metav1.DeleteOptions{})
+}
+
+func (k *K8sClient) GetValidatingWebhookConfiguration(name string) *admissionregistrationV1.ValidatingWebhookConfiguration {
+	vw, err := k.clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.Background(), name, metav1.GetOptions{})
+	if (vw != nil && vw.Name == name) && err == nil {
+		return vw
+	}
+
+	return nil
+}
+
+func (k *K8sClient) CreatePodWatcher(ctx context.Context, namespace string, selector string) (watch.Interface, error) {
+	labelSelector := fmt.Sprint(selector)
+
+	opts := metav1.ListOptions{
+		TypeMeta:      metav1.TypeMeta{},
+		LabelSelector: labelSelector,
+		FieldSelector: "",
+	}
+
+	return k.clientset.CoreV1().Pods(namespace).Watch(ctx, opts)
+}
+
+func (k *K8sClient) WaitUntilPodsAreRunning(ctx context.Context, namespace string, selector string, replicas int) error {
+	loggerUtil.Debugf("creating watcher for POD with label:%s ...", selector)
+	watcher, err := k.CreatePodWatcher(ctx, namespace, selector)
+	if err != nil {
+		return err
+	}
+
+	loggerUtil.Debug("watch out! Succuessfuly created watcher for PODs.")
+	defer watcher.Stop()
+
+	count := 0
+	for {
+		select {
+		case event := <-watcher.ResultChan():
+			pod := event.Object.(*v1.Pod)
+
+			if pod.Status.Phase == v1.PodRunning {
+				if k.IsPodReady(pod) {
+					count++
+					loggerUtil.Debugf("the POD \"%s\" is running", selector)
+					if count == replicas {
+						loggerUtil.Debug("all PODs are running")
+						return nil
+					}
+				}
+
+			}
+
+		case <-time.After(180 * time.Second):
+			loggerUtil.Debug("exit from waitPodRunning for POD \"%s\" because the time is over")
+			return nil
+
+		case <-ctx.Done():
+			loggerUtil.Debugf("exit from waitPodRunning for POD \"%s\" because the context is done", selector)
+			return nil
+		}
+	}
+}
+
+func (k *K8sClient) IsPodReady(pod *v1.Pod) bool {
+	checkPodReadyCondition := func(condition v1.PodCondition) bool {
+		return condition.Type == v1.PodReady && condition.Status == "True"
+	}
+
+	checkPodContainersCondition := func(condition v1.PodCondition) bool {
+		return condition.Type == v1.ContainersReady && condition.Status == "True"
+	}
+
+	return utils.FindIndex(checkPodReadyCondition, pod.Status.Conditions) > 0 && utils.FindIndex(checkPodContainersCondition, pod.Status.Conditions) > 0
+}

cmd/webhook-init/k8s-client/k8sclient_test.go

@@ -0,0 +1,91 @@
+package k8sclient
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	admissionregistrationV1 "k8s.io/api/admissionregistration/v1"
+	testclient "k8s.io/client-go/kubernetes/fake"
+)
+
+type condition[T any] struct {
+	compareFn func(actual T) bool
+	msg       string
+}
+
+type output struct {
+	err     *condition[error]
+	webhook *condition[*admissionregistrationV1.ValidatingWebhookConfiguration]
+}
+
+type input struct {
+	namespace string
+	cfg       *ValidatingWebhookOpts
+}
+
+type test struct {
+	name     string
+	args     input
+	expected output
+}
+
+func TestCreateValidatingWebhookConfiguration(t *testing.T) {
+	tests := []test{
+		{
+			name: "should create validating webhook configuration",
+			args: input{
+				namespace: "datree",
+				cfg: &ValidatingWebhookOpts{
+					MetaName:    "datree-webhook",
+					ServiceName: "webhook-server",
+					CaBundle:    []byte("caBundle"),
+					Selector:    "app=webhook-server",
+					WebhookName: "webhook-server.datree.svc",
+				}},
+			expected: output{
+				err: &condition[error]{compareFn: func(actual error) bool { return actual == nil }, msg: "should not return error"},
+				webhook: &condition[*admissionregistrationV1.ValidatingWebhookConfiguration]{compareFn: func(actual *admissionregistrationV1.ValidatingWebhookConfiguration) bool {
+					return actual != nil && actual.Name == "datree-webhook" && actual.Webhooks[0].Name == "webhook-server.datree.svc" && actual.Webhooks[0].ClientConfig.Service.Name == "webhook-server" && actual.Webhooks[0].ClientConfig.Service.Namespace == "datree" && actual.Webhooks[0].ClientConfig.Service.Path != nil && *actual.Webhooks[0].ClientConfig.Service.Path == "/validate" && actual.Webhooks[0].ClientConfig.CABundle != nil && string(actual.Webhooks[0].ClientConfig.CABundle) == "caBundle"
+				}, msg: "should return webhook configuration"},
+			},
+		},
+		{
+			name: "should not return error when namespace is empty",
+			args: input{
+				namespace: "",
+				cfg: &ValidatingWebhookOpts{
+					MetaName:    "datree-webhook",
+					ServiceName: "webhook-server",
+					CaBundle:    []byte("caBundle"),
+					Selector:    "app=webhook-server",
+					WebhookName: "webhook-server.datree.svc",
+				},
+			},
+			expected: output{err: &condition[error]{compareFn: func(actual error) bool { return actual == nil }, msg: "should return error"}},
+		},
+		{
+			name: "should return error when cfg is nil",
+			args: input{
+				namespace: "datree",
+				cfg:       nil,
+			},
+			expected: output{err: &condition[error]{compareFn: func(actual error) bool { return actual != nil }, msg: "should return error"}},
+		},
+	}
+
+	for _, ts := range tests {
+		t.Run(ts.name, func(t *testing.T) {
+			client := testclient.NewSimpleClientset()
+
+			k8sClient := New(client)
+
+			actualVW, actualErr := k8sClient.CreateValidatingWebhookConfiguration(ts.args.namespace, ts.args.cfg)
+			if ts.expected.err != nil {
+				assert.Condition(t, func() bool { return ts.expected.err.compareFn(actualErr) }, ts.expected.err.msg)
+			}
+			if ts.expected.webhook != nil {
+				assert.Condition(t, func() bool { return ts.expected.webhook.compareFn(actualVW) }, ts.expected.webhook.msg)
+			}
+		})
+	}
+}