first draft, generating the certificate if it is missing and activati…

…ng the validatingwebhookconfiguration

charts/datree-admission-webhook/templates/webhook-with-cert-secrets.yaml

@@ -1,37 +1,4 @@
-{{- $ca := genCA "/CN=Admission Controller Webhook Demo CA" 1827 -}}
 {{- $svcHost := printf "datree-webhook-server.%s.svc" ( include "datree.namespace" . ) -}}
-{{- $altNames := list ( $svcHost ) -}}
-{{- $cert := genSignedCert (printf "/CN=%s" $svcHost) nil $altNames 1827 $ca -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: datree-ca-tls
-  labels: {{ include "datree.labels" . | nindent 4 }}
-  namespace: {{ template "datree.namespace" . }}
-  {{- with .Values.customAnnotations }}
-  annotations: {{ toYaml . | nindent 4 }}
-  {{- end }}
-type: kubernetes.io/tls
-data:
-  tls.key: {{ $ca.Key | b64enc }}
-  tls.crt: {{ $ca.Cert | b64enc }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: webhook-server-tls
-  labels: {{ include "datree.labels" . | nindent 4 }}
-  namespace: {{ template "datree.namespace" . }}
-  annotations:
-    self-signed-cert: "true"
-    {{- with .Values.customAnnotations }}
-    {{ toYaml . }}
-    {{- end }}
-type: kubernetes.io/tls
-data:
-  tls.key: {{ $cert.Key | b64enc }}
-  tls.crt: {{ $cert.Cert | b64enc }}
----
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -59,7 +26,7 @@ webhooks:
         name: datree-webhook-server
         namespace: {{ template "datree.namespace" . }}
         path: "/validate"
-      caBundle: {{ $ca.Cert | b64enc }}
+      caBundle: {{ "PLACEHOLDER" | b64enc }}
     namespaceSelector:
       matchExpressions:
         - key: admission.datree/validate

go.mod

@@ -7,8 +7,10 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/google/go-cmp v0.5.9
 	github.com/lithammer/shortuuid v3.0.0+incompatible
+	github.com/openshift/api v0.0.0-20230705144233-e28cd4dd28a8
 	github.com/openshift/client-go v0.0.0-20230705133330-7f808ad59404
 	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.1
 	go.uber.org/zap v1.10.0
 	k8s.io/api v0.27.2
@@ -33,7 +35,6 @@ require (
 	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/mikefarah/yq/v4 v4.27.3 // indirect
 	github.com/open-policy-agent/opa v0.49.2 // indirect
-	github.com/openshift/api v0.0.0-20230705144233-e28cd4dd28a8 // indirect
 	github.com/owenrumney/go-sarif/v2 v2.1.2 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect

go.sum

@@ -226,6 +226,7 @@ github.com/santhosh-tekuri/jsonschema/v5 v5.0.0/go.mod h1:FKdcjfQW6rpZSnxxUvEA5H
 github.com/shirou/gopsutil/v3 v3.22.5 h1:atX36I/IXgFiB81687vSiBI5zrMsxcIBkP9cQMJQoJA=
 github.com/shirou/gopsutil/v3 v3.22.5/go.mod h1:so9G9VzeHt/hsd0YwqprnjHnfARAUktauykSbr+y2gA=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
@@ -327,6 +328,7 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/startup/startup.go

@@ -3,6 +3,8 @@ package startup
 import (
 	"errors"
 	"fmt"
+	cert_manager "github.com/datreeio/admission-webhook-datree/pkg/cert-manager"
+	"github.com/datreeio/admission-webhook-datree/pkg/k8sClient2"
 	"github.com/datreeio/admission-webhook-datree/pkg/openshiftService"
 
 	"net/http"
@@ -87,9 +89,18 @@ func Start() {
 	if err != nil {
 		fmt.Printf("Failed init skip list: %s \n", err.Error())
 	}
-	certPath, keyPath, err := server.ValidateCertificate()
+
+	err = cert_manager.GenerateCertificatesIfTheyAreMissing()
+	if err != nil {
+		fmt.Printf("Failed to generate certificates: %s \n", err.Error())
+	}
+	k8sClient2Instance, err := k8sClient2.NewK8sClient()
+	if err != nil {
+		fmt.Printf("Failed to create k8s client: %s \n", err.Error())
+	}
+	err = k8sClient2Instance.ActivateValidatingWebhookConfiguration(cert_manager.CaCertPath)
 	if err != nil {
-		panic(err)
+		fmt.Printf("Failed to activate validating webhook configuration: %s \n", err.Error())
 	}
 
 	validationController := controllers.NewValidationController(basicCliClient, state, errorReporter, k8sMetadataUtilInstance, &internalLogger, openshiftServiceInstance)
@@ -105,7 +116,7 @@ func Start() {
 	internalLogger.LogInfo(fmt.Sprintf("server starting in webhook-version: %s", config.WebhookVersion))
 
 	// start server
-	if err := http.ListenAndServeTLS(":"+port, certPath, keyPath, nil); err != nil {
+	if err := http.ListenAndServeTLS(":"+port, cert_manager.CertPath, cert_manager.KeyPath, nil); err != nil {
 		err = http.ListenAndServe(":"+port, nil)
 		if err != nil {
 			fmt.Println("Failed to start http server", err.Error())

pkg/k8sClient2/k8sClient2.go

@@ -0,0 +1,66 @@
+package k8sClient2
+
+import (
+	"context"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+type k8sClientInterface interface {
+	doesValidatingWebhookConfigurationExist() (any, error)
+	applyValidatingWebhookConfiguration() (any, error)
+}
+
+type k8sClient struct {
+	clientset *kubernetes.Clientset
+}
+
+func NewK8sClient() (*k8sClient, error) {
+	// creates the in-cluster config
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+	// creates the clientset
+	clientsetInstance, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	return &k8sClient{
+		clientset: clientsetInstance,
+	}, nil
+}
+
+func (kc *k8sClient) ActivateValidatingWebhookConfiguration(certPath string) error {
+	//certificateContent, readFileError := os.ReadFile(certPath)
+	//if readFileError != nil {
+	//	return readFileError
+	//}
+
+	result, err := kc.clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(context.TODO(), "datree-webhook", metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	// update the CABundle from PLACEHOLDER to the actual certificate from cert-manager
+	//result.Webhooks[0].ClientConfig.CABundle = certificateContent
+
+	// remove the match expression at index 1, which is responsible for disabling the webhook
+	matchExpressions := result.Webhooks[0].NamespaceSelector.MatchExpressions
+	if len(matchExpressions) > 1 {
+		result.Webhooks[0].NamespaceSelector.MatchExpressions = append(matchExpressions[:1], matchExpressions[2:]...)
+	}
+
+	_, err = kc.clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().Update(context.TODO(), result, metav1.UpdateOptions{})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (kc *k8sClient) applyValidatingWebhookConfiguration() error {
+	return nil
+}