wip

Dockerfile

@@ -2,7 +2,6 @@ FROM golang:1.18-alpine AS builder
 
 ARG BUILD_ENVIRONMENT
 ARG WEBHOOK_VERSION
-ARG BINARY_PATH
 
 WORKDIR /go/src/app
 
@@ -11,10 +10,12 @@ COPY go.* .
 RUN go mod download
 
 COPY . .
-# cache the build
-RUN --mount=type=cache,target=/root/.cache/go-build go build ./cmd/cert-generator -tags $BUILD_ENVIRONMENT -ldflags="-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=$WEBHOOK_VERSION" -o webhook-datree
+# cache the build, 
+## map the /root/.cache/go-build to your host go build cache folder
+# RUN --mount=type=cache,target=/root/.cache/go-build go build ./cmd/webhook-datree -tags $BUILD_ENVIRONMENT -ldflags="-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=$WEBHOOK_VERSION" -o webhook-datree
+RUN go build ./cmd/webhook-server
 
 FROM alpine:3.14
-COPY --from=builder /go/src/app/webhook-datree /
+COPY --from=builder /go/src/app/webhook-server /
 EXPOSE 8443
-ENTRYPOINT ["/webhook-datree"]
+ENTRYPOINT ["/webhook-server"]

Dockerfile.init

@@ -0,0 +1,24 @@
+FROM golang:1.18-alpine AS builder
+
+ARG BUILD_ENVIRONMENT
+ARG WEBHOOK_VERSION
+
+WORKDIR /go/src/app
+
+
+
+# download dependencies in a separate step to allow caching
+COPY go.* .
+RUN go mod download
+
+COPY . .
+# cache the build
+# RUN --mount=type=cache,target=/root/.cache/go-build go build cmd/webhook-server -o webhook-server
+RUN go build ./cmd/cert-generator
+
+# RUN --mount=type=cache,target=/root/.cache/go-build go build -tags $BUILD_ENVIRONMENT -ldflags="-X github.com/datreeio/admission-webhook-datree/pkg/config.WebhookVersion=$WEBHOOK_VERSION" -o webhook-datree
+
+FROM alpine:3.14
+COPY --from=builder /go/src/app/cert-generator /
+EXPOSE 8443
+ENTRYPOINT ["/cert-generator"]

charts/datree-admission-webhook-awsmp/ignore/namespace-post-delete.yaml

@@ -0,0 +1 @@
+# {{- include "datree-lib.namespace-post-delete" .}}

charts/datree-admission-webhook-awsmp/ignore/namespace-post-install.yaml

@@ -0,0 +1 @@
+# {{- include "datree-lib.namespace-post-install" .}}

charts/datree-admission-webhook-awsmp/templates/deployment.yaml

@@ -6,8 +6,11 @@ metadata:
   labels: {{ include "datree.labels" . | nindent 4 }}
     owner: datree
     app: "datree-webhook-server"
+  annotations: 
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
   {{- if .Values.customAnnotations }}
-  annotations: {{- toYaml .Values.customAnnotations | nindent 4 }}
+    {{- toYaml .Values.customAnnotations | nindent 4 }}
   {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
@@ -23,88 +26,89 @@ spec:
       {{- end }}
     spec:
       serviceAccountName: {{.Values.rbac.serviceAccount.name}}
-      initContainers:
-        image: <webhook init-image name>
-        imagePullPolicy: IfNotPresent
-        name: webhook-init
-        volumeMounts:
-            - mountPath: /etc/webhook/certs
-              name: webhook-certs
-        env:
-            - name: WEBHOOK_NAMESPACE
-              value: {{ template "datree.namespace" . }}
-            - name: WEBHOOK_SERVICE
-              value: "datree-webhook-server"
       containers:
-        - name: server
-          securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
-          livenessProbe:
+      - name: server
+        securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
+        livenessProbe:
             httpGet:
-              path: /health
-              port: 8443
-              scheme: HTTPS
+                path: /health
+                port: 8443
+                scheme: HTTPS
             initialDelaySeconds: 5
             periodSeconds: 10
-          readinessProbe:
+        readinessProbe:
             httpGet:
-              path: /ready
-              port: 8443
-              scheme: HTTPS
+                path: /ready
+                port: 8443
+                scheme: HTTPS
             initialDelaySeconds: 5
             periodSeconds: 10
-          resources: {{- toYaml .Values.resources | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{.Values.image.pullPolicy}}
-          ports:
-            - containerPort: 8443
-              name: webhook-api
-          # caution: don't change the order of the environment variables
-          # changing the order will harm resource patching
-          env:
-            - name: DEBUG
-              value: "{{ .Values.debug }}"
-            # Datree webhook varaibles
-            - name: DATREE_TOKEN
-              value: {{.Values.datree.token}}
-            - name: DATREE_POLICY
-              value: {{.Values.datree.policy}}
-            - name: DATREE_VERBOSE
-              value: {{.Values.datree.verbose}}
-            - name: DATREE_OUTPUT
-              value: {{.Values.datree.output}}
-            - name: DATREE_NO_RECORD
-              value: {{.Values.datree.noRecord}}
-            # AWS Marketplace varaibles
-            - name: AWS_MP_PRODUCT_ID
-              value: {{ .Values.aws.productId }}
-            - name: AWS_MP_KEY_FINGERPRINT
-              value: {{ .Values.aws.issuerKey }}
-            - name: AWS_MP_ENABLE_CHECK_ENTITLEMENT
-              value: "{{.Values.aws.enableCheckEntitlement}}"
-            - name: AWS_MP_REGION
-              value: {{.Values.aws.region}}
-            {{- if .Values.aws.licenseConfigSecretName }}
-            - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
-              value: "/var/run/secrets/awsmp-product-license/license_token"
-            - name: AWS_ROLE_ARN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.aws.licenseConfigSecretName }}
-                  key: iam_role
-            {{- end}}
-          # add aws marketplace license config to the licensed container application env
-          volumeMounts:
-            - mountPath: /etc/webhook/certs
-              name: webhook-certs
-              readOnly: true
-          {{- if .Values.aws.licenseConfigSecretName }}
-            - name: awsmp-product-license
-              mountPath: "/var/run/secrets/awsmp-product-license"
-          {{- end}}
+        resources: {{- toYaml .Values.resources | nindent 12 }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{.Values.image.pullPolicy}}
+        ports:
+        - containerPort: 8443
+          name: webhook-api
+        # caution: don't change the order of the environment variables
+        # changing the order will harm resource patching
+        env:
+        - name: DEBUG
+          value: "{{ .Values.debug }}"
+        # Datree webhook varaibles
+        - name: DATREE_TOKEN
+          value: {{.Values.datree.token}}
+        - name: DATREE_POLICY
+          value: {{.Values.datree.policy}}
+        - name: DATREE_VERBOSE
+          value: {{.Values.datree.verbose}}
+        - name: DATREE_OUTPUT
+          value: {{.Values.datree.output}}
+        - name: DATREE_NO_RECORD
+          value: {{.Values.datree.noRecord}}
+         # AWS Marketplace varaibles
+        - name: AWS_MP_PRODUCT_ID
+          value: {{ .Values.aws.productId }}
+        - name: AWS_MP_KEY_FINGERPRINT
+          value: {{ .Values.aws.issuerKey }}
+        - name: AWS_MP_ENABLE_CHECK_ENTITLEMENT
+          value: "{{.Values.aws.enableCheckEntitlement}}"
+        - name: AWS_MP_REGION
+          value: {{.Values.aws.region}}
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE
+          value: "/var/run/secrets/awsmp-product-license/license_token"
+        - name: AWS_ROLE_ARN
+          valueFrom:
+            secretKeyRef:
+                name: {{ .Values.aws.licenseConfigSecretName }}
+                key: iam_role
+        {{- end}}
+        # add aws marketplace license config to the licensed container application env
+        volumeMounts:
+        - mountPath: /etc/webhook/certs
+          name: webhook-certs
+          readOnly: true
+        {{- if .Values.aws.licenseConfigSecretName }}
+        - name: awsmp-product-license
+          mountPath: "/var/run/secrets/awsmp-product-license"
+        {{- end}}
+      volumes:
         - name: webhook-certs
           emptyDir: {}
-      {{- if .Values.aws.licenseConfigSecretName }}
+        {{- if .Values.aws.licenseConfigSecretName }}
         - name: awsmp-product-license
           secret:
             secretName: {{ .Values.aws.licenseConfigSecretName }}
-      {{- end}}
+        {{- end}}
+      initContainers:
+        - name: webhook-init
+          image: "{{ .Values.initContainer.repository }}@{{ .Values.initContainer.sha }}"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /etc/webhook/certs
+              name: webhook-certs
+          env:
+            - name: WEBHOOK_NAMESPACE
+              value: {{ template "datree.namespace" . }}
+            - name: WEBHOOK_SERVICE
+              value: "datree-webhook-server"

charts/datree-admission-webhook-awsmp/values.yaml

@@ -44,12 +44,16 @@ datree:
 # The Datree webhook-server image to use.
 image:
   # Image repository
-  repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/datree-admission-webhook-awsmp
+  repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/awsmp-datree-admission-webhook
   # Image tag
-  tag: 0.1.24-rc.1
+  tag: 0.1.25-rc.3
   # Image pull policy
   pullPolicy: Always
 
+initContainer:
+  repository: 709825985650.dkr.ecr.us-east-1.amazonaws.com/datree/awsmp-datree-admission-webhook
+  sha: sha256:694cc1a664315582bb9414f3ef255f3cbd730d361b6dfa2bea2be45dd1801d37
+
 # Security context for the containers
 securityContext:
   allowPrivilegeEscalation: false

charts/datree-lib/templates/_clusterrole.yaml

@@ -11,12 +11,19 @@ metadata:
 rules:
   - apiGroups:
       - ""
+      - "admissionregistration.k8s.io"
     resources:
       - "nodes"
       - "namespaces"
+      - "validatingwebhookconfigurations"
     verbs:
       - "get"
       - "list"
+      - "create"
+      - "delete"
+      - "patch"
+      - "update"
+      - "watch"
 {{- end}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1

cmd/cert-generator/main.go

@@ -22,15 +22,22 @@ import (
 )
 
 func main() {
+	loggerUtil.Log("starting cert-generator")
 	caCert, _ := generateSelfSignedCAAndSignWebhookServerCertificate()
-	createValidationWebhookConfig(caCert)
+	loggerUtil.Log(fmt.Sprintf("created ca certificate, caCert: %v", caCert))
+	err := createValidationWebhookConfig(caCert)
+	if err != nil {
+		loggerUtil.Log(fmt.Sprintf("failed to create validation webhook config, err: %v", err))
+	} else {
+		loggerUtil.Log("created validating webhook configuration")
+	}
 }
 
-func createValidationWebhookConfig(caCert *bytes.Buffer) {
+func createValidationWebhookConfig(caCert *bytes.Buffer) error {
 	config := ctrl.GetConfigOrDie()
 	kubeClient, err := kubernetes.NewForConfig(config)
 	if err != nil {
-		panic("failed to set go -client")
+		return err // panic("failed to set go -client")
 	}
 
 	webhookNamespace, _ := os.LookupEnv("WEBHOOK_NAMESPACE")
@@ -49,7 +56,7 @@ func createValidationWebhookConfig(caCert *bytes.Buffer) {
 			ClientConfig: admissionregistrationv1.WebhookClientConfig{
 				CABundle: caCert.Bytes(), // CA bundle created earlier
 				Service: &admissionregistrationv1.ServiceReference{
-					Name:      webhookService,
+					Name:      webhookService, // datree-webhook-server
 					Namespace: webhookNamespace,
 					Path:      &path,
 				},
@@ -79,8 +86,10 @@ func createValidationWebhookConfig(caCert *bytes.Buffer) {
 	}
 
 	if _, err = kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations().Create(context.Background(), validationWebhookConfig, metav1.CreateOptions{}); err != nil {
-		panic(err)
+		return err
 	}
+
+	return nil
 }
 
 func generateSelfSignedCAAndSignWebhookServerCertificate() (*bytes.Buffer, error) {
@@ -100,11 +109,9 @@ func generateSelfSignedCAAndSignWebhookServerCertificate() (*bytes.Buffer, error
 		Bytes: caBytes,
 	})
 
-	dnsNames := []string{"datree-webhook-server",
-		"datree-webhook-server.default",
-		"datree-webhook-server.default.svc",
-		"datree-webhook-server.datree",
-		"datree-webhook-server.datree.svc",
+	webhookNamespace, _ := os.LookupEnv("WEBHOOK_NAMESPACE")
+	dnsNames := []string{
+		fmt.Sprintf("datree-webhook-server.%s.svc", webhookNamespace),
 	}
 
 	commonName := "/CN=datree-webhook-server.datree.svc"

cmd/webhook-server/main.go

@@ -9,6 +9,7 @@ import (
 	"github.com/datreeio/admission-webhook-datree/pkg/controllers"
 	"github.com/datreeio/admission-webhook-datree/pkg/errorReporter"
 	"github.com/datreeio/admission-webhook-datree/pkg/k8sMetadataUtil"
+	"github.com/datreeio/admission-webhook-datree/pkg/loggerUtil"
 	"github.com/datreeio/admission-webhook-datree/pkg/server"
 	"github.com/datreeio/datree/pkg/cliClient"
 	"github.com/datreeio/datree/pkg/deploymentConfig"
@@ -43,6 +44,7 @@ func start(port string) {
 		}
 	}()
 
+	loggerUtil.Log("initializing k8s metadata")
 	k8sMetadataUtil.InitK8sMetadataUtil()
 
 	certPath, keyPath, err := server.ValidateCertificate()
@@ -58,6 +60,7 @@ func start(port string) {
 	http.HandleFunc("/ready", healthController.Ready)
 
 	// start server
+	loggerUtil.Log("strting server")
 	if err := http.ListenAndServeTLS(":"+port, certPath, keyPath, nil); err != nil {
 		http.ListenAndServe(":"+port, nil)
 	}

go.mod

@@ -3,7 +3,7 @@ module github.com/datreeio/admission-webhook-datree
 go 1.18
 
 require (
-	github.com/datreeio/datree v1.7.1
+	github.com/datreeio/datree v1.6.6
 	github.com/ghodss/yaml v1.0.0
 	github.com/lithammer/shortuuid v3.0.0+incompatible
 	github.com/stretchr/testify v1.7.1

pkg/server/server.go

@@ -10,7 +10,7 @@ import (
 )
 
 func ValidateCertificate() (certPath string, keyPath string, err error) {
-	tlsDir := `/etc/webhook/certs/`
+	tlsDir := `/etc/webhook/certs`
 	tlsCertFile := `tls.crt`
 	tlsKeyFile := `tls.key`
 

pkg/services/validationService.go

@@ -3,12 +3,13 @@ package services
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/datreeio/admission-webhook-datree/pkg/loggerUtil"
 	"net/http"
 	"os"
 	"strings"
 	"time"
 
+	"github.com/datreeio/admission-webhook-datree/pkg/loggerUtil"
+
 	cliDefaultRules "github.com/datreeio/datree/pkg/defaultRules"
 
 	"k8s.io/utils/strings/slices"