-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmain.go
More file actions
353 lines (341 loc) · 10.8 KB
/
main.go
File metadata and controls
353 lines (341 loc) · 10.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
package main
import (
"context"
"encoding/json"
"flag"
"fmt"
"net/http"
"os"
"strings"
"github.com/bombsimon/logrusr/v4"
log "github.com/sirupsen/logrus"
"gopkg.in/yaml.v3"
v1 "k8s.io/api/core/v1"
klog "sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/manager/signals"
"sigs.k8s.io/controller-runtime/pkg/webhook"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
var (
operatorName = os.Getenv("OPERATOR_NAME")
operatorDomain = os.Getenv("OPERATOR_DOMAIN")
)
func init() {
ll, err := log.ParseLevel(os.Getenv("LOG_LEVEL"))
if err != nil {
ll = log.InfoLevel
}
log.SetLevel(ll)
logr := logrusr.New(log.StandardLogger())
klog.SetLogger(logr)
setDefaults()
}
func setDefaults() {
if operatorName == "" {
operatorName = "cainjector"
}
if operatorDomain == "" {
operatorDomain = "lestak.sh"
}
}
type Options struct {
Inject string `json:"inject" yaml:"inject"`
Secret string `json:"secret" yaml:"secret"`
ConfigMap string `json:"configMap" yaml:"configMap"`
CertFileName string `json:"certFile" yaml:"certFile"`
MountPath string `json:"mountPath" yaml:"mountPath"`
SetEnvVar string `json:"setEnvVar" yaml:"setEnvVar"`
IncludeNamespaces []string `json:"includeNamespaces" yaml:"includeNamespaces"`
ExcludeContainers []string `json:"excludeContainers" yaml:"excludeContainers"`
ExcludeNamespaces []string `json:"excludeNamespaces" yaml:"excludeNamespaces"`
}
func (m *mutator) parsePodOptions(annotations map[string]string) Options {
l := log.WithFields(log.Fields{
"fn": "parsePodOptions",
})
l.Debug("parsing pod options")
var opts Options
opDomain := operatorName + "." + operatorDomain
if annotations[opDomain+"/inject"] != "" {
l.Debug("found inject annotation")
opts.Inject = annotations[opDomain+"/inject"]
}
if annotations[opDomain+"/secret"] != "" {
l.Debug("found secret annotation")
opts.Secret = annotations[opDomain+"/secret"]
}
if annotations[opDomain+"/configMap"] != "" {
l.Debug("found configMap annotation")
opts.ConfigMap = annotations[opDomain+"/configMap"]
}
if annotations[opDomain+"/mountPath"] != "" {
l.Debug("found mountPath annotation")
opts.MountPath = annotations[opDomain+"/mountPath"]
}
if annotations[opDomain+"/certFile"] != "" {
l.Debug("found certFile annotation")
opts.CertFileName = annotations[opDomain+"/certFile"]
}
if annotations[opDomain+"/setEnvVar"] != "" {
l.Debug("found setEnvVar annotation")
opts.SetEnvVar = annotations[opDomain+"/setEnvVar"]
}
if annotations[opDomain+"/excludeContainers"] != "" {
l.Debug("found excludeContainers annotation")
sv := strings.Split(annotations[opDomain+"/excludeContainers"], ",")
for _, s := range sv {
opts.ExcludeContainers = append(opts.ExcludeContainers, strings.TrimSpace(s))
}
}
if annotations[opDomain+"/excludeNamespaces"] != "" {
l.Debug("found excludeNamespaces annotation")
sv := strings.Split(annotations[opDomain+"/excludeNamespaces"], ",")
for _, s := range sv {
opts.ExcludeNamespaces = append(opts.ExcludeNamespaces, strings.TrimSpace(s))
}
}
if annotations[opDomain+"/includeNamespaces"] != "" {
l.Debug("found includeNamespaces annotation")
sv := strings.Split(annotations[opDomain+"/includeNamespaces"], ",")
for _, s := range sv {
opts.IncludeNamespaces = append(opts.IncludeNamespaces, strings.TrimSpace(s))
}
}
// set defaults
if opts.Inject == "" {
l.Debug("inject not set, using default")
opts.Inject = m.Options.Inject
}
if opts.Secret == "" && opts.ConfigMap == "" {
l.Debug("secret not set, using default")
opts.Secret = m.Options.Secret
}
if opts.ConfigMap == "" && opts.Secret == "" {
l.Debug("configMap not set, using default")
opts.ConfigMap = m.Options.ConfigMap
}
if opts.MountPath == "" {
l.Debug("mountPath not set, using default")
opts.MountPath = m.Options.MountPath
}
if opts.CertFileName == "" {
l.Debug("certFileName not set, using default")
opts.CertFileName = m.Options.CertFileName
}
if opts.SetEnvVar == "" {
l.Debug("setEnvVar not set, using default")
opts.SetEnvVar = m.Options.SetEnvVar
}
if len(opts.ExcludeContainers) == 0 {
l.Debug("excludeContainers not set, using default")
opts.ExcludeContainers = m.Options.ExcludeContainers
}
if len(opts.ExcludeNamespaces) == 0 {
l.Debug("excludeNamespaces not set, using default")
opts.ExcludeNamespaces = m.Options.ExcludeNamespaces
}
if len(opts.IncludeNamespaces) == 0 {
l.Debug("includeNamespaces not set, using default")
opts.IncludeNamespaces = m.Options.IncludeNamespaces
}
l.WithField("opts", fmt.Sprintf("%+v", opts)).Debug("parsed options")
return opts
}
type mutator struct {
Options Options `json:"options"`
}
func (m *mutator) loadConfig(f string) error {
l := log.WithFields(log.Fields{
"fn": "loadConfig",
})
l.Info("loading config")
// if file does not exist, skip
if _, err := os.Stat(f); os.IsNotExist(err) {
l.Debug("config file does not exist, skipping")
return nil
}
// load the config file
b, err := os.ReadFile(f)
if err != nil {
l.WithError(err).Error("failed to read config file")
return err
}
// unmarshal the config file
if err := json.Unmarshal(b, &m.Options); err != nil {
l.WithError(err).Debug("failed to unmarshal config file as json")
// try as yaml
if err := yaml.Unmarshal(b, &m.Options); err != nil {
l.WithError(err).Error("failed to unmarshal config file as yaml")
return err
}
}
return nil
}
func (m *mutator) Handle(ctx context.Context, req admission.Request) admission.Response {
l := log.WithFields(log.Fields{
"fn": "Handle",
})
l.Info("handling request")
// if the object is not a Pod, skip mutation
if req.Kind.Kind != "Pod" {
l.Debug("not a pod, skipping")
return admission.Allowed("ok")
}
l.Debug("mutating pod")
if req.AdmissionRequest.Object.Raw == nil {
l.Debug("no raw object, skipping")
return admission.Allowed("ok")
}
pod := &v1.Pod{}
if err := json.Unmarshal(req.AdmissionRequest.Object.Raw, pod); err != nil {
l.WithError(err).Error("failed to unmarshal pod")
return admission.Errored(http.StatusBadRequest, err)
}
l = l.WithFields(log.Fields{
"namespace": req.AdmissionRequest.Namespace,
})
l.Info("evaluating pod")
opts := m.parsePodOptions(pod.Annotations)
if opts.Inject == "false" {
l.Debug("inject is false, skipping")
return admission.Allowed("ok")
}
// if includeNamespaces is greater than 0 and the pod is not in an enabled namespace, skip
if len(opts.IncludeNamespaces) > 0 {
l.Debug("includeNamespaces is greater than 0")
var enabled bool
RangeEnabledNamespaces:
for _, ns := range opts.IncludeNamespaces {
if strings.EqualFold(req.AdmissionRequest.Namespace, ns) {
l.Debug("pod is in an enabled namespace, continuing")
enabled = true
break RangeEnabledNamespaces
}
}
if !enabled {
l.Debug("pod is not in an enabled namespace, skipping")
return admission.Allowed("ok")
}
}
// if the pod is in a excluded namespace, skip
if len(opts.ExcludeNamespaces) > 0 {
l.Debug("excludeNamespaces is greater than 0")
for _, ns := range opts.ExcludeNamespaces {
if strings.EqualFold(req.AdmissionRequest.Namespace, ns) {
l.Debug("pod is in a excluded namespace, skipping")
return admission.Allowed("ok")
}
}
}
// if both a secret and a configMap are specified, error
if opts.Secret != "" && opts.ConfigMap != "" {
l.Error("both secret and configMap specified, skipping")
return admission.Errored(http.StatusBadRequest, fmt.Errorf("both secret and configMap specified"))
}
l.Info("pod is enabled for injection")
volumeName := fmt.Sprintf("%s-%s", operatorName, opts.Secret)
if opts.Secret != "" {
l.Debug("injecting secret")
pod.Spec.Volumes = append(pod.Spec.Volumes, v1.Volume{
Name: volumeName,
VolumeSource: v1.VolumeSource{
Secret: &v1.SecretVolumeSource{
SecretName: opts.Secret,
},
},
})
} else if opts.ConfigMap != "" {
l.Debug("injecting configMap")
volumeName = fmt.Sprintf("%s-%s", operatorName, opts.ConfigMap)
pod.Spec.Volumes = append(pod.Spec.Volumes, v1.Volume{
Name: volumeName,
VolumeSource: v1.VolumeSource{
ConfigMap: &v1.ConfigMapVolumeSource{
LocalObjectReference: v1.LocalObjectReference{
Name: opts.ConfigMap,
},
},
},
})
}
RangeContainers:
for i, c := range pod.Spec.Containers {
if len(opts.ExcludeContainers) > 0 {
for _, dc := range opts.ExcludeContainers {
if c.Name == dc {
l.WithField("container", c.Name).Debug("container excluded, skipping")
continue RangeContainers
}
}
}
// add the volume mount if it is not already there
if c.VolumeMounts == nil {
c.VolumeMounts = []v1.VolumeMount{}
}
for _, vm := range c.VolumeMounts {
if vm.Name == volumeName {
l.WithField("container", c.Name).Debug("volume mount already exists, skipping")
continue RangeContainers
}
if vm.MountPath == opts.MountPath {
l.WithField("container", c.Name).Debug("mount path already exists, skipping")
continue RangeContainers
}
}
pod.Spec.Containers[i].VolumeMounts = append(c.VolumeMounts, v1.VolumeMount{
Name: volumeName,
MountPath: opts.MountPath,
})
// add the env var
if opts.SetEnvVar == "false" {
continue RangeContainers
}
pod.Spec.Containers[i].Env = append(c.Env, v1.EnvVar{
Name: "SSL_CERT_FILE",
Value: fmt.Sprintf("%s/%s", opts.MountPath, opts.CertFileName),
})
}
// marshal the mutated pod
raw, err := json.Marshal(pod)
if err != nil {
l.WithError(err).Error("failed to marshal pod")
return admission.Errored(http.StatusBadRequest, err)
}
// return the mutated pod
l.Info("pod mutated")
return admission.PatchResponseFromRaw(req.AdmissionRequest.Object.Raw, raw)
}
func main() {
l := log.WithFields(log.Fields{
"fn": "main",
})
l.Info("starting...")
port := flag.Int("port", 8443, "port to listen on")
certDir := flag.String("cert-dir", "/etc/webhook/certs", "directory containing TLS certs and keys")
configFile := flag.String("config", "/etc/webhook/config.yaml", "path to config file")
logLevel := flag.String("log-level", log.GetLevel().String(), "log level")
opName := flag.String("operator-name", operatorName, "name of the operator")
opDomain := flag.String("operator-domain", operatorDomain, "domain of the operator")
flag.Parse()
ll, err := log.ParseLevel(*logLevel)
if err != nil {
l.WithError(err).Fatal("failed to parse log level")
}
log.SetLevel(ll)
operatorName = *opName
operatorDomain = *opDomain
opts := webhook.Options{
Port: *port,
CertDir: *certDir,
}
server := webhook.NewServer(opts)
l.Info("registering webhook")
m := &mutator{}
if err := m.loadConfig(*configFile); err != nil {
l.WithError(err).Fatal("failed to load config")
}
server.Register("/mutate", &webhook.Admission{Handler: m})
if err := server.Start(signals.SetupSignalHandler()); err != nil {
l.WithError(err).Fatal("failed to start server")
}
}