webhook

package
v0.104.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 24, 2024 License: Apache-2.0 Imports: 31 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	JSONPatchAddOperation     = "add"
	JSONPatchReplaceOperation = "replace"
	JSONPatchRemoveOperation  = "remove"

	DefaultWebhookTimeoutSeconds = 15

	// forwarded for easier consumption
	CREATE = admissionregistrationv1.Create
	UPDATE = admissionregistrationv1.Update
	DELETE = admissionregistrationv1.Delete

	ValidatingWebhookBasePath = "/webhook/validate"
	MutatingWebhookBasePath   = "/webhook/mutate"
)

Variables

This section is empty.

Functions

func AllOperations 

func AllOperations() []admissionregistrationv1.OperationType

AllOperations is an alias for Operations(CREATE, UPDATE, DELETE)

func ApplyWebhooks 

func ApplyWebhooks(ctx context.Context, opts *ApplyWebhooksOptions) error

ApplyWebhooks is an auxiliary function which groups the commands that are usually required to make webhooks work in the cluster. This includes: - generating certificates, if the certificates in the options are nil - creating a MutatingWebhookConfiguration, if the registry contains any non-disabled mutating webhooks, deleting it otherwise - creating a ValidatingWebhookConfiguration, if the registry contains any non-disabled validating webhooks, deleting it otherwise - registering all non-disabled webhooks at the webhook server

This function does not: - instantiate a webhook server, this has to happen before - start the webhook server, this has to be done afterwards

func DeleteWebhookConfiguration 

func DeleteWebhookConfiguration(ctx context.Context, wt WebhookType, kubeClient client.Client, name string) error

DeleteValidatingWebhookConfiguration deletes a ValidatingWebhookConfiguration or MutatingWebhookConfiguration.

func GeDNSNamesFromNamespacedName 

func GeDNSNamesFromNamespacedName(namespace, name string) []string

GeDNSNamesFromNamespacedName creates a list of DNS names derived from a service name and namespace.

func GenerateCertificates 

func GenerateCertificates(ctx context.Context, kubeClient client.Client, certDir, namespace, name, certSecretName string,
	dnsNames []string) (*certificates.Certificate, *certificates.Certificate, error)

GenerateCertificates generates the certificates that are required for a webhook. It returns the generated certificates, and it stores the server certificate and key locally on the file system. The first return value is the CA certificate, the second one the server certificate.

func GetCachelessClient 

func GetCachelessClient(restConfig *rest.Config, installFuncs ...func(*runtime.Scheme)) (client.Client, error)

GetCachelessClient is a helper function that returns a client that can be used before the manager is started. It calls all given installFuncs on the created scheme.

func GetDNSNamesFromURL 

func GetDNSNamesFromURL(rawurl string) ([]string, error)

GetDNSNamesFromURL creates a list of DNS names derived from a URL.

func Operations 

func Operations(ops ...admissionregistrationv1.OperationType) []admissionregistrationv1.OperationType

Operations returns the given arguments as slice. This is an auxiliary function which removes the need for importing admissionregistration/v1 in the calling file.

func StringArrayIncludes 

func StringArrayIncludes(list []string, expects ...string) bool

func UpdateWebhookConfiguration 

func UpdateWebhookConfiguration(ctx context.Context, wt WebhookType, kubeClient client.Client, wr WebhookRegistry, o *ConfigOptions) error

UpdateWebhookConfiguration will create or update a ValidatingWebhookConfiguration or MutatingWebhookConfiguration.

Types

type ApplyWebhooksOptions 

type ApplyWebhooksOptions struct {
	// NameValidating contains the naming rules for the ValidatingWebhookConfiguration, if any.
	// If nil, no ValidatingWebhookConfiguration will be created or deleted.
	NameValidating *WebhookNaming
	// NameMutating contains the naming rules for the MutatingWebhookConfiguration, if any.
	// If nil, no MutatingWebhookConfiguration will be created or deleted.
	NameMutating *WebhookNaming
	// Server is the webhook server to which the webhooks will be registered.
	Server ctrlwebhook.Server
	// Client is the k8s client, used to create the Validating-/MutatingWebhookConfiguration.
	Client client.Client
	// Registry is the webhook registry.
	// Will be filtered with the disabled webhooks provided in the WebhookFlags object.
	Registry WebhookRegistry
	// Flags contains the configuration received via CLI flags.
	// Note that the ApplyWebhooks function can only handle single clusters.
	// For multi-cluster configurations, call the ApplyWebhooks function multiple times and pass in a single-cluster configuration,
	// which can be generated by calling the WebhookFlag's ForSingleCluster method.
	Flags *WebhookFlags
	// CertName is the name to be used for the certificates.
	// Will also be used as name for the secret, with a "-certs" suffix, so it has to adhere to the k8s naming rules for secrets.
	// This field is only evaluated if the certificates are generated and not passed in.
	CertName string
	// CertDir is the path to the directory which stores the certificates.
	// This has to be the same that was given to the webhook server.
	// This field is only evaluated if the certificates are generated and not passed in.
	CertDir string
	// CACert is the CA certificate.
	// Can be passed in if the certificates have been generated beforehand, otherwise it will be generated.
	// Setting only one of CACert and ServerCert to nil is not supported at the moment, either both or none have to be specified.
	CACert *certificates.Certificate
	// ServerCert is the server certificate.
	// Can be passed in if the certificates have been generated beforehand, otherwise it will be generated.
	// Setting only one of CACert and ServerCert to nil is not supported at the moment, either both or none have to be specified.
	ServerCert *certificates.Certificate
}

ApplyWebhooksOptions is a helper struct to organize the arguments to the ApplyWebhooks function.

type ClusterID 

type ClusterID struct {
	ID   string
	Name string
}

ClusterID is a helper struct to identify a cluster. It should always be created by using the ID function! Note that ID and name must both be unique across all ClusterID objects. There must not be two ClusterID resources with the same ID, nor two ClusterID resources with the same name!

func ID 

func ID(id, name string) *ClusterID

ID returns a cluster ID. It ensures uniqueness of cluster IDs - basically, calling this function multiple times with the same id will always return a pointer to the same object. The given name is only relevant if the function is called for the first time with the given ID. This means that the name in the returned object can actually differ from the one given, but only if cluster IDs are used in the wrong way.

type ConfigOptions 

type ConfigOptions struct {
	// Name of the WebhookConfiguration that will be created.
	WebhookConfigurationName string
	// WebhookNameSuffix will be appended to the webhooks' names.
	WebhookNameSuffix string
	// ServiceConfig is the configuration for reaching a webhook exposed via a service (running in the same cluster).
	// It is mutually exclusive with WebhookURL.
	Service *WebhookServiceOptions
	// WebhookURL is used for reaching a webhook running outside of the cluster.
	// It is mutually exclusive with Service.
	WebhookURL string
	// CABundle contains the certificates for the webhook.
	CABundle []byte
}

ConfigOptions contains the configuration that is necessary to create a ValidatingWebhookConfiguration or MutatingWebhookConfiguration.

type MultiWebhookFlags 

type MultiWebhookFlags struct {
	WebhookServiceNamespaceName string                 // webhook service namespace and name in the format <namespace>/<name>
	WebhookServicePort          int32                  // port of the webhook service
	WebhookService              *WebhookServiceOptions // transformed version of the webhook service flags
	CertNamespace               string                 // the namespace in which the webhook credentials are being created/updated
	WebhookURL                  string                 // URL of the webhook server if running outside of cluster
}

MultiWebhookFlags contain flags which need to be added multiple times if multiple clusters need to reach the webhook server. It is automatically instantiated with the NewWebhookFlags function as part of the returned WebhookFlags object.

type Webhook 

type Webhook struct {
	// (usually) statically defined fields
	// Name is the name of the webhook. Used for logging, webhook path, and inside Validating-/MutatingWebhookConfigurations.
	Name string
	// Type is the type, whether the webhook is a validating or a mutating webhook.
	Type WebhookType
	// APIGroup is the api group of the resource watched by this webhook.
	APIGroup string
	// APIVersions are the api versions watched by this webhook.
	APIVersions []string
	// ResourceName is the name of the resource watched by this webhook.
	ResourceName string
	// Operations lists the operations on which this webhook should react.
	Operations []admissionregistrationv1.OperationType
	// Timeout is the timeout for the webhook in seconds.
	Timeout int
	// Process is the function which holds the actual webhook logic.
	// Note that it is wrapped in some additional logic which logs the result.
	Process WebhookLogic
	// Labels is a custom set of labels.
	// This field is not evaluated by the webhook library.
	// It can be used to group webhooks in combination with the WebhookRegistry's 'Filter' method.
	Labels map[string]string
	// LabelSelector allows to filter resources by labels.
	LabelSelector *metav1.LabelSelector

	// dynamic fields
	// Decoder is used to decode the raw object in the webhook's request into a structured object.
	Decoder runtime.Decoder
	// Log is the logger.
	Log logging.Logger
	// contains filtered or unexported fields
}

func (*Webhook) Handle 

func (w *Webhook) Handle(ctx context.Context, req admission.Request) admission.Response

func (*Webhook) Initialize 

func (w *Webhook) Initialize(log logging.Logger, scheme *runtime.Scheme) error

Initialize validates the webhook fields, defaults some of them and sets the dynamic fields. Is a no-op if called more than once.

func (*Webhook) Path 

func (w *Webhook) Path() string

Path returns the path under which this webhook can be reached. It's a combination of the base path and the webhook's name.

type WebhookFlags 

type WebhookFlags struct {
	*MultiWebhookFlags // contains the configuration if isMulti is false

	Port                int                               // port where the webhook server is running
	DisabledWebhooksRaw string                            // lists disabled webhooks as a comma-separated string
	DisabledWebhooks    sets.Set[string]                  // transformed version of DisabledWebhooksRaw
	MultiCluster        map[*ClusterID]*MultiWebhookFlags // contains the configuration if isMulti is true
}

WebhookFlags is a helper struct for making the webhook server configuration configurable via command-line flags. It should be instantiated using the NewWebhookFlags function.

Accessing cluster-specific configuration: Single-cluster example (getting the certificate namespace from a WebhookFlags object named 'wf'): 

wf.CertNamespace (or: wf.MultiWebhookFlags.CertNamespace)

Multi-cluster example (getting the certificate namespace for a cluster with ClusterID 'cid' from a WebhookFlags object named 'wf'): 

wf.MultiCluster[cid].CertNamespace

func NewWebhookFlags 

func NewWebhookFlags(clusters ...*ClusterID) *WebhookFlags

NewWebhookFlags returns a new WebhookFlags object.

How this is supposed to work:

If you have only one cluster, from which the webhook server must be reachable, call this function without any arguments. In the returned object, the cluster-specific configuration is contained in the embedded MultiWebhookFlags struct. Example (getting the certificate namespace from a WebhookFlags object named 'wf'): 

wf.CertNamespace (or: wf.MultiWebhookFlags.CertNamespace)

If the webhook server must be reachable from multiple clusters, create a cluster ID for each cluster via the ID(id, name) function and pass all of them as arguments. In the returned object, the cluster-specific configuration is contained in the MultiCluster map, with the previously created ClusterID object serving as key. Example (getting the certificate namespace for a cluster with ClusterID 'cid' from a WebhookFlags object named 'wf'): 

wf.MultiCluster[cid].CertNamespace

func (*WebhookFlags) AddFlags 

func (wf *WebhookFlags) AddFlags(fs *flag.FlagSet)

func (*WebhookFlags) Complete 

func (wf *WebhookFlags) Complete(wr WebhookRegistry) error

Complete transforms and validates the arguments given via the CLI. The registry argument may be nil (or empty), then the values for the disabled webhooks flag cannot be validated.

func (*WebhookFlags) ForSingleCluster 

func (wf *WebhookFlags) ForSingleCluster(cid *ClusterID) (*WebhookFlags, error)

ForSingleCluster returns the webhook flags for a single cluster. Cluster id may be nil if and only if wf.IsMultiCluster() == false. If the given cluster id is nil, the receiver object is returned as is. Otherwise, a new WebhookFlags object is created with IsMultiCluster set to 'false' and the embedded MultiWebhookFlags object's fields set to the values from MultiCluster[cid]. Returns an error if cid and wf.IsMultiCluster() don't fit together, or when no matching configuration for the given cluster id is found.

func (*WebhookFlags) IsMultiCluster 

func (wf *WebhookFlags) IsMultiCluster() bool

IsMultiCluster returns true if the webhook flags object contains configuration for multiple clusters (or modified the object accordingly afterwards).

type WebhookLogic 

type WebhookLogic func(context.Context, admission.Request, runtime.Decoder) admission.Response

WebhookLogic represents the actual logic of a webhook. It is similar to admission.Handler.Handle, but in addition, a default decoder is passed in. The decoder is derived from the scheme which was passed in during webhook initialization.

type WebhookNaming 

type WebhookNaming struct {
	// Name is used as the name of the Validating-/MutatingWebhookConfiguration.
	Name string
	// WebhookSuffix is appended to the webhook names from the registered webhooks.
	WebhookSuffix string
}

WebhookNaming is a helper struct which stores naming rules for Validating-/MutatingWebhookConfigurations and their webhooks.

type WebhookRegistry 

type WebhookRegistry map[string]*Webhook

WebhookRegistry is a helper struct for listing webhooks which can be instantiated automatically from flags.

func NewWebhookRegistry 

func NewWebhookRegistry() WebhookRegistry

NewWebhookRegistry returns a new webhook registry. Alternatively, the Registry() function can be used to get a singleton registry.

func Registry 

func Registry() WebhookRegistry

Registry returns a singleton registry. Use NewWebhookRegistry instead if you want to run multiple webhook servers with different sets of webhooks or can't use a singleton for some other reason.

func (WebhookRegistry) AddToServer 

func (wr WebhookRegistry) AddToServer(ctx context.Context, webhookServer ctrlwebhook.Server, scheme *runtime.Scheme) error

AddToServer initializes all webhooks of the registry and registers them at the given webhook server. No-op if the webhook registry is empty or nil.

func (WebhookRegistry) Filter 

func (wr WebhookRegistry) Filter(filters ...WebhookRegistryFilter) WebhookRegistry

Filter returns a new WebhookRegistry containing only the webhooks for which a filter returned true. Note that the filters are ORed. To AND filters, call the function multiples times: reg.Filter(f1).Filter(f2)

func (WebhookRegistry) GetEnabledWebhooks 

func (wr WebhookRegistry) GetEnabledWebhooks(disabled sets.Set[string]) WebhookRegistry

GetEnabledWebhooks takes a set of webhook names and returns a registry containing only the webhooks whose names were NOT in the set. If the set contains an entry 'all', an empty registry is returned.

func (WebhookRegistry) InitializeAll 

func (wr WebhookRegistry) InitializeAll(ctx context.Context, scheme *runtime.Scheme) error

InitializeAll calls Initialize on all webhooks in the registry. No-op if the registry is empty.

func (WebhookRegistry) Register 

func (wr WebhookRegistry) Register(webhook *Webhook) WebhookRegistry

Register is an alias for registry[webhook.name] = webhook. Returns the registry for chaining.

type WebhookRegistryFilter 

type WebhookRegistryFilter func(*Webhook) bool

WebhookRegistryFilter is a filter function which can be used to filter the registry for webhooks with specific properties.

func LabelFilter 

func LabelFilter(key string, value *string) WebhookRegistryFilter

LabelFilter returns a filter that can be used with the WebhookRegistry's Filter method. The returned filter returns true if the webhook has a corresponding label. If the second argument is non-nil, true is only returned if the label's value matches it, otherwise only existence of the label is checked.

func MutatingWebhooksFilter 

func MutatingWebhooksFilter() WebhookRegistryFilter

MutatingWebhooksFilter returns a predefined filter to be used with the WebhookRegistry's Filter method. The returned filter returns true for webhooks which have the type MutatingWebhook.

func Not 

func Not(f WebhookRegistryFilter) WebhookRegistryFilter

Not negates the result of the passed filter.

func ValidatingWebhooksFilter 

func ValidatingWebhooksFilter() WebhookRegistryFilter

ValidatingWebhooksFilter returns a predefined filter to be used with the WebhookRegistry's Filter method. The returned filter returns true for webhooks which have the type ValidatingWebhook.

type WebhookServiceOptions 

type WebhookServiceOptions struct {
	// Name is the name of the service under which the webhook can be reached.
	Name string
	// Namespace is the namespace of the webhook service.
	Namespace string
	// Port is the port of the webhook service.
	Port int32
}

WebhookServiceOptions contains the configuration for reaching a webhook which is running in the same cluster and exposed via a service. If the webhook server is running in a different cluster, WebhookURL must be used instead.

type WebhookType 

type WebhookType string
const (
	ValidatingWebhook WebhookType = "ValidatingWebhook"
	MutatingWebhook   WebhookType = "MutatingWebhook"
)

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.