admission

package
Published: Apr 26, 2024 License: Apache-2.0 Imports: 35 Imported by: 0

Constants

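// Admission failure messages returned to the API server (and so to the client
// that submitted the object) when a Kong entity is rejected.
//
// Most are fixed strings; ErrTextPluginConfigViolatesSchema,
// ErrTextVaultConfigUnmarshalFailed and
// ErrTextVaultConfigValidationResultInvalid are format strings whose single
// verb receives the detail produced by the validator, so they must be expanded
// (fmt.Sprintf/Errorf) before use.
//
// NOTE(review): these texts end up in admission responses visible to the
// requester; keep new messages descriptive but free of secret contents
// (credential values, vault configuration). The nolint on
// ErrTextFailedToRetrieveSecret exists presumably because the word "secret" in
// a string literal trips gosec's hard-coded-credential rule (G101) and revive's
// line-length/naming checks — the value is a message, not a credential.
//
// ErrTextVaultConfigValidationResultInvalid previously read "in invalid";
// the typo is fixed here.
const (
	ErrTextAdminAPIUnavailable                = "could not talk to Kong admin API"
	ErrTextConsumerCredentialSecretNotFound   = "consumer referenced non-existent credentials secret"
	ErrTextConsumerCredentialValidationFailed = "consumer credential failed validation"
	ErrTextConsumerExists                     = "consumer already exists"
	ErrTextConsumerUnretrievable              = "failed to fetch consumer from kong"
	ErrTextConsumerGroupUnsupported           = "consumer group support requires Kong Enterprise"
	ErrTextConsumerGroupUnlicensed            = "consumer group support requires a valid Kong Enterprise license"
	ErrTextConsumerGroupUnexpected            = "unexpected error during checking support for consumer group"
	ErrTextFailedToRetrieveSecret             = "could not retrieve secrets from the kubernetes API" //nolint:revive,gosec
	ErrTextPluginConfigInvalid                = "could not parse plugin configuration"
	ErrTextPluginConfigValidationFailed       = "unable to validate plugin schema"
	ErrTextPluginConfigViolatesSchema         = "plugin failed schema validation: %s"
	ErrTextPluginSecretConfigUnretrievable    = "could not load secret plugin configuration"
	ErrTextVaultConfigUnmarshalFailed         = "failed to unmarshal vault configuration: %v"
	ErrTextVaultUnableToValidate              = "unable to validate vault on Kong gateway"
	ErrTextVaultConfigValidationResultInvalid = "vault configuration is invalid: %s"
)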
// ErrTextCantRetrieveGatewayClass is the admission message used when the
// GatewayClass a Gateway refers to cannot be looked up.
const ErrTextCantRetrieveGatewayClass = "gatewayclass for this gateway could not be retrieved"

// ErrTextInvalidGatewayConfiguration is the admission message used when a
// Gateway's metadata and/or spec do not pass validation.
const ErrTextInvalidGatewayConfiguration = "gateway metadata and/or spec are invalid"
// KindKongPlugin is the Kubernetes Kind string of the namespaced plugin CRD.
// Presumably matched against the Kind carried in an AdmissionRequest — confirm
// in RequestHandler.ServeHTTP.
const KindKongPlugin = "KongPlugin"

// KindKongClusterPlugin is the Kubernetes Kind string of the cluster-scoped
// plugin CRD.
const KindKongClusterPlugin = "KongClusterPlugin"
// DefaultAdmissionWebhookCertPath is the in-container path at which the
// webhook's serving certificate is expected by default.
const DefaultAdmissionWebhookCertPath = "/admission-webhook/tls.crt"

// DefaultAdmissionWebhookKeyPath is the in-container path at which the
// webhook's private key is expected by default.
//
// NOTE(review): the key file is secret material. Mount the TLS Secret
// read-only with restrictive file modes and rotate it with the certificate;
// the API server only trusts the webhook through this key pair.
const DefaultAdmissionWebhookKeyPath = "/admission-webhook/tls.key"

Variables

This section is empty.

Functions

func MakeTLSServer

func MakeTLSServer(
	ctx context.Context,
	config *ServerConfig,
	handler http.Handler,
	logger logr.Logger,
) (*http.Server, error)

Types

type AdminAPIServicesProvider

// AdminAPIServicesProvider hands KongHTTPValidator the Kong Admin API
// services it validates against. Each getter returns the service together
// with a bool reporting whether it is usable; the default implementation
// answers false for every method while no Gateway has been discovered, and
// callers must treat false as "no gateway reachable" rather than proceed.
type AdminAPIServicesProvider interface {
	// GetConsumerGroupsService returns the consumer-groups service.
	GetConsumerGroupsService() (kong.AbstractConsumerGroupService, bool)
	// GetConsumersService returns the consumers service.
	GetConsumersService() (kong.AbstractConsumerService, bool)
	// GetInfoService returns the node/info service.
	GetInfoService() (kong.AbstractInfoService, bool)
	// GetPluginsService returns the plugins service.
	GetPluginsService() (kong.AbstractPluginService, bool)
	// GetRoutesService returns the routes service.
	GetRoutesService() (kong.AbstractRouteService, bool)
	// GetVaultsService returns the vaults service.
	GetVaultsService() (kong.AbstractVaultService, bool)
}

AdminAPIServicesProvider provides KongHTTPValidator with Kong Admin API services that are needed to perform validation against entities stored by the Gateway.

type ConsumerGetter

// ConsumerGetter lists KongConsumer resources; the validator uses it to
// detect username collisions across the cluster.
type ConsumerGetter interface {
	// ListAllConsumers returns every KongConsumer known to the
	// implementation, or an error if they cannot be listed.
	ListAllConsumers(
		ctx context.Context,
	) ([]kongv1.KongConsumer, error)
}

ConsumerGetter is an interface for retrieving KongConsumers.

type DefaultAdminAPIServicesProvider

type DefaultAdminAPIServicesProvider struct {
	// contains filtered or unexported fields
}

DefaultAdminAPIServicesProvider exposes Admin API services that require at least one discovered Gateway. While no Gateway has been discovered, every method returns `false`, signalling that no Gateway is available; callers must not treat the zero-value service returned alongside it as usable.

func NewDefaultAdminAPIServicesProvider

func NewDefaultAdminAPIServicesProvider(gatewaysProvider GatewayClientsProvider) *DefaultAdminAPIServicesProvider

func (DefaultAdminAPIServicesProvider) GetConsumerGroupsService

func (DefaultAdminAPIServicesProvider) GetConsumersService

func (DefaultAdminAPIServicesProvider) GetInfoService

func (DefaultAdminAPIServicesProvider) GetPluginsService

func (DefaultAdminAPIServicesProvider) GetRoutesService

func (DefaultAdminAPIServicesProvider) GetVaultsService added in v3.1.0

type GatewayClientsProvider

// GatewayClientsProvider supplies the current set of Gateway Admin API
// clients. The slice reflects the most recent discovery result and may be
// empty when no Gateway is reachable.
type GatewayClientsProvider interface {
	// GatewayClients returns one client per discovered Gateway.
	GatewayClients() []*adminapi.Client
}

GatewayClientsProvider returns the most recent set of Gateway Admin API clients.

type KongHTTPValidator

type KongHTTPValidator struct {
	Logger                   logr.Logger
	SecretGetter             kongstate.SecretGetter
	ConsumerGetter           ConsumerGetter
	Storer                   store.Storer
	ManagerClient            client.Client
	AdminAPIServicesProvider AdminAPIServicesProvider
	TranslatorFeatures       translator.FeatureFlags
	// contains filtered or unexported fields
}

KongHTTPValidator implements the KongValidator interface, validating Kong entities through the Admin API of a discovered Kong Gateway.

func NewKongHTTPValidator

func NewKongHTTPValidator(
	logger logr.Logger,
	managerClient client.Client,
	ingressClass string,
	servicesProvider AdminAPIServicesProvider,
	translatorFeatures translator.FeatureFlags,
	storer store.Storer,
) KongHTTPValidator

NewKongHTTPValidator returns a new KongHTTPValidator given a controller-runtime client, which is used to retrieve referenced objects such as consumer credential Secrets. Pass a cached client: with an uncached one the validator issues an API-server request per lookup and its performance degrades badly at scale.

func (KongHTTPValidator) ValidateClusterPlugin

func (validator KongHTTPValidator) ValidateClusterPlugin(
	ctx context.Context,
	k8sPlugin kongv1.KongClusterPlugin,
	overrideSecrets []*corev1.Secret,
) (bool, string, error)

ValidateClusterPlugin transfers relevant fields from a KongClusterPlugin into a KongPlugin and then returns the result of ValidatePlugin for the derived KongPlugin.

func (KongHTTPValidator) ValidateConsumer

func (validator KongHTTPValidator) ValidateConsumer(
	ctx context.Context,
	consumer kongv1.KongConsumer,
) (bool, string, error)

ValidateConsumer checks that the consumer has a Username and that no consumer with the same username already exists in Kong. If an error occurs during validation, it is returned as the last value. The boolean reports whether the consumer is valid, and the string carries a message only when it is not.

func (KongHTTPValidator) ValidateConsumerGroup

func (validator KongHTTPValidator) ValidateConsumerGroup(
	ctx context.Context,
	consumerGroup kongv1beta1.KongConsumerGroup,
) (bool, string, error)

func (KongHTTPValidator) ValidateCredential

func (validator KongHTTPValidator) ValidateCredential(ctx context.Context, secret corev1.Secret) (bool, string)

ValidateCredential checks whether the Secret contains a credential meant to be installed in Kong and, if so, whether all the required fields are present. It returns true with an empty message when the credential is valid and false with a human-readable message otherwise. Unlike the other Validate* methods it has no error return value: every failure to validate is reported through the false/message pair, so callers cannot distinguish an invalid credential from a lookup failure here.

func (KongHTTPValidator) ValidateGateway

func (validator KongHTTPValidator) ValidateGateway(
	ctx context.Context, gateway gatewayapi.Gateway,
) (bool, string, error)

func (KongHTTPValidator) ValidateHTTPRoute

func (validator KongHTTPValidator) ValidateHTTPRoute(
	ctx context.Context, httproute gatewayapi.HTTPRoute,
) (bool, string, error)

func (KongHTTPValidator) ValidateIngress

func (validator KongHTTPValidator) ValidateIngress(
	ctx context.Context, ingress netv1.Ingress,
) (bool, string, error)

func (KongHTTPValidator) ValidatePlugin

func (validator KongHTTPValidator) ValidatePlugin(
	ctx context.Context,
	k8sPlugin kongv1.KongPlugin,
	overrideSecrets []*corev1.Secret,
) (bool, string, error)

ValidatePlugin checks whether k8sPlugin is valid by sending it to Kong's Admin API entity-validation endpoints. If an error occurs during validation, it is returned as the last value. The boolean reports whether k8sPlugin is valid, and the string carries a message only when it is not.

func (KongHTTPValidator) ValidateVault added in v3.1.0

func (validator KongHTTPValidator) ValidateVault(ctx context.Context, k8sKongVault kongv1alpha1.KongVault) (bool, string, error)

type KongValidator

// KongValidator validates Kong entities on behalf of the admission webhook.
//
// Every method reports (valid, message, err): valid says whether the object
// may be admitted, message is a human-readable reason returned to the
// requester when it may not, and err signals that validation itself could not
// be carried out. ValidateCredential is the exception — it has no error
// return, so any lookup failure surfaces only through the false/message pair.
type KongValidator interface {
	// Kong core entities.
	ValidateConsumer(ctx context.Context, consumer kongv1.KongConsumer) (bool, string, error)
	ValidateConsumerGroup(ctx context.Context, consumerGroup kongv1beta1.KongConsumerGroup) (bool, string, error)
	ValidateVault(ctx context.Context, vault kongv1alpha1.KongVault) (bool, string, error)

	// Plugins; overrideSecrets take precedence over cached Secrets when the
	// plugin configuration is resolved (see SecretGetterWithOverride).
	ValidatePlugin(ctx context.Context, plugin kongv1.KongPlugin, overrideSecrets []*corev1.Secret) (bool, string, error)
	ValidateClusterPlugin(ctx context.Context, plugin kongv1.KongClusterPlugin, overrideSecrets []*corev1.Secret) (bool, string, error)

	// Credential Secrets. The message must never echo the Secret's data.
	ValidateCredential(ctx context.Context, secret corev1.Secret) (bool, string)

	// Routing resources.
	ValidateGateway(ctx context.Context, gateway gatewayapi.Gateway) (bool, string, error)
	ValidateHTTPRoute(ctx context.Context, httproute gatewayapi.HTTPRoute) (bool, string, error)
	ValidateIngress(ctx context.Context, ingress netv1.Ingress) (bool, string, error)
}

KongValidator validates Kong entities.

type RequestHandler

// RequestHandler is the http.Handler behind the admission webhook: ServeHTTP
// parses an AdmissionReview sent by the API server, delegates the contained
// object to Validator and responds with the validation result.
type RequestHandler struct {
	// Validator validates the entities that the k8s API-server asks
	// the server to validate.
	Validator KongValidator
	// ReferenceIndexers gets the resources (KongPlugin and KongClusterPlugin)
	// referring to the validated resource (Secret), so that a change to a
	// referred Secret can be checked for producing an invalid plugin
	// configuration.
	ReferenceIndexers ctrlref.CacheIndexers

	// Logger receives the handler's diagnostics.
	// NOTE(review): admission requests may carry credential Secrets and
	// responses go back to the submitting client; do not log request bodies
	// and keep validation messages free of Secret contents — confirm against
	// ServeHTTP, whose body is not shown here.
	Logger logr.Logger
}

RequestHandler is an HTTP handler that validates the Kong Ingress Controller's custom resources as a Kubernetes admission webhook. It is meant to be served over TLS (see MakeTLSServer), as the API server only calls webhooks over HTTPS.

func (RequestHandler) ServeHTTP

func (h RequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP parses AdmissionReview requests and responds back with the validation result of the entity.

type ResponseBuilder

type ResponseBuilder struct {
	// contains filtered or unexported fields
}

func NewResponseBuilder

func NewResponseBuilder(uid k8stypes.UID) *ResponseBuilder

func (*ResponseBuilder) Allowed

func (r *ResponseBuilder) Allowed(allowed bool) *ResponseBuilder

func (*ResponseBuilder) Build

func (*ResponseBuilder) WithMessage

func (r *ResponseBuilder) WithMessage(msg string) *ResponseBuilder

func (*ResponseBuilder) WithWarning

func (r *ResponseBuilder) WithWarning(warning string) *ResponseBuilder

type SecretGetterWithOverride added in v3.1.0

type SecretGetterWithOverride struct {
	// contains filtered or unexported fields
}

SecretGetterWithOverride returns a Secret from its override list when the namespace and name match, and otherwise falls back to the wrapped SecretGetter. It is used when validating a Secret update so that the version about to be written takes precedence over the one still held in the cache.

func NewSecretGetterWithOverride added in v3.1.0

func NewSecretGetterWithOverride(s kongstate.SecretGetter, overrideSecrets []*corev1.Secret) *SecretGetterWithOverride

NewSecretGetterWithOverride returns a secret getter with given override secrets.

func (*SecretGetterWithOverride) GetSecret added in v3.1.0

func (s *SecretGetterWithOverride) GetSecret(namespace, name string) (*corev1.Secret, error)

type ServerConfig

// ServerConfig holds the listen address and TLS material used by
// MakeTLSServer to build the admission webhook server.
type ServerConfig struct {
	// ListenAddr is the address the TLS server listens on.
	ListenAddr string

	// CertPath points at the serving certificate file; Cert carries the
	// certificate inline instead (presumably PEM). Which one wins when both
	// are set is decided in MakeTLSServer — confirm there. The conventional
	// path is DefaultAdmissionWebhookCertPath.
	CertPath string
	Cert     string

	// KeyPath points at the private key file; Key carries the key inline.
	// NOTE(review): Key is secret material — never log this struct (e.g. with
	// %+v) or include it in error messages. The conventional path is
	// DefaultAdmissionWebhookKeyPath.
	KeyPath string
	Key     string
}

Directories

Path Synopsis
consumers/credentials
Package credentials includes validators for the credentials provided for KongConsumers.
