config?

cmd/webhook/httpServer.go

@@ -5,7 +5,6 @@ import (
 	"io"
 	"log"
 	"strconv"
-	"strings"
 	"time"
 
 	"crypto/tls"
@@ -77,49 +76,48 @@ func httpServer(cfg *config.Config) {
 		config:  cfg,
 	}
 
-	// healthcheck
+	wh := &webHandler{
-	path.HandleFunc("/healthcheck", webHealthCheck)
+		config: cfg,
+	}
+
 	// pod admission
-	path.HandleFunc("/api/v1/admit/pod", ah.Serve(operations.PodsValidation()))
+	path.HandleFunc("/api/v1/admit/pod", ah.ahServe(operations.PodsValidation()))
 	// deployment admission
-	path.HandleFunc("/api/v1/admit/deployment", ah.Serve(operations.DeploymentsValidation()))
+	path.HandleFunc("/api/v1/admit/deployment", ah.ahServe(operations.DeploymentsValidation()))
 	// pod mutation
-	path.HandleFunc("/api/v1/mutate/pod", ah.Serve(operations.PodsMutation()))
+	path.HandleFunc("/api/v1/mutate/pod", ah.ahServe(operations.PodsMutation()))
 	// web root
-	path.HandleFunc("/", webRoot)
+	path.HandleFunc("/", wh.webServe())
 
 	if err := connection.ListenAndServeTLS("", ""); err != nil {
 		log.Fatalf("[ERROR] %s\n", err)
 	}
 }
 
-func webRoot(w http.ResponseWriter, r *http.Request) {
+type webHandler struct {
-	httpAccessLog(r)
+	config *config.Config
-	crossSiteOrigin(w)
-	strictTransport(w)
-
-	switch {
-	case strings.ToLower(r.Method) != "get":
-		log.Printf("[DEBUG] Request to '/' was made using the wrong method: expected %s, got %s", "GET", strings.ToUpper(r.Method))
-		tmpltError(w, http.StatusBadRequest, InvalidMethod)
-	case r.URL.Path != "/":
-		log.Printf("[DEBUG] Unable to locate requested path: '%s'", r.URL.Path)
-		tmpltError(w, http.StatusNotFound, "Requested path not found.")
-	default:
-		tmpltWebRoot(w)
-	}
 }
 
-func webHealthCheck(w http.ResponseWriter, r *http.Request) {
+func (h *webHandler) webServe() http.HandlerFunc {
-	httpAccessLog(r)
+	return func(w http.ResponseWriter, r *http.Request) {
-	crossSiteOrigin(w)
+		httpAccessLog(r)
-	strictTransport(w)
+		crossSiteOrigin(w)
+		strictTransport(w)
 
-	if strings.ToLower(r.Method) == "get" {
+		switch {
-		tmpltHealthCheck(w)
+		case r.Method != http.MethodGet:
-	} else {
+			msg := fmt.Sprintf("incorrect method: got request type %s, expected request type %s", r.Method, http.MethodPost)
-		log.Printf("[DEBUG] Request to '/healthcheck' was made using the wrong method: expected %s, got %s", "GET", strings.ToUpper(r.Method))
+			log.Printf("[DEBUG] %s", msg)
-		tmpltError(w, http.StatusBadRequest, InvalidMethod)
+			tmpltError(w, http.StatusMethodNotAllowed, msg)
+		case r.URL.Path == "/healthcheck":
+			tmpltHealthCheck(w)
+		case r.URL.Path == "/":
+			tmpltWebRoot(w, r.URL.Query(), *h.config)
+		default:
+			msg := fmt.Sprintf("Unable to locate requested path: '%s'", r.URL.Path)
+			log.Printf("[DEBUG] %s", msg)
+			tmpltError(w, http.StatusNotFound, msg)
+		}
 	}
 }
 
@@ -128,8 +126,7 @@ type admissionHandler struct {
 	config  *config.Config
 }
 
-// Serve returns a http.HandlerFunc for an admission webhook
+func (h *admissionHandler) ahServe(hook operations.Hook) http.HandlerFunc {
-func (h *admissionHandler) Serve(hook operations.Hook) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		httpAccessLog(r)
 		crossSiteOrigin(w)
@@ -138,14 +135,14 @@ func (h *admissionHandler) Serve(hook operations.Hook) http.HandlerFunc {
 		w.Header().Set("Content-Type", "application/json")
 		if r.Method != http.MethodPost {
 			msg := fmt.Sprintf("incorrect method: got request type %s, expected request type %s", r.Method, http.MethodPost)
-			log.Printf("[TRACE] %s", msg)
+			log.Printf("[DEBUG] %s", msg)
 			tmpltError(w, http.StatusMethodNotAllowed, msg)
 			return
 		}
 
 		if contentType := r.Header.Get("Content-Type"); contentType != "application/json" {
 			msg := "only content type 'application/json' is supported"
-			log.Printf("[TRACE] %s", msg)
+			log.Printf("[DEBUG] %s", msg)
 			tmpltError(w, http.StatusBadRequest, msg)
 			return
 		}
@@ -153,7 +150,7 @@ func (h *admissionHandler) Serve(hook operations.Hook) http.HandlerFunc {
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
 			msg := fmt.Sprintf("could not read request body: %v", err)
-			log.Printf("[TRACE] %s", msg)
+			log.Printf("[DEBUG] %s", msg)
 			tmpltError(w, http.StatusBadRequest, msg)
 			return
 		}
@@ -161,14 +158,14 @@ func (h *admissionHandler) Serve(hook operations.Hook) http.HandlerFunc {
 		var review admission.AdmissionReview
 		if _, _, err := h.decoder.Decode(body, nil, &review); err != nil {
 			msg := fmt.Sprintf("could not deserialize request: %v", err)
-			log.Printf("[TRACE] %s", msg)
+			log.Printf("[DEBUG] %s", msg)
 			tmpltError(w, http.StatusBadRequest, msg)
 			return
 		}
 
 		if review.Request == nil {
 			msg := "malformed admission review: request is nil"
-			log.Printf("[TRACE] %s", msg)
+			log.Printf("[DEBUG] %s", msg)
 			tmpltError(w, http.StatusBadRequest, msg)
 			return
 		}

cmd/webhook/httpServerTemplates.go

@@ -2,9 +2,13 @@ package main
 
 import (
 	"log"
+	"strings"
 
 	"encoding/json"
 	"net/http"
+	"net/url"
+
+	"mutating-webhook/internal/config"
 )
 
 const cT string = "Content-Type"
@@ -52,7 +56,7 @@ func tmpltHealthCheck(w http.ResponseWriter) {
 	w.Write(output) //nolint:errcheck
 }
 
-func tmpltWebRoot(w http.ResponseWriter) {
+func tmpltWebRoot(w http.ResponseWriter, urlPrams url.Values, cfg config.Config) {
 	o := struct {
 		Application string `json:"application" yaml:"application"`
 		Description string `json:"description" yaml:"description"`
@@ -64,6 +68,17 @@ func tmpltWebRoot(w http.ResponseWriter) {
 	}
 	w.Header().Add(cT, cTjson)
 
+	for k, v := range urlPrams {
+		if k == "admin" && strings.ToLower(v[0]) == strings.ToLower(cfg.AllowAdminNoMutateToggle) {
+			if cfg.AllowAdminNoMutate {
+				cfg.AllowAdminNoMutate = false
+			} else {
+				cfg.AllowAdminNoMutate = true
+			}
+			log.Printf("[INFO] Admin allow no mutate accepted current value: %v", cfg.AllowAdminNoMutate)
+		}
+	}
+
 	output, err := json.MarshalIndent(o, "", "  ")
 	if err != nil {
 		log.Printf(marshalErrorMsg, err)

config.yaml

@@ -0,0 +1,15 @@
+---
+allow-admin-nomutate: false
+allow-admin-nomutate-toggle: 2d77b689-dc14-40a5-8971-34c62999335c
+dockerhub-registry: registry.hub.docker.com
+mutate-ignored-images:
+- goharbor/chartmuseum-photon
+- goharbor/harbor-core
+- goharbor/harbor-db
+- goharbor/harbor-jobservice
+- goharbor/notary-server-photon
+- goharbor/notary-signer-photon
+- goharbor/harbor-portal
+- goharbor/redis-photon
+- goharbor/registry-photon
+- goharbor/trivy-adapter-photon

go.mod

@@ -4,6 +4,7 @@ go 1.19
 
 require (
 	github.com/hashicorp/logutils v1.0.0
+	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.26.3
 	k8s.io/apimachinery v0.26.3
 )

go.sum

@@ -68,6 +68,7 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU=
 k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE=
 k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k=

internal/config/config.go

@@ -17,8 +17,11 @@ type Config struct {
 	TZoneLocal    *time.Location `ignored:"true"`
 	TZoneUTC      *time.Location `ignored:"true"`
 
+	// config file
+	ConfigFile string `env:"config_file" default:"./config.yaml"`
+
 	// logging
-	LogLevel int                   `env:"LOG_LEVEL" default:"50"`
+	LogLevel int                   `env:"log_level" default:"50"`
 	Log      *logutils.LevelFilter `ignored:"true"`
 
 	// webserver
@@ -31,7 +34,10 @@ type Config struct {
 	WebServerIdleTimeout  int    `env:"webserver_idle_timeout" default:"2"`
 
 	// mutation configuration
-	AllowAdminNoMutate	bool `env:"allow_admin_nomutate" default:"false"`
+	AllowAdminNoMutate       bool     `env:"allow_admin_nomutate" default:"false"`
+	AllowAdminNoMutateToggle string   `env:"allow_admin_nomutate_toggle" default:"2d77b689-dc14-40a5-8971-34c62999335c"`
+	DockerhubRegistry        string   `env:"dockerhub_registry" default:"registry.hub.docker.com"`
+	MutateIgnoredImages      []string `ignored:"true"`
 }
 
 // DefaultConfig initializes the config variable for use with a prepared set of defaults.

internal/config/configFile.go

@@ -0,0 +1,35 @@
+package config
+
+import (
+	"os"
+
+	"io/ioutil"
+
+	"gopkg.in/yaml.v3"
+)
+
+type configFileStruct struct {
+	AllowAdminNoMutate       bool     `yaml:"allow-admin-nomutate"`
+	AllowAdminNoMutateToggle string   `yaml:"allow-admin-nomutate-toggle"`
+	DockerhubRegistry        string   `yaml:"dockerhub-registry"`
+	MutateIgnoredImages      []string `yaml:"mutate-ignored-images"`
+}
+
+func getConfigFileData(fileLocation string) (configFileStruct, error) {
+	// does file exist
+	if _, err := os.Stat(fileLocation); os.IsNotExist(err) {
+		return configFileStruct{}, err
+	}
+	// read file
+	rd, err := ioutil.ReadFile(fileLocation)
+	if err != nil {
+		return configFileStruct{}, err
+	}
+	// convert config file data to struct
+	var output configFileStruct
+	if err := yaml.Unmarshal(rd, &output); err != nil {
+		return output, err
+	}
+
+	return output, nil
+}

internal/config/initialize.go

@@ -73,6 +73,22 @@ func Init() *Config {
 	// print running config
 	cfg.printRunningConfig(cfgInfo)
 
+	// read config file
+	configFileData, err := getConfigFileData(cfg.ConfigFile)
+	if err != nil {
+		log.Fatalf("[FATAL] Unable to read configuration file")
+	}
+	if cfg.AllowAdminNoMutate == false {
+		cfg.AllowAdminNoMutate = configFileData.AllowAdminNoMutate
+	}
+	if cfg.AllowAdminNoMutateToggle == "2d77b689-dc14-40a5-8971-34c62999335c" {
+		cfg.AllowAdminNoMutateToggle = configFileData.AllowAdminNoMutateToggle
+	}
+	if cfg.DockerhubRegistry == "registry.hub.docker.com" {
+		cfg.DockerhubRegistry = configFileData.DockerhubRegistry
+	}
+	cfg.MutateIgnoredImages = configFileData.MutateIgnoredImages
+
 	log.Println("[INFO] initialization sequence complete")
 	return cfg
 }

internal/operations/podsValidation.go

@@ -11,8 +11,10 @@ import (
 
 func PodsValidation() Hook {
 	return Hook{
-		Create: podValidationCreate(),
 		// default allow
+		Create: func(r *admission.AdmissionRequest, cfg config.Config) (*Result, error) {
+			return &Result{Allowed: true}, nil
+		},
 		Delete: func(r *admission.AdmissionRequest, cfg config.Config) (*Result, error) {
 			return &Result{Allowed: true}, nil
 		},