dynamic host creation

This commit is contained in:
Hyatt 2023-03-26 10:13:33 -05:00
parent 8375c8bb20
commit a9a8c49b34
Signed by: nhyatt
GPG Key ID: C50D0BBB5BC40BEA
5 changed files with 41 additions and 16 deletions


@ -13,3 +13,6 @@ mutate-ignored-images:
- goharbor/redis-photon - goharbor/redis-photon
- goharbor/registry-photon - goharbor/registry-photon
- goharbor/trivy-adapter-photon - goharbor/trivy-adapter-photon
kubernetes:
namespace: ingress-nginx
service-name: webhook


@ -11,7 +11,9 @@ import (
"encoding/pem" "encoding/pem"
) )
func CreateCSR(privateKey string) (string, error) { func CreateCSR(privateKey string, dnsNames []string) (string, error) {
dnsNames = append(dnsNames, "*.svc.cluster.local")
csr := x509.CertificateRequest{ csr := x509.CertificateRequest{
Subject: pkix.Name{ Subject: pkix.Name{
Organization: []string{"Kubernetes Mutating Webserver"}, Organization: []string{"Kubernetes Mutating Webserver"},
@ -21,14 +23,7 @@ func CreateCSR(privateKey string) (string, error) {
//StreetAddress: []string{""}, //StreetAddress: []string{""},
//PostalCode: []string{""}, //PostalCode: []string{""},
}, },
DNSNames: []string{ DNSNames: dnsNames,
"webhook",
"webhook.ingress-nginx",
"webhook.ingress-nginx.svc",
"webhook.ingress-nginx.svc.cluster",
"webhook.ingress-nginx.svc.cluster.local",
"*.svc.cluster.local",
},
SignatureAlgorithm: x509.SHA384WithRSA, SignatureAlgorithm: x509.SHA384WithRSA,
} }
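Review bot: `dnsNames = append(dnsNames, "*.svc.cluster.local")` writes into the caller's backing array whenever the passed slice has spare capacity, and it keeps a wildcard SAN that makes this server certificate acceptable for any `<name>.svc.cluster.local` host rather than only the webhook, even though the exact names are now generated per deployment. Unless another consumer relies on that wildcard, drop it; at minimum build a private copy so the caller's slice is untouched, `names := append(dnsNames[:len(dnsNames):len(dnsNames)], "*.svc.cluster.local")`, and set `DNSNames: names`. A nil or empty `dnsNames` currently yields a CSR whose only SAN is the wildcard, so returning an error for that input would surface a misconfiguration at startup instead of at the first TLS handshake. CreateCSR's body continues outside both hunks.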


@ -44,6 +44,10 @@ type Config struct {
CAPrivateKey string `env:"ca_private_key"` CAPrivateKey string `env:"ca_private_key"`
CertCert string `env:"cert_cert"` CertCert string `env:"cert_cert"`
CertPrivateKey string `env:"cert_private_key"` CertPrivateKey string `env:"cert_private_key"`
// kubernetes configuration
NameSpace string `env:"namespace" default:"ingress-nginx"`
ServiceName string `env:"service_name" default:"webhook"`
} }
// DefaultConfig initializes the config variable for use with a prepared set of defaults. // DefaultConfig initializes the config variable for use with a prepared set of defaults.
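Review bot: The new field is spelled `NameSpace` while the yaml struct added in the same commit spells it `Namespace`, and Go naming treats namespace as a single word; `Namespace string \`env:"namespace" default:"ingress-nginx"\`` keeps the two config structs aligned (the `cfg.NameSpace` uses in updateValues and certificateInit would need the same rename). The default literals `"ingress-nginx"` and `"webhook"` are also repeated as the comparison values in updateValues, so lifting them into named constants would stop the default and the override check from drifting apart. Config's declaration begins before this hunk.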


@ -9,12 +9,13 @@ import (
) )
type configFileStruct struct { type configFileStruct struct {
AllowAdminNoMutate bool `yaml:"allow-admin-nomutate"` AllowAdminNoMutate bool `yaml:"allow-admin-nomutate"`
AllowAdminNoMutateToggle string `yaml:"allow-admin-nomutate-toggle"` AllowAdminNoMutateToggle string `yaml:"allow-admin-nomutate-toggle"`
DockerhubRegistry string `yaml:"dockerhub-registry"` DockerhubRegistry string `yaml:"dockerhub-registry"`
MutateIgnoredImages []string `yaml:"mutate-ignored-images"` MutateIgnoredImages []string `yaml:"mutate-ignored-images"`
CertificateAuthority CertStruct `yaml:"certificate-authority"` CertificateAuthority CertStruct `yaml:"certificate-authority"`
Certificate CertStruct `yaml:"certificate"` Certificate CertStruct `yaml:"certificate"`
Kubernetes KubernetesStruct `yaml:"kubernetes"`
} }
type CertStruct struct { type CertStruct struct {
@ -23,6 +24,11 @@ type CertStruct struct {
PublicKey string `yaml:"public-key"` PublicKey string `yaml:"public-key"`
} }
type KubernetesStruct struct {
Namespace string `yaml:"namespace"`
ServiceName string `yaml:"service-name"`
}
func getConfigFileData(fileLocation string) (configFileStruct, error) { func getConfigFileData(fileLocation string) (configFileStruct, error) {
// does file exist // does file exist
if _, err := os.Stat(fileLocation); os.IsNotExist(err) { if _, err := os.Stat(fileLocation); os.IsNotExist(err) {
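Review bot: The exported `KubernetesStruct` and the new `Kubernetes` field carry no doc comment, so a reader has to trace through updateValues to certificateInit to learn that these two strings end up as the server certificate's DNS SANs. Suggest `// KubernetesStruct names the namespace and service the webhook is reachable under; both feed the server certificate's DNS names.` above the type, plus a note on the field that an omitted `kubernetes:` block leaves both strings empty, which the override logic in updateValues must be prepared for. getConfigFileData's body continues past the hunk.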


@ -104,6 +104,12 @@ func updateValues(cfg *Config, configFileData configFileStruct) {
if cfg.DockerhubRegistry == "registry.hub.docker.com" && configFileData.DockerhubRegistry != "registry.hub.docker.com" { if cfg.DockerhubRegistry == "registry.hub.docker.com" && configFileData.DockerhubRegistry != "registry.hub.docker.com" {
cfg.DockerhubRegistry = configFileData.DockerhubRegistry cfg.DockerhubRegistry = configFileData.DockerhubRegistry
} }
if cfg.NameSpace == "ingress-nginx" && configFileData.Kubernetes.Namespace != "ingress-nginx" {
cfg.NameSpace = configFileData.Kubernetes.Namespace
}
if cfg.ServiceName == "webhook" && configFileData.Kubernetes.ServiceName != "webhook" {
cfg.ServiceName = configFileData.Kubernetes.ServiceName
}
if len(configFileData.MutateIgnoredImages) != 0 { if len(configFileData.MutateIgnoredImages) != 0 {
cfg.MutateIgnoredImages = configFileData.MutateIgnoredImages cfg.MutateIgnoredImages = configFileData.MutateIgnoredImages
} }
@ -167,7 +173,7 @@ func certificateInit(cfg *Config) error {
// certificate certificate is missing, create it // certificate certificate is missing, create it
if len(cfg.CertCert) == 0 { if len(cfg.CertCert) == 0 {
log.Printf("[TRACE] No server certificate detected") log.Printf("[TRACE] No server certificate detected")
csr, err := certificate.CreateCSR(cfg.CertPrivateKey) csr, err := certificate.CreateCSR(cfg.CertPrivateKey, getDNSNames(cfg.NameSpace, cfg.ServiceName))
if err != nil { if err != nil {
return fmt.Errorf("Create CSR (%v)", err) return fmt.Errorf("Create CSR (%v)", err)
} }
@ -180,3 +186,14 @@ func certificateInit(cfg *Config) error {
return nil return nil
} }
func getDNSNames(ns, service string) []string {
return []string{
fmt.Sprintf("%s", service),
fmt.Sprintf("%s.%s", service, ns),
fmt.Sprintf("%s.%s", service, ns),
fmt.Sprintf("%s.%s.svc", service, ns),
fmt.Sprintf("%s.%s.svc.cluster", service, ns),
fmt.Sprintf("%s.%s.svc.cluster.local", service, ns),
}
}
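Review bot: The new override checks in updateValues reset the namespace and service name to empty strings whenever the config file omits the `kubernetes:` block (any file written before this commit), because `configFileData.Kubernetes.Namespace != "ingress-nginx"` is also true for `""`; the CSR would then be built from malformed names such as `..svc.cluster.local` and the resulting certificate would likely fail hostname verification. Test for a supplied value instead: `if cfg.NameSpace == "ingress-nginx" && configFileData.Kubernetes.Namespace != "" {` and `if cfg.ServiceName == "webhook" && configFileData.Kubernetes.ServiceName != "" {`. getDNSNames lists `fmt.Sprintf("%s.%s", service, ns)` twice, which puts a duplicate SAN in the request, and `fmt.Sprintf("%s", service)` is simply `service`; removing the repeated line and using the plain string also keeps staticcheck quiet. Because ns and service now arrive from the environment and the config file, rejecting empty values or characters that are not valid in a DNS label before building this list would keep a bad config from producing an unusable certificate. updateValues and certificateInit both extend beyond their hunks; getDNSNames is shown in full.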