commit c6118649ab5a5e068c5b68593a8620557651665f
author Serge Bazanski <q3k@hackerspace.pl> Sun Jan 31 01:17:38 2021 +0100
committer Serge Bazanski <q3k@hackerspace.pl> Sun Jan 31 12:18:16 2021 +0100
tree 8589688a244ba94e640e2a7d295035e075b6d540
parent 5d2c8fcda0f0cf31608bf80780b9f247bd1f398d

cluster/admitomatic: finish up service

This turns admitomatic into a self-standing service that can be used as
an admission controller.

I've tested this E2E on a local k3s server, and have some early test
code for that - but that'll land up in a follow up CR, as it first needs
to be cleaned up.

Change-Id: I46da0fc49f9d1a3a1a96700a36deb82e5057249b

cluster/admitomatic/service.go

diff --git a/cluster/admitomatic/service.go b/cluster/admitomatic/service.go
new file mode 100644
index 0000000..8fa2698
--- /dev/null
+++ b/cluster/admitomatic/service.go
@@ -0,0 +1,105 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/golang/glog"
+	"google.golang.org/protobuf/encoding/prototext"
+	admission "k8s.io/api/admission/v1beta1"
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	pb "code.hackerspace.pl/hscloud/cluster/admitomatic/config"
+)
+
+type service struct {
+	ingress ingressFilter
+}
+
+// newService creates an admitomatic service from a given prototext config.
+func newService(configuration []byte) (*service, error) {
+	var cfg pb.Config
+	if err := prototext.Unmarshal(configuration, &cfg); err != nil {
+		return nil, fmt.Errorf("parsing config: %v", err)
+	}
+
+	s := service{}
+
+	for i, ad := range cfg.AllowDomain {
+		if ad.Namespace == "" {
+			ad.Namespace = "default"
+		}
+		if ad.Dns == "" {
+			return nil, fmt.Errorf("config entry %d: dns must be set", i)
+		}
+		if err := s.ingress.allow(ad.Namespace, ad.Dns); err != nil {
+			return nil, fmt.Errorf("config entry %d: %v", i, err)
+		}
+		glog.Infof("Ingress: allowing %s in %s", ad.Dns, ad.Namespace)
+	}
+	return &s, nil
+}
+
+// handler is the main HTTP handler of the admitomatic service. It servers the
+// AdmissionReview API, and is called by the Kubernetes API server to
+// permit/deny creation/updating of resources.
+func (s *service) handler(w http.ResponseWriter, r *http.Request) {
+	var body []byte
+	if r.Body != nil {
+		if data, err := ioutil.ReadAll(r.Body); err == nil {
+			body = data
+		}
+	}
+
+	if r.Method != "POST" {
+		glog.Errorf("%s %s: invalid method", r.Method, r.URL)
+		return
+	}
+
+	contentType := r.Header.Get("Content-Type")
+	if contentType != "application/json" {
+		glog.Errorf("%s %s: invalid content-type", r.Method, r.URL)
+		return
+	}
+
+	var review admission.AdmissionReview
+	if err := json.Unmarshal(body, &review); err != nil {
+		glog.Errorf("%s %s: cannot decode: %v", r.Method, r.URL, err)
+		return
+	}
+
+	if review.Kind != "AdmissionReview" {
+		glog.Errorf("%s %s: invalid Kind (%q)", r.Method, r.URL, review.Kind)
+		return
+	}
+
+	var err error
+	req := review.Request
+	resp := &admission.AdmissionResponse{
+		UID:     req.UID,
+		Allowed: true,
+	}
+	switch {
+	case req.Kind.Group == "networking.k8s.io" && req.Kind.Kind == "Ingress":
+		resp, err = s.ingress.admit(req)
+		if err != nil {
+			glog.Errorf("%s %s %s: %v", req.Operation, req.Name, req.Namespace, err)
+			// Fail safe.
+			// TODO(q3k): monitor this?
+			resp = &admission.AdmissionResponse{
+				UID:     req.UID,
+				Allowed: false,
+				Result: &meta.Status{
+					Code:    500,
+					Message: "admitomatic: internal server error",
+				},
+			}
+		}
+	}
+
+	glog.Infof("%s %s %s in %s: %v (%v)", req.Operation, req.Kind.Kind, req.Name, req.Namespace, resp.Allowed, resp.Result)
+	review.Response = resp
+	json.NewEncoder(w).Encode(review)
+}