diff --git a/webhook/Dockerfile b/webhook/Dockerfile deleted file mode 100644 index 7237a773f..000000000 --- a/webhook/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM golang:1.10 as builder - -RUN go get github.com/Masterminds/glide - -ENV PKG_NAME=github.com/intel/multus-cni/webhook -ENV PKG_PATH=$GOPATH/src/$PKG_NAME -WORKDIR $PKG_PATH - -COPY *.go glide.yaml $PKG_PATH/ -RUN glide install -v -RUN go build -v -o webhook - -FROM golang:1.10 -ENV PKG_NAME=github.com/intel/multus-cni/webhook -ENV PKG_PATH=$GOPATH/src/$PKG_NAME -RUN mkdir /webhook -COPY --from=builder $PKG_PATH/webhook /webhook/ -WORKDIR /webhook -CMD ["./webhook"] diff --git a/webhook/build b/webhook/build deleted file mode 100755 index a4de2ad1c..000000000 --- a/webhook/build +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env bash -set -e - -docker build --build-arg http_proxy=${http_proxy} \ - --build-arg HTTP_PROXY=${HTTP_PROXY} \ - --build-arg https_proxy=${https_proxy} \ - --build-arg HTTPS_PROXY=${HTTPS_PROXY} \ - --build-arg no_proxy=${no_proxy} \ - --build-arg NO_PROXY=${NO_PROXY} \ - -t multus-webhook . diff --git a/webhook/glide.yaml b/webhook/glide.yaml deleted file mode 100644 index e55de86d2..000000000 --- a/webhook/glide.yaml +++ /dev/null @@ -1,26 +0,0 @@ -package: github.com/intel/multus-cni/webhook -import: -- package: github.com/containernetworking/cni - version: ~0.7.0-alpha1 - subpackages: - - libcni -- package: github.com/intel/multus-cni - version: ~3.1.0 - subpackages: - - logging - - types -- package: k8s.io/api - subpackages: - - admission/v1beta1 -- package: k8s.io/apimachinery - subpackages: - - pkg/apis/meta/v1 - - pkg/runtime - - pkg/runtime/serializer -testImport: -- package: github.com/onsi/ginkgo - version: ~1.6.0 - subpackages: - - extensions/table -- package: github.com/onsi/gomega - version: ~1.4.1 diff --git a/webhook/webhook.go b/webhook/webhook.go deleted file mode 100644 index 3c8a6d357..000000000 --- a/webhook/webhook.go +++ /dev/null @@ -1,203 +0,0 @@ -// Copyright (c) 2018 Intel Corporation -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "encoding/json" - "flag" - "fmt" - "io/ioutil" - "net/http" - "regexp" - - "github.com/intel/multus-cni/logging" - "github.com/intel/multus-cni/types" - - "github.com/containernetworking/cni/libcni" - "k8s.io/api/admission/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/serializer" -) - -func validateNetworkAttachmentDefinition(netAttachDef types.NetworkAttachmentDefinition) (bool, error) { - nameRegex := `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` - isNameCorrect, err := regexp.MatchString(nameRegex, netAttachDef.Metadata.Name) - if !isNameCorrect { - logging.Errorf("Invalid name.") - return false, fmt.Errorf("Invalid name") - } - if err != nil { - logging.Errorf("Error validating name: %s.", err) - return false, err - } - - if netAttachDef.Spec.Config == "" { - logging.Errorf("Network Config is empty.") - return false, fmt.Errorf("Network Config is empty") - } - - logging.Printf(logging.DebugLevel, "Validating network config spec: %s", netAttachDef.Spec.Config) - - /* try to unmarshal config into NetworkConfig or NetworkConfigList - using actual code from libcni - if succesful, it means that the config - will be accepted by CNI itseld as well */ - confBytes := []byte(netAttachDef.Spec.Config) - _, err = libcni.ConfListFromBytes(confBytes) - if err != nil { - logging.Printf(logging.DebugLevel, "Spec is not a valid network config: %s. Trying to parse into config list", err) - _, err = libcni.ConfFromBytes(confBytes) - if err != nil { - logging.Printf(logging.DebugLevel, "Spec is not a valid network config list: %s", err) - logging.Errorf("Invalid config: %s", err) - return false, fmt.Errorf("Invalid network config spec") - } - } - - logging.Printf(logging.DebugLevel, "Network Attachment Defintion is valid. Admission Review request allowed") - return true, nil -} - -func prepareAdmissionReviewResponse(allowed bool, message string, ar *v1beta1.AdmissionReview) error { - if ar.Request != nil { - ar.Response = &v1beta1.AdmissionResponse{ - UID: ar.Request.UID, - Allowed: allowed, - } - if message != "" { - ar.Response.Result = &metav1.Status{ - Message: message, - } - } - return nil - } else { - return fmt.Errorf("AdmissionReview request empty") - } -} - -func deserializeAdmissionReview(body []byte) (v1beta1.AdmissionReview, error) { - ar := v1beta1.AdmissionReview{} - runtimeScheme := runtime.NewScheme() - codecs := serializer.NewCodecFactory(runtimeScheme) - deserializer := codecs.UniversalDeserializer() - _, _, err := deserializer.Decode(body, nil, &ar) - - /* Decode() won't return an error if the data wasn't actual AdmissionReview */ - if err == nil && ar.TypeMeta.Kind != "AdmissionReview" { - err = fmt.Errorf("Object is not an AdmissionReview") - } - - return ar, err -} - -func deserializeNetworkAttachmentDefinition(ar v1beta1.AdmissionReview) (types.NetworkAttachmentDefinition, error) { - /* unmarshal NetworkAttachmentDefinition from AdmissionReview request */ - netAttachDef := types.NetworkAttachmentDefinition{} - err := json.Unmarshal(ar.Request.Object.Raw, &netAttachDef) - return netAttachDef, err -} - -func handleValidationError(w http.ResponseWriter, ar v1beta1.AdmissionReview, orgErr error) { - err := prepareAdmissionReviewResponse(false, orgErr.Error(), &ar) - if err != nil { - logging.Errorf("Error preparing AdmissionResponse: %s", err.Error()) - http.Error(w, fmt.Sprintf("Error preparing AdmissionResponse: %s", err.Error()), http.StatusBadRequest) - return - } - writeResponse(w, ar) -} - -func writeResponse(w http.ResponseWriter, ar v1beta1.AdmissionReview) { - logging.Printf(logging.DebugLevel, "Sending response to the API server") - resp, _ := json.Marshal(ar) - w.Write(resp) -} - -func validateHandler(w http.ResponseWriter, req *http.Request) { - var body []byte - - if req.Body != nil { - if data, err := ioutil.ReadAll(req.Body); err == nil { - body = data - } - } - - if len(body) == 0 { - logging.Errorf("Error reading HTTP request: empty body") - http.Error(w, "Error reading HTTP request: empty body", http.StatusBadRequest) - return - } - - /* validate HTTP request headers */ - contentType := req.Header.Get("Content-Type") - if contentType != "application/json" { - logging.Errorf("Invalid Content-Type='%s', expected 'application/json'", contentType) - http.Error(w, "Invalid Content-Type='%s', expected 'application/json'", http.StatusUnsupportedMediaType) - return - } - - /* read AdmissionReview from the request body */ - ar, err := deserializeAdmissionReview(body) - if err != nil { - logging.Errorf("Error deserializing AdmissionReview: %s", err.Error()) - http.Error(w, fmt.Sprintf("Error deserializing AdmissionReview: %s", err.Error()), http.StatusBadRequest) - return - } - - netAttachDef, err := deserializeNetworkAttachmentDefinition(ar) - if err != nil { - handleValidationError(w, ar, err) - return - } - - /* perform actual object validation */ - allowed, err := validateNetworkAttachmentDefinition(netAttachDef) - if err != nil { - handleValidationError(w, ar, err) - return - } - - err = prepareAdmissionReviewResponse(allowed, "", &ar) - if err != nil { - logging.Errorf(err.Error()) - http.Error(w, err.Error(), http.StatusBadRequest) - return - } - - writeResponse(w, ar) -} - -func main() { - /* load configuration */ - port := flag.Int("port", 443, "The port on which to serve.") - address := flag.String("bind-address", "0.0.0.0", "The IP address on which to listen for the --port port.") - cert := flag.String("tls-cert-file", "cert.pem", "File containing the default x509 Certificate for HTTPS.") - key := flag.String("tls-private-key-file", "key.pem", "File containing the default x509 private key matching --tls-cert-file.") - flag.Parse() - - /* enable logging */ - logging.SetLogLevel("debug") - logging.Printf(logging.DebugLevel, "Starting Multus webhook server") - - /* register handlers */ - http.HandleFunc("/validate", validateHandler) - - /* start serving */ - err := http.ListenAndServeTLS(fmt.Sprintf("%s:%d", *address, *port), *cert, *key, nil) - if err != nil { - logging.Errorf("Error starting web server: %s", err.Error()) - return - } -} diff --git a/webhook/webhook_suite_test.go b/webhook/webhook_suite_test.go deleted file mode 100644 index 7d0e7f09f..000000000 --- a/webhook/webhook_suite_test.go +++ /dev/null @@ -1,27 +0,0 @@ -// Copyright (c) 2017 Intel Corporation -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "testing" - - . "github.com/onsi/ginkgo" - . "github.com/onsi/gomega" -) - -func TestWebhook(t *testing.T) { - RegisterFailHandler(Fail) - RunSpecs(t, "Webhook Suite") -} diff --git a/webhook/webhook_test.go b/webhook/webhook_test.go deleted file mode 100644 index feebd123e..000000000 --- a/webhook/webhook_test.go +++ /dev/null @@ -1,187 +0,0 @@ -// Copyright (c) 2017 Intel Corporation -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - . "github.com/onsi/ginkgo" - . "github.com/onsi/ginkgo/extensions/table" - . "github.com/onsi/gomega" - - "bytes" - "net/http" - "net/http/httptest" - - "k8s.io/api/admission/v1beta1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "github.com/intel/multus-cni/types" -) - -var _ = Describe("Webhook", func() { - - Describe("Preparing Admission Review Response", func() { - Context("Admission Review Request is nil", func() { - It("should return error", func() { - ar := &v1beta1.AdmissionReview{} - ar.Request = nil - Expect(prepareAdmissionReviewResponse(false, "", ar)).To(HaveOccurred()) - }) - }) - Context("Message is not empty", func() { - It("should set message in the response", func() { - ar := &v1beta1.AdmissionReview{} - ar.Request = &v1beta1.AdmissionRequest{ - UID: "fake-uid", - } - err := prepareAdmissionReviewResponse(false, "some message", ar) - Expect(err).NotTo(HaveOccurred()) - Expect(ar.Response.Result.Message).To(Equal("some message")) - }) - }) - }) - - Describe("Deserializing Admission Review", func() { - Context("It's not an Admission Review", func() { - It("should return an error", func() { - body := []byte("some-invalid-body") - _, err := deserializeAdmissionReview(body) - Expect(err).To(HaveOccurred()) - }) - }) - }) - - Describe("Deserializing Network Attachment Definition", func() { - Context("It's not an Network Attachment Definition", func() { - It("should return an error", func() { - ar := &v1beta1.AdmissionReview{} - ar.Request = &v1beta1.AdmissionRequest{} - _, err := deserializeNetworkAttachmentDefinition(*ar) - Expect(err).To(HaveOccurred()) - }) - }) - }) - - Describe("Handling validation request", func() { - Context("Request body is empty", func() { - It("should return an error", func() { - req := httptest.NewRequest("POST", "https://fakewebhook/validate", nil) - w := httptest.NewRecorder() - validateHandler(w, req) - resp := w.Result() - Expect(resp.StatusCode).To(Equal(http.StatusBadRequest)) - }) - }) - - Context("Content type is not application/json", func() { - It("should return an error", func() { - req := httptest.NewRequest("POST", "https://fakewebhook/validate", bytes.NewBufferString("fake-body")) - req.Header.Set("Content-Type", "invalid-type") - w := httptest.NewRecorder() - validateHandler(w, req) - resp := w.Result() - Expect(resp.StatusCode).To(Equal(http.StatusUnsupportedMediaType)) - }) - }) - }) - - DescribeTable("Network Attachment Definition validation", - func(in types.NetworkAttachmentDefinition, out bool, shouldFail bool) { - actualOut, err := validateNetworkAttachmentDefinition(in) - Expect(actualOut).To(Equal(out)) - if shouldFail { - Expect(err).To(HaveOccurred()) - } - }, - Entry( - "empty config", - types.NetworkAttachmentDefinition{ - Metadata: metav1.ObjectMeta{ - Name: "some-valid-name", - }, - }, - false, true, - ), - Entry( - "invalid name", - types.NetworkAttachmentDefinition{ - Metadata: metav1.ObjectMeta{ - Name: "some_invalid_name", - }, - }, - false, true, - ), - Entry( - "invalid network config", - types.NetworkAttachmentDefinition{ - Metadata: metav1.ObjectMeta{ - Name: "some-valid-name", - }, - Spec: types.NetworkAttachmentDefinitionSpec{ - Config: `{"some-invalid": "config"}`, - }, - }, - false, true, - ), - Entry( - "valid network config", - types.NetworkAttachmentDefinition{ - Metadata: metav1.ObjectMeta{ - Name: "some-valid-name", - }, - Spec: types.NetworkAttachmentDefinitionSpec{ - Config: `{ - "cniVersion": "0.3.0", - "type": "some-plugin" - }`, - }, - }, - true, false, - ), - Entry( - "valid network config list", - types.NetworkAttachmentDefinition{ - Metadata: metav1.ObjectMeta{ - Name: "some-valid-name", - }, - Spec: types.NetworkAttachmentDefinitionSpec{ - Config: `{ - "cniVersion": "0.3.0", - "name": "some-bridge-network", - "plugins": [ - { - "type": "bridge", - "bridge": "br0", - "ipam": { - "type": "host-local", - "subnet": "192.168.1.0/24" - } - }, - { - "type": "some-plugin" - }, - { - "type": "another-plugin", - "sysctl": { - "net.ipv4.conf.all.log_martians": "1" - } - } - ] - }`, - }, - }, - true, false, - ), - ) -})