Merge remote-tracking branch 'upstream/master'

webhook/Dockerfile

@@ -1,19 +0,0 @@
-FROM golang:1.10 as builder
-
-RUN go get github.com/Masterminds/glide
-
-ENV PKG_NAME=github.com/intel/multus-cni/webhook
-ENV PKG_PATH=$GOPATH/src/$PKG_NAME
-WORKDIR $PKG_PATH
-
-COPY *.go glide.yaml $PKG_PATH/
-RUN glide install -v
-RUN go build -v -o webhook
-
-FROM golang:1.10
-ENV PKG_NAME=github.com/intel/multus-cni/webhook
-ENV PKG_PATH=$GOPATH/src/$PKG_NAME
-RUN mkdir /webhook
-COPY --from=builder $PKG_PATH/webhook /webhook/
-WORKDIR /webhook
-CMD ["./webhook"]

webhook/build

@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-docker build --build-arg http_proxy=${http_proxy} \
-             --build-arg HTTP_PROXY=${HTTP_PROXY} \
-             --build-arg https_proxy=${https_proxy} \
-             --build-arg HTTPS_PROXY=${HTTPS_PROXY} \
-             --build-arg no_proxy=${no_proxy} \
-             --build-arg NO_PROXY=${NO_PROXY} \
-             -t multus-webhook .

webhook/glide.yaml

@@ -1,26 +0,0 @@
-package: github.com/intel/multus-cni/webhook
-import:
-- package: github.com/containernetworking/cni
-  version: ~0.7.0-alpha1
-  subpackages:
-  - libcni
-- package: github.com/intel/multus-cni
-  version: ~3.1.0
-  subpackages:
-  - logging
-  - types
-- package: k8s.io/api
-  subpackages:
-  - admission/v1beta1
-- package: k8s.io/apimachinery
-  subpackages:
-  - pkg/apis/meta/v1
-  - pkg/runtime
-  - pkg/runtime/serializer
-testImport:
-- package: github.com/onsi/ginkgo
-  version: ~1.6.0
-  subpackages:
-  - extensions/table
-- package: github.com/onsi/gomega
-  version: ~1.4.1

webhook/webhook.go

@@ -1,203 +0,0 @@
-// Copyright (c) 2018 Intel Corporation
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"regexp"
-
-	"github.com/intel/multus-cni/logging"
-	"github.com/intel/multus-cni/types"
-
-	"github.com/containernetworking/cni/libcni"
-	"k8s.io/api/admission/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/serializer"
-)
-
-func validateNetworkAttachmentDefinition(netAttachDef types.NetworkAttachmentDefinition) (bool, error) {
-	nameRegex := `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
-	isNameCorrect, err := regexp.MatchString(nameRegex, netAttachDef.Metadata.Name)
-	if !isNameCorrect {
-		logging.Errorf("Invalid name.")
-		return false, fmt.Errorf("Invalid name")
-	}
-	if err != nil {
-		logging.Errorf("Error validating name: %s.", err)
-		return false, err
-	}
-
-	if netAttachDef.Spec.Config == "" {
-		logging.Errorf("Network Config is empty.")
-		return false, fmt.Errorf("Network Config is empty")
-	}
-
-	logging.Printf(logging.DebugLevel, "Validating network config spec: %s", netAttachDef.Spec.Config)
-
-	/* try to unmarshal config into NetworkConfig or NetworkConfigList
-	   using actual code from libcni - if succesful, it means that the config
-		 will be accepted by CNI itseld as well */
-	confBytes := []byte(netAttachDef.Spec.Config)
-	_, err = libcni.ConfListFromBytes(confBytes)
-	if err != nil {
-		logging.Printf(logging.DebugLevel, "Spec is not a valid network config: %s. Trying to parse into config list", err)
-		_, err = libcni.ConfFromBytes(confBytes)
-		if err != nil {
-			logging.Printf(logging.DebugLevel, "Spec is not a valid network config list: %s", err)
-			logging.Errorf("Invalid config: %s", err)
-			return false, fmt.Errorf("Invalid network config spec")
-		}
-	}
-
-	logging.Printf(logging.DebugLevel, "Network Attachment Defintion is valid. Admission Review request allowed")
-	return true, nil
-}
-
-func prepareAdmissionReviewResponse(allowed bool, message string, ar *v1beta1.AdmissionReview) error {
-	if ar.Request != nil {
-		ar.Response = &v1beta1.AdmissionResponse{
-			UID:     ar.Request.UID,
-			Allowed: allowed,
-		}
-		if message != "" {
-			ar.Response.Result = &metav1.Status{
-				Message: message,
-			}
-		}
-		return nil
-	} else {
-		return fmt.Errorf("AdmissionReview request empty")
-	}
-}
-
-func deserializeAdmissionReview(body []byte) (v1beta1.AdmissionReview, error) {
-	ar := v1beta1.AdmissionReview{}
-	runtimeScheme := runtime.NewScheme()
-	codecs := serializer.NewCodecFactory(runtimeScheme)
-	deserializer := codecs.UniversalDeserializer()
-	_, _, err := deserializer.Decode(body, nil, &ar)
-
-	/* Decode() won't return an error if the data wasn't actual AdmissionReview */
-	if err == nil && ar.TypeMeta.Kind != "AdmissionReview" {
-		err = fmt.Errorf("Object is not an AdmissionReview")
-	}
-
-	return ar, err
-}
-
-func deserializeNetworkAttachmentDefinition(ar v1beta1.AdmissionReview) (types.NetworkAttachmentDefinition, error) {
-	/* unmarshal NetworkAttachmentDefinition from AdmissionReview request */
-	netAttachDef := types.NetworkAttachmentDefinition{}
-	err := json.Unmarshal(ar.Request.Object.Raw, &netAttachDef)
-	return netAttachDef, err
-}
-
-func handleValidationError(w http.ResponseWriter, ar v1beta1.AdmissionReview, orgErr error) {
-	err := prepareAdmissionReviewResponse(false, orgErr.Error(), &ar)
-	if err != nil {
-		logging.Errorf("Error preparing AdmissionResponse: %s", err.Error())
-		http.Error(w, fmt.Sprintf("Error preparing AdmissionResponse: %s", err.Error()), http.StatusBadRequest)
-		return
-	}
-	writeResponse(w, ar)
-}
-
-func writeResponse(w http.ResponseWriter, ar v1beta1.AdmissionReview) {
-	logging.Printf(logging.DebugLevel, "Sending response to the API server")
-	resp, _ := json.Marshal(ar)
-	w.Write(resp)
-}
-
-func validateHandler(w http.ResponseWriter, req *http.Request) {
-	var body []byte
-
-	if req.Body != nil {
-		if data, err := ioutil.ReadAll(req.Body); err == nil {
-			body = data
-		}
-	}
-
-	if len(body) == 0 {
-		logging.Errorf("Error reading HTTP request: empty body")
-		http.Error(w, "Error reading HTTP request: empty body", http.StatusBadRequest)
-		return
-	}
-
-	/* validate HTTP request headers */
-	contentType := req.Header.Get("Content-Type")
-	if contentType != "application/json" {
-		logging.Errorf("Invalid Content-Type='%s', expected 'application/json'", contentType)
-		http.Error(w, "Invalid Content-Type='%s', expected 'application/json'", http.StatusUnsupportedMediaType)
-		return
-	}
-
-	/* read AdmissionReview from the request body */
-	ar, err := deserializeAdmissionReview(body)
-	if err != nil {
-		logging.Errorf("Error deserializing AdmissionReview: %s", err.Error())
-		http.Error(w, fmt.Sprintf("Error deserializing AdmissionReview: %s", err.Error()), http.StatusBadRequest)
-		return
-	}
-
-	netAttachDef, err := deserializeNetworkAttachmentDefinition(ar)
-	if err != nil {
-		handleValidationError(w, ar, err)
-		return
-	}
-
-	/* perform actual object validation */
-	allowed, err := validateNetworkAttachmentDefinition(netAttachDef)
-	if err != nil {
-		handleValidationError(w, ar, err)
-		return
-	}
-
-	err = prepareAdmissionReviewResponse(allowed, "", &ar)
-	if err != nil {
-		logging.Errorf(err.Error())
-		http.Error(w, err.Error(), http.StatusBadRequest)
-		return
-	}
-
-	writeResponse(w, ar)
-}
-
-func main() {
-	/* load configuration */
-	port := flag.Int("port", 443, "The port on which to serve.")
-	address := flag.String("bind-address", "0.0.0.0", "The IP address on which to listen for the --port port.")
-	cert := flag.String("tls-cert-file", "cert.pem", "File containing the default x509 Certificate for HTTPS.")
-	key := flag.String("tls-private-key-file", "key.pem", "File containing the default x509 private key matching --tls-cert-file.")
-	flag.Parse()
-
-	/* enable logging */
-	logging.SetLogLevel("debug")
-	logging.Printf(logging.DebugLevel, "Starting Multus webhook server")
-
-	/* register handlers */
-	http.HandleFunc("/validate", validateHandler)
-
-	/* start serving */
-	err := http.ListenAndServeTLS(fmt.Sprintf("%s:%d", *address, *port), *cert, *key, nil)
-	if err != nil {
-		logging.Errorf("Error starting web server: %s", err.Error())
-		return
-	}
-}

webhook/webhook_suite_test.go

@@ -1,27 +0,0 @@
-// Copyright (c) 2017 Intel Corporation
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
-	"testing"
-
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-)
-
-func TestWebhook(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "Webhook Suite")
-}

webhook/webhook_test.go

@@ -1,187 +0,0 @@
-// Copyright (c) 2017 Intel Corporation
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package main
-
-import (
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/ginkgo/extensions/table"
-	. "github.com/onsi/gomega"
-
-	"bytes"
-	"net/http"
-	"net/http/httptest"
-
-	"k8s.io/api/admission/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/intel/multus-cni/types"
-)
-
-var _ = Describe("Webhook", func() {
-
-	Describe("Preparing Admission Review Response", func() {
-		Context("Admission Review Request is nil", func() {
-			It("should return error", func() {
-				ar := &v1beta1.AdmissionReview{}
-				ar.Request = nil
-				Expect(prepareAdmissionReviewResponse(false, "", ar)).To(HaveOccurred())
-			})
-		})
-		Context("Message is not empty", func() {
-			It("should set message in the response", func() {
-				ar := &v1beta1.AdmissionReview{}
-				ar.Request = &v1beta1.AdmissionRequest{
-					UID: "fake-uid",
-				}
-				err := prepareAdmissionReviewResponse(false, "some message", ar)
-				Expect(err).NotTo(HaveOccurred())
-				Expect(ar.Response.Result.Message).To(Equal("some message"))
-			})
-		})
-	})
-
-	Describe("Deserializing Admission Review", func() {
-		Context("It's not an Admission Review", func() {
-			It("should return an error", func() {
-				body := []byte("some-invalid-body")
-				_, err := deserializeAdmissionReview(body)
-				Expect(err).To(HaveOccurred())
-			})
-		})
-	})
-
-	Describe("Deserializing Network Attachment Definition", func() {
-		Context("It's not an Network Attachment Definition", func() {
-			It("should return an error", func() {
-				ar := &v1beta1.AdmissionReview{}
-				ar.Request = &v1beta1.AdmissionRequest{}
-				_, err := deserializeNetworkAttachmentDefinition(*ar)
-				Expect(err).To(HaveOccurred())
-			})
-		})
-	})
-
-	Describe("Handling validation request", func() {
-		Context("Request body is empty", func() {
-			It("should return an error", func() {
-				req := httptest.NewRequest("POST", "https://fakewebhook/validate", nil)
-				w := httptest.NewRecorder()
-				validateHandler(w, req)
-				resp := w.Result()
-				Expect(resp.StatusCode).To(Equal(http.StatusBadRequest))
-			})
-		})
-
-		Context("Content type is not application/json", func() {
-			It("should return an error", func() {
-				req := httptest.NewRequest("POST", "https://fakewebhook/validate", bytes.NewBufferString("fake-body"))
-				req.Header.Set("Content-Type", "invalid-type")
-				w := httptest.NewRecorder()
-				validateHandler(w, req)
-				resp := w.Result()
-				Expect(resp.StatusCode).To(Equal(http.StatusUnsupportedMediaType))
-			})
-		})
-	})
-
-	DescribeTable("Network Attachment Definition validation",
-		func(in types.NetworkAttachmentDefinition, out bool, shouldFail bool) {
-			actualOut, err := validateNetworkAttachmentDefinition(in)
-			Expect(actualOut).To(Equal(out))
-			if shouldFail {
-				Expect(err).To(HaveOccurred())
-			}
-		},
-		Entry(
-			"empty config",
-			types.NetworkAttachmentDefinition{
-				Metadata: metav1.ObjectMeta{
-					Name: "some-valid-name",
-				},
-			},
-			false, true,
-		),
-		Entry(
-			"invalid name",
-			types.NetworkAttachmentDefinition{
-				Metadata: metav1.ObjectMeta{
-					Name: "some_invalid_name",
-				},
-			},
-			false, true,
-		),
-		Entry(
-			"invalid network config",
-			types.NetworkAttachmentDefinition{
-				Metadata: metav1.ObjectMeta{
-					Name: "some-valid-name",
-				},
-				Spec: types.NetworkAttachmentDefinitionSpec{
-					Config: `{"some-invalid": "config"}`,
-				},
-			},
-			false, true,
-		),
-		Entry(
-			"valid network config",
-			types.NetworkAttachmentDefinition{
-				Metadata: metav1.ObjectMeta{
-					Name: "some-valid-name",
-				},
-				Spec: types.NetworkAttachmentDefinitionSpec{
-					Config: `{
-            "cniVersion": "0.3.0",
-            "type": "some-plugin"
-          }`,
-				},
-			},
-			true, false,
-		),
-		Entry(
-			"valid network config list",
-			types.NetworkAttachmentDefinition{
-				Metadata: metav1.ObjectMeta{
-					Name: "some-valid-name",
-				},
-				Spec: types.NetworkAttachmentDefinitionSpec{
-					Config: `{
-            "cniVersion": "0.3.0",
-            "name": "some-bridge-network",
-            "plugins": [
-              {
-                "type": "bridge",
-                "bridge": "br0",
-                "ipam": {
-                  "type": "host-local",
-                  "subnet": "192.168.1.0/24"
-                }
-              },
-              {
-                "type": "some-plugin"
-              },
-              {
-                "type": "another-plugin",
-                "sysctl": {
-                  "net.ipv4.conf.all.log_martians": "1"
-                }
-              }
-            ]
-          }`,
-				},
-			},
-			true, false,
-		),
-	)
-})