feat(jspolicy): Allow webhook URL to be specified
Allow the webhook URL to be specified, and if it is, don't use a service
reference.
ratschance committed Dec 7, 2023
1 parent 13c7ae3 commit e39a0fd
Showing 3 changed files with 64 additions and 10 deletions.
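--- a/pkg/controllers/jspolicy.go
+++ b/pkg/controllers/jspolicy.go
@@ -541,11 +541,16 @@ func (r *JsPolicyReconciler) syncMutatingWebhookConfiguration(ctx context.Contex
 // Ensure webhook fields
 webhook.Webhooks[0].Name = jsPolicy.Name
 path := "/policy/" + jsPolicy.Name
-webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
-Name: clienthelper.ServiceName(),
-Namespace: namespace,
-Path: &path,
-Port: &port,
+if url := clienthelper.WebhookURL(); url != "" {
+url = url + path
+webhook.Webhooks[0].ClientConfig.URL = &url
+} else {
+webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
+Name: clienthelper.ServiceName(),
+Namespace: namespace,
+Path: &path,
+Port: &port,
+}
 }
 webhook.Webhooks[0].ClientConfig.CABundle = r.CaBundle
 if len(webhook.Webhooks[0].Rules) != 1 {
@@ -639,11 +644,16 @@ func (r *JsPolicyReconciler) syncValidatingWebhookConfiguration(ctx context.Cont
 // Ensure webhook fields
 webhook.Webhooks[0].Name = jsPolicy.Name
 path := "/policy/" + jsPolicy.Name
-webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
-Name: clienthelper.ServiceName(),
-Namespace: namespace,
-Path: &path,
-Port: &port,
+if url := clienthelper.WebhookURL(); url != "" {
+url = url + path
+webhook.Webhooks[0].ClientConfig.URL = &url
+} else {
+webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
+Name: clienthelper.ServiceName(),
+Namespace: namespace,
+Path: &path,
+Port: &port,
+}
 }
 webhook.Webhooks[0].ClientConfig.CABundle = r.CaBundle
 if len(webhook.Webhooks[0].Rules) != 1 {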
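Review bot: Neither branch of the new `if`/`else` clears the other ClientConfig field, in both syncMutatingWebhookConfiguration and syncValidatingWebhookConfiguration: the URL branch leaves any existing `ClientConfig.Service` in place and the service branch leaves any existing `ClientConfig.URL`. Kubernetes requires exactly one of `url` or `service` on a webhook client config, so if `webhook` is an existing object being updated (its loading is outside the hunks, so this is inferred from the sync naming), switching JS_POLICY_WEBHOOK_URL on or off for a running install would make the update fail validation. I would add `webhook.Webhooks[0].ClientConfig.Service = nil` after the URL assignment and `webhook.Webhooks[0].ClientConfig.URL = nil` in the `else` branch. `r.CaBundle` is still applied in URL mode, so the external endpoint must present a certificate that chains to that bundle and matches the URL host; a comment such as `// CABundle also applies in URL mode: the endpoint's cert must chain to it` would help operators. Both function bodies start and end outside the hunks.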
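--- a/pkg/controllers/jspolicy_test.go
+++ b/pkg/controllers/jspolicy_test.go
@@ -81,6 +81,8 @@ func TestSimple(t *testing2.T) {
 err = fakeClient.List(context.TODO(), list)
 assert.NilError(t, err)
 assert.Equal(t, len(list.Items), 1)
+var expectedURL *string
+assert.Equal(t, list.Items[0].Webhooks[0].ClientConfig.URL, expectedURL, "the webhook url should be nil when JS_POLICY_WEBHOOK_URL is not set")
 mList := &admissionregistrationv1.MutatingWebhookConfigurationList{}
 err = fakeClient.List(context.TODO(), mList)
 assert.NilError(t, err)
@@ -104,6 +106,39 @@ func TestSimple(t *testing2.T) {
 assert.NilError(t, err)
 assert.Equal(t, len(mList.Items), 1)
 }
+func TestSimpleURL(t *testing2.T) {
+err := os.Setenv("KUBE_NAMESPACE", "default")
+assert.NilError(t, err)
+err = os.Setenv("JS_POLICY_WEBHOOK_URL", "https://testurl.example.local")
+assert.NilError(t, err)
+
+scheme := testing.NewScheme()
+fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects(testPolicy).Build()
+
+controller := &JsPolicyReconciler{
+Client: fakeClient,
+Log: loghelper.New("test"),
+Scheme: scheme,
+Bundler: nil,
+ControllerPolicyManager: nil,
+controllerPolicyHash: map[string]string{},
+CaBundle: []byte("any"),
+}
+
+// sync the webhook
+err = controller.syncWebhook(context.Background(), testPolicy)
+assert.NilError(t, err)
+
+// check if there was a validating webhook created
+list := &admissionregistrationv1.ValidatingWebhookConfigurationList{}
+err = fakeClient.List(context.TODO(), list)
+assert.NilError(t, err)
+assert.Equal(t, len(list.Items), 1)
+
+// confirm that the webhook url is set correctly
+expectedURL := "https://testurl.example.local" + "/policy/test.test.com"
+assert.Equal(t, *list.Items[0].Webhooks[0].ClientConfig.URL, expectedURL)
+}
 
 type fakeBundler struct {
 bundle []byte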
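Review bot: TestSimpleURL sets JS_POLICY_WEBHOOK_URL with `os.Setenv` and never restores it, so the variable leaks into every test that runs later in the same process, while TestSimple now asserts that the URL is nil when the variable is unset; the result therefore depends on test order (for example under `-shuffle=on` or `-count=2`). Using `t.Setenv("JS_POLICY_WEBHOOK_URL", "https://testurl.example.local")` restores the previous value on cleanup, provided `testing2` is the standard `testing` package on Go 1.17 or later, which the alias suggests but the hunk does not show. The new test also checks only the validating configuration; asserting the same URL on a `MutatingWebhookConfigurationList` and that `ClientConfig.Service` is nil would cover the other changed function and the rule that only one of URL and Service may be set.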
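--- a/pkg/util/clienthelper/helper.go
+++ b/pkg/util/clienthelper/helper.go
@@ -20,6 +20,15 @@ func ServiceName() string {
 return "jspolicy"
 }
 
+// WebhookURL returns the URL of the webhook service if it is set in the environment variable JS_POLICY_WEBHOOK_URL.
+// Otherwise, it returns an empty string which means a webhook service reference should be used.
+func WebhookURL() string {
+if os.Getenv("JS_POLICY_WEBHOOK_URL") != "" {
+return os.Getenv("JS_POLICY_WEBHOOK_URL")
+}
+return ""
+}
+
 func CurrentNamespace() (string, error) {
 envNamespace := os.Getenv("KUBE_NAMESPACE")
 if envNamespace != "" {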
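Review bot: WebhookURL returns the raw environment value with no validation, so a value the API server will not accept for a webhook `url` (a non-`https` scheme, a query string, a fragment, embedded credentials) is only discovered when the webhook configuration is rejected at reconcile time, and a trailing slash yields `//policy/<name>` once the caller appends the path. Parsing the value once with `net/url` at startup and failing fast on anything but a plain `https` URL would surface misconfiguration early; at minimum the body could be `return strings.TrimSuffix(os.Getenv("JS_POLICY_WEBHOOK_URL"), "/")`, assuming `strings` is or can be imported in this file. The `if` is redundant in any case, because `os.Getenv` already returns an empty string when the variable is unset. Since this variable decides where the API server sends admission requests for every policy, the doc comment should also state that whoever can set it on the controller controls the admission endpoint.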
