...
Code Block | ||||
---|---|---|---|---|
| ||||
package main import ( "encoding/json" "errors" "flag" "fmt" "io/ioutil" "k8s.io/api/admission/v1beta1" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" "log" "net/http" "strconv" ) type ServerParameters struct { port int // webhook server port certFile string // path to the x509 cert keyFile string // path to the x509 private key } type patchOperation struct { Op string `json:"op"` Path string `json:"path"` Value interface{} `json:"value,omitempty"` } var parameters ServerParameters var ( universalDeserializer = serializer.NewCodecFactory(runtime.NewScheme()).UniversalDeserializer() ) func main() { flag.IntVar(¶meters.port, "port", 8443, "Webhook server port.") flag.StringVar(¶meters.certFile, "tlsCertFile", "/certs/tls.crt", "File containing the x509 certificate") flag.StringVar(¶meters.keyFile, "tlsKeyFile", "/certs/tls.key", "File containing the x509 private key") flag.Parse() http.HandleFunc("/inject-sidecar", HandleSideCarInjection) log.Fatal(http.ListenAndServeTLS(":"+strconv.Itoa(parameters.port), parameters.certFile, parameters.keyFile, nil)) } func HandleSideCarInjection(w http.ResponseWriter, r *http.Request) { body, err := ioutil.ReadAll(r.Body) err = ioutil.WriteFile("/tmp/request", body, 0644) if err != nil { panic(err.Error()) } var admissionReviewReq v1beta1.AdmissionReview if _, _, err := universalDeserializer.Decode(body, nil, &admissionReviewReq); err != nil { w.WriteHeader(http.StatusBadRequest) fmt.Errorf("Could not deserialize request: %v", err) } else if admissionReviewReq.Request == nil { w.WriteHeader(http.StatusBadRequest) errors.New("Malformed admission review - request is empty") } fmt.Printf("Received Admission Review Request - Type: %v \t Event: %v \t Name: %v \n", admissionReviewReq.Request.Kind, admissionReviewReq.Request.Operation, admissionReviewReq.Request.Name, ) var pod v1.Pod err = json.Unmarshal(admissionReviewReq.Request.Object.Raw, &pod) if err != nil { fmt.Errorf("Could not unmarshal pod from admission request: %v", err) } var patches []patchOperation labels := pod.ObjectMeta.Labels labels["sidecar-injection-webhook"] = "jwt-proxy" patches = append(patches, patchOperation{ Op: "add", Path: "/metadata/labels", Value: labels, }) var containers []v1.Container containers = append(containers, pod.Spec.Containers...) container := v1.Container{ Name: "jwt-proxy", Image: "ktimoney/rapps-jwt", ImagePullPolicy: v1.PullIfNotPresent, Ports: []v1.ContainerPort{ { Name: "http", Protocol: v1.ProtocolTCP, ContainerPort: 8888, }, }, VolumeMounts: []v1.VolumeMount{ { Name: "certsdir", MountPath: "/certs", ReadOnly: true, }, }, } containers = append(containers, container) fmt.Println(containers) patches = append(patches, patchOperation{ Op: "add", Path: "/spec/containers", Value: containers, }) pathType := v1.HostPathDirectoryOrCreate pathTypePtr := &pathType var volumes []v1.Volume volumes = append(volumes, pod.Spec.Volumes...) volume := v1.Volume{ Name: "certsdir", VolumeSource: v1.VolumeSource{ HostPath: &v1.HostPathVolumeSource{ Path: "/var/rapps/certs", Type: pathTypePtr, }, }, } volumes = append(volumes, volume) fmt.Println(volumes) patches = append(patches, patchOperation{ Op: "add", Path: "/spec/volumes", Value: volumes, }) fmt.Println(patches) patchBytes, err := json.Marshal(patches) if err != nil { fmt.Errorf("Error occurred when trying to marshal JSON patch: %v", err) } admissionReviewResponse := v1beta1.AdmissionReview{ Response: &v1beta1.AdmissionResponse{ UID: admissionReviewReq.Request.UID, Allowed: true, }, } admissionReviewResponse.Response.Patch = patchBytes bytes, err := json.Marshal(&admissionReviewResponse) if err != nil { fmt.Errorf("Error occurred when trying to marshal Aadmission Review response: %v", err) } w.Write(bytes) } |
MutatingWebhookConfiguration.yaml
Note: You'll need to configure your deployment to include a tls.crt and tls.key secret. Your MutatingWebhookConfiguration will need to include the corresponding ca bubdle.
2) Envoyfilter to update request header with jwt token.
...