feat: Add webhook

orange-cloudavenue · Sep 23, 2024 · 8f6a155 · 8f6a155
1 parent d06a18d
commit 8f6a155
Show file tree

Hide file tree

Showing 7 changed files with 290 additions and 436 deletions.
diff --git a/Makefile b/Makefile
@@ -82,7 +82,11 @@ lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 build: manifests generate fmt vet ## Build manager binary.
 	go build -o bin/operator cmd/operator/main.go
 	go build -o bin/kimup cmd/kimup/main.go
-	go build -o bin/webhook cmd/webhook/main.go
+	go build -o bin/webhook cmd/webhook/*
+
+.PHONY: build
+build-webhook: manifests generate fmt vet
+	go build -o bin/webhook cmd/webhook/*
 
 .PHONY: run-operator
 run-operator: manifests generate fmt vet ## Run a controller from your host.
@@ -94,7 +98,7 @@ run-kimup: manifests generate fmt vet ## Run the image updater from your host.
 
 .PHONY: run-webhook
 run-webhook: manifests generate fmt vet ## Run the webhook from your host.
-	go run ./cmd/webhook/main.go
+	go run ./cmd/webhook/
 
 # If you wish to build the manager image targeting other platforms you can use the --platform flag.
 # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it.

diff --git a/cmd/webhook/cert.go.old → cmd/webhook/certificate.go b/cmd/webhook/cert.go.old → cmd/webhook/certificate.go
@@ -4,15 +4,45 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"math/big"
 	"time"
 )
 
-// generateCert generate a self-signed CA for given organization
-// and sign certificate with the CA for given common name and dns names
+// generateTLS generates a self-signed certificate for the webhook server
+// and returns the certificate and the CA certificate
+// The certificate is generated with the following DNS names:
+// - webhookServiceName
+// - webhookServiceName.webhookNamespace
+// - webhookServiceName.webhookNamespace.svc
+func generateTLS() (tls.Certificate, *bytes.Buffer) {
+	// generate dns names
+	dnsNames := []string{
+		webhookServiceName,
+		webhookServiceName + "." + webhookNamespace,
+		webhookServiceName + "." + webhookNamespace + ".svc",
+	}
+	commonName := webhookServiceName + "." + webhookNamespace + ".svc"
+
+	caPEM, certPEM, certKeyPEM, err := generateCert([]string{admissionWebhookAnnotationBase}, dnsNames, commonName)
+	if err != nil {
+		errorLogger.Fatalf("Failed to generate ca and certificate key pair: %v", err)
+	}
+
+	pair, err := tls.X509KeyPair(certPEM.Bytes(), certKeyPEM.Bytes())
+	if err != nil {
+		errorLogger.Fatalf("Failed to load certificate key pair: %v", err)
+	}
+	return pair, caPEM
+}
+
+// generateCert generates a self-signed certificate with the given organizations, DNS names, and common name
+// The certificate is valid for 1 year
+// The certificate is signed by the CA certificate
+// The CA certificate is generated with the given organizations
 // it resurns the CA, certificate and private key in PEM format.
 func generateCert(orgs, dnsNames []string, commonName string) (*bytes.Buffer, *bytes.Buffer, *bytes.Buffer, error) {
 	// init CA config