- package main
- import (
- "encoding/json"
- "fmt"
- "github.com/networkservicemesh/networkservicemesh/pkg/tools"
- "github.com/networkservicemesh/networkservicemesh/sdk/client"
- "github.com/sirupsen/logrus"
- admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
- corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/resource"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/serializer"
- "k8s.io/kubernetes/pkg/apis/core/v1"
- )
// TLS material for the webhook's HTTPS listener. The paths are fixed, so the
// serving certificate and key have to be mounted at /etc/webhook/certs by the
// deployment; the server that reads them is not part of this excerpt.
const (
	certFile = "/etc/webhook/certs/cert.pem"
	keyFile  = "/etc/webhook/certs/key.pem"
)
// patchOperation is a single JSON Patch operation as produced by createPatch
// and addVolume: the operation name (only "add" is used here), a JSON-pointer
// Path into the admitted object, and the Value to insert. Value is left out of
// the encoding when it is nil.
type patchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}
var (
	// deserializer decodes the objects carried in admission requests; it is
	// built in init from the registered schemes.
	deserializer runtime.Decoder
	// ignoredNamespaces are the namespaces that are never mutated
	// (kube-system and kube-public); getAnnotationValue skips them.
	ignoredNamespaces = []string{
		metav1.NamespaceSystem,
		metav1.NamespacePublic,
	}
	// repo, initContainer and tag form the injected image reference
	// "<repo>/<initContainer>:<tag>" in createPatch. Presumably they are
	// populated from the REPO/INITCONTAINER/TAG environment variables
	// somewhere outside this excerpt — confirm at startup.
	repo          string
	initContainer string
	tag           string
)
const (
	// nsmAnnotationKey is the pod/template annotation that opts a workload
	// into init-container injection; its value is handed to the init
	// container unchanged.
	nsmAnnotationKey = "ns.networkservicemesh.io"

	// Environment variables that override the injected image reference, and
	// the values used when they are unset.
	repoEnv          = "REPO"
	initContainerEnv = "INITCONTAINER"
	tagEnv           = "TAG"
	repoDefault      = "networkservicemesh"
	// initContainerDefault is the image name, initContainerName the container
	// name inside the pod spec; getAnnotationValue uses the latter to detect a
	// pod that is already injected.
	initContainerDefault = "nsm-init"
	// NOTE(review): "latest" is a mutable tag, so the default does not pin the
	// injected image to a specific build; a digest or a fixed version would
	// make the injected content reproducible.
	tagDefault        = "latest"
	initContainerName = "nsm-init-container"

	// JSON-pointer prefixes of the PodSpec inside the two object kinds the
	// webhook patches.
	pathDeploymentSpec = "/spec/template/spec"
	pathPodSpec        = "/spec"
)
// init registers the API types the webhook has to decode (core/v1, admission
// registration v1beta1 and the kubernetes core package that carries the
// defaulting functions) and builds the package-level deserializer from them.
func init() {
	scheme := runtime.NewScheme()

	// Registration errors are discarded. NOTE(review): if any AddToScheme
	// call could fail here, a type missing from the scheme would only show up
	// later as a decode error on live admission requests; failing fast in init
	// would make that visible at startup — confirm whether that is wanted.
	_ = corev1.AddToScheme(scheme)
	_ = admissionregistrationv1beta1.AddToScheme(scheme)

	// Needed so decoded objects get their defaults applied; see
	// https://github.com/kubernetes/kubernetes/issues/57982
	_ = v1.AddToScheme(scheme)

	deserializer = serializer.NewCodecFactory(scheme).UniversalDeserializer()
}
// getAnnotationValue looks up the nsm annotation on metadata and reports
// whether injection should go ahead.
//
// It returns ("", false) when spec already has an init container named
// initContainerName, when metadata.Namespace is listed in
// ignoredNamespaceList (logged at Info level), or when the annotation is
// absent. Otherwise it returns the annotation value and true.
//
// Two points worth knowing at the call site: the "already injected" test
// matches on container name only, so a workload that declares its own
// container with that name is treated as injected and left alone; and the
// namespace test reads metadata.Namespace from the object itself — if the
// caller does not fill it from the admission request, an empty namespace
// would not match the ignore list. Confirm both against the caller.
func getAnnotationValue(ignoredNamespaceList []string, metadata *metav1.ObjectMeta, spec *corev1.PodSpec) (string, bool) {
	// Already injected?
	for i := range spec.InitContainers {
		if spec.InitContainers[i].Name == initContainerName {
			return "", false
		}
	}

	// Never touch the special system namespaces.
	for _, ns := range ignoredNamespaceList {
		if ns != metadata.Namespace {
			continue
		}
		logrus.Infof("Skip validation for %v for it's in special namespace:%v", metadata.Name, metadata.Namespace)
		return "", false
	}

	// Indexing a nil map yields ("", false), which is exactly the
	// "no annotation" answer.
	value, ok := metadata.GetAnnotations()[nsmAnnotationKey]
	return value, ok
}
// validateAnnotationValue checks that value parses with
// tools.ParseAnnotationValue and returns the parse error, if any.
//
// The parsed network service URLs are logged at Info level before the error
// is inspected, so a rejected value still produces a log line.
func validateAnnotationValue(value string) error {
	nsURLs, parseErr := tools.ParseAnnotationValue(value)
	logrus.Infof("Annotation nsurls: %v", nsURLs)
	if parseErr != nil {
		return parseErr
	}
	return nil
}
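// createPatch builds the JSON Patch (a marshalled []patchOperation) that
// injects the NSM init container and the SPIRE agent socket volume into
// podSpec.
//
// pathToSpec is the JSON-pointer prefix of the PodSpec inside the admitted
// object (pathPodSpec for a Pod, pathDeploymentSpec for a Deployment).
// annotationValue is placed verbatim in the init container's
// client.AnnotationEnv environment variable; it is expected to have passed
// validateAnnotationValue at the call site, which is not visible here.
//
// Effects of the patch the reviewer of a mutating webhook should know about:
// the init container mounts the host directory /run/spire/sockets (a hostPath
// volume of type DirectoryOrCreate, so it is created on the node if missing)
// read-only, reserves one "networkservicemesh.io/socket" resource, and runs
// the image "<repo>/<initContainer>:<tag>" taken from the package-level
// variables.
//
// Returns the JSON-encoded patch, or the error from json.Marshal.
func createPatch(podSpec *corev1.PodSpec, annotationValue, pathToSpec string) ([]byte, error) {
	nsmInit := corev1.Container{
		Name:            initContainerName,
		Image:           fmt.Sprintf("%s/%s:%s", repo, initContainer, tag),
		ImagePullPolicy: corev1.PullIfNotPresent,
		Env: []corev1.EnvVar{
			{
				Name:  client.AnnotationEnv,
				Value: annotationValue,
			},
		},
		VolumeMounts: []corev1.VolumeMount{
			{
				Name:      "spire-agent-socket",
				MountPath: "/run/spire/sockets",
				ReadOnly:  true,
			},
		},
		Resources: corev1.ResourceRequirements{
			Limits: corev1.ResourceList{
				"networkservicemesh.io/socket": resource.NewQuantity(1, resource.DecimalSI).DeepCopy(),
			},
		},
	}

	// A JSON Patch "add" whose target already exists replaces it, so adding a
	// whole "/initContainers" array unconditionally would silently discard
	// any init containers the workload declares itself. Create the array only
	// when it is empty and append with "/-" otherwise — the same treatment
	// addVolume gives volumes. A pre-existing container named
	// initContainerName is ruled out by getAnnotationValue, provided the
	// caller gated on it.
	initPath := pathToSpec + "/initContainers"
	var initValue interface{} = nsmInit
	if len(podSpec.InitContainers) == 0 {
		initValue = []corev1.Container{nsmInit}
	} else {
		initPath += "/-"
	}
	patch := []patchOperation{{
		Op:    "add",
		Path:  initPath,
		Value: initValue,
	}}

	hostPathType := new(corev1.HostPathType)
	*hostPathType = corev1.HostPathDirectoryOrCreate
	patch = append(patch, addVolume(podSpec.Volumes, []corev1.Volume{
		{
			Name: "spire-agent-socket",
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{
					Path: "/run/spire/sockets",
					Type: hostPathType,
				},
			},
		},
	}, pathToSpec+"/volumes")...)

	return json.Marshal(patch)
}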
// addVolume returns the JSON Patch "add" operations that put every volume in
// added under basePath (the "/volumes" pointer of the target pod spec).
//
// When target is empty the first operation creates the array at basePath
// holding a single volume; every later volume — and every volume when target
// already has entries — is appended through the "/-" pointer so that the
// volumes the workload already declares are preserved.
func addVolume(target, added []corev1.Volume, basePath string) (patch []patchOperation) {
	mustCreateArray := len(target) == 0
	for _, vol := range added {
		op := patchOperation{
			Op:    "add",
			Path:  basePath + "/-",
			Value: vol,
		}
		if mustCreateArray {
			// Only the very first volume creates the array; after that the
			// array exists and we append.
			mustCreateArray = false
			op.Path = basePath
			op.Value = []corev1.Volume{vol}
		}
		patch = append(patch, op)
	}
	return patch
}