forked from openshift/managed-cluster-validating-webhooks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathutils.go
107 lines (96 loc) · 2.88 KB
/
utils.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package utils
import (
"errors"
"fmt"
"io"
"net/http"
"regexp"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
admissionctl "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)
const validContentType string = "application/json"
var (
admissionScheme = runtime.NewScheme()
admissionCodecs = serializer.NewCodecFactory(admissionScheme)
)
func DefaultLabelSelector() metav1.LabelSelector {
return metav1.LabelSelector{
MatchLabels: map[string]string{
"api.openshift.com/managed": "true",
},
}
}
func SliceContains(needle string, haystack []string) bool {
for _, check := range haystack {
if needle == check {
return true
}
}
return false
}
func RegexSliceContains(needle string, haystack []string) bool {
for _, check := range haystack {
checkRe := regexp.MustCompile(check)
if checkRe.Match([]byte(needle)) {
return true
}
}
return false
}
func ParseHTTPRequest(r *http.Request) (admissionctl.Request, admissionctl.Response, error) {
var resp admissionctl.Response
var req admissionctl.Request
var err error
var body []byte
if r.Body != nil {
if body, err = io.ReadAll(r.Body); err != nil {
resp = admissionctl.Errored(http.StatusBadRequest, err)
return req, resp, err
}
} else {
err := errors.New("request body is nil")
resp = admissionctl.Errored(http.StatusBadRequest, err)
return req, resp, err
}
if len(body) == 0 {
err := errors.New("request body is empty")
resp = admissionctl.Errored(http.StatusBadRequest, err)
return req, resp, err
}
contentType := r.Header.Get("Content-Type")
if contentType != validContentType {
err := fmt.Errorf("contentType=%s, expected application/json", contentType)
resp = admissionctl.Errored(http.StatusBadRequest, err)
return req, resp, err
}
ar := admissionv1.AdmissionReview{}
if _, _, err := admissionCodecs.UniversalDeserializer().Decode(body, nil, &ar); err != nil {
resp = admissionctl.Errored(http.StatusBadRequest, err)
return req, resp, err
}
// Copy for tracking
if ar.Request == nil {
err = fmt.Errorf("No request in request body")
resp = admissionctl.Errored(http.StatusBadRequest, err)
return req, resp, err
}
resp.UID = ar.Request.UID
req = admissionctl.Request{
AdmissionRequest: *ar.Request,
}
return req, resp, nil
}
// WebhookResponse assembles an allowed or denied admission response with the same UID as the provided request.
// The reason for allowed admission responses is not shown to the end user and is commonly empty string: ""
func WebhookResponse(request admissionctl.Request, allowed bool, reason string) admissionctl.Response {
resp := admissionctl.ValidationResponse(allowed, reason)
resp.UID = request.UID
return resp
}
func init() {
utilruntime.Must(admissionv1.AddToScheme(admissionScheme))
}