feat: make webhook dryRun-aware

snapp-incubator · Nov 4, 2023 · 7380bc9 · 7380bc9
1 parent 6dda97f
commit 7380bc9
Show file tree

Hide file tree

Showing 3 changed files with 415 additions and 24 deletions.
diff --git a/internal/webhook/rule_fqdn.go b/internal/webhook/rule_fqdn.go
@@ -11,9 +11,10 @@ import (
 )
 
 type checkRequest struct {
-	new   *contourv1.HTTPProxy
-	old   *contourv1.HTTPProxy
-	cache *cache.Cache
+	newObj *contourv1.HTTPProxy
+	oldObj *contourv1.HTTPProxy
+	dryRun *bool
+	cache  *cache.Cache
 }
 
 type checkFqdnOnCreate struct {
@@ -30,18 +31,24 @@ type checkFqdnOnDelete struct {
 
 //nolint:varnamelen
 func (cfoc checkFqdnOnCreate) check(cr *checkRequest) (*admissionv1.AdmissionResponse, error) {
+	var dryRun bool
+
+	if cr.dryRun != nil {
+		dryRun = *cr.dryRun
+	}
+
 	cr.cache.Mu.Lock()
 	defer cr.cache.Mu.Unlock()
 
-	if cr.new.Spec.VirtualHost == nil {
+	if cr.newObj.Spec.VirtualHost == nil {
 		if cfoc.next != nil {
 			return cfoc.next.check(cr)
 		}
 
 		return &admissionv1.AdmissionResponse{Allowed: true}, nil
 	}
 
-	fqdn := cr.new.Spec.VirtualHost.Fqdn
+	fqdn := cr.newObj.Spec.VirtualHost.Fqdn
 
 	_, acquired := cr.cache.FqdnMap[fqdn]
 	if acquired {
@@ -53,7 +60,9 @@ func (cfoc checkFqdnOnCreate) check(cr *checkRequest) (*admissionv1.AdmissionRes
 			}}, nil
 	}
 
-	cr.cache.FqdnMap[fqdn] = &types.NamespacedName{Namespace: cr.new.Namespace, Name: cr.new.Name}
+	if !dryRun {
+		cr.cache.FqdnMap[fqdn] = &types.NamespacedName{Namespace: cr.newObj.Namespace, Name: cr.newObj.Name}
+	}
 
 	if cfoc.next != nil {
 		return cfoc.next.check(cr)
@@ -68,28 +77,36 @@ func (cfoc *checkFqdnOnCreate) setNext(c checker) {
 
 //nolint:varnamelen
 func (cfou checkFqdnOnUpdate) check(cr *checkRequest) (*admissionv1.AdmissionResponse, error) {
+	var dryRun bool
+
+	if cr.dryRun != nil {
+		dryRun = *cr.dryRun
+	}
+
 	cr.cache.Mu.Lock()
 	defer cr.cache.Mu.Unlock()
 
 	//nolint:nestif
-	if cr.new.Spec.VirtualHost == nil && cr.old.Spec.VirtualHost == nil {
+	if cr.newObj.Spec.VirtualHost == nil && cr.oldObj.Spec.VirtualHost == nil {
 		if cfou.next != nil {
 			return cfou.next.check(cr)
 		}
 
 		return &admissionv1.AdmissionResponse{Allowed: true}, nil
-	} else if cr.new.Spec.VirtualHost == nil && cr.old.Spec.VirtualHost != nil {
-		oldFqdn := cr.old.Spec.VirtualHost.Fqdn
+	} else if cr.newObj.Spec.VirtualHost == nil && cr.oldObj.Spec.VirtualHost != nil {
+		oldFqdn := cr.oldObj.Spec.VirtualHost.Fqdn
 
-		delete(cr.cache.FqdnMap, oldFqdn)
+		if !dryRun {
+			delete(cr.cache.FqdnMap, oldFqdn)
+		}
 
 		if cfou.next != nil {
 			return cfou.next.check(cr)
 		}
 
 		return &admissionv1.AdmissionResponse{Allowed: true}, nil
-	} else if cr.new.Spec.VirtualHost != nil && cr.old.Spec.VirtualHost == nil {
-		fqdn := cr.new.Spec.VirtualHost.Fqdn
+	} else if cr.newObj.Spec.VirtualHost != nil && cr.oldObj.Spec.VirtualHost == nil {
+		fqdn := cr.newObj.Spec.VirtualHost.Fqdn
 
 		_, acquired := cr.cache.FqdnMap[fqdn]
 		if acquired {
@@ -101,7 +118,9 @@ func (cfou checkFqdnOnUpdate) check(cr *checkRequest) (*admissionv1.AdmissionRes
 				}}, nil
 		}
 
-		cr.cache.FqdnMap[fqdn] = &types.NamespacedName{Namespace: cr.new.Namespace, Name: cr.new.Name}
+		if !dryRun {
+			cr.cache.FqdnMap[fqdn] = &types.NamespacedName{Namespace: cr.newObj.Namespace, Name: cr.newObj.Name}
+		}
 
 		if cfou.next != nil {
 			return cfou.next.check(cr)
@@ -110,8 +129,8 @@ func (cfou checkFqdnOnUpdate) check(cr *checkRequest) (*admissionv1.AdmissionRes
 		return &admissionv1.AdmissionResponse{Allowed: true}, nil
 	}
 
-	fqdn := cr.new.Spec.VirtualHost.Fqdn
-	oldFqdn := cr.old.Spec.VirtualHost.Fqdn
+	fqdn := cr.newObj.Spec.VirtualHost.Fqdn
+	oldFqdn := cr.oldObj.Spec.VirtualHost.Fqdn
 
 	if fqdn == oldFqdn {
 		if cfou.next != nil {
@@ -131,9 +150,10 @@ func (cfou checkFqdnOnUpdate) check(cr *checkRequest) (*admissionv1.AdmissionRes
 			}}, nil
 	}
 
-	cr.cache.FqdnMap[fqdn] = &types.NamespacedName{Namespace: cr.new.Namespace, Name: cr.new.Name}
-
-	delete(cr.cache.FqdnMap, oldFqdn)
+	if !dryRun {
+		cr.cache.FqdnMap[fqdn] = &types.NamespacedName{Namespace: cr.newObj.Namespace, Name: cr.newObj.Name}
+		delete(cr.cache.FqdnMap, oldFqdn)
+	}
 
 	if cfou.next != nil {
 		return cfou.next.check(cr)
@@ -148,20 +168,28 @@ func (cfou *checkFqdnOnUpdate) setNext(c checker) {
 
 //nolint:varnamelen
 func (cfod checkFqdnOnDelete) check(cr *checkRequest) (*admissionv1.AdmissionResponse, error) {
+	var dryRun bool
+
+	if cr.dryRun != nil {
+		dryRun = *cr.dryRun
+	}
+
 	cr.cache.Mu.Lock()
 	defer cr.cache.Mu.Unlock()
 
-	if cr.old.Spec.VirtualHost == nil {
+	if cr.oldObj.Spec.VirtualHost == nil {
 		if cfod.next != nil {
 			return cfod.next.check(cr)
 		}
 
 		return &admissionv1.AdmissionResponse{Allowed: true}, nil
 	}
 
-	oldFqdn := cr.old.Spec.VirtualHost.Fqdn
+	oldFqdn := cr.oldObj.Spec.VirtualHost.Fqdn
 
-	delete(cr.cache.FqdnMap, oldFqdn)
+	if !dryRun {
+		delete(cr.cache.FqdnMap, oldFqdn)
+	}
 
 	if cfod.next != nil {
 		return cfod.next.check(cr)

diff --git a/internal/webhook/validate.go b/internal/webhook/validate.go
@@ -39,9 +39,10 @@ func validateV1(ar admissionv1.AdmissionReview, cache *cache.Cache) (*admissionv
 	}
 
 	cr := &checkRequest{
-		new:   httpproxy,
-		old:   httpproxyOld,
-		cache: cache,
+		newObj: httpproxy,
+		oldObj: httpproxyOld,
+		dryRun: ar.Request.DryRun,
+		cache:  cache,
 	}
 
 	switch ar.Request.Operation {