Initial commit

.dockerignore

@@ -0,0 +1,4 @@
+# More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
+# Ignore build and test binaries.
+bin/
+testbin/

.github/workflows/check.yaml

@@ -0,0 +1,19 @@
+name: Checks
+
+on:
+  push:
+    branches:
+      - main
+  pull_request: {}
+
+jobs:
+  checks:
+    name: checks
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '^1.21.0'
+      - name: Run checks with make
+        run: make check

.github/workflows/image.yaml

@@ -0,0 +1,34 @@
+name: Build Container Image
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  docker:
+    name: docker
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+        with:
+          platforms: amd64
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ghcr.io/${{ github.repository }}
+      - uses: docker/build-push-action@v5
+        with:
+          file: "Dockerfile"
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -0,0 +1,26 @@
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+bin
+testbin/*
+Dockerfile.cross
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Kubernetes Generated files - skip generated files, except for vendored files
+
+!vendor/**/zz_generated.*
+
+# editor and IDE paraphernalia
+.idea
+*.swp
+*.swo
+*~

.golangci.yml

@@ -0,0 +1,41 @@
+run:
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  deadline: 5m
+  # include test files or not, default is true
+  tests: false
+output:
+  option: value
+linters:
+  disable-all: true
+  enable:
+    - errcheck
+    - goconst
+    - godot
+    - godox
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nestif
+    - nilerr
+    - nlreturn
+    - nolintlint
+    - nonamedreturns
+    - prealloc
+    - predeclared
+    - reassign
+    # - revive
+    - staticcheck
+    - tagalign
+    - tagliatelle
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - varnamelen
+    - wastedassign
+    - whitespace
+    - wsl

Dockerfile

@@ -0,0 +1,32 @@
+# Build the manager binary
+FROM golang:1.21.0 as builder
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY cmd/main.go cmd/main.go
+COPY internal/ internal/
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} make build
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/bin/contour-admission-webhook .
+USER 65532:65532
+
+ENTRYPOINT ["/contour-admission-webhook"]

LICENSE

@@ -0,0 +1,12 @@
+Copyright SnappCloud Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

Makefile

@@ -0,0 +1,53 @@
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+BIN := contour-admission-webhook
+VERSION := $(shell git describe --exact-match 2>/dev/null || basename $$(git describe --all --long 2>/dev/null))
+
+GO_BUILD_LDFLAGS := \
+	-s \
+	-w
+
+# Image URL to use all building/pushing image targets
+IMG ?= $(BIN):$(VERSION)
+
+all: build
+
+test: check
+
+.PHONY: check
+check: fmt vet lint
+	go test ./... -coverprofile cover.out
+
+.PHONY: build
+build: fmt vet lint
+	go build -mod=readonly -ldflags "$(GO_BUILD_LDFLAGS)" -a -o bin/$(BIN) cmd/main.go
+
+.PHONY: fmt
+fmt:
+	go fmt -mod=readonly ./...
+
+.PHONY: vet
+vet:
+	go vet -mod=readonly -ldflags "$(GO_BUILD_LDFLAGS)" ./...
+
+.PHONY: lint
+lint:
+	go run github.com/golangci/golangci-lint/cmd/[email protected] run -v --exclude-use-default=false
+
+.PHONY: docker-build
+docker-build:
+	docker build -t ${IMG} -f Dockerfile .
+
+.PHONY: docker-push
+docker-push:
+	docker push ${IMG}
+
+.PHONY: clean
+clean:
+	@rm -rf cover.out
+	@rm -rf bin

README.md

@@ -0,0 +1,69 @@
+# contour-admission-webhook
+
+## Introduction
+`contour-admission-webhook` is a Kubernetes admission webhook server designed to assist in the validation of HTTPProxy objects. The primary objective of this webhook is to prevent the existence of duplicate Fully Qualified Domain Names (FQDNs) across HTTPProxy objects, but it also offers the flexibility to be expanded with multiple chained rules.
+When duplicates occur, all the related HTTPProxy objects turn invalid, leading to HTTP 404 errors because the associated configurations are removed from the Envoy proxy.
+
+## How It Works
+
+### Overview:
+The `contour-admission-webhook` server relies on an in-memory cache, initialized at startup, to maintain a map of FQDNs to their respective owner references before it begins processing requests. At the forefront of the rule chain is the FQDN validation rule, which leverages this in-memory cache.
+
+### FQDN Validation Flow:
+- CREATE/UPDATE Operations:
+
+  When attempting to create or update an HTTPProxy object, the webhook first checks the requested FQDN against the built-in cache. If a match is found, the webhook operation is declined, accompanied by a message detailing the reason.
+  If no match is found, the FQDN is added to the cache and the operation gets approved.
+  For UPDATE operations specifically, any previous FQDN associated with the object is removed from the cache.
+
+- DELETE Operations:
+
+  Upon executing a DELETE operation, the corresponding FQDN entry is purged from the cache and the operation gets approved.
+
+<!-- ## Getting Started -->
+
+## Contributing Guide
+We appreciate your interest in contributing to our `contour-admission-webhook` project! This guide will walk you through the process of building upon our foundation, crafted using the Chain of Responsibility pattern.
+
+### Rule Chain
+The rule chain contains rules that are executed in the order set to validate the request. This pattern allows us to have great isolation between each rule. It also gives us the possibility to re-order the rules if what the webhook is supposed to do changes.
+
+### Adding a New Validating Rule
+1. Create a new rule file:
+
+   Inside the `internal/webhook` directory, create a new Go file named after your rule, e.g. `rule_example.go`.
+
+2. Implement the `checker` Interface:
+    ```Go
+    type checker interface {
+	    check(cr *checkRequest) (*admissionv1.AdmissionResponse, error)
+	    setNext(checker)
+    }
+    ```
+
+1. Write your rule logic:
+
+    ```Go
+    type exampleRule struct {
+        next Rule
+    }
+
+    func (e *exampleRule) check(cr *checkRequest) (*admissionv1.AdmissionResponse, error) {
+        // Your rule logic here
+        // ...
+
+        if e.next != nil {
+            return e.next.check(cr)
+        }
+
+        return &admissionv1.AdmissionResponse{Allowed: true}, nil
+    }
+
+    func (e *exampleRule) setNext(c checker) {
+        e.next = c
+    }
+    ```
+
+4. Add your rule to the chain:
+
+   Modify the chain initialiser in include your rule.

cmd/main.go

@@ -0,0 +1,48 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"flag"
+
+	"github.com/snapp-incubator/contour-admission-webhook/internal/cache"
+	"github.com/snapp-incubator/contour-admission-webhook/internal/client"
+	"github.com/snapp-incubator/contour-admission-webhook/internal/webhook"
+	"k8s.io/klog/v2"
+)
+
+func init() {
+	klog.InitFlags(nil)
+}
+
+func main() {
+	var address, tlsKeyPath, tlsCertPath string
+
+	flag.StringVar(&address, "address", ":8443", "Server listen address")
+	flag.StringVar(&tlsKeyPath, "tls-key-path", "./tls.key", "Path to the TLS key")
+	flag.StringVar(&tlsCertPath, "tls-cert-path", "./tls.crt", "Path to the TLS certificate")
+	flag.Parse()
+
+	client, err := client.NewK8sClient()
+	if err != nil {
+		klog.Fatalf("K8s client setup failed: %s", err)
+	}
+
+	cache := cache.NewCache()
+
+	if err := cache.PopulateInitialCache(client); err != nil {
+		klog.Fatalf("Cache initialization failed: %s", err)
+	}
+
+	webhook.Setup(address, tlsCertPath, tlsKeyPath, cache)
+}