From 29b8f4e831a94c5a6dc095a3bcaef90736067bda Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Fri, 7 Feb 2025 11:47:13 +0000 Subject: [PATCH 01/14] [TEST] adding print --- vault.go | 4 +++- webhook.go | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/vault.go b/vault.go index 3a2948d..668cecb 100644 --- a/vault.go +++ b/vault.go @@ -24,6 +24,7 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] initContainers := []corev1.Container{} for _, databaseInfo := range databases { + //* These are fields from the CRD! database := databaseInfo.database role := databaseInfo.role serviceAccount := pod.Spec.ServiceAccountName @@ -52,7 +53,7 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] vaultContainer := corev1.Container{ Image: sidecarImage, - ImagePullPolicy: "Always", + ImagePullPolicy: "Always", // TODO: Change to IfNotPresent? https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy Resources: corev1.ResourceRequirements{ Requests: requests, Limits: limits, @@ -102,6 +103,7 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] }, } + // TODO: remember not to have preStop hook in the init container. initContainer := vaultContainer jobLikeOwnerReferencesKinds := map[string]bool{"Job": true, "Workflow": true} diff --git a/webhook.go b/webhook.go index 731e85e..767c7f4 100644 --- a/webhook.go +++ b/webhook.go @@ -99,6 +99,7 @@ func (srv webHookServer) serve(w http.ResponseWriter, r *http.Request) { } +// This handles the admission review sent by k8s and mutates the pod func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse { req := ar.Request 
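Review bot: The TODO added on the `ImagePullPolicy: "Always"` line in the second vault.go hunk points the wrong way for a credential-handling sidecar: with `IfNotPresent` a node keeps serving whatever image it has cached under the `sidecarImage` tag, so a retagged or withdrawn image is never re-fetched and the registry is not consulted at scheduling time, which is exactly why clusters that care about image provenance enforce AlwaysPullImages. Keeping `Always`, or pinning `sidecarImage` by digest if the project's configuration allows it, is the safer default, so I would replace the TODO with `// "Always" is deliberate: this sidecar handles credentials, so never trust a node-cached image for a mutable tag.`. How `sidecarImage` is set is outside the hunk, so whether it is tag- or digest-pinned is not visible here.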
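Review bot: The comment added above `mutate` in the webhook.go hunk does not start with the method name, so Go tooling will not treat it as the method's doc comment; `// mutate handles an AdmissionReview from the API server and returns the resulting AdmissionResponse.` keeps the same information in the conventional form. The body of mutate continues past the hunk, so whether it always returns a non-nil response is not visible here.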
@@ -121,7 +122,9 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR log.Infof("AdmissionReview for Kind=%v, Namespace=%v Name=%v UID=%v patchOperation=%v UserInfo=%v", ownerKind, req.Namespace, ownerName, req.UID, req.Operation, req.UserInfo) + // 'binds' is the list of database credential bindings binds, err := srv.bindings.List() + log.Info(" -----> Database bindings: %+v", binds) if err != nil { return &v1beta1.AdmissionResponse{ Result: &metav1.Status{ @@ -138,6 +141,7 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR } } + // TODO: This is were we build database bindings for the pod databases := matchBindings(filteredBindings, pod.Spec.ServiceAccountName) if len(databases) == 0 { log.Infof("Skipping mutation for %s/%s due to policy check", req.Namespace, ownerName) @@ -176,6 +180,7 @@ func filterBindings(bindings []v1alpha1.DatabaseCredentialBinding, namespace str return filteredBindings } +// TODO: This is were we build database bindings for the pod func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount string) []database { matchedBindings := []database{} for _, binding := range bindings { From bee03f910ea847bd6f16e29731c3a370c28a3153 Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Fri, 7 Feb 2025 11:53:48 +0000 Subject: [PATCH 02/14] [TEST] adding print --- webhook.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webhook.go b/webhook.go index 767c7f4..18d78de 100644 --- a/webhook.go +++ b/webhook.go @@ -124,7 +124,7 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR // 'binds' is the list of database credential bindings binds, err := srv.bindings.List() - log.Info(" -----> Database bindings: %+v", binds) + log.Infof(" -----> Database bindings: %+v", binds) if err != nil { return &v1beta1.AdmissionResponse{ Result: &metav1.Status{ From 2fd8922d1136a6b69516e942cd6acedf64375c2f Mon Sep 17 00:00:00 2001 
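Review bot: The new `log.Info(" -----> Database bindings: %+v", binds)` line sits between `srv.bindings.List()` and its `if err != nil` check, so on a listing error it prints a nil or partial slice before the error is handled, and on every admission request it dumps every binding the lister knows about at Info level; the placement survives the `Infof` fix in patch 02 and the `[mutate] List of all bindings` rename in patch 05, so this note covers those hunks too. Move the line below the error block and lower it to debug, or log only the count, e.g. `log.Debugf("listed %d database credential bindings", len(binds))`. As far as the types in this series show, bindings carry database, role and service-account names rather than secrets, so this is a log-noise and retention concern rather than a leak, but admission logs tend to be kept for a long time. `mutate` starts before the hunk.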
From: Matteo Mori Date: Fri, 7 Feb 2025 12:19:23 +0000 Subject: [PATCH 03/14] feat(): expand CRD --- .../v1alpha1/types.go | 27 +++++++++++++++---- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go index 38a4816..ef2397d 100644 --- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go +++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go @@ -15,11 +15,12 @@ type DatabaseCredentialBinding struct { } type DatabaseCredentialBindingSpec struct { - Database string `json:"database"` - Role string `json:"role"` - OutputPath string `json:"outputPath"` - OutputFile string `json:"outputFile"` - ServiceAccount string `json:"serviceAccount"` + Database string `json:"database"` + Role string `json:"role"` + OutputPath string `json:"outputPath"` + OutputFile string `json:"outputFile"` + ServiceAccount string `json:"serviceAccount"` + Container *Container `json:"container,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -30,3 +31,19 @@ type DatabaseCredentialBindingList struct { Items []DatabaseCredentialBinding `json:"items"` } + +type Container struct { + Lifecycle *Lifecycle `json:"lifecycle,omitempty"` +} + +type Lifecycle struct { + PreStop *LifecycleHandler `json:"preStop,omitempty"` +} + +type LifecycleHandler struct { + Exec *ExecAction `json:"exec,omitempty"` +} + +type ExecAction struct { + Command []string `json:"command,omitempty"` +} From 915a7a363b5fad6298e143877c03b7e8fef0f098 Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Fri, 7 Feb 2025 12:42:25 +0000 Subject: [PATCH 04/14] feat(expand CRDs): Changed type to point to Container rather than a pointer --- .../vaultwebhook.uswitch.com/v1alpha1/types.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
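Review bot: The diffstat lists only `types.go`, yet `DatabaseCredentialBindingSpec` gains a `*Container` field and `ExecAction` a `[]string`, both of which need `DeepCopyInto` support for a type carrying a `+k8s:deepcopy-gen` marker; unless the generated deepcopy file is committed separately, `DeepCopy()` of a binding now shares the `Command` slice and the `*Container` with the original object handed out by the lister. Re-run the generator (go.mod pulls in `k8s.io/code-generator`, so that is presumably the intended route) in the same change so copies are actually independent. A one-line doc comment on each new type would also help since they shadow the corev1 names, e.g. `// Container holds the subset of corev1.Container settings a binding may apply to the injected sidecar.`.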
diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go index ef2397d..fac09b3 100644 --- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go +++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go @@ -15,12 +15,12 @@ type DatabaseCredentialBinding struct { } type DatabaseCredentialBindingSpec struct { - Database string `json:"database"` - Role string `json:"role"` - OutputPath string `json:"outputPath"` - OutputFile string `json:"outputFile"` - ServiceAccount string `json:"serviceAccount"` - Container *Container `json:"container,omitempty"` + Database string `json:"database"` + Role string `json:"role"` + OutputPath string `json:"outputPath"` + OutputFile string `json:"outputFile"` + ServiceAccount string `json:"serviceAccount"` + Container Container `json:"container,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -33,15 +33,15 @@ type DatabaseCredentialBindingList struct { } type Container struct { - Lifecycle *Lifecycle `json:"lifecycle,omitempty"` + Lifecycle Lifecycle `json:"lifecycle,omitempty"` } type Lifecycle struct { - PreStop *LifecycleHandler `json:"preStop,omitempty"` + PreStop LifecycleHandler `json:"preStop,omitempty"` } type LifecycleHandler struct { - Exec *ExecAction `json:"exec,omitempty"` + Exec ExecAction `json:"exec,omitempty"` } type ExecAction struct { From cc4c859e7f273a12bf43f8ca0a2b8361949af19b Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Fri, 7 Feb 2025 13:25:50 +0000 Subject: [PATCH 05/14] feat(expand CRDs): Added support for InitContainer specs. Modified the database slice object by adding the 2 new fields. Printing test --- .../v1alpha1/types.go | 1 + webhook.go | 44 ++++++++++++++----- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go index fac09b3..0db404d 100644 
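Review bot: Switching `Container`, `Lifecycle`, `PreStop` and `Exec` from pointers to values (both hunks of this patch) makes the `omitempty` on those tags a no-op: encoding/json never treats a struct value as empty, so a binding with no container settings now round-trips as `"container":{"lifecycle":{"preStop":{"exec":{}}}}`, and the API can no longer distinguish "not set" from "set to zero". If the aim was to avoid nil checks in the webhook, keep the pointers in the API type and add a small nil-safe accessor such as `func (c *Container) PreStopCommand() []string`; otherwise drop the misleading `omitempty` from the struct-valued fields and keep it only on `Command`.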
--- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go +++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go @@ -21,6 +21,7 @@ type DatabaseCredentialBindingSpec struct { OutputFile string `json:"outputFile"` ServiceAccount string `json:"serviceAccount"` Container Container `json:"container,omitempty"` + InitContainer Container `json:"initcontainer,omitempty"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/webhook.go b/webhook.go index 18d78de..1efd880 100644 --- a/webhook.go +++ b/webhook.go @@ -38,10 +38,12 @@ type patchOperation struct { } type database struct { - database string - role string - outputPath string - outputFile string + database string + role string + outputPath string + outputFile string + vaultContainer v1alpha1.Container + initVaultContainer v1alpha1.Container } func (srv webHookServer) serve(w http.ResponseWriter, r *http.Request) { @@ -122,9 +124,9 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR log.Infof("AdmissionReview for Kind=%v, Namespace=%v Name=%v UID=%v patchOperation=%v UserInfo=%v", ownerKind, req.Namespace, ownerName, req.UID, req.Operation, req.UserInfo) - // 'binds' is the list of database credential bindings + // A list of ALL the bindings. binds, err := srv.bindings.List() - log.Infof(" -----> Database bindings: %+v", binds) + log.Infof("[mutate] List of all bindings: %+v", binds) if err != nil { return &v1beta1.AdmissionResponse{ Result: &metav1.Status{ @@ -133,6 +135,7 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR } } + // Filter out the bindings that are not in the target namespace filteredBindings := filterBindings(binds, req.Namespace) if len(filteredBindings) == 0 { log.Infof("Skipping mutation for %s/%s, no database credential bindings in namespace", req.Namespace, ownerName) 
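Review bot: The new field's JSON tag is `initcontainer`, while every sibling tag in the spec (`outputPath`, `outputFile`, `serviceAccount`) is lowerCamelCase; once a CRD version is served, the tag is the wire format and renaming it later breaks existing manifests. Use `json:"initContainer,omitempty"` before this ships. The CRD OpenAPI schema that validates this field, if one is generated, is not part of this series, so check it is regenerated as well.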
@@ -141,7 +144,7 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR } } - // TODO: This is were we build database bindings for the pod + // Identify bindings with ServiceAccount field matching the pod's ServiceAccountName databases := matchBindings(filteredBindings, pod.Spec.ServiceAccountName) if len(databases) == 0 { log.Infof("Skipping mutation for %s/%s due to policy check", req.Namespace, ownerName) @@ -170,6 +173,7 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR } } +// For all the bindings, we need to find the ones in the target namespace func filterBindings(bindings []v1alpha1.DatabaseCredentialBinding, namespace string) []v1alpha1.DatabaseCredentialBinding { filteredBindings := []v1alpha1.DatabaseCredentialBinding{} for _, binding := range bindings { @@ -180,7 +184,12 @@ func filterBindings(bindings []v1alpha1.DatabaseCredentialBinding, namespace str return filteredBindings } -// TODO: This is were we build database bindings for the pod +/* + For all the bindings in the namespace, check which one has a ServiceeAccount that matches the pod's ServiceAccount + - We could have multiple database specifications to be attached to a single pod. + - This means that we could also have different VaultContainer specs for each DatabaseCredentialBinding. + - As a consequence, to keep things consistent and easy to follow, we are appending into the `database` slice. +*/ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount string) []database { matchedBindings := []database{} for _, binding := range bindings { 
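Review bot: The block comment added above `matchBindings` uses `/* */`, does not begin with the function name and misspells `ServiceeAccount`, so it neither reads as the doc comment nor scans cleanly; a `//` comment such as `// matchBindings returns one database entry per binding whose ServiceAccount matches serviceAccount; a pod may match several bindings, each with its own container specs.` carries the same information in the conventional form. The same applies to the `// For all the bindings, we need to find...` comment on `filterBindings` in the hunk above, which could read `// filterBindings returns the bindings whose Namespace equals namespace.`. The body of matchBindings continues past the hunk.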
@@ -189,7 +198,18 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount if output == "" { output = "/etc/database" } - matchedBindings = appendIfMissing(matchedBindings, database{role: binding.Spec.Role, database: binding.Spec.Database, outputPath: output, outputFile: binding.Spec.OutputFile}) + // TODO: REMOVE THE BELOW LOGS + log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container) + log.Infof("[matchBindings] Printing content of InitContainer: %+v", binding.Spec.InitContainer) + + matchedBindings = appendIfMissing(matchedBindings, database{ + role: binding.Spec.Role, + database: binding.Spec.Database, + outputPath: output, + outputFile: binding.Spec.OutputFile, + vaultContainer: binding.Spec.Container, + initVaultContainer: binding.Spec.InitContainer, + }) } } return matchedBindings @@ -197,7 +217,11 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount func appendIfMissing(slice []database, d database) []database { for _, ele := range slice { - if ele == d { + // No need to compare the Container and InitContainer fields. + if ele.role == d.role && + ele.database == d.database && + ele.outputPath == d.outputPath && + ele.outputFile == d.outputFile { return slice } } From 2aff79a0a84fc05ce3b361cc228389626cc2343a Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Fri, 7 Feb 2025 16:27:23 +0000 Subject: [PATCH 06/14] feat(expand CRDs): Add Lifecycle hook in container spec --- vault.go | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/vault.go b/vault.go index 668cecb..8abbef8 100644 --- a/vault.go +++ b/vault.go 
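Review bot: The two `log.Infof("[matchBindings] Printing content ...")` lines marked `TODO: REMOVE THE BELOW LOGS` run for every matched binding on every admission request and print the full `Container`/`InitContainer` structs, including the preStop `Command`, at Info level; none of the patches visible here removes them, so they should go, or at least drop to `log.Debugf`, before merge. The `database` literal that follows is fine. matchBindings starts before the hunk.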
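Review bot: `appendIfMissing` now deliberately ignores `vaultContainer` and `initVaultContainer` when deciding that two `database` entries are duplicates, so when two bindings agree on role, database and output but differ only in their lifecycle hooks, the first one seen silently wins and that order depends on the lister rather than on anything the user controls. Either include the container specs in the comparison (`reflect.DeepEqual(ele.vaultContainer, d.vaultContainer)` or a small `equalContainer` helper, since `v1alpha1.Container` holds a slice and is not comparable) or log the dropped binding so operators can see the conflict. At minimum, make the rule explicit in the comment: `// Container specs are ignored here: the first binding seen for a role/database/output keeps its hooks.`.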
@@ -24,7 +24,9 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] initContainers := []corev1.Container{} for _, databaseInfo := range databases { - //* These are fields from the CRD! + vaultContainerSpec := databaseInfo.vaultContainer + initVaultContainerSpec := databaseInfo.initVaultContainer + database := databaseInfo.database role := databaseInfo.role serviceAccount := pod.Spec.ServiceAccountName @@ -53,7 +55,7 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] vaultContainer := corev1.Container{ Image: sidecarImage, - ImagePullPolicy: "Always", // TODO: Change to IfNotPresent? https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + ImagePullPolicy: "Always", Resources: corev1.ResourceRequirements{ Requests: requests, Limits: limits, @@ -103,9 +105,32 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] }, } - // TODO: remember not to have preStop hook in the init container. initContainer := vaultContainer + // TODO: This is likely to be in a function by itself + // Conditionally set Lifecycle if it exists in containerSpec + if vaultContainerSpec.Lifecycle.PreStop.Exec.Command != nil { + vaultContainer.Lifecycle = &corev1.Lifecycle{ + PreStop: &corev1.LifecycleHandler{ + Exec: &corev1.ExecAction{ + Command: vaultContainerSpec.Lifecycle.PreStop.Exec.Command, + }, + }, + } + } + + // Conditionally set Lifecycle if it exists in InitContainerSpec + if initVaultContainerSpec.Lifecycle.PreStop.Exec.Command != nil { + initContainer.Lifecycle = &corev1.Lifecycle{ + PreStop: &corev1.LifecycleHandler{ + Exec: &corev1.ExecAction{ + Command: initVaultContainerSpec.Lifecycle.PreStop.Exec.Command, + }, + }, + } + } + // TODO: End function to wrap + jobLikeOwnerReferencesKinds := map[string]bool{"Job": true, "Workflow": true} if len(pod.ObjectMeta.OwnerReferences) != 0 { ownerKind := pod.ObjectMeta.OwnerReferences[0].Kind 
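Review bot: Setting `initContainer.Lifecycle` in the third hunk reintroduces what the removed `TODO: remember not to have preStop hook in the init container.` warned about: Kubernetes pod validation rejects `lifecycle` on init containers unless the container is a restartable (sidecar) init container, so a binding that sets `initcontainer.lifecycle` makes the admission patch produce a pod the API server refuses, and the failure lands on the workload rather than on the webhook; patch 07's message about "fixed issue with init container's lifecycle hooks" may be addressing this, but no guard is visible in the series, and the `corev1.ContainerRestartPolicyAlways` check needed to gate it only exists in the k8s.io/api version that patch bumps to. The `!= nil` tests should also be `len(...) == 0` checks, since an explicit `command: []` in a binding currently yields an exec hook with no command (the `initContainer := vaultContainer` copy happening before the sidecar's Lifecycle is assigned is correct, as the init container does not inherit it). Worth a comment near this code as well: the preStop command is taken verbatim from the DatabaseCredentialBinding, so whoever may create or edit bindings in a namespace decides what runs inside the injected sidecar that presumably holds the fetched credentials, and that trust boundary belongs in the CRD documentation and in the RBAC applied to the binding resource. The duplicated literal is the helper the `TODO: This is likely to be in a function by itself` asks for; the sketch below needs the `v1alpha1` import that patch 07 adds to vault.go and assumes the `vaultContainer` literal above does not already set `Lifecycle` (that part of addVault is outside the hunk).
```go
// lifecycleFromSpec converts a binding's optional preStop exec hook into the
// corev1 form. It returns nil when no command is configured, so the container
// carries no Lifecycle at all in that case.
func lifecycleFromSpec(spec v1alpha1.Container) *corev1.Lifecycle {
	cmd := spec.Lifecycle.PreStop.Exec.Command
	if len(cmd) == 0 {
		return nil
	}
	return &corev1.Lifecycle{
		PreStop: &corev1.LifecycleHandler{
			Exec: &corev1.ExecAction{Command: cmd},
		},
	}
}

// … unchanged: addVault up to and including the vaultContainer literal …
		initContainer := vaultContainer
		vaultContainer.Lifecycle = lifecycleFromSpec(vaultContainerSpec)
		// Only valid for restartable init containers; see the review note.
		initContainer.Lifecycle = lifecycleFromSpec(initVaultContainerSpec)
```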
From 01145b4ce89063c75c4700114881058929a4fc4e Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Fri, 7 Feb 2025 16:39:51 +0000 Subject: [PATCH 07/14] feat(expand CRDs): Moved comparison into its own function and updated how condition is evaluated for []string fix(expand CRDs): Updated go dependencies and fixed issue with init container's lifecycle hooks support --- go.mod | 60 ++++++++++++++++++++++++++++++-------------------------- go.sum | 42 +++++++++++++++++++++++++++++++++++++++ vault.go | 47 ++++++++++++++++++++++---------------------- 3 files changed, 98 insertions(+), 51 deletions(-) diff --git a/go.mod b/go.mod index 7723702..a80f9c3 100644 --- a/go.mod +++ b/go.mod @@ -1,14 +1,16 @@ module github.com/uswitch/vault-webhook -go 1.20 +go 1.23.0 + +toolchain go1.23.6 require ( github.com/prometheus/client_golang v1.15.1 github.com/sirupsen/logrus v1.9.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/fsnotify.v1 v1.4.7 - k8s.io/api v0.24.15 - k8s.io/apimachinery v0.24.15 + k8s.io/api v0.32.1 + k8s.io/apimachinery v0.32.1 k8s.io/client-go v0.24.15 k8s.io/code-generator v0.24.15 sigs.k8s.io/controller-runtime v0.12.3 
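Review bot: The `require` block now pins `k8s.io/api` and `k8s.io/apimachinery` at v0.32.1 while `k8s.io/client-go` and `k8s.io/code-generator` stay at v0.24.15 (as do `apiextensions-apiserver` and `component-base` further down) and `controller-runtime` at v0.12.3; the k8s.io modules are released in lock-step and client-go v0.24 was built against the v0.24 apimachinery types, so a spread of eight minor versions is likely to fail at build time or at runtime in scheme registration and deepcopy paths. Bump the whole k8s.io set and controller-runtime to one matching release, or keep everything at v0.24.x and gate the init-container lifecycle feature differently. The go.sum hunks below are the consequence of this change and need no separate review.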
@@ -19,21 +21,22 @@ require ( github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/go-logr/logr v1.2.4 // indirect - github.com/go-openapi/jsonpointer v0.19.6 // indirect - github.com/go-openapi/jsonreference v0.20.1 // indirect - github.com/go-openapi/swag v0.22.3 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect + github.com/go-logr/logr v1.4.2 // indirect + github.com/go-openapi/jsonpointer v0.21.0 // indirect + github.com/go-openapi/jsonreference v0.20.2 // indirect + github.com/go-openapi/swag v0.23.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.9 // indirect - github.com/google/gofuzz v1.1.0 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/google/gofuzz v1.2.0 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
@@ -46,29 +49,30 @@ require ( github.com/prometheus/client_model v0.4.0 // indirect github.com/prometheus/common v0.42.0 // indirect github.com/prometheus/procfs v0.9.0 // indirect - github.com/rogpeppe/go-internal v1.11.0 // indirect + github.com/rogpeppe/go-internal v1.12.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect + github.com/x448/float16 v0.8.4 // indirect + golang.org/x/mod v0.21.0 // indirect + golang.org/x/net v0.34.0 // indirect golang.org/x/oauth2 v0.5.0 // indirect - golang.org/x/sys v0.8.0 // indirect - golang.org/x/term v0.8.0 // indirect - golang.org/x/text v0.9.0 // indirect - golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.9.1 // indirect + golang.org/x/sys v0.29.0 // indirect + golang.org/x/term v0.28.0 // indirect + golang.org/x/text v0.22.0 // indirect + golang.org/x/time v0.7.0 // indirect + golang.org/x/tools v0.26.0 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/protobuf v1.35.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.24.15 // indirect k8s.io/component-base v0.24.15 // indirect k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect - k8s.io/klog/v2 v2.90.1 // indirect - k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect - k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect - sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect - sigs.k8s.io/yaml v1.3.0 // indirect + k8s.io/klog/v2 v2.130.1 // indirect + k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect + k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect + sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect + 
sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index a783a80..0d0d5d9 100644 --- a/go.sum +++ b/go.sum 
@@ -14,26 +14,35 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod 
h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.0 h1:n4JnPI1T3Qq1SFEi/F8rwLrZERp2bso19PJZDB9dayk= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= +github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -53,6 +62,7 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -62,11 +72,15 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
@@ -112,6 +126,7 @@ github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJf github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -128,6 +143,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= 
@@ -145,6 +162,7 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -156,6 +174,8 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= +golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= 
@@ -174,15 +194,20 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= +golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -194,6 +219,7 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -223,6 +249,7 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -247,10 +274,14 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.24.15 h1:5Zz9fnII9fR2Pouj8YMnsB2BEg9fzXRHo2Ed9Js62GU= k8s.io/api v0.24.15/go.mod h1:lPoMB2MmzSUa3R8iGI4GapLCYnOcbFT2SHPBR4mPt6E= +k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc= +k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k= k8s.io/apiextensions-apiserver v0.24.15 h1:pucsd2ktWmDNSnHNnkerbrlRM2yWffjW4xP7SCvemyQ= k8s.io/apiextensions-apiserver v0.24.15/go.mod h1:zyMke4waTm2IX79y6qOehGZNYoaVtVtdyCkfa/nIzp8= k8s.io/apimachinery v0.24.15 h1:yyPEqYqYNAZL+ybqyCo4pzfxQLYezRJITFiaTmEFr7M= k8s.io/apimachinery v0.24.15/go.mod h1:kSzhCwldu9XB172NDdLffRN0sJ3x95RR7Bmyc4SHhs0= +k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs= +k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= k8s.io/client-go v0.24.15 h1:0gPvSAykRxvl8vD7kPA8JvAWQJuwrSEZkfgSNb1T7q8= k8s.io/client-go v0.24.15/go.mod h1:200/+zvHmX6fL97NBMa/ndRbJzc3Kwh5um0U2KgCiTA= k8s.io/code-generator v0.24.15 h1:I8iyUiIXFKDhVoxMRgdpqSk4NfDQrA1Aiqumr41X2vE= 
@@ -262,16 +293,27 @@ k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= +k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio= sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= +sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= 
+sigs.k8s.io/structured-merge-diff/v4 v4.5.0 h1:nbCitCK2hfnhyiKo6uf2HxUPTCodY6Qaf85SbDIaMBk= +sigs.k8s.io/structured-merge-diff/v4 v4.5.0/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/vault.go b/vault.go index 8abbef8..121e108 100644 --- a/vault.go +++ b/vault.go @@ -5,6 +5,7 @@ import ( "fmt" "strings" + "github.com/uswitch/vault-webhook/pkg/apis/vaultwebhook.uswitch.com/v1alpha1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" ) 
@@ -107,29 +108,9 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] initContainer := vaultContainer - // TODO: This is likely to be in a function by itself - // Conditionally set Lifecycle if it exists in containerSpec - if vaultContainerSpec.Lifecycle.PreStop.Exec.Command != nil { - vaultContainer.Lifecycle = &corev1.Lifecycle{ - PreStop: &corev1.LifecycleHandler{ - Exec: &corev1.ExecAction{ - Command: vaultContainerSpec.Lifecycle.PreStop.Exec.Command, - }, - }, - } - } - - // Conditionally set Lifecycle if it exists in InitContainerSpec - if initVaultContainerSpec.Lifecycle.PreStop.Exec.Command != nil { - initContainer.Lifecycle = &corev1.Lifecycle{ - PreStop: &corev1.LifecycleHandler{ - Exec: &corev1.ExecAction{ - Command: initVaultContainerSpec.Lifecycle.PreStop.Exec.Command, - }, - }, - } - } - // TODO: End function to wrap + // Configure Lifecycle Hooks if spec exists + initContainer = addLifecycleHook(initContainer, initVaultContainerSpec, true) + vaultContainer = addLifecycleHook(vaultContainer, vaultContainerSpec, false) jobLikeOwnerReferencesKinds := map[string]bool{"Job": true, "Workflow": true} if len(pod.ObjectMeta.OwnerReferences) != 0 { @@ -139,6 +120,7 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] } } + // Append the new Vault container spec into the Pod Spec generated by the client Deployment/Daemonset/etc pod.Spec.Containers = append(pod.Spec.Containers, vaultContainer) initContainer.Args = append(initContainer.Args, "--init") 
@@ -224,3 +206,22 @@ func appendVolumeMountIfMissing(slice []corev1.VolumeMount, v corev1.VolumeMount } return append(slice, v) } + +func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Container, isInit bool) corev1.Container { + // Conditionally set Lifecycle if it exists in containerSpec + if len(containerSpec.Lifecycle.PreStop.Exec.Command) > 0 { + container.Lifecycle = &corev1.Lifecycle{ + PreStop: &corev1.LifecycleHandler{ + Exec: &corev1.ExecAction{ + Command: containerSpec.Lifecycle.PreStop.Exec.Command, + }, + }, + } + // Init containers must have RestartPolicy=Always to be able to support Lifecycle hooks + if isInit { + restartPolicy := corev1.ContainerRestartPolicyAlways + container.RestartPolicy = &restartPolicy + } + } + return container +} From 72fce7b62a969770d7000d91b8c77502f030592f Mon Sep 17 00:00:00 2001 From: Matteo Mori Date: Mon, 10 Feb 2025 12:07:06 +0000 Subject: [PATCH 08/14] fix(expand CRDs): Updating Go dependencies to latest, brings some additional issues. Let's split the problem into 2 smaller ones. Temporarily removed support for InitContainer lifecyle hooks --- go.mod | 62 +++++++++---------- go.sum | 44 +------------ .../v1alpha1/types.go | 2 +- vault.go | 17 ++--- webhook.go | 29 +++++---- 5 files changed, 54 insertions(+), 100 deletions(-) diff --git a/go.mod b/go.mod index a80f9c3..8d81a1b 100644 --- a/go.mod +++ b/go.mod @@ -1,16 +1,14 @@ module github.com/uswitch/vault-webhook -go 1.23.0 - -toolchain go1.23.6 +go 1.20 require ( github.com/prometheus/client_golang v1.15.1 github.com/sirupsen/logrus v1.9.0 gopkg.in/alecthomas/kingpin.v2 v2.2.6 gopkg.in/fsnotify.v1 v1.4.7 - k8s.io/api v0.32.1 - k8s.io/apimachinery v0.32.1 + k8s.io/api v0.24.15 + k8s.io/apimachinery v0.24.15 k8s.io/client-go v0.24.15 k8s.io/code-generator v0.24.15 sigs.k8s.io/controller-runtime v0.12.3 
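Review bot: `addLifecycleHook` sets `container.RestartPolicy = &restartPolicy` with `ContainerRestartPolicyAlways` whenever an init container has a preStop command, which turns that init container into a restartable (native sidecar) init container: the kubelet keeps it running for the pod's lifetime and restarts it on exit instead of running it once to completion, which is what the `--init` argument appended in `addVault` suggests it is meant to do, and it needs a cluster whose API server and kubelets support restartable init containers. That is a larger behavioural change than enabling a hook, so it deserves a doc comment on the function and a mention in the user-facing docs, not only the inline `// Init containers must have RestartPolicy=Always ...` line. The function currently has no doc comment at all; something like `// addLifecycleHook copies the binding's preStop exec command onto container and, for init containers, marks it restartable so the hook can run.` would do. That comment should also say that the command is taken verbatim from the DatabaseCredentialBinding, so RBAC on that CRD is what decides which command runs inside the injected Vault sidecar.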
@@ -21,22 +19,21 @@ require ( github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect - github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect - github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/emicklei/go-restful/v3 v3.9.0 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/fsnotify/fsnotify v1.6.0 // indirect - github.com/fxamacker/cbor/v2 v2.7.0 // indirect - github.com/go-logr/logr v1.4.2 // indirect - github.com/go-openapi/jsonpointer v0.21.0 // indirect - github.com/go-openapi/jsonreference v0.20.2 // indirect - github.com/go-openapi/swag v0.23.0 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.4 // indirect + github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.6.0 // indirect - github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.6.0 // indirect + github.com/google/go-cmp v0.5.9 // indirect + github.com/google/gofuzz v1.1.0 // indirect + github.com/google/uuid v1.3.0 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect 
@@ -49,30 +46,29 @@ require ( github.com/prometheus/client_model v0.4.0 // indirect github.com/prometheus/common v0.42.0 // indirect github.com/prometheus/procfs v0.9.0 // indirect - github.com/rogpeppe/go-internal v1.12.0 // indirect + github.com/rogpeppe/go-internal v1.11.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/x448/float16 v0.8.4 // indirect - golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.34.0 // indirect + golang.org/x/mod v0.10.0 // indirect + golang.org/x/net v0.10.0 // indirect golang.org/x/oauth2 v0.5.0 // indirect - golang.org/x/sys v0.29.0 // indirect - golang.org/x/term v0.28.0 // indirect - golang.org/x/text v0.22.0 // indirect - golang.org/x/time v0.7.0 // indirect - golang.org/x/tools v0.26.0 // indirect + golang.org/x/sys v0.8.0 // indirect + golang.org/x/term v0.8.0 // indirect + golang.org/x/text v0.9.0 // indirect + golang.org/x/time v0.3.0 // indirect + golang.org/x/tools v0.9.1 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.35.1 // indirect + google.golang.org/protobuf v1.30.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.24.15 // indirect k8s.io/component-base v0.24.15 // indirect k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect - k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect - k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect - sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect - sigs.k8s.io/yaml v1.4.0 // indirect -) + k8s.io/klog/v2 v2.90.1 // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + 
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect +) \ No newline at end of file diff --git a/go.sum b/go.sum index 0d0d5d9..4aa2499 100644 --- a/go.sum +++ b/go.sum 
@@ -14,35 +14,26 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= -github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod 
h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.0 h1:n4JnPI1T3Qq1SFEi/F8rwLrZERp2bso19PJZDB9dayk= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= -github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 
@@ -62,7 +53,6 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= 
@@ -72,15 +62,11 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= -github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU= github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
@@ -126,7 +112,6 @@ github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJf github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= -github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -143,8 +128,6 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= -github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= 
@@ -162,7 +145,6 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -174,8 +156,6 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= -golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= 
@@ -194,20 +174,15 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= -golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -219,7 +194,6 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= -golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -249,7 +223,6 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -274,14 +247,10 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= k8s.io/api v0.24.15 h1:5Zz9fnII9fR2Pouj8YMnsB2BEg9fzXRHo2Ed9Js62GU= k8s.io/api v0.24.15/go.mod h1:lPoMB2MmzSUa3R8iGI4GapLCYnOcbFT2SHPBR4mPt6E= -k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc= -k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k= k8s.io/apiextensions-apiserver v0.24.15 h1:pucsd2ktWmDNSnHNnkerbrlRM2yWffjW4xP7SCvemyQ= k8s.io/apiextensions-apiserver v0.24.15/go.mod h1:zyMke4waTm2IX79y6qOehGZNYoaVtVtdyCkfa/nIzp8= k8s.io/apimachinery v0.24.15 h1:yyPEqYqYNAZL+ybqyCo4pzfxQLYezRJITFiaTmEFr7M= k8s.io/apimachinery v0.24.15/go.mod h1:kSzhCwldu9XB172NDdLffRN0sJ3x95RR7Bmyc4SHhs0= -k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs= -k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= k8s.io/client-go v0.24.15 h1:0gPvSAykRxvl8vD7kPA8JvAWQJuwrSEZkfgSNb1T7q8= k8s.io/client-go v0.24.15/go.mod h1:200/+zvHmX6fL97NBMa/ndRbJzc3Kwh5um0U2KgCiTA= k8s.io/code-generator v0.24.15 h1:I8iyUiIXFKDhVoxMRgdpqSk4NfDQrA1Aiqumr41X2vE= 
@@ -293,27 +262,16 @@ k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAE k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= -k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJJI8IUa1AmH/qa0= -k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/controller-runtime v0.12.3 h1:FCM8xeY/FI8hoAfh/V4XbbYMY20gElh9yh+A98usMio= sigs.k8s.io/controller-runtime v0.12.3/go.mod h1:qKsk4WE6zW2Hfj0G4v10EnNB2jMG1C+NTb8h+DwCoU0= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= 
-sigs.k8s.io/structured-merge-diff/v4 v4.5.0 h1:nbCitCK2hfnhyiKo6uf2HxUPTCodY6Qaf85SbDIaMBk= -sigs.k8s.io/structured-merge-diff/v4 v4.5.0/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= -sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= -sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= \ No newline at end of file diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go index 0db404d..bd499ec 100644 --- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go +++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go @@ -21,7 +21,7 @@ type DatabaseCredentialBindingSpec struct { OutputFile string `json:"outputFile"` ServiceAccount string `json:"serviceAccount"` Container Container `json:"container,omitempty"` - InitContainer Container `json:"initcontainer,omitempty"` + // InitContainer Container `json:"initcontainer,omitempty"` // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/vault.go b/vault.go index 121e108..1392eec 100644 --- a/vault.go +++ b/vault.go @@ -26,7 +26,7 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] for _, databaseInfo := range databases { vaultContainerSpec := databaseInfo.vaultContainer - initVaultContainerSpec := databaseInfo.initVaultContainer + //initVaultContainerSpec := databaseInfo.initVaultContainer // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) database := databaseInfo.database role := databaseInfo.role 
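Review bot: The `InitContainer` field in `DatabaseCredentialBindingSpec` is commented out in place (`// InitContainer Container ...`) with a TODO instead of being removed, and the same pattern repeats in this commit's vault.go hunks (`//initVaultContainerSpec := ...`, `// initContainer = addLifecycleHook(...)`, the `// if isInit {` block) and webhook.go hunks (`// initVaultContainer v1alpha1.Container`, the two `//log.Infof(...)` lines). Commented-out code is not compiled and drifts out of sync with the live code; git history keeps the removed lines, so deleting them and carrying one TODO (or an issue link) at the single point where the newer k8s.io/api is needed is cleaner. Removing the struct field also changes what the binding accepts: a binding that still sets `initcontainer` will presumably have the field ignored by the Go decoder rather than rejected, so the CRD's OpenAPI schema (not in this diff) should be updated to match, or the field kept and documented as unused.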
@@ -109,8 +109,8 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] initContainer := vaultContainer // Configure Lifecycle Hooks if spec exists - initContainer = addLifecycleHook(initContainer, initVaultContainerSpec, true) - vaultContainer = addLifecycleHook(vaultContainer, vaultContainerSpec, false) + // initContainer = addLifecycleHook(initContainer, initVaultContainerSpec) // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) + vaultContainer = addLifecycleHook(vaultContainer, vaultContainerSpec) jobLikeOwnerReferencesKinds := map[string]bool{"Job": true, "Workflow": true} if len(pod.ObjectMeta.OwnerReferences) != 0 { @@ -207,7 +207,7 @@ func appendVolumeMountIfMissing(slice []corev1.VolumeMount, v corev1.VolumeMount return append(slice, v) } -func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Container, isInit bool) corev1.Container { +func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Container) corev1.Container { // Conditionally set Lifecycle if it exists in containerSpec if len(containerSpec.Lifecycle.PreStop.Exec.Command) > 0 { container.Lifecycle = &corev1.Lifecycle{ @@ -217,11 +217,12 @@ func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Contain }, }, } + // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) // Init containers must have RestartPolicy=Always to be able to support Lifecycle hooks - if isInit { - restartPolicy := corev1.ContainerRestartPolicyAlways - container.RestartPolicy = &restartPolicy - } + // if isInit { + // restartPolicy := corev1.ContainerRestartPolicyAlways + // container.RestartPolicy = &restartPolicy + // } } return container } diff --git a/webhook.go b/webhook.go index 1efd880..5550ee3 100644 --- a/webhook.go +++ b/webhook.go 
@@ -38,12 +38,12 @@ type patchOperation struct { } type database struct { - database string - role string - outputPath string - outputFile string - vaultContainer v1alpha1.Container - initVaultContainer v1alpha1.Container + database string + role string + outputPath string + outputFile string + vaultContainer v1alpha1.Container + // initVaultContainer v1alpha1.Container // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) } func (srv webHookServer) serve(w http.ResponseWriter, r *http.Request) { @@ -198,17 +198,16 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount if output == "" { output = "/etc/database" } - // TODO: REMOVE THE BELOW LOGS - log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container) - log.Infof("[matchBindings] Printing content of InitContainer: %+v", binding.Spec.InitContainer) + //log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container) + //log.Infof("[matchBindings] Printing content of InitContainer: %+v", binding.Spec.InitContainer) matchedBindings = appendIfMissing(matchedBindings, database{ - role: binding.Spec.Role, - database: binding.Spec.Database, - outputPath: output, - outputFile: binding.Spec.OutputFile, - vaultContainer: binding.Spec.Container, - initVaultContainer: binding.Spec.InitContainer, + role: binding.Spec.Role, + database: binding.Spec.Database, + outputPath: output, + outputFile: binding.Spec.OutputFile, + vaultContainer: binding.Spec.Container, + //initVaultContainer: binding.Spec.InitContainer, // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) }) } } From c2ad8fb0fa8dc827ee6f4de6db14b682bad24828 Mon Sep 17 00:00:00 2001 
From: Matteo Mori Date: Mon, 10 Feb 2025 15:28:15 +0000 Subject: [PATCH 09/14] feat(expand CRDs): Changed typing of CRD object to simplify data handling --- .../v1alpha1/types.go | 15 ++--------- vault.go | 25 ++++++++----------- webhook.go | 2 +- 3 files changed, 13 insertions(+), 29 deletions(-) diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go index bd499ec..e12d9dd 100644 --- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go +++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go @@ -1,6 +1,7 @@ package v1alpha1 import ( + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -34,17 +35,5 @@ type DatabaseCredentialBindingList struct { } type Container struct { - Lifecycle Lifecycle `json:"lifecycle,omitempty"` -} - -type Lifecycle struct { - PreStop LifecycleHandler `json:"preStop,omitempty"` -} - -type LifecycleHandler struct { - Exec ExecAction `json:"exec,omitempty"` -} - -type ExecAction struct { - Command []string `json:"command,omitempty"` + Lifecycle corev1.Lifecycle `json:"lifecycle,omitempty"` } diff --git a/vault.go b/vault.go index 1392eec..129bf25 100644 --- a/vault.go +++ b/vault.go 
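Review bot: `Lifecycle corev1.Lifecycle` with `json:"lifecycle,omitempty"` — `omitempty` has no effect on a struct-valued field in encoding/json, so every serialized binding carries `lifecycle: {}` and the consumer is left comparing against a zero value to detect absence. Declaring it as `Lifecycle *corev1.Lifecycle \`json:"lifecycle,omitempty"\`` makes absence a nil check and matches how `corev1.Container.Lifecycle` itself is declared. Replacing the previous PreStop-exec-only shape with the full `corev1.Lifecycle` also widens what a binding can carry — `postStart` and non-exec handlers such as `httpGet` and `tcpSocket` now pass straight into the injected sidecar; if that is intended, the CRD's OpenAPI schema and the generated deepcopy code should be regenerated to match, and if not, the accepted shape should be constrained in the type or in validation.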
@@ -207,22 +207,17 @@ func appendVolumeMountIfMissing(slice []corev1.VolumeMount, v corev1.VolumeMount
 return append(slice, v)
 }
 
+// Conditionally set Lifecycle if it exists in containerSpec
 func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Container) corev1.Container {
- // Conditionally set Lifecycle if it exists in containerSpec
- if len(containerSpec.Lifecycle.PreStop.Exec.Command) > 0 {
- container.Lifecycle = &corev1.Lifecycle{
- PreStop: &corev1.LifecycleHandler{
- Exec: &corev1.ExecAction{
- Command: containerSpec.Lifecycle.PreStop.Exec.Command,
- },
- },
- }
- // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
- // Init containers must have RestartPolicy=Always to be able to support Lifecycle hooks
- // if isInit {
- // restartPolicy := corev1.ContainerRestartPolicyAlways
- // container.RestartPolicy = &restartPolicy
- // }
+ if container.Lifecycle != nil {
+ container.Lifecycle = &containerSpec.Lifecycle
 }
+ // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
+ // Init containers must have RestartPolicy=Always to be able to support Lifecycle hooks
+ // if isInit {
+ // restartPolicy := corev1.ContainerRestartPolicyAlways
+ // container.RestartPolicy = &restartPolicy
+ // }
+ //}
 return container
 }
diff --git a/webhook.go b/webhook.go
index 5550ee3..60f71d6 100644
--- a/webhook.go
+++ b/webhook.go
@@ -198,7 +198,7 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount
 if output == "" {
 output = "/etc/database"
 }
- //log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container)
+ log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container)
 //log.Infof("[matchBindings] Printing content of InitContainer: %+v", binding.Spec.InitContainer)
 
 matchedBindings = appendIfMissing(matchedBindings, database{
From 08cc8b6aa1e8d6aea8eaeb8daa3bbf1374d9137a Mon Sep 17 00:00:00 2001
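Review bot: `container.Lifecycle = &containerSpec.Lifecycle` replaces code that built a fresh `corev1.Lifecycle` holding only `PreStop.Exec.Command` with a pointer to the binding's whole lifecycle, so any `PostStart` handler or non-exec `PreStop` action in a binding is now injected into the sidecar unchanged, and the sidecar spec aliases the handler structs owned by the binding object (a write on either side is visible to the other, a race if bindings come from a shared cache, which the hunk does not show). Keep the old shape and copy only what is validated: `container.Lifecycle = &corev1.Lifecycle{PreStop: containerSpec.Lifecycle.PreStop.DeepCopy()}`. Separately, the new guard reads `container.Lifecycle`, which is nil for the freshly built sidecar, so nothing is ever copied; patch 10 in this series corrects that, while the whole-lifecycle assignment is carried forward unchanged by patches 10, 11 and 14. The commented-out init-container block and the stray `+ //}` after the `if` are dead text that patch 14 deletes anyway and could go here.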
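Review bot: Re-enabling `log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container)` writes every binding's full container spec at Info level on each admission review; the exec command it carries is operator-supplied and may include arguments that do not belong in routine logs, and the `Printing content of` wording marks it as a debugging aid. Demote it to debug level or remove it — patch 14 later in this series deletes the neighbouring InitContainer line but keeps this one. `matchBindings` continues outside the hunk.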
From: Matteo Mori
Date: Mon, 10 Feb 2025 16:26:04 +0000
Subject: [PATCH 10/14] fix(expand CRDs): Incorrect conditional check

---
 vault.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/vault.go b/vault.go
index 129bf25..0409c3f 100644
--- a/vault.go
+++ b/vault.go
@@ -209,7 +209,9 @@ func appendVolumeMountIfMissing(slice []corev1.VolumeMount, v corev1.VolumeMount
 
 // Conditionally set Lifecycle if it exists in containerSpec
 func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Container) corev1.Container {
- if container.Lifecycle != nil {
+
+ emptyLifecycle := corev1.Lifecycle{}
+ if containerSpec.Lifecycle != emptyLifecycle {
 container.Lifecycle = &containerSpec.Lifecycle
 }
 // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
From 86edf36577a277ab7de460a4032caee60b5a0891 Mon Sep 17 00:00:00 2001
From: Matteo Mori
Date: Mon, 10 Feb 2025 17:10:17 +0000
Subject: [PATCH 11/14] fix(expand CRDs): Improved checks by using struct methods

---
 .../v1alpha1/types.go | 24 +++++++++++++++++++
 vault.go | 8 ++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go
index e12d9dd..5581830 100644
--- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go
+++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go
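Review bot: `containerSpec.Lifecycle != emptyLifecycle` compares a struct made only of pointer fields, so it asks whether `PostStart` or `PreStop` is non-nil, not whether they contain anything — a binding with `PreStop: &LifecycleHandler{}` passes and the sidecar gets a handler with no action, and the comparison stops compiling if `corev1.Lifecycle` ever gains a slice or map field. State the intent directly with nil checks, e.g. `if containerSpec.Lifecycle.PreStop != nil && containerSpec.Lifecycle.PreStop.Exec != nil {`, and drop the `emptyLifecycle` temporary. The blank line inserted right after the signature is unusual for gofmt'd code. The rest of the function lies outside the hunk.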
@@ -37,3 +37,27 @@ type DatabaseCredentialBindingList struct {
 type Container struct {
 Lifecycle corev1.Lifecycle `json:"lifecycle,omitempty"`
 }
+
+/*
+Check if Container.Lifecycle.PreStop is valid.
+This is to avoid mishandling incomplete inputs like the below:
+
+https://pkg.go.dev/k8s.io/api/core/v1#LifecycleHandler
+{
+
+ "Lifecycle": {
+ "PostStart": null,
+ "PreStop": {
+ "Exec": null, # <----- Missing Command!!
+ "HTTPGet": null,
+ "TCPSocket": null
+ }
+ }
+
+}
+*/
+func (c Container) HasValidPreStop() bool {
+ return c.Lifecycle.PreStop != nil &&
+ c.Lifecycle.PreStop.Exec != nil &&
+ len(c.Lifecycle.PreStop.Exec.Command) > 0
+}
diff --git a/vault.go b/vault.go
index 0409c3f..acc9544 100644
--- a/vault.go
+++ b/vault.go
@@ -210,9 +210,15 @@ func appendVolumeMountIfMissing(slice []corev1.VolumeMount, v corev1.VolumeMount
 // Conditionally set Lifecycle if it exists in containerSpec
 func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Container) corev1.Container {
 
+ // Check DatabaseCredentialBindingSpec.Container.Lifecycle is not empty
 emptyLifecycle := corev1.Lifecycle{}
 if containerSpec.Lifecycle != emptyLifecycle {
- container.Lifecycle = &containerSpec.Lifecycle
+
+ // Check for a complete PreStop hook
+ if containerSpec.HasValidPreStop() {
+ container.Lifecycle = &containerSpec.Lifecycle
+ }
+
 }
 // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
 // Init containers must have RestartPolicy=Always to be able to support Lifecycle hooks
From 33e6f9fc192ec5eb6ac9edf97df17a2a8fb8c18e Mon Sep 17 00:00:00 2001
From: Matteo Mori
Date: Tue, 11 Feb 2025 12:21:29 +0000
Subject: [PATCH 12/14] feat(expand CRDs): Added unit tests

---
 .../v1alpha1/types.go | 20 ++----
 vault_test.go | 69 ++++++++++++++++++-
 2 files changed, 74 insertions(+), 15 deletions(-)

diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go
index 5581830..4e26ca3 100644
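Review bot: `HasValidPreStop` is exported but its block comment does not begin with the method name, so godoc tooling will not attach it; start it with `// HasValidPreStop reports whether Lifecycle.PreStop carries an exec action with a non-empty command.` and keep the JSON example below that line. The name also over-promises: a `PreStop` using `HTTPGet` or `TCPSocket` is a valid Kubernetes handler yet returns false here, so either rename it `HasExecPreStop` or say in the comment that only exec hooks are supported by the webhook.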
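Review bot: The outer `if containerSpec.Lifecycle != emptyLifecycle` is redundant once `HasValidPreStop()` is consulted — a non-nil `PreStop` already differs from the zero value — so the nested guards, the `emptyLifecycle` temporary and the two blank lines can collapse to `if containerSpec.HasValidPreStop() {` with the assignment inside. Note that the validation covers only `PreStop.Exec` while `container.Lifecycle = &containerSpec.Lifecycle` still hands the sidecar the entire lifecycle, so a `PostStart` handler set alongside a valid `PreStop` reaches the pod unvalidated; copying just the checked handler, `&corev1.Lifecycle{PreStop: containerSpec.Lifecycle.PreStop.DeepCopy()}`, keeps the check and the copy in step. The function's tail is outside the hunk.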
--- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go
+++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go
@@ -39,22 +39,14 @@ type Container struct {
 }
 
 /*
-Check if Container.Lifecycle.PreStop is valid.
-This is to avoid mishandling incomplete inputs like the below:
-
 https://pkg.go.dev/k8s.io/api/core/v1#LifecycleHandler
-{
-
- "Lifecycle": {
- "PostStart": null,
- "PreStop": {
- "Exec": null, # <----- Missing Command!!
- "HTTPGet": null,
- "TCPSocket": null
- }
- }
+Check if Container.Lifecycle.PreStop is valid. This is to avoid mishandling incomplete inputs like the below:
 
-}
+ { "Lifecycle": {
+ "PostStart": null,
+ "PreStop": {
+ "Exec": null, # <----- Missing Command!!
+ "HTTPGet": null,"TCPSocket": null}}}
 */
 func (c Container) HasValidPreStop() bool {
 return c.Lifecycle.PreStop != nil &&
diff --git a/vault_test.go b/vault_test.go
index d534e74..e8b505e 100644
--- a/vault_test.go
+++ b/vault_test.go
@@ -1,10 +1,12 @@
 package main
 
 import (
+ "fmt"
 "strings"
 "testing"
 
- "k8s.io/api/core/v1"
+ "github.com/uswitch/vault-webhook/pkg/apis/vaultwebhook.uswitch.com/v1alpha1"
+ v1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -183,3 +185,68 @@ func TestVaultJobMode(t *testing.T) {
 })
 }
 }
+
+// Can we add a preStop hook to the vault container?
+func TestAddLifecyclePreStopHook(t *testing.T) {
+
+ // Define test cases
+ var tests = []struct {
+ scenario string
+ lifecycleObj v1alpha1.Container
+ answer bool
+ }{
+ {
+ scenario: "Test passing a complete lifecyle config",
+ lifecycleObj: v1alpha1.Container{
+ Lifecycle: v1.Lifecycle{
+ PreStop: &v1.LifecycleHandler{
+ Exec: &v1.ExecAction{
+ Command: []string{"echo", "hello"},
+ },
+ },
+ },
+ },
+ answer: true,
+ },
+ {
+ scenario: "Test passing an incomplete lifecycle config",
+ lifecycleObj: v1alpha1.Container{
+ Lifecycle: v1.Lifecycle{
+ PreStop: &v1.LifecycleHandler{
+ Exec: nil,
+ },
+ },
+ },
+ answer: false,
+ },
+ {
+ // v1alpha1.Container{}, comes from corev1.Container{} and this ALWAYS have a c.Lifecycle object. The latter, always has pointers to PostStart and PreStop handlers ( but no further down the struct since they are pointers )
+ // if our dcb input does not specify a container object, the received input will look like this: {Lifecycle:{PostStart:nil PreStop:nil}}
+ scenario: "Test passing no lifecycle config",
+ lifecycleObj: v1alpha1.Container{
+ Lifecycle: v1.Lifecycle{
+ PreStop: nil,
+ },
+ },
+ answer: false,
+ },
+ }
+
+ // Run tests
+ for _, tt := range tests {
+ // t.Run enables running "subtests", one for each table entry. These are shown separately when executing `go test -v`.
+ vaultContainer := v1.Container{} // Define a Vault sidecar Container
+ testname := fmt.Sprintf("%v", tt.scenario)
+ t.Run(testname, func(t *testing.T) {
+ ans := addLifecycleHook(vaultContainer, tt.lifecycleObj)
+
+ //log.Printf("%+v", ans)
+ isValid := ans.Lifecycle != nil && ans.Lifecycle.PreStop != nil && ans.Lifecycle.PreStop.Exec != nil && len(ans.Lifecycle.PreStop.Exec.Command) > 0
+
+ if isValid != tt.answer {
+ t.Errorf("got %v, want %v", isValid, tt.answer)
+ }
+ })
+ }
+
+}
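Review bot: The positive case checks only that some exec PreStop is present on the result, never that `ans.Lifecycle.PreStop.Exec.Command` equals the `[]string{"echo", "hello"}` it passed in, and no table entry sets `PostStart` next to a valid `PreStop` even though `addLifecycleHook` copies the whole lifecycle through; add the command assertion and such an entry with the outcome you intend. `testname := fmt.Sprintf("%v", tt.scenario)` is just `tt.scenario`, and `fmt` is imported only for it. The third case's comment that `v1alpha1.Container{}` "comes from corev1.Container{}" is inaccurate — it is a separate struct whose `Lifecycle` value simply has nil `PostStart` and `PreStop` pointers — and `isValid` reimplements `HasValidPreStop`, which the test could call instead.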
From 8ecc71c5dd6c5fa7cce80eed55fe616da4505da2 Mon Sep 17 00:00:00 2001
From: Matteo Mori
Date: Tue, 11 Feb 2025 12:24:19 +0000
Subject: [PATCH 13/14] feat(expand CRDs): Updated example CRD

---
 crd.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/crd.yaml b/crd.yaml
index 7dfa814..1d2041b 100644
--- a/crd.yaml
+++ b/crd.yaml
@@ -6,12 +6,19 @@ spec:
 group: vaultwebhook.uswitch.com
 versions:
 - name: v1alpha1
+ # Each version can be enabled/disabled by Served flag.
 served: true
+ # One and only one version must be marked as the storage version.
 storage: true
 schema:
 openAPIV3Schema:
+ type: object
+ description: |-
+ A MutatingAdmissionController that will add the vault-creds container to your pod
+ for you when your pod is created (assuming that vault webhook is enabled on your namespace
 properties:
 spec:
+ type: object
 properties:
 database:
 type: string
@@ -20,7 +27,29 @@ spec:
 outputPath:
 type: string
 outputFile:
+ type: string
+ serviceAccount:
 type: string
+ container:
+ description: Specification of the container that will be created as part of this binding.
+ type: object
+ properties:
+ lifecycle:
+ description: Specification of the lifecycle hooks of the container. https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
+ type: object
+ properties:
+ preStop:
+ description: This hook is called immediately before a container is terminated due to an API request or management event such as a liveness/startup probe failure, preemption, resource contention and others
+ type: object
+ properties:
+ exec:
+ description: Executes a specific command, inside the cgroups and namespaces of the Container.
+ type: object
+ properties:
+ command:
+ type: array
+ items:
+ type: string
 names:
 kind: DatabaseCredentialBinding
 plural: databasecredentialbindings
From e9a5a92579f23d81d2a4b9fbd05b5bc0592b78b6 Mon Sep 17 00:00:00 2001
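Review bot: The schema admits only `container.lifecycle.preStop.exec.command`, while the Go type behind `container` is the full `corev1.Lifecycle`; on an `apiextensions.k8s.io/v1` CRD with a structural schema the apiserver prunes fields not listed here, so `postStart`, `httpGet` and `tcpSocket` never reach the webhook — this pruning is what currently bounds what a binding can inject into the sidecar, and it deserves a comment next to `container:` such as `# keep this schema narrow: lifecycle fields not listed here are pruned by the apiserver, which limits what a binding may add to the sidecar` so that nobody adds `x-kubernetes-preserve-unknown-fields` later. The CRD's apiVersion is outside the hunk, so confirm pruning applies to it. The top-level description is missing the closing parenthesis after `on your namespace`.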
From: Matteo Mori Date: Tue, 11 Feb 2025 13:47:25 +0000 Subject: [PATCH 14/14] doc(expand CRDs): Clean comments --- pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go | 1 - vault.go | 9 --------- webhook.go | 5 +---- 3 files changed, 1 insertion(+), 14 deletions(-) diff --git a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go index 4e26ca3..a39b23f 100644 --- a/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go +++ b/pkg/apis/vaultwebhook.uswitch.com/v1alpha1/types.go @@ -22,7 +22,6 @@ type DatabaseCredentialBindingSpec struct { OutputFile string `json:"outputFile"` ServiceAccount string `json:"serviceAccount"` Container Container `json:"container,omitempty"` - // InitContainer Container `json:"initcontainer,omitempty"` // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/vault.go b/vault.go index acc9544..4f8f8c7 100644 --- a/vault.go +++ b/vault.go @@ -26,7 +26,6 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] for _, databaseInfo := range databases { vaultContainerSpec := databaseInfo.vaultContainer - //initVaultContainerSpec := databaseInfo.initVaultContainer // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) database := databaseInfo.database role := databaseInfo.role @@ -109,7 +108,6 @@ func addVault(pod *corev1.Pod, namespace string, databases []database) (patch [] initContainer := vaultContainer // Configure Lifecycle Hooks if spec exists - // initContainer = addLifecycleHook(initContainer, initVaultContainerSpec) // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated ) vaultContainer = addLifecycleHook(vaultContainer, vaultContainerSpec) jobLikeOwnerReferencesKinds := map[string]bool{"Job": true, "Workflow": true} 
@@ -220,12 +218,5 @@ func addLifecycleHook(container corev1.Container, containerSpec v1alpha1.Contain
 }
 
 }
- // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
- // Init containers must have RestartPolicy=Always to be able to support Lifecycle hooks
- // if isInit {
- // restartPolicy := corev1.ContainerRestartPolicyAlways
- // container.RestartPolicy = &restartPolicy
- // }
- //}
 return container
 }
diff --git a/webhook.go b/webhook.go
index 60f71d6..eac5e6d 100644
--- a/webhook.go
+++ b/webhook.go
@@ -43,7 +43,6 @@ type database struct {
 outputPath string
 outputFile string
 vaultContainer v1alpha1.Container
- // initVaultContainer v1alpha1.Container // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
 }
 
 func (srv webHookServer) serve(w http.ResponseWriter, r *http.Request) {
@@ -199,7 +198,6 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount
 output = "/etc/database"
 }
 log.Infof("[matchBindings] Printing content of Container: %+v", binding.Spec.Container)
- //log.Infof("[matchBindings] Printing content of InitContainer: %+v", binding.Spec.InitContainer)
 
 matchedBindings = appendIfMissing(matchedBindings, database{
 role: binding.Spec.Role,
@@ -207,7 +205,6 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount
 outputPath: output,
 outputFile: binding.Spec.OutputFile,
 vaultContainer: binding.Spec.Container,
- //initVaultContainer: binding.Spec.InitContainer, // TODO: Fix support for initcontainer's Lifecycle hooks ( Go dep to be updated )
 })
 }
 }
@@ -216,7 +213,7 @@ func matchBindings(bindings []v1alpha1.DatabaseCredentialBinding, serviceAccount
 
 func appendIfMissing(slice []database, d database) []database {
 for _, ele := range slice {
- // No need to compare the Container and InitContainer fields.
+ // No need to compare Container fields.
 if ele.role == d.role &&
 ele.database == d.database &&
 ele.outputPath == d.outputPath &&