Add implmentation for tkr-infra-machine-webhook (vmware-tanzu#1638)

Signed-off-by: PremKumar Kalle <pkalle@vmware.com>

Review comments addressed

Signed-off-by: PremKumar Kalle <pkalle@vmware.com>

Author: prkalle

Makefile

@@ -670,7 +670,7 @@ e2e-tkgpackageclient-docker: $(GINKGO) generate-embedproviders ## Run ginkgo tkg
 # These are the components in this repo that need to have a docker image built.
 # This variable refers to directory paths that contain a Makefile with `docker-build`, `docker-publish` and
 # `kbld-image-replace` targets that can build and push a docker image for that component.
-COMPONENTS := pkg/v1/sdk/features addons cliplugins
+COMPONENTS := pkg/v1/sdk/features addons cliplugins pkg/v2/tkr/webhook/infra-machine
 
 .PHONY: docker-build
 docker-build: TARGET=docker-build

go.mod

@@ -95,6 +95,7 @@ require (
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	gomodules.xyz/jsonpatch/v2 v2.2.0
 	google.golang.org/api v0.62.0
 	google.golang.org/grpc v1.42.0
 	gopkg.in/yaml.v2 v2.4.0
@@ -226,7 +227,6 @@ require (
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/tools v0.1.5 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
 	google.golang.org/protobuf v1.27.1 // indirect

pkg/v2/tkr/webhook/infra-machine/Dockerfile

@@ -0,0 +1,35 @@
+# Copyright 2022 VMware, Inc. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Build from publicly reachable source by default, but allow people to re-build images on
+# top of their own trusted images.
+ARG BUILDER_BASE_IMAGE=golang:1.17
+
+# Build the manager binary
+FROM $BUILDER_BASE_IMAGE as builder
+
+WORKDIR /workspace
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+RUN  go mod download
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+
+# Copy the go source
+COPY ./ ./
+
+# Build
+ARG LD_FLAGS
+ENV LD_FLAGS="$LD_FLAGS "'-extldflags "-static"'
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -ldflags "$LD_FLAGS" -o manager ./main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+
+ENTRYPOINT ["/manager"]

pkg/v2/tkr/webhook/infra-machine/Makefile

@@ -0,0 +1,53 @@
+# Copyright 2022 VMware, Inc. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+include ../../../../../common.mk
+
+IMG_DEFAULT_NAME := tkr-infra-machine-webhook
+IMG_DEFAULT_TAG := latest
+IMG_DEFAULT_NAME_TAG := $(IMG_DEFAULT_NAME):$(IMG_DEFAULT_TAG)
+
+IMG_VERSION_OVERRIDE ?= $(IMG_DEFAULT_TAG)
+
+ifeq ($(strip $(OCI_REGISTRY)),)
+	IMG ?= $(IMG_DEFAULT_NAME):$(IMG_VERSION_OVERRIDE)
+else
+	IMG ?= $(OCI_REGISTRY)/$(IMG_DEFAULT_NAME):$(IMG_VERSION_OVERRIDE)
+endif
+
+all: manager
+
+# Run tests
+test: fmt vet manifests
+	go test ./... -coverprofile cover.out
+
+# Build manager binary
+manager: fmt vet
+	go build -ldflags "$(LD_FLAGS)" -o bin/manager ./main.go
+
+# Run go fmt against code
+fmt:
+	go fmt ./...
+
+# Run go vet against code
+vet:
+	go vet ./...
+
+.PHONY: docker-build
+docker-build: ## Build docker image
+	cd ../../../../../ && docker build -t $(IMG) -f pkg/v2/tkr/webhook/infra-machine/Dockerfile --build-arg LD_FLAGS="$(LD_FLAGS)" .
+
+.PHONY: docker-publish
+docker-publish: ## Publish docker image
+	docker push $(IMG)
+
+.PHONY: kbld-image-replace
+kbld-image-replace: ## Add newImage in kbld-config.yaml
+	cd ../../../../../hack/packages/kbld-image-replace && $(MAKE) run IMAGE=$(IMG_DEFAULT_NAME_TAG) NEW_IMAGE=$(IMG)
+
+.PHONY: docker-image-names
+docker-image-names:
+	@echo $(IMG)
+
+.PHONY: docker-build-and-publish
+docker-build-and-publish: docker-build docker-publish kbld-image-replace

pkg/v2/tkr/webhook/infra-machine/fieldsetter/fieldsetter.go

@@ -0,0 +1,111 @@
+// Copyright 2022 VMware, Inc. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+// Package fieldsetter defines methods to set the fields of <Infra>Machine resource
+package fieldsetter
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/go-logr/logr"
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+const (
+	osImageRefAnnotationKey = "run.tanzu.vmware.com/os-image-ref"
+)
+
+// FieldSetter mutates <infra>Machine
+type FieldSetter struct {
+	decoder      *admission.Decoder
+	Log          logr.Logger
+	FieldPathMap map[string]string
+}
+
+// Handle will handle the infra admission request
+func (fs *FieldSetter) Handle(ctx context.Context, req admission.Request) admission.Response { // nolint:gocritic // suppress linter error: hugeParam: req is heavy (400 bytes); consider passing by pointer (gocritic)
+	fs.Log.Info("Received the infra machine admission request")
+	infraMachine := &unstructured.Unstructured{}
+	err := fs.decoder.Decode(req, infraMachine)
+	if err != nil {
+		fs.Log.Error(err, "Failed to decode infra machine admission request")
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	annotationValues, err := getOSImageRefAnnotation(infraMachine)
+	if err != nil {
+		fs.Log.Error(err, "Failed to get 'run.tanzu.vmware.com/os-image-ref' annotation")
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+	// if 'run.tanzu.vmware.com/os-image-ref' annotation is not set, nothing to update
+	if annotationValues == nil {
+		return admission.ValidationResponse(true, "")
+	}
+
+	err = fs.setFields(infraMachine, annotationValues)
+	if err != nil {
+		fs.Log.Error(err, "Failed to set the fields using the 'run.tanzu.vmware.com/os-image-ref' annotation")
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	marshalledInfraMachine, err := json.Marshal(infraMachine)
+	if err != nil {
+		fs.Log.Error(err, "Failed to marshal infraMachine object")
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+	return admission.PatchResponseFromRaw(req.Object.Raw, marshalledInfraMachine)
+}
+
+func getOSImageRefAnnotation(infraMachine *unstructured.Unstructured) (map[string]interface{}, error) {
+	annotations := infraMachine.GetAnnotations()
+	if annotations == nil {
+		return nil, nil
+	}
+
+	osImageRefAnnotationValue, exists := annotations[osImageRefAnnotationKey]
+	if !exists {
+		return nil, nil
+	}
+	annotationValues := make(map[string]interface{}, 1)
+	err := yaml.Unmarshal([]byte(osImageRefAnnotationValue), &annotationValues)
+	if err != nil {
+		return nil, errors.New("failed to unmarshal 'run.tanzu.vmware.com/os-image-ref' annotation")
+	}
+	return annotationValues, nil
+}
+
+// SetFields sets the <Infra>Machine fields using the annotation values
+func (fs *FieldSetter) setFields(o *unstructured.Unstructured, annotationValues map[string]interface{}) error {
+	for field, value := range annotationValues {
+		path, exists := fs.FieldPathMap[field]
+		if !exists {
+			fs.Log.Info(fmt.Sprintf("os Image reference annotation value's field %q doesn't match with any entry in field path map configured", field))
+			continue
+		}
+		fieldPath := strings.Split(path, ".")
+		// check if the field path exists
+		if _, exists, _ := unstructured.NestedFieldNoCopy(o.UnstructuredContent(), fieldPath...); !exists {
+			fs.Log.Info(fmt.Sprintf("Field path %q doesn't exists in the request object", path))
+			return fmt.Errorf("field path %q doesn't exists in the request object", path)
+		}
+
+		err := unstructured.SetNestedField(o.UnstructuredContent(), value, fieldPath...)
+		if err != nil {
+			return errors.Wrapf(err, "failed to set the %q value to %v", fieldPath, value)
+		}
+	}
+	return nil
+}
+
+// InjectDecoder injects the decoder. A decoder will be automatically injected.
+func (fs *FieldSetter) InjectDecoder(d *admission.Decoder) error {
+	fs.decoder = d
+	return nil
+}

pkg/v2/tkr/webhook/infra-machine/fieldsetter/fieldsetter_test.go

@@ -0,0 +1,153 @@
+// Copyright 2022 VMware, Inc. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package fieldsetter
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	jsonpatch "gomodules.xyz/jsonpatch/v2"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/kubernetes/scheme"
+	ctrllog "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func TestAPIs(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Infra Machine webhook test")
+}
+
+var _ = Describe("Infra Machine webhook", func() {
+	var (
+		fieldPathMap           map[string]string
+		infraMachineObj        *unstructured.Unstructured
+		infraMachineAnnotation map[string]string
+
+		fs  *FieldSetter
+		err error
+	)
+	BeforeEach(func() {
+		fs = &FieldSetter{
+			Log:          ctrllog.Log,
+			FieldPathMap: map[string]string{},
+		}
+		decoder, err := admission.NewDecoder(scheme.Scheme)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(decoder).NotTo(BeNil())
+		err = fs.InjectDecoder(decoder)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	Describe("fieldSetter Handle tests", func() {
+		var req admission.Request
+		var resp admission.Response
+		BeforeEach(func() {
+			infraMachineObj = &unstructured.Unstructured{
+				Object: map[string]interface{}{
+					"spec": map[string]interface{}{
+						"image": map[string]interface{}{
+							"id": "image-id-to-be-replaced",
+						},
+					},
+				},
+			}
+			Expect(err).ToNot(HaveOccurred())
+		})
+		JustBeforeEach(func() {
+			infraMachineObj.SetAnnotations(infraMachineAnnotation)
+			req.Object.Raw, err = json.Marshal(infraMachineObj)
+
+			resp = fs.Handle(context.Background(), req)
+		})
+		Context("when the Infra machine annotations is not set", func() {
+			BeforeEach(func() {
+				infraMachineAnnotation = nil
+			})
+			It("should admit the request and should not set any fields(zero patches)", func() {
+				Expect(resp.Allowed).To(Equal(true))
+				Expect(len(resp.Patches)).To(Equal(0))
+				Expect(len(resp.Result.Reason)).To(Equal(0))
+			})
+		})
+		Context("when the Infra machine annotations doesn't have os Image reference annotation", func() {
+			BeforeEach(func() {
+				infraMachineAnnotation = map[string]string{
+					"fake-key": "fake-value",
+				}
+			})
+			It("should admit the request and should not set any fields(zero patches)", func() {
+				Expect(resp.Allowed).To(Equal(true))
+				Expect(len(resp.Patches)).To(Equal(0))
+				Expect(len(string(resp.Result.Reason))).To(Equal(0))
+			})
+		})
+		Context("when os Image reference annotation is not a valid yaml", func() {
+			BeforeEach(func() {
+				infraMachineAnnotation = map[string]string{
+					osImageRefAnnotationKey: "invalid_yaml",
+				}
+			})
+			It("should not admit the request with the message set and should not set any fields(zero patches)", func() {
+				Expect(resp.Allowed).To(Equal(false))
+				Expect(len(resp.Patches)).To(Equal(0))
+				Expect(resp.Result.Message).To(ContainSubstring("failed to unmarshal 'run.tanzu.vmware.com/os-image-ref' annotation"))
+			})
+		})
+		Context("when the os image reference annotation value's field doesn't have corresponding entry in the fieldPathMap", func() {
+			BeforeEach(func() {
+				infraMachineAnnotation = map[string]string{
+					osImageRefAnnotationKey: "id: image-value",
+				}
+				fieldPathMap = map[string]string{
+					"invalidID": "spec.image.id",
+				}
+				fs.FieldPathMap = fieldPathMap
+			})
+			It("should admit the request and should not set any fields(zero patches)", func() {
+				Expect(resp.Allowed).To(Equal(true))
+				Expect(len(resp.Patches)).To(Equal(0))
+			})
+		})
+		Context("when the fieldPathMap value has incorrect path", func() {
+			BeforeEach(func() {
+				infraMachineAnnotation = map[string]string{
+					osImageRefAnnotationKey: "id: image-value",
+				}
+				fieldPathMap = map[string]string{
+					"id": "wrong.path.id",
+				}
+				fs.FieldPathMap = fieldPathMap
+			})
+			It("should not admit the request with the message set and and should not set any fields(zero patches)", func() {
+				Expect(resp.Allowed).To(Equal(false))
+				Expect(len(resp.Patches)).To(Equal(0))
+				Expect(resp.Result.Message).To(ContainSubstring(`field path "wrong.path.id" doesn't exists in the request object`))
+			})
+		})
+		Context("when os image reference annotation value's field matches the fieldPathMap's field and has correct path", func() {
+			BeforeEach(func() {
+				infraMachineAnnotation = map[string]string{
+					osImageRefAnnotationKey: "id: image-value-updated",
+				}
+				fieldPathMap = map[string]string{
+					"id": "spec.image.id",
+				}
+				fs.FieldPathMap = fieldPathMap
+			})
+			It("should admit the request with patch to update the value ", func() {
+				Expect(resp.Allowed).To(Equal(true))
+				Expect(len(resp.Patches)).To(Equal(1))
+				Expect(resp.Patches[0]).To(Equal(jsonpatch.Operation{
+					Operation: "replace",
+					Path:      "/spec/image/id",
+					Value:     "image-value-updated"}))
+			})
+		})
+	})
+})