Diffstat (limited to 'webhook')
-rw-r--r--webhook/BUILD28
-rw-r--r--webhook/pkg/cli/BUILD17
-rw-r--r--webhook/pkg/cli/cli_state_autogen.go3
-rw-r--r--webhook/pkg/injector/BUILD34
-rw-r--r--webhook/pkg/injector/certs.go97
-rwxr-xr-xwebhook/pkg/injector/gencerts.sh71
-rw-r--r--webhook/pkg/injector/injector_state_autogen.go3
7 files changed, 103 insertions, 150 deletions
diff --git a/webhook/BUILD b/webhook/BUILD
deleted file mode 100644
index 33c585504..000000000
--- a/webhook/BUILD
+++ /dev/null
@@ -1,28 +0,0 @@
-load("//images:defs.bzl", "docker_image")
-load("//tools:defs.bzl", "go_binary", "pkg_tar")
-
-package(licenses = ["notice"])
-
-docker_image(
- name = "webhook_image",
- data = ":files",
- statements = ['ENTRYPOINT ["/webhook"]'],
-)
-
-# files is the full file system of the webhook container. It is simply:
-# /
-# └─ webhook
-pkg_tar(
- name = "files",
- srcs = [":webhook"],
- extension = "tgz",
- strip_prefix = "/third_party/gvisor/webhook",
-)
-
-go_binary(
- name = "webhook",
- srcs = ["main.go"],
- pure = "on",
- static = "on",
- deps = ["//webhook/pkg/cli"],
-)
diff --git a/webhook/pkg/cli/BUILD b/webhook/pkg/cli/BUILD
deleted file mode 100644
index ac093c556..000000000
--- a/webhook/pkg/cli/BUILD
+++ /dev/null
@@ -1,17 +0,0 @@
-load("//tools:defs.bzl", "go_library")
-
-package(licenses = ["notice"])
-
-go_library(
- name = "cli",
- srcs = ["cli.go"],
- visibility = ["//:sandbox"],
- deps = [
- "//pkg/log",
- "//webhook/pkg/injector",
- "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
- "@io_k8s_apimachinery//pkg/util/net:go_default_library",
- "@io_k8s_client_go//kubernetes:go_default_library",
- "@io_k8s_client_go//rest:go_default_library",
- ],
-)
diff --git a/webhook/pkg/cli/cli_state_autogen.go b/webhook/pkg/cli/cli_state_autogen.go
new file mode 100644
index 000000000..e81991e0b
--- /dev/null
+++ b/webhook/pkg/cli/cli_state_autogen.go
@@ -0,0 +1,3 @@
+// automatically generated by stateify.
+
+package cli
diff --git a/webhook/pkg/injector/BUILD b/webhook/pkg/injector/BUILD
deleted file mode 100644
index d296981be..000000000
--- a/webhook/pkg/injector/BUILD
+++ /dev/null
@@ -1,34 +0,0 @@
-load("//tools:defs.bzl", "go_library")
-
-package(licenses = ["notice"])
-
-go_library(
- name = "injector",
- srcs = [
- "certs.go",
- "webhook.go",
- ],
- visibility = ["//:sandbox"],
- deps = [
- "//pkg/log",
- "@com_github_mattbaird_jsonpatch//:go_default_library",
- "@io_k8s_api//admission/v1beta1:go_default_library",
- "@io_k8s_api//admissionregistration/v1beta1:go_default_library",
- "@io_k8s_api//core/v1:go_default_library",
- "@io_k8s_apimachinery//pkg/api/errors:go_default_library",
- "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
- "@io_k8s_client_go//kubernetes:go_default_library",
- ],
-)
-
-genrule(
- name = "certs",
- srcs = [":gencerts"],
- outs = ["certs.go"],
- cmd = "$$(cut -d ' ' -f 1 <<< \"$(locations :gencerts)\") $@",
-)
-
-sh_binary(
- name = "gencerts",
- srcs = ["gencerts.sh"],
-)
diff --git a/webhook/pkg/injector/certs.go b/webhook/pkg/injector/certs.go
new file mode 100644
index 000000000..96a270137
--- /dev/null
+++ b/webhook/pkg/injector/certs.go
@@ -0,0 +1,97 @@
+package injector
+
+// This file was generated using openssl by the gencerts.sh script.
+
+var caKey = []byte(`-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----`)
+
+var caCert = []byte(`-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----`)
+
+var serverKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvjyW06g28A1Jarin5OSG4wR0uvUteE3+ZTgawezJvdi4T4RW
+zcz1TKvgHBg4zI20SqjLS8m85fIWrmL0xnRYeQR9cK5S9DFvjbSbYmH98/WeDsVF
+iY3G4NnnAZDb9HegXdZLWiAXAE64mVhCFPw1obsRYPVTN+ZbNp3UELB5HC2YrLCR
+XXPLh5YERPpPCmO19FRCKayusHz0YuAGf9+W7oz2gSmnlgymJoO2mDqgNxw1uM20
+2ogB0+QV2phpGQGvVh6ZsilwLMFEwdtAJn331EmslkbXdxROd1g38ERFP0tsAclT
+MuOufhaFU7PkHygdCgUlxmHrOPGt3swVXbmBOwIDAQABAoIBAQCi8HhrP4gWofrB
+GvpLFeXmqhllTLyub3c2sRBSC4NcRTTQftRun193VTu2NJTpt3G2BM9j0Z4nAeyl
+XwKyvFJPDSZ4DgflOjaHFCuG39HJVBYWJqeBwtqWGm0/LRkIUjIcTYDq59NrowF/
+7lVjbgZtyTGAb3/gwEBeDl7mEJEbLQPJBgSjU4NIDnds7XdwshUtkWUePOP2qwy/
+FWHqHZPyfNnqBqX5/Fr9zd5NiQw5XrpM6OKkEV+mXTwaccapmh5qqZHLX6Hwe5jO
+NtXmXtSHAmLZPF6hrmd+gdX9DEqkKvPIes99ZOMWrBEeAy5kHIcb9pOVtSPpwxlV
+vcBf4IChAoGBAOxvN3eIDG6spmtqeh0ynTRpWPytJJuIO2ylJ1IuA6pnxPEQGvue
+4JBVYDvsmoop8B0OTYXC1I8DWagmH276b7guUQwtXI8cudkBavu7ekqa+BqFh/Yy
+UoF8xFI31uw9k7VEmPEa3yTiRy+gtsQniIrvFKEhvTDpxKijg/kxtBbRAoGBAM36
+sEWhy5xp5erUFaFOxKQte2vMEX1An4kzK4NKg6c92WQHauoT9Qn2lhdPt/UYPInv
+Rg+qbKfXhNugPgfkBIXjtW8tZ1TbC8w6OfM030dsSKC9E28crtLAwJ3F4S8HZJMJ
+ZNSHAwaZLqp3dTsdfFt7EI3IAfGMNKnertPt4jJLAoGADwPZH+wx7e1k/Dlc2/HU
+7fkqv5E3W/FA5NtwLdXiQbYpWa3OKOCkHkZtwCB8h/211AKOhcojuZla3kTdhiy9
+X5MBbqaK1EPcwZ1HcAkt8QL6cqS8R7RWbQbBaP9G1OXsNXzPwbAVL8B3CN1J/hcM
+otYgF0OPQkX2SUdpIDA54aECgYAKy8fvbmKIqThGzaTwlntSC5w7cy+7e+agv1DZ
+ic9KtcAuMQFWkYM3aXhGcoQ20XVi2Wq3qXwWdAJfrI9zxGzEQ8IfuKaA2RZONwMQ
+j0XgrXlFC4P4P+2d2EKAQn3iBCYuWsCxLv5mmyLKBobbeVkqRlIAzGnlqi6cdLJ/
+IynG7wKBgQDGYvQLBIN7StLBlVVZAbTaDGloNXo2jifFbbHu1yh1UvFhtZFglz/r
+WXCZxvzaMKxnuMZs2PpggM/tgaoxOWPpFtI4gaUFD5+CgikjWpApM93yP4Zvnwo0
+4EiHPQQiQ6yBgVOHckKRYMJs38dUt433kq9g0HDMkc+ajfKNw5yZMA==
+-----END RSA PRIVATE KEY-----`)
+
+var serverCert = []byte(`-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----`)
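Review bot: `caKey` and `serverKey` in certs.go are RSA private keys committed as byte literals, so every build of the webhook carries the same CA and server key, and anyone who can read the repository or the binary holds them. The gencerts.sh deleted in this same commit issued them with `-days 100000` for CN `gvisor-injection-admission-webhook.e2e.svc`, which suggests test-only material; if that is the intent, state it at the top of the file, e.g. `// Test-only key material for the e2e webhook service; never trust this CA outside a test cluster.` The existing header still points to gencerts.sh, which this diff removes under webhook/, so it should also say where the generator now lives or how to regenerate. For any non-test deployment the server key and certificate should be loaded at startup from a mounted secret instead of these variables. Whether `caKey` is needed at runtime is not visible here; if it is not, it should be left out of the package.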
diff --git a/webhook/pkg/injector/gencerts.sh b/webhook/pkg/injector/gencerts.sh
deleted file mode 100755
index f7fda4b63..000000000
--- a/webhook/pkg/injector/gencerts.sh
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash
-
-# Copyright 2020 The gVisor Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# Generates the a CA cert, a server key, and a server cert signed by the CA.
-# reference:
-# https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/testcerts/gencerts.sh
-set -euo pipefail
-
-# Do all the work in TMPDIR, then copy out generated code and delete TMPDIR.
-declare -r OUTDIR="$(readlink -e .)"
-declare -r TMPDIR="$(mktemp -d)"
-cd "${TMPDIR}"
-function cleanup() {
- cd "${OUTDIR}"
- rm -rf "${TMPDIR}"
-}
-trap cleanup EXIT
-
-declare -r CN_BASE="e2e"
-declare -r CN="gvisor-injection-admission-webhook.e2e.svc"
-
-cat > server.conf << EOF
-[req]
-req_extensions = v3_req
-distinguished_name = req_distinguished_name
-[req_distinguished_name]
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-extendedKeyUsage = clientAuth, serverAuth
-EOF
-
-declare -r OUTFILE="${TMPDIR}/certs.go"
-
-# We depend on OpenSSL being present.
-
-# Create a certificate authority.
-openssl genrsa -out caKey.pem 2048
-openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca" -config server.conf
-
-# Create a server certificate.
-openssl genrsa -out serverKey.pem 2048
-# Note the CN is the DNS name of the service of the webhook.
-openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN}" -config server.conf
-openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
-
-echo "package injector" > "${OUTFILE}"
-echo "" >> "${OUTFILE}"
-echo "// This file was generated using openssl by the gencerts.sh script." >> "${OUTFILE}"
-for file in caKey caCert serverKey serverCert; do
- DATA=$(cat "${file}.pem")
- echo "" >> "${OUTFILE}"
- echo "var $file = []byte(\`$DATA\`)" >> "${OUTFILE}"
-done
-
-# Copy generated code into the output directory.
-cp "${OUTFILE}" "${OUTDIR}/$1"
diff --git a/webhook/pkg/injector/injector_state_autogen.go b/webhook/pkg/injector/injector_state_autogen.go
new file mode 100644
index 000000000..2c994b7c9
--- /dev/null
+++ b/webhook/pkg/injector/injector_state_autogen.go
@@ -0,0 +1,3 @@
+// automatically generated by stateify.
+
+package injector