Initial module build (#1)

duckhawk · web-flow · commit bb372f06dd3c · 2025-05-27T09:02:06.000+03:00
Signed-off-by: v.oleynikov &lt;vasily.oleynikov@flant.com&gt;
diff --git a/.helmignore b/.helmignore
@@ -1,7 +1,12 @@
 crds
 docs
-images
+enabled
 hooks
+images
+lib
+Makefile
 openapi
-template_tests
-enabled
+*.md
+release.yaml
+werf*.yaml
+NOTES.txt
diff --git a/hooks/go/030-snapshot-validation-webhook-certs/webhook-certs.go b/hooks/go/030-snapshot-validation-webhook-certs/webhook-certs.go
@@ -35,5 +35,5 @@ var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLS
 		// %CLUSTER_DOMAIN%:// is a special value to generate SAN like 'svc_name.svc_namespace.svc.cluster.local'
 		fmt.Sprintf("%%CLUSTER_DOMAIN%%://%s.%s.svc", consts.WebhookCertCn, consts.ModuleNamespace),
 	}),
-	FullValuesPathPrefix: fmt.Sprintf("%s.internal.customWebhookCert", consts.ModuleName),
+	FullValuesPathPrefix: fmt.Sprintf("%s.internal.snapshotValidationWebhookCert", consts.ModuleName),
 })
diff --git a/hooks/go/consts/consts.go b/hooks/go/consts/consts.go
@@ -20,5 +20,5 @@ const (
 	ModuleName      	string = "snapshotController"
 	ModuleNamespace 	string = "d8-snapshot-controller"
 	ModulePluralName	string = "snapshot-controller"
-	WebhookCertCn   	string = "webhooks"
+	WebhookCertCn   	string = "snapshot-validation-webhook"
 )
diff --git a/hooks/go/go.mod b/hooks/go/go.mod
@@ -2,18 +2,7 @@ module github.com/deckhouse/snapshot-controller/hooks/go
 
 go 1.24.2
 
-require (
-	github.com/deckhouse/csi-ceph/api v0.0.0-20250207141553-9b2c9a45ba22
-	github.com/deckhouse/module-sdk v0.2.0
-	github.com/deckhouse/sds-common-lib v0.0.0-20250331104837-4ed70c9f1a83
-	github.com/google/go-cmp v0.7.0
-	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0
-	k8s.io/api v0.32.3
-	k8s.io/apiextensions-apiserver v0.32.2
-	k8s.io/apimachinery v0.32.3
-	k8s.io/client-go v0.32.3
-	sigs.k8s.io/controller-runtime v0.20.4
-)
+require github.com/deckhouse/module-sdk v0.2.0
 
 require (
 	github.com/DataDog/gostackparse v0.7.0 // indirect
@@ -42,6 +31,7 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/certificate-transparency-go v1.1.7 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-containerregistry v0.20.3 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -90,13 +80,16 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.32.3 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
+	k8s.io/apimachinery v0.32.3 // indirect
+	k8s.io/client-go v0.32.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+	sigs.k8s.io/controller-runtime v0.20.4 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
-
-replace github.com/deckhouse/csi-ceph/api => ../../api
diff --git a/hooks/go/go.sum b/hooks/go/go.sum
@@ -19,8 +19,6 @@ github.com/deckhouse/deckhouse/pkg/log v0.0.0-20250320042525-77d066cf8f00 h1:KRh
 github.com/deckhouse/deckhouse/pkg/log v0.0.0-20250320042525-77d066cf8f00/go.mod h1:pbAxTSDcPmwyl3wwKDcEB3qdxHnRxqTV+J0K+sha8bw=
 github.com/deckhouse/module-sdk v0.2.0 h1:MOK03UZ88T7T52bk+lmAz0bRJiljtN5ysq7y8FjEF3s=
 github.com/deckhouse/module-sdk v0.2.0/go.mod h1:fbs0X7myE8zrPKxs3eoIoFWf68E7r1tZ64uJfYJCsKc=
-github.com/deckhouse/sds-common-lib v0.0.0-20250331104837-4ed70c9f1a83 h1:TLrWAauXH4AdROgCwpTnTZqSxgAF+NMYpeIm+e9ZaqA=
-github.com/deckhouse/sds-common-lib v0.0.0-20250331104837-4ed70c9f1a83/go.mod h1:Ap+s6LamZwRMAuzhMVJkmsvQpI1O4yxgFgsTu7QQ5qI=
 github.com/docker/cli v28.0.2+incompatible h1:cRPZ77FK3/IXTAIQQj1vmhlxiLS5m+MIUDwS6f57lrE=
 github.com/docker/cli v28.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
@@ -105,8 +103,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0 h1:Q3jQ1NkFqv5o+F8dMmHd8SfEmlcwNeo1immFApntEwE=
-github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0/go.mod h1:E3vdYxHj2C2q6qo8/Da4g7P+IcwqRZyy3gJBzYybV9Y=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
diff --git a/hooks/go/main.go b/hooks/go/main.go
@@ -18,7 +18,7 @@ package main
 
 import (
 	"github.com/deckhouse/module-sdk/pkg/app"
-	_ "github.com/deckhouse/snapshot-controller/hooks/go/020-webhook-certs"
+	_ "github.com/deckhouse/snapshot-controller/hooks/go/030-snapshot-validation-webhook-certs"
 )
 
 func main() {
diff --git a/images/go-hooks/werf.inc.yaml b/images/go-hooks/werf.inc.yaml
@@ -0,0 +1,27 @@
+---
+image: {{ $.ImageName }}-artifact
+fromImage: builder/golang-alpine
+final: false
+
+git:
+  - add: /hooks/go
+    to: /usr/src/app/hooks/go
+    stageDependencies:
+      install:
+        - '**/go.mod'
+        - '**/go.sum'
+      beforeSetup:
+        - '**/*.go'
+
+mount:
+- fromPath: ~/go-pkg-cache
+  to: /go/pkg
+
+shell:
+  install:
+    - cd /usr/src/app/hooks/go
+    - go mod download
+  beforeSetup:
+    - |
+      cd /usr/src/app/hooks/go;
+      CGO_ENABLED=0 go build -a -gcflags=all="-l -B" -ldflags="-w -s" -o /usr/local/bin/go-hooks *.go;
diff --git a/images/snapshot-controller/patches/001-go-mod.patch b/images/snapshot-controller/patches/001-go-mod.patch
@@ -0,0 +1,57 @@
+diff --git a/go.mod b/go.mod
+index 459123086..575dc5706 100644
+--- a/go.mod
++++ b/go.mod
+@@ -60,11 +60,11 @@ require (
+ 	go.opentelemetry.io/otel v1.29.0 // indirect
+ 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+ 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+-	golang.org/x/net v0.28.0 // indirect
++	golang.org/x/net v0.33.0 // indirect
+ 	golang.org/x/oauth2 v0.22.0 // indirect
+-	golang.org/x/sys v0.24.0 // indirect
+-	golang.org/x/term v0.23.0 // indirect
+-	golang.org/x/text v0.17.0 // indirect
++	golang.org/x/sys v0.28.0 // indirect
++	golang.org/x/term v0.27.0 // indirect
++	golang.org/x/text v0.21.0 // indirect
+ 	golang.org/x/time v0.6.0 // indirect
+ 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect
+ 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+diff --git a/go.sum b/go.sum
+index dcae10efe..af07cd6b2 100644
+--- a/go.sum
++++ b/go.sum
+@@ -138,8 +138,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
+ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+ golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+ golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+@@ -152,15 +152,15 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
+ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
+-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+ golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+ golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/images/snapshot-controller/patches/README.md b/images/snapshot-controller/patches/README.md
@@ -0,0 +1,3 @@
+# 001-go-mod.patch
+
+This patch fixes CVE in original CSI
diff --git a/images/snapshot-controller/werf.inc.yaml b/images/snapshot-controller/werf.inc.yaml
@@ -16,11 +16,12 @@ git:
 
 shell:
   install:
-    - cd /src
-    - git clone --depth 1 --branch {{ $.Versions.SNAPSHOT_CONTROLLER }} {{ env "SOURCE_REPO" }}/kubernetes-csi/external-snapshotter.git .
-    - for patchfile in /patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
-    - rm -rf vendor
-    - rm -rf .git
+    - git clone --depth 1 --branch {{ $.Versions.SNAPSHOT_CONTROLLER }} {{ env "SOURCE_REPO" }}/kubernetes-csi/external-snapshotter.git /src/snapshot-controller
+    - cd /src/snapshot-controller
+    - for patchfile in /src/images/{{ $.ImageName }}/patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
+    - rm -rf /src/images/{{ $.ImageName }}/patches
+    - rm -rf /src/snapshot-controller/vendor
+    - rm -rf /src/snapshot-controller/.git
 
 ---
 image: {{ $.ImageName }}-golang-artifact
@@ -43,7 +44,7 @@ shell:
   install:
     - export GO_VERSION={{ env "GOLANG_VERSION" }} CGO_ENABLED=0 GOOS=linux GOARCH=amd64
     - export GOPROXY={{ env "GOPROXY" }}
-    - cd /src
+    - cd /src/snapshot-controller
     - make build
     - cp bin/snapshot-controller bin/csi-snapshotter bin/snapshot-validation-webhook /
     - chown 64535:64535 /snapshot-controller /csi-snapshotter /snapshot-validation-webhook
diff --git a/images/snapshot-validation-webhook/patches/001-go-mod.patch b/images/snapshot-validation-webhook/patches/001-go-mod.patch
@@ -0,0 +1,57 @@
+diff --git a/go.mod b/go.mod
+index 459123086..575dc5706 100644
+--- a/go.mod
++++ b/go.mod
+@@ -60,11 +60,11 @@ require (
+ 	go.opentelemetry.io/otel v1.29.0 // indirect
+ 	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+ 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+-	golang.org/x/net v0.28.0 // indirect
++	golang.org/x/net v0.33.0 // indirect
+ 	golang.org/x/oauth2 v0.22.0 // indirect
+-	golang.org/x/sys v0.24.0 // indirect
+-	golang.org/x/term v0.23.0 // indirect
+-	golang.org/x/text v0.17.0 // indirect
++	golang.org/x/sys v0.28.0 // indirect
++	golang.org/x/term v0.27.0 // indirect
++	golang.org/x/text v0.21.0 // indirect
+ 	golang.org/x/time v0.6.0 // indirect
+ 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect
+ 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+diff --git a/go.sum b/go.sum
+index dcae10efe..af07cd6b2 100644
+--- a/go.sum
++++ b/go.sum
+@@ -138,8 +138,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
+ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+-golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+-golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
++golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
++golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+ golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+ golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+@@ -152,15 +152,15 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
+ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+-golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+-golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
++golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
++golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+-golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
+-golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk=
++golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
++golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
++golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
++golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+ golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+ golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
diff --git a/images/snapshot-validation-webhook/patches/README.md b/images/snapshot-validation-webhook/patches/README.md
@@ -0,0 +1,3 @@
+# 001-go-mod.patch
+
+This patch fixes CVE in original CSI
diff --git a/images/snapshot-validation-webhook/werf.inc.yaml b/images/snapshot-validation-webhook/werf.inc.yaml
@@ -1,16 +1,63 @@
-{{- $versions := list }}
-{{- range $key, $value := .CandiVersionMap.k8s }}
-  {{- $versions = append $versions (toString $key) }}
-{{- end }}
-{{- $version := $versions | sortAlpha | last }}
 ---
-image: {{ $.ModuleName }}/{{ $.ImageName }}
-fromImage: common/distroless
+image: {{ $.ImageName }}-src-artifact
+fromImage: builder/src
+final: false
+
+git:
+  - add: /
+    to: /src
+    includePaths:
+      - images/{{ $.ImageName }}
+    stageDependencies:
+      install:
+        - '**/*'
+    excludePaths:
+      - images/{{ $.ImageName }}/werf.yaml
+
+shell:
+  install:
+    - git clone --depth 1 --branch {{ $.Versions.SNAPSHOT_CONTROLLER }} {{ env "SOURCE_REPO" }}/kubernetes-csi/external-snapshotter.git /src/snapshot-controller
+    - cd /src/snapshot-controller
+    - for patchfile in /src/images/{{ $.ImageName }}/patches/*.patch ; do echo -n "Apply ${patchfile} ... "; git apply ${patchfile}; done
+    - rm -rf /src/images/{{ $.ImageName }}/patches
+    - rm -rf /src/snapshot-controller/vendor
+    - rm -rf /src/snapshot-controller/.git
+
+---
+image: {{ $.ImageName }}-golang-artifact
+fromImage: builder/golang-alpine
+final: false
+
+import:
+- image: {{ $.ImageName }}-src-artifact
+  add: /src
+  to: /src
+  before: install
+
+mount:
+  - fromPath: ~/go-pkg-cache
+    to: /go/pkg
+
+shell:
+  beforeInstall:    
+    - apk add --no-cache make bash git
+  install:
+    - export GO_VERSION={{ env "GOLANG_VERSION" }} CGO_ENABLED=0 GOOS=linux GOARCH=amd64
+    - export GOPROXY={{ env "GOPROXY" }}
+    - cd /src/snapshot-controller
+    - make build
+    - cp bin/snapshot-controller bin/csi-snapshotter bin/snapshot-validation-webhook /
+    - chown 64535:64535 /snapshot-controller /csi-snapshotter /snapshot-validation-webhook
+    - chmod 0755 /snapshot-controller /csi-snapshotter /snapshot-validation-webhook
+
+---
+image: {{ $.ImageName }}
+fromImage: base/distroless
 import:
-  - image: common/csi-external-snapshotter-artifact-{{ $version | replace "." "-" }}
-    add: /snapshot-validation-webhook
-    to: /snapshot-validation-webhook
-    before: setup
+- image: {{ $.ImageName }}-golang-artifact
+  add: /snapshot-validation-webhook
+  to: /snapshot-validation-webhook
+  before: setup
 imageSpec:
   config:
     entrypoint: ["/snapshot-validation-webhook"]
diff --git a/lib/python/requirements.txt b/lib/python/requirements.txt
@@ -0,0 +1,4 @@
+deckhouse==0.4.9
+dotmap==1.3.30
+kubernetes==28.1.0
+PyYAML==6.0.1
diff --git a/module.yaml b/module.yaml
@@ -1,13 +1,12 @@
 name: snapshot-controller
-weight: 37
+weight: 900
 subsystems:
   - storage
   - infrastructure
 namespace: d8-snapshot-controller
-description: |
-  This module enables snapshot support for compatible CSI-drivers in the Kubernetes cluster.
 descriptions:
   en: |
     This module enables snapshot support for compatible CSI-drivers in the Kubernetes cluster.
 requirements:
   bootstrapped: true
+  deckhouse: ">= 1.67"
diff --git a/openapi/values.yaml b/openapi/values.yaml
@@ -11,7 +11,7 @@ properties:
         default: []
         items:
           type: string
-      customWebhookCert:
+      snapshotValidationWebhookCert:
         type: object
         default: {}
         x-required-for-helm:
diff --git a/templates/snapshot-validation-webhook/secret.yaml b/templates/snapshot-validation-webhook/secret.yaml
diff --git a/templates/snapshot-validation-webhook/webhook.yaml b/templates/snapshot-validation-webhook/webhook.yaml
diff --git a/werf.yaml b/werf.yaml
diff --git a/werf_cleanup.yaml b/werf_cleanup.yaml

Original file line number	Diff line number	Diff line change
`@@ -20,5 +20,5 @@ const (`
`20`	`20`	`ModuleName string = "snapshotController"`
`21`	`21`	`ModuleNamespace string = "d8-snapshot-controller"`
`22`	`22`	`ModulePluralName string = "snapshot-controller"`
`23`		`- WebhookCertCn string = "webhooks"`
	`23`	`+ WebhookCertCn string = "snapshot-validation-webhook"`
`24`	`24`	`)`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ package main`
`18`	`18`
`19`	`19`	`import (`
`20`	`20`	`"github.com/deckhouse/module-sdk/pkg/app"`
`21`		`- _ "github.com/deckhouse/snapshot-controller/hooks/go/020-webhook-certs"`
	`21`	`+ _ "github.com/deckhouse/snapshot-controller/hooks/go/030-snapshot-validation-webhook-certs"`
`22`	`22`	`)`
`23`	`23`
`24`	`24`	`func main() {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# 001-go-mod.patch`
	`2`	`+`
	`3`	`+This patch fixes CVE in original CSI`