dynamic admission hook sample (#24)

Author: csviri

README.md

@@ -40,6 +40,16 @@ class JUnitExtensionTest {
 }
 ```
 
+### Testing Mutation and Validation Webhooks
+
+An additional benefits os running K8S API Server this way, is that it makes easy to test 
+[Conversion Hooks]()https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#webhook-conversion 
+and/or
+[Dynamic Admission Controllers](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)
+
+You would probably use some additional framework to implement those hooks, like [kubernetes-webooks-framework](https://github.com/java-operator-sdk/kubernetes-webooks-framework)
+with Quarkus or Spring. However, we demonstrate how it works in [this test](https://github.com/csviri/jenvtest/blob/main/src/test/java/com/csviri/jenvtest/KubernetesMutationHookHandlingTest.java)
+
 ### Download binaries
 
 Binaries are downloaded automatically under $JENVTEST_DIR/k8s/[target-platform-and-version].

pom.xml

@@ -32,6 +32,8 @@
         <impsort-maven-plugin.version>1.8.0</impsort-maven-plugin.version>
         <formatter-maven-plugin.version>2.22.0</formatter-maven-plugin.version>
         <directory-maven-plugin.version>1.0</directory-maven-plugin.version>
+        <jetty.version>11.0.14</jetty.version>
+        <kubernetes.webhooks.framework.version>1.0.0</kubernetes.webhooks.framework.version>
     </properties>
 
     <dependencyManagement>
@@ -112,11 +114,23 @@
             <version>${assertj.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-server</artifactId>
+            <version>${jetty.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-jdk18on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.javaoperatorsdk</groupId>
+            <artifactId>kubernetes-webhooks-framework-core</artifactId>
+            <version>${kubernetes.webhooks.framework.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
 

src/main/java/com/csviri/jenvtest/CertManager.java

@@ -80,7 +80,7 @@ private void generateUserCertificates() {
   }
 
 
-  private static void generateKeyAndCertificate(String dirName, File keyFile, File certFile,
+  public static void generateKeyAndCertificate(String dirName, File keyFile, File certFile,
       GeneralName... generalNames) {
     try {
       KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");

src/main/java/com/csviri/jenvtest/process/EtcdProcess.java

@@ -15,7 +15,7 @@ public class EtcdProcess {
 
   private static final Logger log = LoggerFactory.getLogger(EtcdProcess.class);
   private static final Logger etcdLog =
-      LoggerFactory.getLogger(EtcdProcess.class.getName() + ".etcdProcess");
+      LoggerFactory.getLogger(EtcdProcess.class.getName() + ".EtcdProcessLogs");
 
   private final BinaryManager binaryManager;
 

src/main/java/com/csviri/jenvtest/process/KubeAPIServerProcess.java

@@ -14,7 +14,7 @@ public class KubeAPIServerProcess {
 
   private static final Logger log = LoggerFactory.getLogger(KubeAPIServerProcess.class);
   private static final Logger apiLog = LoggerFactory.getLogger(KubeAPIServerProcess.class
-      .getName() + ".apiServerProcess");
+      .getName() + ".APIServerProcessLogs");
 
   private final CertManager certManager;
   private final BinaryManager binaryManager;

src/test/java/com/csviri/jenvtest/KubernetesMutationHookHandlingTest.java

@@ -0,0 +1,208 @@
+package com.csviri.jenvtest;
+
+import java.io.*;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+import java.util.HashMap;
+
+import org.apache.commons.io.FileUtils;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.eclipse.jetty.server.*;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+import org.eclipse.jetty.util.ssl.SslContextFactory;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.fabric8.kubernetes.api.model.admission.v1.AdmissionReview;
+import io.fabric8.kubernetes.api.model.admissionregistration.v1.MutatingWebhookConfiguration;
+import io.fabric8.kubernetes.api.model.networking.v1.*;
+import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.KubernetesClientBuilder;
+import io.fabric8.kubernetes.client.utils.Serialization;
+import io.javaoperatorsdk.webhook.admission.AdmissionController;
+
+import com.csviri.jenvtest.junit.EnableKubeAPIServer;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Test demonstrates how to test locally Mutating Webhooks, in real like you implementation such an
+ * endpoint would be simpler, using frameworks like
+ * <a href="https://github.com/java-operator-sdk/kubernetes-webooks-framework">Kubernetes Webhook
+ * Framework</a> with combination of Quarkus or Spring.
+ */
+@EnableKubeAPIServer
+class KubernetesMutationHookHandlingTest {
+
+  private static final Logger log =
+      LoggerFactory.getLogger(KubernetesMutationHookHandlingTest.class);
+
+  public static final String PASSWORD = "secret";
+  public static final String TEST_LABEL_KEY = "test-label";
+  public static final String TEST_LABEL_VALUE = "mutation-test";
+
+  static File certFile = new File("target", "mutation.crt");
+  // server that handles mutation hooks
+  static Server server = new Server();
+
+  // using https://github.com/java-operator-sdk/kubernetes-webooks-framework framework to implement
+  // the response
+  static AdmissionController<Ingress> mutationController =
+      new AdmissionController<>((resource, operation) -> {
+        if (resource.getMetadata().getLabels() == null) {
+          resource.getMetadata().setLabels(new HashMap<>());
+        }
+        resource.getMetadata().getLabels().putIfAbsent(TEST_LABEL_KEY, TEST_LABEL_VALUE);
+        return resource;
+      });
+
+  @Test
+  void handleMutatingWebhook() {
+    var client = new KubernetesClientBuilder().build();
+    applyConfig(client);
+
+    var ingress = client.resource(testIngress()).create();
+
+    assertThat(ingress.getMetadata().getLabels()).containsEntry(TEST_LABEL_KEY, TEST_LABEL_VALUE);
+  }
+
+  @BeforeAll
+  static void startWebhookServer() throws Exception {
+    initServerConfigs();
+    server.setHandler(new AbstractHandler() {
+      @Override
+      public void handle(String s, Request request, HttpServletRequest httpServletRequest,
+          HttpServletResponse httpServletResponse) {
+        try {
+          request.setHandled(true);
+          AdmissionReview admissionReview =
+              Serialization.unmarshal(httpServletRequest.getInputStream());
+
+          var response = mutationController.handle(admissionReview);
+
+          var out = httpServletResponse.getWriter();
+          httpServletResponse.setContentType("application/json");
+          httpServletResponse.setCharacterEncoding(StandardCharsets.UTF_8.toString());
+          httpServletResponse.setStatus(HttpServletResponse.SC_OK);
+          out.println(Serialization.asJson(response));
+        } catch (Exception e) {
+          log.error("Error in webhook", e);
+          throw new RuntimeException(e);
+        }
+      }
+    });
+    server.start();
+  }
+
+  @AfterAll
+  static void stopWebhookServer() throws Exception {
+    server.stop();
+  }
+
+  private void applyConfig(KubernetesClient client) {
+    try (var resource =
+        KubernetesMutationHookHandlingTest.class
+            .getResourceAsStream("/MutatingWebhookConfig.yaml")) {
+      MutatingWebhookConfiguration hook =
+          (MutatingWebhookConfiguration) client.load(resource).items().get(0);
+      String cert = FileUtils.readFileToString(certFile, StandardCharsets.UTF_8);
+
+      hook.getWebhooks().get(0).getClientConfig()
+          .setCaBundle(new String(Base64.getEncoder().encode(cert.getBytes())));
+
+      client.resource(hook).create();
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private static void initServerConfigs() {
+    HttpConfiguration httpConfig = new HttpConfiguration();
+    httpConfig.addCustomizer(new SecureRequestCustomizer());
+    HttpConnectionFactory http11 = new HttpConnectionFactory(httpConfig);
+
+    SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
+    var keyFile = new File("target", "mutation.key");
+
+    // certificates are generated in pem format, since are used also as an input for
+    // MutatingWebhookConfiguration CA Bundle
+    CertManager.generateKeyAndCertificate("CN=example.org", keyFile, certFile,
+        new GeneralName(GeneralName.iPAddress, "127.0.0.1"));
+    sslContextFactory.setKeyStore(createKeyStoreFrom(keyFile, certFile));
+    sslContextFactory.setKeyStorePassword(PASSWORD);
+    SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, http11.getProtocol());
+
+    ServerConnector connector = new ServerConnector(server, tls, http11);
+    connector.setPort(8443);
+    server.addConnector(connector);
+  }
+
+  /** Creates Keystore from generated Certificate/Key Pem files */
+  private static KeyStore createKeyStoreFrom(File keyPem, File certPem) {
+    try (var certReader = new PEMParser(new InputStreamReader(new FileInputStream(certPem)));
+        var keyReader = new PEMParser(new InputStreamReader(new FileInputStream(keyPem)))) {
+      var certConverter = new JcaX509CertificateConverter();
+      X509Certificate cert =
+          certConverter.getCertificate((X509CertificateHolder) certReader.readObject());
+
+      JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter();
+      PrivateKey key =
+          keyConverter.getPrivateKey(((PEMKeyPair) keyReader.readObject()).getPrivateKeyInfo());
+
+      KeyStore keystore = KeyStore.getInstance("JKS");
+      keystore.load(null);
+      keystore.setCertificateEntry("cert-alias", cert);
+      keystore.setKeyEntry("key-alias", key, PASSWORD.toCharArray(), new Certificate[] {cert});
+
+      return keystore;
+    } catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static Ingress testIngress() {
+    return new IngressBuilder()
+        .withNewMetadata()
+        .withName("test1")
+        .endMetadata()
+        .withSpec(new IngressSpecBuilder()
+            .withIngressClassName("sample")
+            .withRules(new IngressRuleBuilder()
+                .withHttp(new HTTPIngressRuleValueBuilder()
+                    .withPaths(new HTTPIngressPathBuilder()
+                        .withPath("/test")
+                        .withPathType("Prefix")
+                        .withBackend(new IngressBackendBuilder()
+                            .withService(new IngressServiceBackendBuilder()
+                                .withName("service")
+                                .withPort(new ServiceBackendPortBuilder()
+                                    .withNumber(80)
+                                    .build())
+                                .build())
+                            .build())
+                        .build())
+                    .build())
+                .build())
+            .build())
+        .build();
+  }
+
+}

src/test/resources/MutatingWebhookConfig.yaml

@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: "mutating.jenvtest.example.com"
+webhooks:
+  - name: "mutating.jenvtest.example.com"
+    rules:
+      - apiGroups:   ["networking.k8s.io"]
+        apiVersions: ["v1"]
+        operations:  ["*"]
+        resources:   ["ingresses"]
+        scope:       "Namespaced"
+    clientConfig:
+      url: "https://127.0.0.1:8443/mutate"
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 10

src/test/resources/log4j2.xml

@@ -6,7 +6,9 @@
     </Console>
   </Appenders>
   <Loggers>
-    <Root level="debug">
+    <Logger name="com.csviri.jenvtest" level="debug">
+    </Logger>
+    <Root level="error">
       <AppenderRef ref="Console"/>
     </Root>
   </Loggers>