Updated podimagespec to support HCP

Requires getting kubeconfig to the KAS for the HCP, not the cluster
where the webbhook pod is running.

Author: jewzaam

build/resources.go

@@ -465,6 +465,14 @@ func createPackagedDeployment(replicas int32, phase string) *appsv1.Deployment {
 								},
 							},
 						},
+						{
+							Name: "hosted-kubeconfig",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: "service-network-admin-kubeconfig",
+								},
+							},
+						},
 					},
 					Containers: []corev1.Container{
 						{
@@ -484,6 +492,11 @@ func createPackagedDeployment(replicas int32, phase string) *appsv1.Deployment {
 									MountPath: "/service-ca",
 									ReadOnly:  true,
 								},
+								{
+									Name:      "hosted-kubeconfig",
+									MountPath: "/etc/hosted-kubernetes",
+									ReadOnly:  true,
+								},
 							},
 							Ports: []corev1.ContainerPort{
 								{
@@ -497,6 +510,12 @@ func createPackagedDeployment(replicas int32, phase string) *appsv1.Deployment {
 								"-cacert", "/service-ca/service-ca.crt",
 								"-tls",
 							},
+							Env: []corev1.EnvVar{
+								{
+									Name:  "KUBECONFIG",
+									Value: "/etc/hosted-kubernetes/kubeconfig",
+								},
+							},
 						},
 					},
 				},

config/package/resources.yaml.gotmpl

@@ -96,6 +96,9 @@ spec:
         - -cacert
         - /service-ca/service-ca.crt
         - -tls
+        env:
+        - name: KUBECONFIG
+          value: /etc/hosted-kubernetes/kubeconfig
         image: REPLACED_BY_PIPELINE
         imagePullPolicy: IfNotPresent
         name: webhooks
@@ -109,6 +112,9 @@ spec:
         - mountPath: /service-ca
           name: service-ca
           readOnly: true
+        - mountPath: /etc/hosted-kubernetes
+          name: hosted-kubeconfig
+          readOnly: true
       restartPolicy: Always
       tolerations:
       - effect: NoSchedule
@@ -130,6 +136,9 @@ spec:
       - configMap:
           name: webhook-cert
         name: service-ca
+      - name: hosted-kubeconfig
+        secret:
+          secretName: service-network-admin-kubeconfig
 status: {}
 ---
 apiVersion: admissionregistration.k8s.io/v1

pkg/dispatcher/dispatcher.go

@@ -66,9 +66,10 @@ func (d *Dispatcher) HandleRequest(w http.ResponseWriter, r *http.Request) {
 		// Valid AdmissionReview, but we can't do anything with it because we do not
 		// think the request inside is valid.
 		if !hook().Validate(request) {
+			err = fmt.Errorf("not a valid webhook request")
+			log.Error(err, "Error validaing HTTP Request Body")
 			responsehelper.SendResponse(w,
-				admissionctl.Errored(http.StatusBadRequest,
-					fmt.Errorf("Not a valid webhook request")))
+				admissionctl.Errored(http.StatusBadRequest, err))
 			return
 		}
 
@@ -83,5 +84,5 @@ func (d *Dispatcher) HandleRequest(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(404)
 	responsehelper.SendResponse(w,
 		admissionctl.Errored(http.StatusBadRequest,
-			fmt.Errorf("Request is not for a registered webhook")))
+			fmt.Errorf("request is not for a registered webhook")))
 }

pkg/k8sutil/k8sutil.go

@@ -7,6 +7,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -28,9 +29,28 @@ var (
 	ErrRunLocal     = fmt.Errorf("operator run mode forced to local")
 )
 
+func buildConfig(kubeconfig string) (*rest.Config, error) {
+	// Try loading KUBECONFIG env var.  If not set fallback on InClusterConfig
+
+	if kubeconfig != "" {
+		cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
+		if err != nil {
+			return nil, err
+		}
+		return cfg, nil
+	}
+
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+	return cfg, nil
+}
+
 // KubeClient creates a new kubeclient that interacts with the Kube api with the service account secrets
 func KubeClient(s *runtime.Scheme) (client.Client, error) {
-	config, err := rest.InClusterConfig()
+	// Try loading KUBECONFIG env var.  Else falls back on in-cluster config
+	config, err := buildConfig(os.Getenv("KUBECONFIG"))
 	if err != nil {
 		return nil, err
 	}

pkg/webhooks/podimagespec/podimagespec.go

@@ -4,15 +4,16 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"os"
 	"regexp"
 
 	"github.com/openshift/managed-cluster-validating-webhooks/pkg/k8sutil"
 	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
 
 	imagestreamv1 "github.com/openshift/api/image/v1"
-	configv1 "github.com/openshift/api/imageregistry/v1"
 	registryv1 "github.com/openshift/api/imageregistry/v1"
 	operatorv1 "github.com/openshift/api/operator/v1"
+	admissionv1 "k8s.io/api/admission/v1"
 	admissionregv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -57,8 +58,33 @@ type PodImageSpecWebhook struct {
 // NewWebhook creates the new webhook
 func NewWebhook() *PodImageSpecWebhook {
 	scheme := runtime.NewScheme()
-	configv1.Install(scheme)
-	imagestreamv1.Install(scheme)
+
+	err := admissionv1.AddToScheme(scheme)
+	if err != nil {
+		log.Error(err, "Fail adding admissionv1 scheme to PodImageSpecWebhook")
+		os.Exit(1)
+	}
+	err = admissionregv1.AddToScheme(scheme)
+	if err != nil {
+		log.Error(err, "Fail adding admissionregv1 scheme to PodImageSpecWebhook")
+		os.Exit(1)
+	}
+	err = corev1.AddToScheme(scheme)
+	if err != nil {
+		log.Error(err, "Fail adding corev1 scheme to PodImageSpecWebhook")
+		os.Exit(1)
+	}
+	err = imagestreamv1.AddToScheme(scheme)
+	if err != nil {
+		log.Error(err, "Fail adding imagestreamv1 scheme to PodImageSpecWebhook")
+		os.Exit(1)
+	}
+	err = registryv1.AddToScheme(scheme)
+	if err != nil {
+		log.Error(err, "Fail adding registryv1 scheme to PodImageSpecWebhook")
+		os.Exit(1)
+	}
+
 	return &PodImageSpecWebhook{
 		s: scheme,
 	}
@@ -84,6 +110,7 @@ func (s *PodImageSpecWebhook) authorized(request admissionctl.Request) admission
 	if s.kubeClient == nil {
 		s.kubeClient, err = k8sutil.KubeClient(s.s)
 		if err != nil {
+			log.Error(err, "Fail creating KubeClient for PodImageSpecWebhook")
 			ret = admissionctl.Errored(http.StatusBadRequest, err)
 			ret.UID = request.AdmissionRequest.UID
 			return ret