remove panics

Signed-off-by: Lukas Hoehl <lukas.hoehl@stackit.cloud>

Author: hown3d

pkg/controller/actuator.go

@@ -309,9 +309,12 @@ func (a *actuator) createSeedResources(
 		return err
 	}
 
-	vpnEnvoyFilterSpec := envoyfilters.BuildVPNEnvoyFilterSpecForHelmChart(
+	vpnEnvoyFilterSpec, err := envoyfilters.BuildVPNEnvoyFilterSpecForHelmChart(
 		cluster, spec.Rule, alwaysAllowedCIDRs, istioLabels,
 	)
+	if err != nil {
+		return err
+	}
 
 	cfg := map[string]interface{}{
 		"shootName":          cluster.Shoot.Status.TechnicalID,
@@ -323,13 +326,17 @@ func (a *actuator) createSeedResources(
 	defaultLabels, err := a.findDefaultIstioLabels(ctx)
 	if client.IgnoreNotFound(err) != nil {
 		return err
-	} else if err == nil {
-		// The `nginx-ingress-controller` Gateway object only exists in g/g@v1.89, (introduced with
-		// https://github.com/gardener/gardener/pull/9038).
-		// If it doesn't exist yet, we can't apply ACLs to shoot ingresses.
-		ingressEnvoyFilterSpec := envoyfilters.BuildIngressEnvoyFilterSpecForHelmChart(
-			cluster, spec.Rule, alwaysAllowedCIDRs, defaultLabels)
+	}
+	// The `nginx-ingress-controller` Gateway object only exists in g/g@v1.89, (introduced with
+	// https://github.com/gardener/gardener/pull/9038).
+	// If it doesn't exist yet, we can't apply ACLs to shoot ingresses.
+	ingressEnvoyFilterSpec, err := envoyfilters.BuildIngressEnvoyFilterSpecForHelmChart(
+		cluster, spec.Rule, alwaysAllowedCIDRs, defaultLabels)
+	if err != nil {
+		return err
+	}
 
+	if ingressEnvoyFilterSpec != nil {
 		cfg["ingressEnvoyFilterSpec"] = ingressEnvoyFilterSpec
 	}
 

pkg/envoyfilters/envoyfilters.go

@@ -38,14 +38,14 @@ type ACLRule struct {
 	Type string `json:"type"`
 }
 
-func (r *ACLRule) actionProto() envoy_rbacv3.RBAC_Action {
+func (r *ACLRule) actionProto() (envoy_rbacv3.RBAC_Action, error) {
 	switch r.Action {
 	case "DENY":
-		return envoy_rbacv3.RBAC_DENY
+		return envoy_rbacv3.RBAC_DENY, nil
 	case "ALLOW":
-		return envoy_rbacv3.RBAC_ALLOW
+		return envoy_rbacv3.RBAC_ALLOW, nil
 	default:
-		panic("unknown action")
+		return -1, fmt.Errorf("unknown action %s", r.Action)
 	}
 }
 
@@ -57,21 +57,24 @@ type FilterPatch struct {
 }
 
 // asStructPB returns FilterPatch represented as a structpb.Struct
-func (f *FilterPatch) asStructPB() *structpb.Struct {
+func (f *FilterPatch) asStructPB() (*structpb.Struct, error) {
 	pb, err := structpb.NewStruct(map[string]any{
 		"name":         f.Name,
 		"typed_config": f.TypedConfig.AsMap(),
 	})
 	if err != nil {
-		// This state is not valid and should not be propergated
-		panic(err)
+		return nil, err
 	}
-	return pb
+	return pb, nil
 }
 
 // AsMap returns FilterPatch represented as a map[string]interface{}
-func (f *FilterPatch) AsMap() map[string]interface{} {
-	return f.asStructPB().AsMap()
+func (f *FilterPatch) AsMap() (map[string]interface{}, error) {
+	s, err := f.asStructPB()
+	if err != nil {
+		return nil, err
+	}
+	return s.AsMap(), nil
 }
 
 // BuildAPIEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for API server
@@ -97,28 +100,30 @@ func BuildAPIEnvoyFilterSpecForHelmChart(
 // endpoints using the seed ingress domain.
 func BuildIngressEnvoyFilterSpecForHelmChart(
 	cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, istioLabels map[string]string,
-) *istio_networkingv1alpha3.EnvoyFilter {
+) (*istio_networkingv1alpha3.EnvoyFilter, error) {
 	seedIngressDomain := helper.GetSeedIngressDomain(cluster.Seed)
-	if seedIngressDomain != "" {
-		shootID := helper.ComputeShortShootID(cluster.Shoot)
+	if seedIngressDomain == "" {
+		return nil, nil
+	}
+	shootID := helper.ComputeShortShootID(cluster.Shoot)
 
-		return &istio_networkingv1alpha3.EnvoyFilter{
-			WorkloadSelector: &istio_networkingv1alpha3.WorkloadSelector{
-				Labels: istioLabels,
-			},
-			ConfigPatches: []*istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{
-				ingressConfigPatchFromRule(rule, seedIngressDomain, shootID, alwaysAllowedCIDRs),
-			},
-		}
+	configPatch, err := ingressConfigPatchFromRule(rule, seedIngressDomain, shootID, alwaysAllowedCIDRs)
+	if err != nil {
+		return nil, err
 	}
-	return nil
+	return &istio_networkingv1alpha3.EnvoyFilter{
+		WorkloadSelector: &istio_networkingv1alpha3.WorkloadSelector{
+			Labels: istioLabels,
+		},
+		ConfigPatches: []*istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{configPatch},
+	}, nil
 }
 
 // ingressConfigPatchFromRule creates a network filter patch that can be
 // applied to the `GATEWAY` network filter chain matching the wildcard ingress domain.
 func ingressConfigPatchFromRule(
 	rule *ACLRule, seedIngressDomain, shootID string, alwaysAllowedCIDRs []string,
-) *istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch {
+) (*istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch, error) {
 	rbacName := "acl-ingress"
 	ingressSuffix := "-" + shootID + "." + seedIngressDomain
 
@@ -173,13 +178,16 @@ func ingressConfigPatchFromRule(
 	}
 	typedConfig, err := protoMessageToTypedConfig(rbacFilter)
 	if err != nil {
-		// this is a error in the code itself, don't return to caller
-		panic(err)
+		return nil, err
 	}
 	filter := &FilterPatch{
 		Name:        rbacName,
 		TypedConfig: typedConfig,
 	}
+	pb, err := filter.asStructPB()
+	if err != nil {
+		return nil, err
+	}
 	return &istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{
 		ApplyTo: istio_networkingv1alpha3.EnvoyFilter_NETWORK_FILTER,
 		Match: &istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{
@@ -194,30 +202,32 @@ func ingressConfigPatchFromRule(
 		},
 		Patch: &istio_networkingv1alpha3.EnvoyFilter_Patch{
 			Operation: istio_networkingv1alpha3.EnvoyFilter_Patch_INSERT_FIRST,
-			Value:     filter.asStructPB(),
+			Value:     pb,
 		},
-	}
+	}, nil
 }
 
 // BuildVPNEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for VPN.
 func BuildVPNEnvoyFilterSpecForHelmChart(
 	cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, istioLabels map[string]string,
-) *istio_networkingv1alpha3.EnvoyFilter {
+) (*istio_networkingv1alpha3.EnvoyFilter, error) {
+	patch, err := vpnConfigPatchFromRule(rule, helper.ComputeShortShootID(cluster.Shoot), cluster.Shoot.Status.TechnicalID, alwaysAllowedCIDRs)
+	if err != nil {
+		return nil, err
+	}
 	return &istio_networkingv1alpha3.EnvoyFilter{
 		WorkloadSelector: &istio_networkingv1alpha3.WorkloadSelector{
 			Labels: istioLabels,
 		},
-		ConfigPatches: []*istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{
-			vpnConfigPatchFromRule(rule, helper.ComputeShortShootID(cluster.Shoot), cluster.Shoot.Status.TechnicalID, alwaysAllowedCIDRs),
-		},
-	}
+		ConfigPatches: []*istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{patch},
+	}, nil
 }
 
 // vpnConfigPatchFromRule creates an HTTP filter patch that can be applied to the
 // `GATEWAY` HTTP filter chain for the VPN.
 func vpnConfigPatchFromRule(rule *ACLRule,
 	shortShootID, technicalShootID string, alwaysAllowedCIDRs []string,
-) *istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch {
+) (*istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch, error) {
 	rbacName := "acl-vpn"
 	headerMatcher := envoy_routev3.HeaderMatcher{
 		Name: "reversed-vpn",
@@ -280,13 +290,17 @@ func vpnConfigPatchFromRule(rule *ACLRule,
 	}
 	typedConfig, err := protoMessageToTypedConfig(rbacFilter)
 	if err != nil {
-		// this is a error in the code itself, don't return to caller
-		panic(err)
+		return nil, err
 	}
 	filterPatch := &FilterPatch{
 		Name:        rbacName,
 		TypedConfig: typedConfig,
 	}
+	pb, err := filterPatch.asStructPB()
+	if err != nil {
+		return nil, err
+	}
+
 	return &istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{
 		ApplyTo: istio_networkingv1alpha3.EnvoyFilter_HTTP_FILTER,
 		Match: &istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{
@@ -299,9 +313,9 @@ func vpnConfigPatchFromRule(rule *ACLRule,
 		},
 		Patch: &istio_networkingv1alpha3.EnvoyFilter_Patch{
 			Operation: istio_networkingv1alpha3.EnvoyFilter_Patch_INSERT_FIRST,
-			Value:     filterPatch.asStructPB(),
+			Value:     pb,
 		},
-	}
+	}, nil
 }
 
 // CreateAPIConfigPatchFromRule combines an ACLRule, the first entry  of the
@@ -315,7 +329,14 @@ func CreateAPIConfigPatchFromRule(
 	}
 	rbacName := "acl-api"
 	principals := ruleCIDRsToPrincipal(rule, alwaysAllowedCIDRs)
-
+	action, err := rule.actionProto()
+	if err != nil {
+		return nil, err
+	}
+	patch, err := principalsToPatch(rbacName, action, principals)
+	if err != nil {
+		return nil, err
+	}
 	return &istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectPatch{
 		ApplyTo: istio_networkingv1alpha3.EnvoyFilter_NETWORK_FILTER,
 		Match: &istio_networkingv1alpha3.EnvoyFilter_EnvoyConfigObjectMatch{
@@ -328,27 +349,30 @@ func CreateAPIConfigPatchFromRule(
 				},
 			},
 		},
-		Patch: principalsToPatch(rbacName, rule.actionProto(), principals),
+		Patch: patch,
 	}, nil
 }
 
 func principalsToPatch(
 	rbacName string, ruleAction envoy_rbacv3.RBAC_Action, principals []*envoy_rbacv3.Principal,
-) *istio_networkingv1alpha3.EnvoyFilter_Patch {
+) (*istio_networkingv1alpha3.EnvoyFilter_Patch, error) {
 	rbacFilter := newRBACFilter(rbacName, ruleAction, principals)
 	typedConfig, err := protoMessageToTypedConfig(rbacFilter)
 	if err != nil {
-		// this is a error in the code itself, don't return to caller
-		panic(err)
+		return nil, err
 	}
 	filter := &FilterPatch{
 		Name:        rbacName,
 		TypedConfig: typedConfig,
 	}
+	pb, err := filter.asStructPB()
+	if err != nil {
+		return nil, err
+	}
 	return &istio_networkingv1alpha3.EnvoyFilter_Patch{
 		Operation: istio_networkingv1alpha3.EnvoyFilter_Patch_INSERT_FIRST,
-		Value:     filter.asStructPB(),
-	}
+		Value:     pb,
+	}, nil
 }
 
 // CreateInternalFilterPatchFromRule combines an ACLRule, the
@@ -357,20 +381,23 @@ func CreateInternalFilterPatchFromRule(
 	rule *ACLRule,
 	alwaysAllowedCIDRs []string,
 	shootSpecificCIDRs []string,
-) *FilterPatch {
+) (*FilterPatch, error) {
 	rbacName := "acl-internal"
 	principals := ruleCIDRsToPrincipal(rule, append(alwaysAllowedCIDRs, shootSpecificCIDRs...))
-	rbacFilter := newRBACFilter(rbacName, rule.actionProto(), principals)
+	action, err := rule.actionProto()
+	if err != nil {
+		return nil, err
+	}
+	rbacFilter := newRBACFilter(rbacName, action, principals)
 	typedConfig, err := protoMessageToTypedConfig(rbacFilter)
 	if err != nil {
-		// this is a error in the code itself, don't return to caller
-		panic(err)
+		return nil, err
 	}
 
 	return &FilterPatch{
 		Name:        rbacName + "-" + strings.ToLower(rule.Type),
 		TypedConfig: typedConfig,
-	}
+	}, nil
 }
 
 // ruleCIDRsToPrincipal translates a list of strings in the form "0.0.0.0/0"

pkg/envoyfilters/envoyfilters_test.go

@@ -68,7 +68,8 @@ var _ = Describe("EnvoyFilter Unit Tests", func() {
 					"app":   "istio-ingressgateway",
 					"istio": "ingressgateway",
 				}
-				ingressEnvoyFilterSpec := BuildIngressEnvoyFilterSpecForHelmChart(cluster, rule, alwaysAllowedCIDRs, labels)
+				ingressEnvoyFilterSpec, err := BuildIngressEnvoyFilterSpecForHelmChart(cluster, rule, alwaysAllowedCIDRs, labels)
+				Expect(err).NotTo(HaveOccurred())
 
 				checkIfFilterEquals(ingressEnvoyFilterSpec, "ingressEnvoyFilterSpecWithOneAllowRule.yaml")
 			})
@@ -79,7 +80,9 @@ var _ = Describe("EnvoyFilter Unit Tests", func() {
 					"app":   "istio-ingressgateway",
 					"istio": "ingressgateway",
 				}
-				ingressEnvoyFilterSpec := BuildIngressEnvoyFilterSpecForHelmChart(cluster, rule, alwaysAllowedCIDRs, labels)
+				ingressEnvoyFilterSpec, err := BuildIngressEnvoyFilterSpecForHelmChart(cluster, rule, alwaysAllowedCIDRs, labels)
+
+				Expect(err).NotTo(HaveOccurred())
 				Expect(ingressEnvoyFilterSpec).To(BeNil())
 			})
 		})
@@ -93,7 +96,9 @@ var _ = Describe("EnvoyFilter Unit Tests", func() {
 					"app":   "istio-ingressgateway",
 					"istio": "ingressgateway",
 				}
-				result := BuildVPNEnvoyFilterSpecForHelmChart(cluster, rule, alwaysAllowedCIDRs, labels)
+				result, err := BuildVPNEnvoyFilterSpecForHelmChart(cluster, rule, alwaysAllowedCIDRs, labels)
+
+				Expect(err).NotTo(HaveOccurred())
 				checkIfFilterEquals(result, "vpnEnvoyFilterSpecWithOneAllowRule.yaml")
 			})
 		})
@@ -104,7 +109,8 @@ var _ = Describe("EnvoyFilter Unit Tests", func() {
 			It("Should create a filter spec matching the expected one, including the always allowed CIDRs", func() {
 				rule := createRule("ALLOW", "remote_ip", "0.0.0.0/0")
 
-				result := CreateInternalFilterPatchFromRule(rule, alwaysAllowedCIDRs, []string{})
+				result, err := CreateInternalFilterPatchFromRule(rule, alwaysAllowedCIDRs, []string{})
+				Expect(err).NotTo(HaveOccurred())
 				checkIfFilterEquals(result, "singleFiltersAllowEntry.yaml")
 			})
 		})

pkg/webhook/webhook.go

@@ -121,10 +121,17 @@ func (e *EnvoyFilterWebhook) createAdmissionResponse(
 	if originalFilter == nil {
 		return admission.Errored(http.StatusBadRequest, fmt.Errorf("filter with name \"envoy.filters.network.tcp_proxy\" not present in EnvoyFilter %s/%s", filter.Namespace, filter.Name))
 	}
-	filterPatch := envoyfilters.CreateInternalFilterPatchFromRule(extSpec.Rule, alwaysAllowedCIDRs, shootSpecificCIRDs)
+	filterPatch, err := envoyfilters.CreateInternalFilterPatchFromRule(extSpec.Rule, alwaysAllowedCIDRs, shootSpecificCIRDs)
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
 
+	filterPatchMap, err := filterPatch.AsMap()
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
 	// make sure the original filter is the last
-	filterPatches := []map[string]interface{}{filterPatch.AsMap(), originalFilter.AsMap()}
+	filterPatches := []map[string]interface{}{filterPatchMap, originalFilter.AsMap()}
 
 	return buildAdmissionResponseWithFilterPatches(filterPatches)
 }