Add admission webhook

This PR adds the admission webhook for verifying snapshot API objects
and also seting the default snapshot class if it is not specified by the
users

cmd/csi-snapshotter/main.go

@@ -20,11 +20,13 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	"net/http"
 	"os"
 	"os/signal"
 	"time"
 
 	"github.com/golang/glog"
+	"github.com/pkg/errors"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
@@ -36,6 +38,7 @@ import (
 	clientset "github.com/kubernetes-csi/external-snapshotter/pkg/client/clientset/versioned"
 	snapshotscheme "github.com/kubernetes-csi/external-snapshotter/pkg/client/clientset/versioned/scheme"
 	informers "github.com/kubernetes-csi/external-snapshotter/pkg/client/informers/externalversions"
+	"github.com/kubernetes-csi/external-snapshotter/pkg/webhook"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 )
 
@@ -62,7 +65,9 @@ var (
 )
 
 var (
-	version = "unknown"
+	version          = "unknown"
+	serviceName      = flag.String("service-name", "snapshot-admission-webhook-svc", "The name of the admission webhook service.")
+	serviceNamespace = flag.String("service-namespace", "default", "The namespace of the admission webhook service.")
 )
 
 func main() {
@@ -156,6 +161,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := webhook.CreateConfiguration(kubeClient, *serviceName, *serviceNamespace); err != nil {
+		glog.Error("Failed to create configuration for Webhook, %v", err)
+		os.Exit(1)
+	}
+
 	glog.V(2).Infof("Start NewCSISnapshotController with snapshotter [%s] kubeconfig [%s] connectionTimeout [%+v] csiAddress [%s] createSnapshotContentRetryCount [%d] createSnapshotContentInterval [%+v] resyncPeriod [%+v] snapshotNamePrefix [%s] snapshotNameUUIDLength [%d]", *snapshotter, *kubeconfig, *connectionTimeout, *csiAddress, createSnapshotContentRetryCount, *createSnapshotContentInterval, *resyncPeriod, *snapshotNamePrefix, snapshotNameUUIDLength)
 
 	ctrl := controller.NewCSISnapshotController(
@@ -177,6 +187,7 @@ func main() {
 	// run...
 	stopCh := make(chan struct{})
 	factory.Start(stopCh)
+	go startWebhooksHTTPs(kubeClient, snapClient)
 	go ctrl.Run(threads, stopCh)
 
 	// ...until SIGINT
@@ -214,3 +225,23 @@ func waitForDriverReady(csiConn connection.CSIConnection, timeout time.Duration)
 		time.Sleep(time.Second)
 	}
 }
+
+func startWebhooksHTTPs(kubeClientset kubernetes.Interface, snapClient clientset.Interface) error {
+	glog.V(2).Infof("Starting Snapshot webhooks HTTPS handler")
+	defer glog.V(2).Infof("Stopping Snapshot webhooks HTTPS handler")
+
+	mux := http.NewServeMux()
+	mux.Handle("/", http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			webhook.AdmitSnapshot(w, r, kubeClientset, snapClient)
+		}))
+	server := &http.Server{
+		Addr:      ":443",
+		TLSConfig: webhook.GetTLSConfig(),
+		Handler:   mux,
+	}
+	if err := server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
+		return errors.Wrap(err, "start webhook HTTPS handler")
+	}
+	return nil
+}

hack/gencerts.sh

@@ -0,0 +1,65 @@
+
+#!/bin/bash
+
+# Copyright 2018 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Generates the a CA cert, a server key, and a server cert signed by the CA. 
+# reference: https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/webhook/gencerts.sh
+set -e
+
+CN_BASE="snapshot"
+CN="snapshot-admission-webhook-svc.default.svc"
+
+cat > server.conf << EOF
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+EOF
+
+# Create a certificate authority
+openssl genrsa -out caKey.pem 2048
+openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca"
+
+# Create a server certificate
+openssl genrsa -out serverKey.pem 2048
+# Note the CN is the DNS name of the service of the webhook.
+openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN}" -config server.conf
+openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
+
+outfile=pkg/webhook/certs.go
+
+cat > $outfile << EOF
+EOF
+
+echo "// This file was generated using openssl by the gencerts.sh script" >> $outfile
+echo "" >> $outfile
+echo "package webhook" >> $outfile
+for file in caKey caCert serverKey serverCert; do
+	data=$(cat ${file}.pem)
+	echo "" >> $outfile
+	echo "var $file = []byte(\`$data\`)" >> $outfile
+done
+
+# Clean up after we're done.
+rm *.pem
+rm *.csr
+rm *.srl
+rm *.conf

pkg/webhook/certs.go

@@ -0,0 +1,112 @@
+// Copyright 2018 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// This file was generated using openssl by the gencerts.sh script
+
+package webhook
+
+var caKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuVbxVMXgIyoEPRj6XdX/uCGcz7SSrzDYsgFvWFuEtEiFWXZ7
+izGhM+KtgrFxwchr/J+ZIFO6tOjX+uM1LuQzjLn3MfFoJtdGANAm8Kqus8eOOXOb
+78/JELdGYkkrYENWIsSvcB81y3ahjgAPV4X74ZjPVuGjd2EVRgFtOfYOaGYzehdh
+Ih47CxjMKYPZ5T3F6MptY1YYxEBfCGl7PuEkRUd8jnqubYCbnN8Tch1LOVrNPgc2
+M5KY4/P1xiftFJU4KhWvqceicYc2/0le3Hu29m5L2lFDK2OF2gcIpbmF1LPeuzol
+u7XzRqteSU9/BOGNGgHF0808jgIMU39DQGyuXwIDAQABAoIBAFVFMvMVtvF2u0yA
+2W+irWxByqulIHeJuajsEBZOxNdNJkzqvhxkUQ5WFA41JWlKlKQ9qW2+GABzwCql
+ripMw4rTZG+N6aU1Fff5zHCdlpMQFNdJ4UyMBK20JKXDlDlNwattYmnrcgySH/H9
+BRH3itNYQsxuM48RE4CJ1377PdW5pplj8urMJ6vaQ5FdBnxFpThMlyuqSezk/GqA
+iXAB0VHt2JvkSe8XXIzVtkKR6FnfaGT5dH020/Ia4w07zY4l6rBvSN2iaW8a9trc
+MsZug9At+I+/WVBDS97PRrmEREECPJJB78E9F+nPxEToYTns5zrKz8m3N3LX0CcK
+ZQV6w8ECgYEA64rdB/5wwBxjHY+YqmaxezQXS1TT8Z3hkHw10BPeabYSzmiCDzwh
+2lQztiA2mBhTsyOG82uz/BFQEEB+6d6cf77BJuh4pk7w4Mg+UYoHoBfIr7zC2rfS
+RUC1uRSvgYWTf/MPKPKzSJpEVaVV8IBn+ibpwKFURMFhIdL/C+Qe1ZsCgYEAyW/Z
+/1s/BGhXrqNsPVbqAyIKJXNcaJDzNNfktY43w9U9sUIMrW2J2trjK6qJ5Itlfro9
+NXquchd0pYm+ysAqF8vmN4vB/FN0QcnvBSYoM2iDtc8+C/G6cjt9adiJQTDYh1yF
+/I3xz+d/bynyTgoYKc7fsMyHflYcK4N3wmYnmI0CgYEArTYG6NQBkiTN9nUcrWKr
+bZCW+Ly+x1V1BM1yvTt/OXm9RrCvxAhSVL3K8UmrHBn3oyqjGOrBBsKsf+cN7WnY
+6FActkIKRzKSDJr0yP2aMe6LlEBZgoHfTTIS8LH3hmX2XAcfxNsFYIShb+IP2rZy
+wBBRoWiCEbWrejYxfEsbKbUCgYB8HEFJlzO1iIB1plUbWgCm24M63eASwTRH27kb
+r7tmGm1/WH2tIS9tu616CwIY4VYwhZkO6T6wJwmEsODv1QRaUxPOJ3rm95hKrJtr
+Jb5hJkT4cO7+tvo0RbkYzQSMOQdAJ16aY+6YNT8MA+E5+fg3UjH6oZnd2jpTCRZx
+nTVKRQKBgEXRMBHJv6xzF0vfdsNTftgX5vfOyHRFuGzL04a0evv6Zj8izPJ2rOwy
+tbFfCvmMiNqBANTR9YxM9fDv2Aq7qWUSJ2IqVS6nXw0EDj3TXH+Pur2LfQPACKtD
+1Oe+4t0kmon2We6o9hNM9nR3EjFA0zDauKwRBSrjrlGaf4tTsc/6
+-----END RSA PRIVATE KEY-----`)
+
+var caCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIDBDCCAeygAwIBAgIJAPLPw2bFlYqUMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC3NuYXBzaG90X2NhMCAXDTE4MDkyNzIwNTIzNloYDzIyOTIwNzEyMjA1MjM2
+WjAWMRQwEgYDVQQDDAtzbmFwc2hvdF9jYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALlW8VTF4CMqBD0Y+l3V/7ghnM+0kq8w2LIBb1hbhLRIhVl2e4sx
+oTPirYKxccHIa/yfmSBTurTo1/rjNS7kM4y59zHxaCbXRgDQJvCqrrPHjjlzm+/P
+yRC3RmJJK2BDViLEr3AfNct2oY4AD1eF++GYz1bho3dhFUYBbTn2DmhmM3oXYSIe
+OwsYzCmD2eU9xejKbWNWGMRAXwhpez7hJEVHfI56rm2Am5zfE3IdSzlazT4HNjOS
+mOPz9cYn7RSVOCoVr6nHonGHNv9JXtx7tvZuS9pRQytjhdoHCKW5hdSz3rs6Jbu1
+80arXklPfwThjRoBxdPNPI4CDFN/Q0Bsrl8CAwEAAaNTMFEwHQYDVR0OBBYEFFGw
+D7vzl/nFIQ8h5rcqc6LsOVY5MB8GA1UdIwQYMBaAFFGwD7vzl/nFIQ8h5rcqc6Ls
+OVY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEVO/V0PFB9E
+wujSbOYCIbx+51yDUoC8hxT1r1Kcx3u08MDgUoDX+Rxg/Ok7XbqweCvR0drbSKAA
+kLE96CVL98gonTK8xq/wr6ajEu4Zkq2gG+uTDnk09Rw3tQDlu5a8y2xx3tkPwXZQ
+mJlOKfRQJT16scQYJI2vYlfD02sIAz82+Y6tJTe8X4HviSPx4l65V1gP1Cv0IRQN
+FmZf7z8vxhvuO2bc4kEfD2ROtn8JR6IohFkqbsgLblZleFlsjnoS+wZr/hg4OGKN
+Ra00JO66qaNYwwueeKU4Qvfo/HiWXwRivsCmNkkuzneovYI9WAnspQXg6szMMKxj
+g1O6iPylFcU=
+-----END CERTIFICATE-----`)
+
+var serverKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA2VeAQeGNCBfuCQaqQIEspJFQNnal47TytS5LDgH5RccoRkIs
+kCsecdPEZeLqHnuDEMg9M6DPWjl4VHkPnBCUkCVVGjvhb1c4A5LI++zKIZkhvUvY
+zpsS6emQs+Ji+86I83EgxpjBXzEgD0NffOfaDbLdLFA+B0R7jOyaIquvvMPXcca7
+z1EDbN0zuUPmPHBa9LRLs4TlEbn8gGpL+ajSyBqrsL5qP92VUq8wcFpUXJ50xocD
+B5tZc8ESmIiYjIVXaFvIZu1RAIG2Sj68HOpbU61T/Ftdc3y4kB8+9rTUFaTvSVvD
+ShW3sUqFULD6qv+vg+GzRAWGM+sUjhvx0VZrzQIDAQABAoIBADNG56Wjd0ifjLNo
+dSZ+02+IMSqIV58fg9unLmIBqTQDRsc8uZLR+X7VfZKkNKQ4c7Wz6GyT1hftUyxq
+23nwl3xism9cDVXdeAOvz+dP+Ghw3nrwuBgWkiHJzzABi2TpV3pICHmSdJzm1C+F
+r7OiZ9mvh2r7C4dfat7Wu47OfsnD42ziS9p3R6hcvugPoaAy23IwAgmR8LwoOXGy
+ZiAkb/d30G0MNt3lFbeZKHL16ibRxPjCRnDrfI++4/iJhuxBVv0BebYEjvajAFby
+G/bQNfXSghpYAywnCMoTqUVCV8ZALbw+okGrcxThcI7ZKghVGcYeK9/n5+tg7+r9
+I1Q3J2kCgYEA8ZW3xhRr3XwuJCUFBs5yB0ibjV31w5slvSBrhd78gGLij8DRRynt
+U/rro0Vk0rw3VzKJvk9rohR0YbQBDIrtfVNWzkJOZJXDDwmb6b8ooUcADl5ui9Ul
+NvgwzQtq/p/nDfPNbwzMN4XiwfnQ/+yq0J98+RvEM6bDlYOT6wma8hsCgYEA5k92
+oDfyIGqI3Cx1jFnRwxTo5A6yW73B0XkIFOe8P2PMhntjt7rpE3gq3VVfDbemVSI5
+WXY5wh0daOFkWzNbuvudHxslWQrZSyG71ycEcAHfxWuwqOLiGn4x3/CXzIJsyR8L
+jkhApZ2J6YwotxFk9kh/DW+vOpbPKUdPZbGruDcCgYEA3f4T90LAs6/uvmv+KHkA
+M003EzpqIaqpjRcDduqm4Fr9kdc+98PBP9BtQ4T61uL5f3kDNgvI/hEJuNYtuJbZ
+ELbKJ5KqcqdjrKfJy4tLDJgvpwSDVJ8yKUb7oQ+C7COHsDx+ZDNAXSz8Z/7lXKbf
+eAF2V3p6WnQ9eWCFRg93gE0CgYBNGR7aBcB9T4yfQBbdtBe/WZmY9r6IbZ6bdAvb
+i7P9+He4MUgxclWiGeEnlPOsEOWSrFFMfIJbVAnLWWCSE0BK+P4hMqIvC62wNAvA
+u6QFpur1GNbbwo/0VHh3wf/fC25FaaohqFhT2MgZMb1Tg3Qr6hr2MYQUdfXFmMSg
+g3i7wwKBgQCPv2YxHynKq/N6Ns8OUAAGatIc8BG07EBT79T8UPiGi7Ova3jIoQLp
+UkiSKdtPaYDnjUG/a4MkVbNATNh48rveW/U5BumLMMFQtHK44vOQFX9fGS/zLKkZ
+yt8uo1eX6Uo3QGuXaLFKgu0sXRRzBtZBu/6AUzTNA5gKz9qIBKkfeA==
+-----END RSA PRIVATE KEY-----`)
+
+var serverCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIJAMT8cU6Xrf9/MA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMMC3NuYXBzaG90X2NhMCAXDTE4MDkyNzIwNTIzN1oYDzIyOTIwNzEyMjA1MjM3
+WjA1MTMwMQYDVQQDDCpzbmFwc2hvdC1hZG1pc3Npb24td2ViaG9vay1zdmMuZGVm
+YXVsdC5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZV4BB4Y0I
+F+4JBqpAgSykkVA2dqXjtPK1LksOAflFxyhGQiyQKx5x08Rl4uoee4MQyD0zoM9a
+OXhUeQ+cEJSQJVUaO+FvVzgDksj77MohmSG9S9jOmxLp6ZCz4mL7zojzcSDGmMFf
+MSAPQ19859oNst0sUD4HRHuM7Joiq6+8w9dxxrvPUQNs3TO5Q+Y8cFr0tEuzhOUR
+ufyAakv5qNLIGquwvmo/3ZVSrzBwWlRcnnTGhwMHm1lzwRKYiJiMhVdoW8hm7VEA
+gbZKPrwc6ltTrVP8W11zfLiQHz72tNQVpO9JW8NKFbexSoVQsPqq/6+D4bNEBYYz
+6xSOG/HRVmvNAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1Ud
+JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAQEADQw8
+fw/RgOTtx9QVxUYMVD55VtdX/xctaAllTnE3A2T03/o73pdLs8owaPd0CbUFZO4m
+0AgaSzOamd3HHTY9TBxtddGh1wU+yxWMB+XhffAQwHpxIZ/BVMhu3pf5024D7S6k
+5dskfY/011+JmCi28Rfwb86mlwluR4fOczSTW22815aZv8LXxsCrwzbft86pa+dQ
+b6lzWsT6H+BE92xBCpgrZyMBCSs0hXfDQV7f0lVJcD+Z3bJkDPO/8yue2IyluUx+
+Eovpt5wY4AhiorLD5xw5jY4cFLooDLOyV8VGJ56GuAUVpvYKivD92k5whTl7fSAR
+xsubPWWjGPtNl9vpyQ==
+-----END CERTIFICATE-----`)