Drop the distinction between Create/Update. (#635)

There was a bunch of boilerplate to differentiate between Create/Update, which wasn't particularly useful. This drops it and streamlines a bunch of the logic. I expect this will be the first cleanup of a number to follow... Signed-off-by: Matt Moore <[email protected]>
sigstore · Sep 7, 2021 · 6a1e1b5 · 6a1e1b5
1 parent 8d550b3
commit 6a1e1b5
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 81 deletions.
diff --git a/cmd/cosign/webhook/main.go b/cmd/cosign/webhook/main.go
@@ -71,31 +71,13 @@ func main() {
 		os.Exit(1)
 	}
 
-	cosignedValidationFuncs := map[schema.GroupVersionKind]webhook.ValidationFuncs{
-		corev1.SchemeGroupVersion.WithKind("Pod"): {
-			ValidateCreate: webhook.ValidateSignedResources,
-			ValidateUpdate: webhook.ValidateSignedResourcesUpdate,
-		},
-		batchv1.SchemeGroupVersion.WithKind("Job"): {
-			ValidateCreate: webhook.ValidateSignedResources,
-			ValidateUpdate: webhook.ValidateSignedResourcesUpdate,
-		},
-		appsv1.SchemeGroupVersion.WithKind("Deployment"): {
-			ValidateCreate: webhook.ValidateSignedResources,
-			ValidateUpdate: webhook.ValidateSignedResourcesUpdate,
-		},
-		appsv1.SchemeGroupVersion.WithKind("StatefulSet"): {
-			ValidateCreate: webhook.ValidateSignedResources,
-			ValidateUpdate: webhook.ValidateSignedResourcesUpdate,
-		},
-		appsv1.SchemeGroupVersion.WithKind("ReplicateSet"): {
-			ValidateCreate: webhook.ValidateSignedResources,
-			ValidateUpdate: webhook.ValidateSignedResourcesUpdate,
-		},
-		appsv1.SchemeGroupVersion.WithKind("DaemonSet"): {
-			ValidateCreate: webhook.ValidateSignedResources,
-			ValidateUpdate: webhook.ValidateSignedResourcesUpdate,
-		},
+	cosignedValidationFuncs := map[schema.GroupVersionKind]webhook.ValidationFunc{
+		corev1.SchemeGroupVersion.WithKind("Pod"):          webhook.ValidateSignedResources,
+		batchv1.SchemeGroupVersion.WithKind("Job"):         webhook.ValidateSignedResources,
+		appsv1.SchemeGroupVersion.WithKind("Deployment"):   webhook.ValidateSignedResources,
+		appsv1.SchemeGroupVersion.WithKind("StatefulSet"):  webhook.ValidateSignedResources,
+		appsv1.SchemeGroupVersion.WithKind("ReplicateSet"): webhook.ValidateSignedResources,
+		appsv1.SchemeGroupVersion.WithKind("DaemonSet"):    webhook.ValidateSignedResources,
 	}
 
 	dynamicClient, err := kubernetesClientOptions.NewDynamicClient()

diff --git a/pkg/cosign/kubernetes/webhook/handler.go b/pkg/cosign/kubernetes/webhook/handler.go
@@ -53,12 +53,12 @@ type funcAdmissionValidator struct {
 	regularDecoder      runtime.Decoder
 	unstructuredDecoder runtime.Decoder
 	apiReader           client.Reader
-	validations         map[schema.GroupVersionKind]ValidationFuncs
+	validations         map[schema.GroupVersionKind]ValidationFunc
 	scheme              *runtime.Scheme
 	secretKeyRef        string
 }
 
-func NewFuncAdmissionValidator(scheme *runtime.Scheme, dynamicClient client.Client, fns map[schema.GroupVersionKind]ValidationFuncs, secretKeyRef string) *webhook.Admission {
+func NewFuncAdmissionValidator(scheme *runtime.Scheme, dynamicClient client.Client, fns map[schema.GroupVersionKind]ValidationFunc, secretKeyRef string) *webhook.Admission {
 	factory := serializer.NewCodecFactory(scheme)
 	return &webhook.Admission{
 		Handler: &funcAdmissionValidator{
@@ -72,19 +72,13 @@ func NewFuncAdmissionValidator(scheme *runtime.Scheme, dynamicClient client.Clie
 	}
 }
 
-type ValidationFuncs struct {
-	ValidateCreate ValidationCreateFunc
-	ValidateUpdate ValidationUpdateFunc
-}
-
-type ValidationCreateFunc func(newObj runtime.Object, apiReader client.Reader, keys []*ecdsa.PublicKey) field.ErrorList
-type ValidationUpdateFunc func(newObj runtime.Object, oldObj runtime.Object, apiReader client.Reader, keys []*ecdsa.PublicKey) field.ErrorList
+type ValidationFunc func(newObj runtime.Object, apiReader client.Reader, keys []*ecdsa.PublicKey) field.ErrorList
 
 func (c *funcAdmissionValidator) Handle(_ context.Context, admissionSpec admission.Request) admission.Response {
 	var (
-		newObj, oldObj runtime.Object
-		gvk            *schema.GroupVersionKind
-		err            error
+		newObj runtime.Object
+		gvk    *schema.GroupVersionKind
+		err    error
 	)
 
 	decoder := c.regularDecoder
@@ -105,23 +99,6 @@ func (c *funcAdmissionValidator) Handle(_ context.Context, admissionSpec admissi
 		}
 	}
 
-	if len(admissionSpec.OldObject.Raw) > 0 {
-		oldObj, gvk, err = decoder.Decode(admissionSpec.OldObject.Raw, nil, nil)
-		if err != nil {
-			return admission.Response{
-				AdmissionResponse: admissionv1.AdmissionResponse{
-					Allowed: false,
-					Result: &metav1.Status{
-						Status:  metav1.StatusFailure,
-						Code:    http.StatusInternalServerError,
-						Reason:  metav1.StatusReasonInternalError,
-						Message: fmt.Sprintf("Failed to decode object: %v", err),
-					},
-				},
-			}
-		}
-	}
-
 	cfg, err := kubernetes.GetKeyPairSecret(context.Background(), c.secretKeyRef)
 	if err != nil {
 		return admission.Response{
@@ -150,7 +127,7 @@ func (c *funcAdmissionValidator) Handle(_ context.Context, admissionSpec admissi
 		}
 	}
 
-	validateFuncs, ok := c.validations[*gvk]
+	validateFunc, ok := c.validations[*gvk]
 	if !ok {
 		return admission.Response{
 			AdmissionResponse: admissionv1.AdmissionResponse{
@@ -169,14 +146,9 @@ func (c *funcAdmissionValidator) Handle(_ context.Context, admissionSpec admissi
 	keys := getKeys(cfg.Data)
 
 	switch admissionSpec.Operation {
-	case admissionv1.Create:
-		if validateFuncs.ValidateCreate != nil {
-			validationErrs = validateFuncs.ValidateCreate(newObj, c.apiReader, keys)
-		}
-	case admissionv1.Update:
-		if validateFuncs.ValidateUpdate != nil {
-			validationErrs = validateFuncs.ValidateUpdate(newObj, oldObj, c.apiReader, keys)
-		}
+	case admissionv1.Create, admissionv1.Update:
+		validationErrs = validateFunc(newObj, c.apiReader, keys)
+
 	default:
 		return admission.Response{
 			AdmissionResponse: admissionv1.AdmissionResponse{

diff --git a/pkg/cosign/kubernetes/webhook/validation.go b/pkg/cosign/kubernetes/webhook/validation.go
@@ -49,24 +49,6 @@ func ValidateSignedResources(obj runtime.Object, apiReader client.Reader, keys [
 	return validateSignedContainerImages(containers, keys)
 }
 
-func ValidateSignedResourcesUpdate(newObj runtime.Object, oldObj runtime.Object, apiReader client.Reader, keys []*ecdsa.PublicKey) field.ErrorList {
-	var allErrs field.ErrorList
-
-	containers, err := getContainers(newObj)
-	if err != nil {
-		return field.ErrorList{field.InternalError(field.NewPath(""), err)}
-	}
-
-	_, err = getContainers(oldObj)
-	if err != nil {
-		return field.ErrorList{field.InternalError(field.NewPath(""), err)}
-	}
-
-	allErrs = append(allErrs, validateSignedContainerImages(containers, keys)...)
-
-	return allErrs
-}
-
 func validateSignedContainerImages(containers []corev1.Container, keys []*ecdsa.PublicKey) field.ErrorList {
 	var allErrs field.ErrorList