Merge webhook plugins into one. (#311)

hack/deploy/admission/operator.yaml

@@ -131,45 +131,29 @@ spec:
     namespace: $STASH_NAMESPACE
   version: v1alpha1
 ---
-# register to intercept namespace creates
+# register to intercept stash CRD creates / updates
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: admission.stash.appscode.com
   labels:
     app: stash
 webhooks:
-- name: resticreviews.admission.stash.appscode.com
+- name: admission.stash.appscode.com
   clientConfig:
     service:
       namespace: default
       name: kubernetes
-      path: /apis/admission.stash.appscode.com/v1alpha1/resticreviews
+      path: /apis/admission.stash.appscode.com/v1alpha1/reviews
     caBundle: $KUBE_CA
   rules:
   - operations:
     - CREATE
+    - UPDATE
     apiGroups:
     - stash.appscode.com
     apiVersions:
     - "*"
     resources:
-    - restics
-  failurePolicy: Fail
-- name: recoveryreviews.admission.stash.appscode.com
-  clientConfig:
-    service:
-      namespace: default
-      name: kubernetes
-      path: /apis/admission.stash.appscode.com/v1alpha1/recoveryreviews
-    caBundle: $KUBE_CA
-  rules:
-  - operations:
-    - CREATE
-    apiGroups:
-    - stash.appscode.com
-    apiVersions:
     - "*"
-    resources:
-    - recoveries
   failurePolicy: Fail

pkg/admission/plugin/admission.go

@@ -0,0 +1,88 @@
+package plugin
+
+import (
+	"encoding/json"
+	"net/http"
+
+	api "github.com/appscode/stash/apis/stash/v1alpha1"
+	admission "k8s.io/api/admission/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/client-go/rest"
+)
+
+type AdmissionHook struct {
+}
+
+func (a *AdmissionHook) ValidatingResource() (plural schema.GroupVersionResource, singular string) {
+	return schema.GroupVersionResource{
+			Group:    "admission.stash.appscode.com",
+			Version:  "v1alpha1",
+			Resource: "reviews",
+		},
+		"review"
+}
+
+func (a *AdmissionHook) Validate(req *admission.AdmissionRequest) *admission.AdmissionResponse {
+	status := &admission.AdmissionResponse{}
+	supportedKinds := sets.NewString(api.ResourceKindRestic, api.ResourceKindRecovery)
+
+	if req.Operation != admission.Create ||
+		len(req.SubResource) != 0 ||
+		req.Kind.Group != api.SchemeGroupVersion.Group ||
+		!supportedKinds.Has(req.Kind.Kind) {
+		status.Allowed = true
+		return status
+	}
+
+	switch req.Kind.Kind {
+	case api.ResourceKindRestic:
+		obj := &api.Restic{}
+		err := json.Unmarshal(req.Object.Raw, obj)
+		if err != nil {
+			status.Allowed = false
+			status.Result = &metav1.Status{
+				Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest,
+				Message: err.Error(),
+			}
+			return status
+		}
+		err = obj.IsValid()
+		if err != nil {
+			status.Allowed = false
+			status.Result = &metav1.Status{
+				Status: metav1.StatusFailure, Code: http.StatusForbidden, Reason: metav1.StatusReasonForbidden,
+				Message: err.Error(),
+			}
+			return status
+		}
+	case api.ResourceKindRecovery:
+		obj := &api.Recovery{}
+		err := json.Unmarshal(req.Object.Raw, obj)
+		if err != nil {
+			status.Allowed = false
+			status.Result = &metav1.Status{
+				Status: metav1.StatusFailure, Code: http.StatusBadRequest, Reason: metav1.StatusReasonBadRequest,
+				Message: err.Error(),
+			}
+			return status
+		}
+		err = obj.IsValid()
+		if err != nil {
+			status.Allowed = false
+			status.Result = &metav1.Status{
+				Status: metav1.StatusFailure, Code: http.StatusForbidden, Reason: metav1.StatusReasonForbidden,
+				Message: err.Error(),
+			}
+			return status
+		}
+	}
+
+	status.Allowed = true
+	return status
+}
+
+func (a *AdmissionHook) Initialize(kubeClientConfig *rest.Config, stopCh <-chan struct{}) error {
+	return nil
+}