SREP-2251: Add webhook validation framework (#1)

* SREP-2251: Add webhook validation framework

Provides a method for adding webhooks and injecting generated caBundles for use by said webhook. Refer to the README.md for additional details on how to add new hooks.

The included hook addresses the group validation request for SREP-2251.

Forthcoming changes will address CI/CD concerns.

Signed-off-by: Lisa Seelye <lseelye@redhat.com>

Author: lisa

.gitignore

@@ -0,0 +1,2 @@
+/deploy
+/__pycache__

Makefile

@@ -0,0 +1,34 @@
+SHELL := /usr/bin/env bash
+
+TEMPLATEFILES := $(shell find ./templates -type f -name "*.yaml.tmpl")
+
+NAMESPACE ?= openshift-validation-webhook
+SVCNAME ?= validation-webhook
+SANAME ?= validation-webhook
+IMAGETAG ?= latest
+CABUNDLECONFIGMAP ?= webhook-cert
+VWC_ANNOTATION ?= managed.openshift.io/inject-cabundle-from
+
+IMG ?= quay.io/lseelye/python3-webhookbase
+
+default: all
+all: build-base render
+
+.PHONY: build-base
+build-base: build/Dockerfile
+	docker build -t $(IMG):$(IMAGETAG) -f build/Dockerfile . && docker push $(IMG):$(IMAGETAG)
+
+# TODO: Change the render to allow for the permissions to have a list of all the webhook names
+# TODO: Pull that list of names from the yaml files?
+render: $(TEMPLATEFILES) build/Dockerfile
+	for f in $(TEMPLATEFILES); do \
+		sed \
+			-e "s!\#NAMESPACE\#!$(NAMESPACE)!g" \
+			-e "s!\#SVCNAME\#!$(SVCNAME)!g" \
+			-e "s!\#SANAME\#!$(SANAME)!g" \
+			-e "s!\#IMAGETAG\#!$(IMAGETAG)!g" \
+			-e "s!\#IMG\#!$(IMG)!g" \
+			-e "s!\#CABUNDLECONFIGMAP\#!$(CABUNDLECONFIGMAP)!g" \
+			-e "s!\#VWC_ANNOTATION\#!$(VWC_ANNOTATION)!g" \
+		$$f > deploy/$$(basename $$f .tmpl) ;\
+	done

README.md

@@ -0,0 +1,139 @@
+# Managed Cluster Validating Webhooks
+
+A Flask app designed to act as a webhook admission controller for OpenShift.
+
+Presently there is a single webhook, [group-validation](#group_validation), which is provided via `/group-validation` endpoint.
+
+## Group Validation
+
+Configuration for this webhook is provided by environment variables:
+
+* `GROUP_VALIDATION_PREFIX` - Group prefix to apply the webhook, such as `osd-` to apply to `CREATE`, `UPDATE`, `DELETE` operations on groups starting with `osd-`.
+* `GROUP_VALIDATION_ADMIN_GROUP` - Admin group, which the requestor must be a member in order to have access granted.
+* `DEBUG_GROUP_VALIDATION` - Debug the webhook? Set to `True` to enable, all other values (including absent) disable.
+
+## How it works
+
+In order for a validating webhook to talk to the code which is performing the validation (eg, the code in this repository), which is running in-cluster, Kubernetes needs to talk to it via a `Service` over HTTPS. This forces the Python Flask app to serve itself with a TLS certificate and the corresponding webhook configuration to specify the CA Bundle (`caBundle`) that matches up for those TLS certs.
+
+The TLS cert is provisioned by using the [openshift-ca-operator](https://github.com/openshift/service-ca-operator). Refer to its documentation for how TLS keys are requested and stored. See also: [02-webhook-cacert.configmap.yaml.tmpl](/templates/02-webhook-cacert.configmap.yaml.tmpl) and [05-group-validation-webhook.service.yaml.tmpl](/templates/05-group-validation-webhook.service.yaml.tmpl).
+
+Getting the TLS certificates is only part of the battle, as the operator does not inject them into the `ValidatingWebhookConfiguration`. To accomplish that, a small Python script has been written that is used as an `initContainer` in the Deployment of the webhook framework. The "injector" script, when run, will find all `ValidatingWebhookConfiguration` objects with an `managed.openshift.io/inject-cabundle-from` annotation. The annotation's value is in the format `namespace/configmap` from whence the CA Bundle can be found (as the key `service-ca.crt`). Thus an annotation `managed.openshift.io/inject-cabundle-from: openshift-validation-webhook/webhook-cert` will have the "injector" script look in the `openshift-validation-webhook` `Namespace` for the `webhook-cert` `ConfigMap` to contain a `service-ca.crt` key and therein, a PEM encoded certificate. The certificate is base64-encoded and set as the `caBundle` for each webhook defined in the `ValidatingWebhookConfiguration`.
+
+## Development
+
+### Adding New Webhooks
+
+In order to add new webhooks, create a new Python file in [src/webhook](src/webhook), following the pattern from [src/webhook/group_validation.py](src/webhook/group_validation.py). Add an entry to [src/webhook/__init__.py](src/webhook/__init__.py) in the pattern of the group validation webhook.
+
+#### Register with the Flask application
+
+To register your webhook with the Flask app:
+
+```python
+# src/webhook/__init__.py
+from flask import Flask
+from flask import request
+
+app = Flask(__name__,instance_relative_config=True)
+
+from webhook import group_validation
+app.register_blueprint(group_validation.bp)
+
+from webhook import your_hook
+app.register_blueprint(your_hook.bp)
+```
+
+#### Adding YAML Manifests
+
+To add a new YAML Manifest:
+
+Create a new file in [templates](/templates) directory with a `10-` prefix, ex `10-your-hook.ValidatingWebhookConfiguration.yaml.tmpl` with contents:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata: 
+  name: your-webhook-name-here
+  annotations:
+    # Typically  managed.openshift.io/inject-cabundle-from: namespace/configmap
+    # The configmap must have the cert in PEM format in a key named service-ca.crt.
+    # Each webhook in this object with a service clientConfig will have the bundle injected.
+    #VWC_ANNOTATION#: #NAMESPACE#/#CABUNDLECONFIGMAP#
+webhooks:
+  - clientConfig:
+      service:
+        namespace: #NAMESPACE#
+        name: #SVCNAME#
+        path: /your-webhook
+    failurePolicy:
+      # What to do if the hook itself fails (Ignore/Fail)
+    name: your-webhook.managed.openshift.io
+    rules:
+      - operations:
+          # operations list
+        apiGroups:
+          # apiGroups list
+        apiVersions:
+          # apiVersions list
+        resources:
+          # resources List
+```
+
+From here, `make render` will populate [deploy](/deploy) with YAML manifests that can be `oc apply` to the cluster in question. Note that new hooks require a restart of the Flask application.
+
+### Request Helpers
+
+There are helper methods within the [src/webhook/request_helper](src/webhook/request_helper) to aid with:
+
+* [Incoming request validation](src/webhook/request_helper/validate.py)
+* [Formulating the response JSON body](src/webhook/request_helper/responses.py)
+
+To use the request validation:
+
+```python
+# src/webhook/your_hook.py
+from flask import request, Blueprint
+import json
+
+from webhook.request_helper import validate, responses
+@bp.route('/your-webhook', methods=('GET','POST'))
+def handle_request():
+  valid = True
+  try:
+    valid = validate.validate_request_structure(request.json)
+  except:
+    # if anything goes wrong, it's not valid.
+    valid = False
+  if not valid:
+    return responses.response_invalid()
+  # ... normal hook flow
+```
+
+To use the response helpers:
+
+```python
+# src/webhook/your_hook.py
+from flask import request, Blueprint
+import json
+
+from webhook.request_helper import responses
+@bp.route('/your-webhook', methods=('GET','POST'))
+def handle_request():
+  # ...
+
+  # request is the object coming from the webhook
+  # request.json converts to JSON document, and the request key therein has the interesting data
+  request_body = request.json['request']
+
+  # Invalid request came in
+  return responses.response_invalid()
+
+  # Access granted:
+  return responses.response_allow(req=request_body)
+
+  # Access denied:
+  return responses.response_deny(req=response_body, msg="Reason to deny")
+  
+  # ...
+```

build/Dockerfile

@@ -0,0 +1,10 @@
+FROM python:3.7
+
+
+ADD src /app
+WORKDIR /app
+RUN pip install -r /app/requirements.txt
+ENV FLASK_APP=webhook
+EXPOSE 5000
+
+CMD ["gunicorn", "--config", "/app/gunicorn.py"]

deploy/01-webhook.namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-validation-webhook

deploy/02-webhook-cacert.configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+  name: webhook-cert
+  namespace: openshift-validation-webhook
+# data.(service-ca.crt) is filled in by openshift-ca-operator
+data: {}

deploy/02-webhook.permissions.yaml

@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: webhook-validation-cr
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+    - validatingwebhookconfigurations
+  verbs:
+    - list
+    - patch
+    - get
+- apiGroups:
+  - ""
+  resources:
+    - configmaps
+  verbs:
+    - list
+    - get
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: validation-webhook
+  namespace: openshift-validation-webhook
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: webhook-validation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: webhook-validation-cr
+subjects:
+  - kind: ServiceAccount
+    name: validation-webhook
+    namespace: openshift-validation-webhook

src/README.md

@@ -0,0 +1,14 @@
+# gunicorn config file
+import ssl
+
+access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s" "pid=%(p)s"'
+raw_env = [
+  'FLASK_APP=webhook',
+
+  'GROUP_VALIDATION_ADMIN_GROUP=osd-sre-admins',
+  'GROUP_VALIDATION_PREFIX=osd-sre-',
+]
+bind="0.0.0.0:5000"
+workers=5
+accesslog="-"
+#cert_reqs = ssl.CERT_REQUIRED

src/gunicorn.py

@@ -0,0 +1,55 @@
+#!/usr/bin/env python3
+
+# Update the ValidatingWebhookConfiguration with the contents of the Service CA.
+
+from kubernetes import client, config
+import os
+import argparse
+import copy
+import base64
+
+
+parser = argparse.ArgumentParser(description="Options to Program")
+parser.add_argument('-a', default="managed.openshift.io/inject-cabundle-from", dest='annotation_name', help='What is the annotation that has a reference to a namespace/configmap for the caBundle. The cert must be stored in pem format in a key called service-ca.crt')
+parsed = parser.parse_args()
+
+config.load_incluster_config()
+admission_client = client.AdmissionregistrationV1beta1Api()
+cm_client = client.CoreV1Api()
+
+def get_cert_from_configmap(client, namespace, configmap_name, key="service-ca.crt"):
+  try:
+    o = client.read_namespaced_config_map(configmap_name, namespace)
+    if key in o.data:
+      return o.data[key].rstrip()
+  except:
+    return None
+  return None
+
+def encode_cert(cert):
+  return base64.b64encode(cert.encode("UTF-8")).decode("UTF-8")
+
+def get_validating_webhook_configuration_objects_with_annotation(client, annotation):
+  ret = []
+  for o in client.list_validating_webhook_configuration().items:
+    if annotation in o.metadata.annotations:
+      ret.append(o)
+  return ret
+
+for vwc in get_validating_webhook_configuration_objects_with_annotation(admission_client, parsed.annotation_name):
+  ns, cm_name = vwc.metadata.annotations[parsed.annotation_name].split('/')
+  cert = get_cert_from_configmap(cm_client, ns, cm_name)
+  if cert is None:
+    print("WARNING: Skipping validatingwebhookconfiguration/{}: Couldn't find a cert from {}/{} ConfigMap. \n".format(vwc.metadata.name, ns, cm_name))
+    continue
+  encoded_cert = encode_cert(cert)
+  new_vwc = copy.deepcopy(vwc)
+  for hook in new_vwc.webhooks:
+    if hook.client_config.service is not None and hook.client_config.ca_bundle is not encoded_cert:
+      hook.client_config.ca_bundle = encoded_cert
+      print("validatingwebhookconfiguration/{}: Injecting caBundle from {}/{}, for hook name {}, to service/{}/{}\n".format(new_vwc.metadata.name, ns, cm_name, hook.name, hook.client_config.service.namespace, hook.client_config.service.name))
+  try:
+    result = admission_client.patch_validating_webhook_configuration(name=new_vwc.metadata.name, body=new_vwc)
+  except Exception as err:
+    print("ERROR: Couldn't save validatingwebhookconfiguration/{}: {}\n",new_vwc.metadata.name, err)
+    os.exit(1)