admission

package
v1.6.1-0...-f207c0f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 28, 2025 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	ErrTextAdminAPIUnavailable                = "could not talk to Kong admin API"
	ErrTextConsumerCredentialSecretNotFound   = "consumer referenced non-existent credentials secret"
	ErrTextConsumerCredentialValidationFailed = "consumer credential failed validation"
	ErrTextConsumerExists                     = "consumer already exists"
	ErrTextConsumerUnretrievable              = "failed to fetch consumer from kong"
	ErrTextConsumerGroupUnsupported           = "consumer group support requires Kong Enterprise"
	ErrTextConsumerGroupUnlicensed            = "consumer group support requires a valid Kong Enterprise license"
	ErrTextConsumerGroupUnexpected            = "unexpected error during checking support for consumer group"
	ErrTextCustomEntityFieldsUnmarshalFailed  = "failed to unmarshal fields of custom entity: %v"
	ErrTextCustomEntityGetSchemaFailed        = "failed to get schema of Kong entity type '%s': %v"
	ErrTextFailedToRetrieveSecret             = "could not retrieve secrets from the kubernetes API" //nolint:gosec
	ErrTextPluginConfigInvalid                = "could not parse plugin configuration"
	ErrTextPluginConfigValidationFailed       = "unable to validate plugin schema"
	ErrTextPluginConfigViolatesSchema         = "plugin failed schema validation: %s"
	ErrTextPluginSecretConfigUnretrievable    = "could not load secret plugin configuration"
	ErrTextVaultConfigUnmarshalFailed         = "failed to unmarshal vault configuration: %v"
	ErrTextVaultUnableToValidate              = "unable to validate vault on Kong gateway"
	ErrTextVaultConfigValidationResultInvalid = "vault configuration in invalid: %s"
)
View Source 
const (
	ErrTextCantRetrieveGatewayClass    = "gatewayclass for this gateway could not be retrieved"
	ErrTextInvalidGatewayConfiguration = "gateway metadata and/or spec are invalid"
)
View Source 
const (
	KindKongPlugin        = "KongPlugin"
	KindKongClusterPlugin = "KongClusterPlugin"
)
View Source 
const (
	// DefaultAdmissionWebhookBasePath is the default path to validating admission webhook files.
	DefaultAdmissionWebhookBasePath = "/tmp/k8s-webhook-server/serving-certs/validating-admission-webhook/"
	// DefaultAdmissionWebhookCertPath is the default path to the any (validation, conversion) webhook server TLS certificate.
	DefaultAdmissionWebhookCertPath = DefaultAdmissionWebhookBasePath + "tls.crt"
	// DefaultAdmissionWebhookKeyPath is the default path to the any (validation, conversion) webhook server TLS key.
	DefaultAdmissionWebhookKeyPath = DefaultAdmissionWebhookBasePath + "tls.key"
)

NOTE: These paths have to match paths used in Helm Chart. E.g. in

Variables

This section is empty.

Functions

This section is empty.

Types

type AdminAPIServicesProvider 

type AdminAPIServicesProvider interface {
	GetConsumersService() (kong.AbstractConsumerService, bool)
	GetPluginsService() (kong.AbstractPluginService, bool)
	GetConsumerGroupsService() (kong.AbstractConsumerGroupService, bool)
	GetInfoService() (kong.AbstractInfoService, bool)
	GetRoutesService() (kong.AbstractRouteService, bool)
	GetVaultsService() (kong.AbstractVaultService, bool)
	GetSchemasService() (kong.AbstractSchemaService, bool)
}

AdminAPIServicesProvider provides KongHTTPValidator with Kong Admin API services that are needed to perform validation against entities stored by the Gateway.

type ConsumerGetter 

type ConsumerGetter interface {
	ListAllConsumers(ctx context.Context) ([]configurationv1.KongConsumer, error)
}

ConsumerGetter is an interface for retrieving KongConsumers.

type DefaultAdminAPIServicesProvider 

type DefaultAdminAPIServicesProvider struct {
	// contains filtered or unexported fields
}

DefaultAdminAPIServicesProvider allows getting Admin API services that require having at least one Gateway discovered. In the case there's no Gateways, it will return `false` from every method, signalling there's no Gateway available.

func NewDefaultAdminAPIServicesProvider 

func NewDefaultAdminAPIServicesProvider(gatewaysProvider GatewayClientsProvider) *DefaultAdminAPIServicesProvider

func (DefaultAdminAPIServicesProvider) GetConsumerGroupsService 

func (p DefaultAdminAPIServicesProvider) GetConsumerGroupsService() (kong.AbstractConsumerGroupService, bool)

func (DefaultAdminAPIServicesProvider) GetConsumersService 

func (p DefaultAdminAPIServicesProvider) GetConsumersService() (kong.AbstractConsumerService, bool)

func (DefaultAdminAPIServicesProvider) GetInfoService 

func (p DefaultAdminAPIServicesProvider) GetInfoService() (kong.AbstractInfoService, bool)

func (DefaultAdminAPIServicesProvider) GetPluginsService 

func (p DefaultAdminAPIServicesProvider) GetPluginsService() (kong.AbstractPluginService, bool)

func (DefaultAdminAPIServicesProvider) GetRoutesService 

func (p DefaultAdminAPIServicesProvider) GetRoutesService() (kong.AbstractRouteService, bool)

func (DefaultAdminAPIServicesProvider) GetSchemasService 

func (p DefaultAdminAPIServicesProvider) GetSchemasService() (kong.AbstractSchemaService, bool)

func (DefaultAdminAPIServicesProvider) GetVaultsService 

func (p DefaultAdminAPIServicesProvider) GetVaultsService() (kong.AbstractVaultService, bool)

type GatewayClientsProvider 

type GatewayClientsProvider interface {
	GatewayClients() []*adminapi.Client
}

GatewayClientsProvider returns the most recent set of Gateway Admin API clients.

type KongHTTPValidator 

type KongHTTPValidator struct {
	Logger                   logr.Logger
	SecretGetter             kongstate.SecretGetter
	ConsumerGetter           ConsumerGetter
	Storer                   store.Storer
	ManagerClient            client.Client
	AdminAPIServicesProvider AdminAPIServicesProvider
	TranslatorFeatures       translator.FeatureFlags
	// ReferenceIndexers gets the resources (KongPlugin and KongClusterPlugin)
	// referring the validated resource (Secret) to check the changes on
	// referred Secret will produce invalid configuration of the plugins.
	ReferenceIndexers ctrlref.CacheIndexers
	// contains filtered or unexported fields
}

KongHTTPValidator implements KongValidator interface to validate Kong entities using the Admin API of Kong.

func NewKongHTTPValidator 

func NewKongHTTPValidator(
	logger logr.Logger,
	managerClient client.Client,
	ingressClass string,
	servicesProvider AdminAPIServicesProvider,
	translatorFeatures translator.FeatureFlags,
	storer store.Storer,
	referenceIndexer ctrlref.CacheIndexers,
) KongHTTPValidator

NewKongHTTPValidator provides a new KongHTTPValidator object provided a controller-runtime client which will be used to retrieve reference objects such as consumer credentials secrets. If you do not pass a cached client here, the performance of this validator can get very poor at high scales.

func (KongHTTPValidator) GetReferenceIndexers 

func (validator KongHTTPValidator) GetReferenceIndexers() ctrlref.CacheIndexers

func (KongHTTPValidator) IngressClassMatcher 

func (validator KongHTTPValidator) IngressClassMatcher(om *metav1.ObjectMeta) bool

func (KongHTTPValidator) IngressV1ClassMatcher 

func (validator KongHTTPValidator) IngressV1ClassMatcher(ingress *netv1.Ingress) bool

func (KongHTTPValidator) ValidateClusterPlugin 

func (validator KongHTTPValidator) ValidateClusterPlugin(
	ctx context.Context,
	k8sPlugin configurationv1.KongClusterPlugin,
	overrideSecrets []*corev1.Secret,
) (bool, string, error)

ValidateClusterPlugin transfers relevant fields from a KongClusterPlugin into a KongPlugin and then returns the result of ValidatePlugin for the derived KongPlugin.

func (KongHTTPValidator) ValidateConsumer 

func (validator KongHTTPValidator) ValidateConsumer(
	ctx context.Context,
	consumer configurationv1.KongConsumer,
) (bool, string, error)

ValidateConsumer checks if consumer has a Username and a consumer with the same username doesn't exist in Kong. If an error occurs during validation, it is returned as the last argument. The first boolean communicates if the consumer is valid or not and string holds a message if the entity is not valid.

func (KongHTTPValidator) ValidateConsumerGroup 

func (validator KongHTTPValidator) ValidateConsumerGroup(
	ctx context.Context,
	consumerGroup configurationv1beta1.KongConsumerGroup,
) (bool, string, error)

func (KongHTTPValidator) ValidateCredential 

func (validator KongHTTPValidator) ValidateCredential(ctx context.Context, secret corev1.Secret) (bool, string)

ValidateCredential checks if the secret contains a credential meant to be installed in Kong. If so, then it verifies if all the required fields are present in it or not. If valid, it returns true with an empty string, else it returns false with the error message. If an error happens during validation, error is returned.

func (KongHTTPValidator) ValidateCustomEntity 

func (validator KongHTTPValidator) ValidateCustomEntity(ctx context.Context, entity configurationv1alpha1.KongCustomEntity) (bool, string, error)

func (KongHTTPValidator) ValidateGateway 

func (validator KongHTTPValidator) ValidateGateway(
	ctx context.Context, gateway gatewayapi.Gateway,
) (bool, string, error)

func (KongHTTPValidator) ValidateHTTPRoute 

func (validator KongHTTPValidator) ValidateHTTPRoute(
	ctx context.Context, httproute gatewayapi.HTTPRoute,
) (bool, string, error)

func (KongHTTPValidator) ValidateIngress 

func (validator KongHTTPValidator) ValidateIngress(
	ctx context.Context, ingress netv1.Ingress,
) (bool, string, error)

func (KongHTTPValidator) ValidatePlugin 

func (validator KongHTTPValidator) ValidatePlugin(
	ctx context.Context,
	k8sPlugin configurationv1.KongPlugin,
	overrideSecrets []*corev1.Secret,
) (bool, string, error)

ValidatePlugin checks if k8sPlugin is valid. It does so by performing an HTTP request to Kong's Admin API entity validation endpoints. If an error occurs during validation, it is returned as the last argument. The first boolean communicates if k8sPluign is valid or not and string holds a message if the entity is not valid.

func (KongHTTPValidator) ValidateVault 

func (validator KongHTTPValidator) ValidateVault(ctx context.Context, k8sKongVault configurationv1alpha1.KongVault) (bool, string, error)

type KongValidator 

type KongValidator interface {
	ValidateConsumer(ctx context.Context, consumer configurationv1.KongConsumer) (bool, string, error)
	ValidateConsumerGroup(ctx context.Context, consumerGroup configurationv1beta1.KongConsumerGroup) (bool, string, error)
	ValidatePlugin(ctx context.Context, plugin configurationv1.KongPlugin, overrideSecrets []*corev1.Secret) (bool, string, error)
	ValidateClusterPlugin(ctx context.Context, plugin configurationv1.KongClusterPlugin, overrideSecrets []*corev1.Secret) (bool, string, error)
	ValidateVault(ctx context.Context, vault configurationv1alpha1.KongVault) (bool, string, error)
	ValidateCustomEntity(ctx context.Context, entity configurationv1alpha1.KongCustomEntity) (bool, string, error)
	ValidateCredential(ctx context.Context, secret corev1.Secret) (bool, string)
	ValidateGateway(ctx context.Context, gateway gatewayapi.Gateway) (bool, string, error)
	ValidateHTTPRoute(ctx context.Context, httproute gatewayapi.HTTPRoute) (bool, string, error)
	ValidateIngress(ctx context.Context, ingress netv1.Ingress) (bool, string, error)

	IngressClassMatcher(obj *metav1.ObjectMeta) bool
	IngressV1ClassMatcher(ing *netv1.Ingress) bool
	GetReferenceIndexers() ctrlref.CacheIndexers
}

KongValidator validates Kong entities.

type RequestHandler 

type RequestHandler struct {
	Logger logr.Logger
	// contains filtered or unexported fields
}

RequestHandler is an HTTP server that can validate Kong Ingress Controllers' Custom Resources using Kubernetes Admission Webhooks.

func (*RequestHandler) RegisterValidator 

func (h *RequestHandler) RegisterValidator(id mgrID, validator KongValidator)

RegisterValidator adds a new validator to the request handler. An instance of validator is created per KIC instance in KO.

func (RequestHandler) ServeHTTP 

func (h RequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP parses AdmissionReview requests and responds back with the validation result of the entity.

func (*RequestHandler) UnregisterValidator 

func (h *RequestHandler) UnregisterValidator(id mgrID)

UnregisterValidator removes a validator from from the request handler. An instance of validator is removed when a particular KIC instance is removed from KO.

type ResponseBuilder 

type ResponseBuilder struct {
	// contains filtered or unexported fields
}

func NewResponseBuilder 

func NewResponseBuilder(uid k8stypes.UID) *ResponseBuilder

func (*ResponseBuilder) Allowed 

func (r *ResponseBuilder) Allowed(allowed bool) *ResponseBuilder

func (*ResponseBuilder) Build 

func (r *ResponseBuilder) Build() *admissionv1.AdmissionResponse

func (*ResponseBuilder) WithMessage 

func (r *ResponseBuilder) WithMessage(msg string) *ResponseBuilder

func (*ResponseBuilder) WithWarning 

func (r *ResponseBuilder) WithWarning(warning string) *ResponseBuilder

type SecretGetterWithOverride 

type SecretGetterWithOverride struct {
	// contains filtered or unexported fields
}

SecretGetterWithOverride returns the override secrets in the list if the namespace and name matches, or use the nested secretGetter to fetch the secret otherwise. Used for validating changes of secrets to override existing the one in cache with the one to be updated.

func NewSecretGetterWithOverride 

func NewSecretGetterWithOverride(s kongstate.SecretGetter, overrideSecrets []*corev1.Secret) *SecretGetterWithOverride

NewSecretGetterWithOverride returns a secret getter with given override secrets.

func (*SecretGetterWithOverride) GetSecret 

func (s *SecretGetterWithOverride) GetSecret(namespace, name string) (*corev1.Secret, error)

type Server 

type Server struct {
	// contains filtered or unexported fields
}

func MakeTLSServer 

func MakeTLSServer(port int32, handler http.Handler) (*Server, error)

func (*Server) Start 

func (s *Server) Start(ctx context.Context) error

Start starts the admission server and blocks until the context is done.

Source Files

View all Source files

Directories

Path Synopsis
consumers/credentials
Package credentials includes validators for the credentials provided for KongConsumers.
 Package credentials includes validators for the credentials provided for KongConsumers.
gateway
ingress

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.