Merge pull request #109 from ratschance/allow-extra-vols-and-webhook-url

feat: Add support for mounting extra volumes and add webhook URL override capability
loft-sh · Dec 7, 2023 · 5b027ee · 5b027ee
2 parents 0fedc7b + e39a0fd
commit 5b027ee
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 10 deletions.
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -35,6 +35,10 @@ spec:
       {{- if .Values.tolerations }}
       tolerations: {{- include "jspolicy.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
       {{- end }}
+      {{- if .Values.jspolicy.extraVolumes }}
+      volumes:
+        {{- toYaml .Values.jspolicy.extraVolumes | nindent 8 }}
+      {{- end }}
       containers:
       - ports:
         - name: webhook
@@ -89,3 +93,7 @@ spec:
         {{- end }}
         resources:
 {{ toYaml .Values.jspolicy.resources | indent 10 }}
+        {{- if .Values.jspolicy.extraVolumeMounts }}
+        volumeMounts:
+          {{- toYaml .Values.jspolicy.extraVolumeMounts | nindent 10 }}
+        {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -28,6 +28,9 @@ jspolicy:
     requests:
       memory: 128Mi
       cpu: 50m
+  # extraVolumes and extraVolumeMounts allows mounting other volumes to the jsPolicy pod.
+  extraVolumes: []
+  extraVolumeMounts: []
 
 policyReports:
   enabled: false

diff --git a/pkg/controllers/jspolicy.go b/pkg/controllers/jspolicy.go
@@ -541,11 +541,16 @@ func (r *JsPolicyReconciler) syncMutatingWebhookConfiguration(ctx context.Contex
 	// Ensure webhook fields
 	webhook.Webhooks[0].Name = jsPolicy.Name
 	path := "/policy/" + jsPolicy.Name
-	webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
-		Name:      clienthelper.ServiceName(),
-		Namespace: namespace,
-		Path:      &path,
-		Port:      &port,
+	if url := clienthelper.WebhookURL(); url != "" {
+		url = url + path
+		webhook.Webhooks[0].ClientConfig.URL = &url
+	} else {
+		webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
+			Name:      clienthelper.ServiceName(),
+			Namespace: namespace,
+			Path:      &path,
+			Port:      &port,
+		}
 	}
 	webhook.Webhooks[0].ClientConfig.CABundle = r.CaBundle
 	if len(webhook.Webhooks[0].Rules) != 1 {
@@ -639,11 +644,16 @@ func (r *JsPolicyReconciler) syncValidatingWebhookConfiguration(ctx context.Cont
 	// Ensure webhook fields
 	webhook.Webhooks[0].Name = jsPolicy.Name
 	path := "/policy/" + jsPolicy.Name
-	webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
-		Name:      clienthelper.ServiceName(),
-		Namespace: namespace,
-		Path:      &path,
-		Port:      &port,
+	if url := clienthelper.WebhookURL(); url != "" {
+		url = url + path
+		webhook.Webhooks[0].ClientConfig.URL = &url
+	} else {
+		webhook.Webhooks[0].ClientConfig.Service = &admissionregistrationv1.ServiceReference{
+			Name:      clienthelper.ServiceName(),
+			Namespace: namespace,
+			Path:      &path,
+			Port:      &port,
+		}
 	}
 	webhook.Webhooks[0].ClientConfig.CABundle = r.CaBundle
 	if len(webhook.Webhooks[0].Rules) != 1 {

diff --git a/pkg/controllers/jspolicy_test.go b/pkg/controllers/jspolicy_test.go
@@ -81,6 +81,8 @@ func TestSimple(t *testing2.T) {
 	err = fakeClient.List(context.TODO(), list)
 	assert.NilError(t, err)
 	assert.Equal(t, len(list.Items), 1)
+	var expectedURL *string
+	assert.Equal(t, list.Items[0].Webhooks[0].ClientConfig.URL, expectedURL, "the webhook url should be nil when JS_POLICY_WEBHOOK_URL is not set")
 	mList := &admissionregistrationv1.MutatingWebhookConfigurationList{}
 	err = fakeClient.List(context.TODO(), mList)
 	assert.NilError(t, err)
@@ -104,6 +106,39 @@ func TestSimple(t *testing2.T) {
 	assert.NilError(t, err)
 	assert.Equal(t, len(mList.Items), 1)
 }
+func TestSimpleURL(t *testing2.T) {
+	err := os.Setenv("KUBE_NAMESPACE", "default")
+	assert.NilError(t, err)
+	err = os.Setenv("JS_POLICY_WEBHOOK_URL", "https://testurl.example.local")
+	assert.NilError(t, err)
+
+	scheme := testing.NewScheme()
+	fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithRuntimeObjects(testPolicy).Build()
+
+	controller := &JsPolicyReconciler{
+		Client:                  fakeClient,
+		Log:                     loghelper.New("test"),
+		Scheme:                  scheme,
+		Bundler:                 nil,
+		ControllerPolicyManager: nil,
+		controllerPolicyHash:    map[string]string{},
+		CaBundle:                []byte("any"),
+	}
+
+	// sync the webhook
+	err = controller.syncWebhook(context.Background(), testPolicy)
+	assert.NilError(t, err)
+
+	// check if there was a validating webhook created
+	list := &admissionregistrationv1.ValidatingWebhookConfigurationList{}
+	err = fakeClient.List(context.TODO(), list)
+	assert.NilError(t, err)
+	assert.Equal(t, len(list.Items), 1)
+
+	// confirm that the webhook url is set correctly
+	expectedURL := "https://testurl.example.local" + "/policy/test.test.com"
+	assert.Equal(t, *list.Items[0].Webhooks[0].ClientConfig.URL, expectedURL)
+}
 
 type fakeBundler struct {
 	bundle []byte

diff --git a/pkg/util/clienthelper/helper.go b/pkg/util/clienthelper/helper.go
@@ -20,6 +20,15 @@ func ServiceName() string {
 	return "jspolicy"
 }
 
+// WebhookURL returns the URL of the webhook service if it is set in the environment variable JS_POLICY_WEBHOOK_URL.
+// Otherwise, it returns an empty string which means a webhook service reference should be used.
+func WebhookURL() string {
+	if os.Getenv("JS_POLICY_WEBHOOK_URL") != "" {
+		return os.Getenv("JS_POLICY_WEBHOOK_URL")
+	}
+	return ""
+}
+
 func CurrentNamespace() (string, error) {
 	envNamespace := os.Getenv("KUBE_NAMESPACE")
 	if envNamespace != "" {