refactor(all): refactor code

refactor code Signed-off-by: mritd <[email protected]>
mritd · Aug 25, 2020 · 12019ed · 12019ed
1 parent 76d430e
commit 12019ed
Show file tree

Hide file tree

Showing 8 changed files with 244 additions and 223 deletions.
diff --git a/main.go b/main.go
@@ -70,14 +70,18 @@ var rootCmd = &cobra.Command{
 			logger.Infof("Listen TLS Server at %s", conf.Addr)
 			err := srv.ListenAndServeTLS(conf.Cert, conf.Key)
 			if err != nil {
-				logger.Fatal(err)
+				if err == http.ErrServerClosed {
+					logger.Info("server shutdown success.")
+				} else {
+					logger.Fatal(err)
+				}
 			}
 		} else {
 			logger.Infof("Listen HTTP Server at %s", conf.Addr)
 			err := srv.ListenAndServe()
 			if err != nil {
 				if err == http.ErrServerClosed {
-					logger.Info("server shutdown success")
+					logger.Info("server shutdown success.")
 				} else {
 					logger.Fatal(err)
 				}

diff --git a/pkg/adfunc/adfuncs.go b/pkg/adfunc/adfuncs.go
@@ -7,14 +7,15 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/mritd/goadmission/pkg/zaplogger"
 	"go.uber.org/zap"
+
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 
 	jsoniter "github.com/json-iterator/go"
 
 	"github.com/mritd/goadmission/pkg/route"
 
-	"github.com/mritd/goadmission/pkg/zaplogger"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
@@ -26,12 +27,14 @@ const (
 
 type AdmissionType string
 
+// AdmissionFunc defines an admission control handler
 type AdmissionFunc struct {
 	Type AdmissionType
 	Path string
 	Func func(request *admissionv1.AdmissionRequest) (*admissionv1.AdmissionResponse, error)
 }
 
+// admissionFuncMap is a collection of global admission control handlers
 type admissionFuncMap map[string]AdmissionFunc
 
 var funcMap = make(admissionFuncMap, 10)
@@ -40,6 +43,8 @@ var adfuncOnce sync.Once
 var deserializer runtime.Decoder
 var logger *zap.SugaredLogger
 
+// Setup initialize deserializer and register admission control handlers
+// to the global routing handlers collection.
 func Setup() {
 	adfuncOnce.Do(func() {
 		logger = zaplogger.NewSugar("adfunc")
@@ -137,7 +142,8 @@ func register(af AdmissionFunc) {
 		logger.Fatalf("unsupported admission func type")
 	}
 
-	if _, exist := funcMap[handlePath]; exist {
+	registeredAf, exist := funcMap[handlePath]
+	if exist && registeredAf.Type == af.Type {
 		logger.Fatalf("admission func [%s], type: %s already registered", af.Path, af.Type)
 	}
 

diff --git a/pkg/adfunc/func_check_deploy_time.go b/pkg/adfunc/func_check_deploy_time.go
@@ -20,65 +20,68 @@ func init() {
 	register(AdmissionFunc{
 		Type: AdmissionTypeValidating,
 		Path: "/check-deploy-time",
-		Func: func(request *admissionv1.AdmissionRequest) (*admissionv1.AdmissionResponse, error) {
-			switch request.Kind.Kind {
-			case "Deployment":
-				var deploy appsv1.Deployment
-				err := jsoniter.Unmarshal(request.Object.Raw, &deploy)
-				if err != nil {
-					errMsg := fmt.Sprintf("[route.Validating] /check-deploy-time: failed to unmarshal object: %v", err)
-					logger.Error(errMsg)
-					return &admissionv1.AdmissionResponse{
-						Allowed: false,
-						Result: &metav1.Status{
-							Code:    http.StatusBadRequest,
-							Message: errMsg,
-						},
-					}, nil
-				}
-				for label := range deploy.Labels {
-					if label == conf.ForceDeployLabel {
-						return &admissionv1.AdmissionResponse{
-							Allowed: true,
-							Result: &metav1.Status{
-								Code:    http.StatusOK,
-								Message: "success",
-							},
-						}, nil
-					}
-				}
+		Func: checkDeployTime,
+	})
+}
 
-				err = checkTime(conf.AllowDeployTime)
-				if err != nil {
-					return &admissionv1.AdmissionResponse{
-						Allowed: false,
-						Result: &metav1.Status{
-							Code:    http.StatusForbidden,
-							Message: err.Error(),
-						},
-					}, nil
-				} else {
-					return &admissionv1.AdmissionResponse{
-						Allowed: true,
-						Result: &metav1.Status{
-							Code:    http.StatusOK,
-							Message: "success",
-						},
-					}, nil
-				}
-			default:
-				errMsg := fmt.Sprintf("[route.Validating] /check-deploy-time: received wrong kind request: %s, Only support Kind: Deployment", request.Kind.Kind)
-				logger.Error(errMsg)
+// checkDeployTime check the current time allow deployment
+func checkDeployTime(request *admissionv1.AdmissionRequest) (*admissionv1.AdmissionResponse, error) {
+	switch request.Kind.Kind {
+	case "Deployment":
+		var deploy appsv1.Deployment
+		err := jsoniter.Unmarshal(request.Object.Raw, &deploy)
+		if err != nil {
+			errMsg := fmt.Sprintf("[route.Validating] /check-deploy-time: failed to unmarshal object: %v", err)
+			logger.Error(errMsg)
+			return &admissionv1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Code:    http.StatusBadRequest,
+					Message: errMsg,
+				},
+			}, nil
+		}
+		for label := range deploy.Labels {
+			if label == conf.ForceDeployLabel {
 				return &admissionv1.AdmissionResponse{
-					Allowed: false,
+					Allowed: true,
 					Result: &metav1.Status{
-						Code:    http.StatusForbidden,
-						Message: errMsg,
+						Code:    http.StatusOK,
+						Message: "success",
 					},
 				}, nil
 			}
-		},
-	})
+		}
+
+		err = checkTime(conf.AllowDeployTime)
+		if err != nil {
+			return &admissionv1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Code:    http.StatusForbidden,
+					Message: err.Error(),
+				},
+			}, nil
+		} else {
+			return &admissionv1.AdmissionResponse{
+				Allowed: true,
+				Result: &metav1.Status{
+					Code:    http.StatusOK,
+					Message: "success",
+				},
+			}, nil
+		}
+	default:
+		errMsg := fmt.Sprintf("[route.Validating] /check-deploy-time: received wrong kind request: %s, Only support Kind: Deployment", request.Kind.Kind)
+		logger.Error(errMsg)
+		return &admissionv1.AdmissionResponse{
+			Allowed: false,
+			Result: &metav1.Status{
+				Code:    http.StatusForbidden,
+				Message: errMsg,
+			},
+		}, nil
+	}
 }
 
 func checkTime(allowTime []string) error {

diff --git a/pkg/adfunc/func_disable_service_links.go b/pkg/adfunc/func_disable_service_links.go
@@ -20,84 +20,88 @@ func init() {
 	register(AdmissionFunc{
 		Type: AdmissionTypeMutating,
 		Path: "/disable-service-links",
-		Func: func(request *admissionv1.AdmissionRequest) (*admissionv1.AdmissionResponse, error) {
-			switch request.Kind.Kind {
-			case "Deployment":
-				var deploy appsv1.Deployment
-				err := jsoniter.Unmarshal(request.Object.Raw, &deploy)
-				if err != nil {
-					errMsg := fmt.Sprintf("[route.Mutating] /disable-service-links: failed to unmarshal object: %v", err)
-					logger.Error(errMsg)
-					return &admissionv1.AdmissionResponse{
-						Allowed: false,
-						Result: &metav1.Status{
-							Code:    http.StatusBadRequest,
-							Message: errMsg,
-						},
-					}, nil
-				}
-
-				for label := range deploy.Labels {
-					if label == conf.ForceEnableServiceLinksLabel {
-						return &admissionv1.AdmissionResponse{
-							Allowed: true,
-							Result: &metav1.Status{
-								Code:    http.StatusOK,
-								Message: "success",
-							},
-						}, nil
-					}
-				}
-
-				patches := []Patch{
-					{
-						Option: PatchOptionAdd,
-						Path:   "/metadata/annotations",
-						Value: map[string]string{
-							fmt.Sprintf("disable-service-links-mutatingwebhook-%d.mritd.me", time.Now().Unix()): "true",
-						},
-					},
-					{
-						Option: PatchOptionReplace,
-						Path:   "/spec/template/spec/enableServiceLinks",
-						Value:  false,
-					},
-				}
+		Func: disableServiceLinks,
+	})
+}
 
-				patch, err := jsoniter.Marshal(patches)
-				if err != nil {
-					errMsg := fmt.Sprintf("[route.Mutating] /disable-service-links: failed to marshal patch: %v", err)
-					logger.Error(errMsg)
-					return &admissionv1.AdmissionResponse{
-						Allowed: false,
-						Result: &metav1.Status{
-							Code:    http.StatusInternalServerError,
-							Message: errMsg,
-						},
-					}, nil
-				}
+// disableServiceLinks auto set enableServiceLinks of the target Deployment to false
+// to prevent k8s environment variable injection
+func disableServiceLinks(request *admissionv1.AdmissionRequest) (*admissionv1.AdmissionResponse, error) {
+	switch request.Kind.Kind {
+	case "Deployment":
+		var deploy appsv1.Deployment
+		err := jsoniter.Unmarshal(request.Object.Raw, &deploy)
+		if err != nil {
+			errMsg := fmt.Sprintf("[route.Mutating] /disable-service-links: failed to unmarshal object: %v", err)
+			logger.Error(errMsg)
+			return &admissionv1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Code:    http.StatusBadRequest,
+					Message: errMsg,
+				},
+			}, nil
+		}
 
-				logger.Infof("[route.Mutating] /disable-service-links: patches: %s", string(patch))
+		for label := range deploy.Labels {
+			if label == conf.ForceEnableServiceLinksLabel {
 				return &admissionv1.AdmissionResponse{
-					Allowed:   true,
-					Patch:     patch,
-					PatchType: JSONPatch(),
+					Allowed: true,
 					Result: &metav1.Status{
 						Code:    http.StatusOK,
 						Message: "success",
 					},
 				}, nil
-			default:
-				errMsg := fmt.Sprintf("[route.Mutating] /disable-service-links: received wrong kind request: %s, Only support Kind: Deployment", request.Kind.Kind)
-				logger.Error(errMsg)
-				return &admissionv1.AdmissionResponse{
-					Allowed: false,
-					Result: &metav1.Status{
-						Code:    http.StatusForbidden,
-						Message: errMsg,
-					},
-				}, nil
 			}
-		},
-	})
+		}
+
+		patches := []Patch{
+			{
+				Option: PatchOptionAdd,
+				Path:   "/metadata/annotations",
+				Value: map[string]string{
+					fmt.Sprintf("disable-service-links-mutatingwebhook-%d.mritd.me", time.Now().Unix()): "true",
+				},
+			},
+			{
+				Option: PatchOptionReplace,
+				Path:   "/spec/template/spec/enableServiceLinks",
+				Value:  false,
+			},
+		}
+
+		patch, err := jsoniter.Marshal(patches)
+		if err != nil {
+			errMsg := fmt.Sprintf("[route.Mutating] /disable-service-links: failed to marshal patch: %v", err)
+			logger.Error(errMsg)
+			return &admissionv1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Code:    http.StatusInternalServerError,
+					Message: errMsg,
+				},
+			}, nil
+		}
+
+		logger.Infof("[route.Mutating] /disable-service-links: patches: %s", string(patch))
+		return &admissionv1.AdmissionResponse{
+			Allowed:   true,
+			Patch:     patch,
+			PatchType: JSONPatch(),
+			Result: &metav1.Status{
+				Code:    http.StatusOK,
+				Message: "success",
+			},
+		}, nil
+	default:
+		errMsg := fmt.Sprintf("[route.Mutating] /disable-service-links: received wrong kind request: %s, Only support Kind: Deployment", request.Kind.Kind)
+		logger.Error(errMsg)
+		return &admissionv1.AdmissionResponse{
+			Allowed: false,
+			Result: &metav1.Status{
+				Code:    http.StatusForbidden,
+				Message: errMsg,
+			},
+		}, nil
+	}
 }