diff --git a/cmd/kubevpn/cmds/webhook.go b/cmd/kubevpn/cmds/webhook.go
index 759d44b2..4f9154cd 100644
--- a/cmd/kubevpn/cmds/webhook.go
+++ b/cmd/kubevpn/cmds/webhook.go
@@ -7,7 +7,7 @@ import (
 "github.com/wencaiwulue/kubevpn/pkg/webhook"
 )
 
-func CmdWebhook(cmdutil.Factory) *cobra.Command {
+func CmdWebhook(f cmdutil.Factory) *cobra.Command {
 cmd := &cobra.Command{
 Use: "webhook",
 Short: "Starts a HTTP server, useful for creating MutatingAdmissionWebhook",
@@ -15,7 +15,9 @@ func CmdWebhook(cmdutil.Factory) *cobra.Command {
 
 After deploying it to Kubernetes cluster, the Administrator needs to create a MutatingWebhookConfiguration in the Kubernetes cluster to register remote webhook admission controllers.`,
 Args: cobra.MaximumNArgs(0),
- Run: webhook.Main,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ return webhook.Main(f)
+ },
 }
 return cmd
 }
diff --git a/pkg/handler/connect.go b/pkg/handler/connect.go
index 70ed887a..9992c21e 100644
--- a/pkg/handler/connect.go
+++ b/pkg/handler/connect.go
@@ -250,7 +250,7 @@ func (c *ConnectOptions) startLocalTunServe(ctx context.Context, forwardAddress
 Retries: 5,
 }
 
- log.Info("your ip is " + c.localTunIP.IP.String())
+ log.Debugf("your ip is %s", c.localTunIP.IP.String())
 if err = Start(ctx, r); err != nil {
 log.Errorf("error while create tunnel, err: %v", err)
 } else {
diff --git a/pkg/webhook/mutateadmissionwebhook.go b/pkg/webhook/mutateadmissionwebhook.go
index 5b6bd502..d20c17be 100644
--- a/pkg/webhook/mutateadmissionwebhook.go
+++ b/pkg/webhook/mutateadmissionwebhook.go
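Review bot: Now that `RunE` propagates the error from `webhook.Main`, a failure such as `ListenAndServeTLS` being unable to bind, or `tls.X509KeyPair` rejecting the CERT/KEY material, makes cobra print the command's full usage text (including the multi-line Long description) after the error, which buries the actual cause; the old `Run`/panic path did not do that. Add `SilenceUsage: true,` next to `Args:` so only the error is reported, and `cobra.NoArgs` can replace `cobra.MaximumNArgs(0)` since they are equivalent here. The whole of `CmdWebhook` is visible across the two hunks.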
@@ -9,14 +9,18 @@ import (
 "net/http"
 "os"
 
- "github.com/spf13/cobra"
-
 v1 "k8s.io/api/admission/v1"
 "k8s.io/api/admission/v1beta1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/klog/v2"
+ cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
+// admissionReviewHandler is a handler to handle business logic, holding an util.Factory
+type admissionReviewHandler struct {
+ f cmdutil.Factory
+}
+
 // admitv1beta1Func handles a v1beta1 admission
 type admitv1beta1Func func(v1beta1.AdmissionReview) *v1beta1.AdmissionResponse
 
@@ -116,23 +120,30 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitHandler) {
 }
 }
 
-func servePods(w http.ResponseWriter, r *http.Request) {
- serve(w, r, newDelegateToV1AdmitHandler(admitPods))
-}
-
-func Main(cmd *cobra.Command, args []string) {
- http.HandleFunc("/pods", servePods)
- http.HandleFunc("/readyz", func(w http.ResponseWriter, req *http.Request) { w.Write([]byte("ok")) })
- cert, _ := base64.StdEncoding.DecodeString(os.Getenv("CERT"))
- key, _ := base64.StdEncoding.DecodeString(os.Getenv("KEY"))
- pair, _ := tls.X509KeyPair(cert, key)
+func Main(f cmdutil.Factory) error {
+ h := &admissionReviewHandler{f: f}
+ http.HandleFunc("/pods", func(w http.ResponseWriter, r *http.Request) {
+ serve(w, r, newDelegateToV1AdmitHandler(h.admitPods))
+ })
+ http.HandleFunc("/readyz", func(w http.ResponseWriter, req *http.Request) {
+ _, _ = w.Write([]byte("ok"))
+ })
+ cert, err := base64.StdEncoding.DecodeString(os.Getenv("CERT"))
+ if err != nil {
+ return err
+ }
+ key, err := base64.StdEncoding.DecodeString(os.Getenv("KEY"))
+ if err != nil {
+ return err
+ }
+ pair, err := tls.X509KeyPair(cert, key)
+ if err != nil {
+ return err
+ }
 t := &tls.Config{Certificates: []tls.Certificate{pair}}
 server := &http.Server{
 Addr: fmt.Sprintf(":%d", 80),
 TLSConfig: t,
 }
- err := server.ListenAndServeTLS("", "")
- if err != nil {
- panic(err)
- }
+ return server.ListenAndServeTLS("", "")
 }
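Review bot: The doc comment on the new `admissionReviewHandler` type ("a handler to handle business logic, holding an util.Factory") says nothing about why the type exists; its only field, `f`, is used in the pods.go hunks to obtain a clientset from `admitPods`. Suggest `// admissionReviewHandler serves admission reviews; f supplies the Kubernetes clientset that admitPods needs.` and a short field comment such as `// f is the kubectl factory the handler builds its clientset from.`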
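Review bot: The rewritten `Main` still registers `/pods` and `/readyz` on `http.DefaultServeMux` and starts an `http.Server` with no `Handler` and no timeouts, so this TLS listener serves whatever else the process registers on the default mux and keeps slow or idle client connections open indefinitely. Use a private `http.NewServeMux()` as the server's `Handler`, set `ReadHeaderTimeout`/`ReadTimeout`/`WriteTimeout`/`IdleTimeout` (this needs a `time` import), and pin `MinVersion: tls.VersionTLS12` on the `tls.Config` rather than relying on the toolchain default, which is lower for servers on older Go releases. The new `return err` lines are bare, and a missing `CERT`/`KEY` variable decodes to empty bytes without error and then surfaces only as a generic `tls` PEM error from `X509KeyPair`, so wrap each error with the variable name and fail early when either is empty; `Addr: fmt.Sprintf(":%d", 80)` can simply be `":80"`.
```go
func Main(f cmdutil.Factory) error {
	h := &admissionReviewHandler{f: f}
	// private mux: nothing else registered on http.DefaultServeMux is exposed on this listener
	mux := http.NewServeMux()
	mux.HandleFunc("/pods", func(w http.ResponseWriter, r *http.Request) {
		serve(w, r, newDelegateToV1AdmitHandler(h.admitPods))
	})
	mux.HandleFunc("/readyz", func(w http.ResponseWriter, req *http.Request) {
		_, _ = w.Write([]byte("ok"))
	})
	cert, err := base64.StdEncoding.DecodeString(os.Getenv("CERT"))
	if err != nil {
		return fmt.Errorf("decoding CERT: %w", err)
	}
	key, err := base64.StdEncoding.DecodeString(os.Getenv("KEY"))
	if err != nil {
		return fmt.Errorf("decoding KEY: %w", err)
	}
	// an unset variable decodes to zero bytes without error; report that explicitly
	if len(cert) == 0 || len(key) == 0 {
		return fmt.Errorf("CERT and KEY environment variables must both be set")
	}
	pair, err := tls.X509KeyPair(cert, key)
	if err != nil {
		return fmt.Errorf("loading TLS key pair: %w", err)
	}
	server := &http.Server{
		Addr:    ":80",
		Handler: mux,
		TLSConfig: &tls.Config{
			Certificates: []tls.Certificate{pair},
			MinVersion:   tls.VersionTLS12,
		},
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	return server.ListenAndServeTLS("", "")
}
```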
diff --git a/pkg/webhook/pods.go b/pkg/webhook/pods.go
index 509a7360..8d513dbb 100644
--- a/pkg/webhook/pods.go
+++ b/pkg/webhook/pods.go
@@ -9,8 +9,6 @@ import (
 "k8s.io/api/admission/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/client-go/kubernetes"
- "k8s.io/client-go/rest"
 "k8s.io/klog/v2"
 "k8s.io/kubectl/pkg/cmd/util/podcmd"
 
@@ -19,7 +17,7 @@ import (
 )
 
 // only allow pods to pull images from specific registry.
-func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
+func (h *admissionReviewHandler) admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
 klog.V(2).Info("admitting pods")
 podResource := metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
 if ar.Request.Resource != podResource {
@@ -47,12 +45,7 @@ func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
 pair := pod.Spec.Containers[i].Env[j]
 if pair.Name == "InboundPodTunIP" {
 found = true
- conf, err := rest.InClusterConfig()
- if err != nil {
- klog.Error(err)
- return toV1AdmissionResponse(err)
- }
- clientset, err := kubernetes.NewForConfig(conf)
+ clientset, err := h.f.KubernetesClientSet()
 if err != nil {
 klog.Error(err)
 return toV1AdmissionResponse(err)
@@ -92,12 +85,7 @@ func admitPods(ar v1.AdmissionReview) *v1.AdmissionResponse {
 if envVar.Name == "InboundPodTunIP" {
 ip, cidr, err := net.ParseCIDR(envVar.Value)
 if err == nil {
- conf, err := rest.InClusterConfig()
- if err != nil {
- klog.Error(err)
- return toV1AdmissionResponse(err)
- }
- clientset, err := kubernetes.NewForConfig(conf)
+ clientset, err := h.f.KubernetesClientSet()
 if err != nil {
 klog.Error(err)
 return toV1AdmissionResponse(err)
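Review bot: The comment kept above the new method signature, `// only allow pods to pull images from specific registry.`, does not describe what `admitPods` does — the visible body checks that the request resource is pods and then looks for an `InboundPodTunIP` env var — and it does not start with the method name as Go doc comments should. Suggest replacing it with `// admitPods handles admission reviews for pods, acting on containers that carry an InboundPodTunIP env var; h.f supplies the clientset it uses.` The body of admitPods continues well past this hunk.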
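Review bot: `clientset, err := h.f.KubernetesClientSet()` now sits inside the container/env loop, so a clientset is built for every env entry named `InboundPodTunIP`, and the same pattern repeats in the later hunk at `@@ -92,12 +85,7 @@`; as far as I know the kubectl factory constructs a fresh REST config and clientset on each call, so every admission request pays that cost once per match. Build the clientset once before the loops (or once in the handler, e.g. a field populated in `Main` or lazily behind a `sync.Once`) and use it in both places, keeping the existing `klog.Error`/`toV1AdmissionResponse` handling for the single failure point. The previous `rest.InClusterConfig()` code had the same shape, so this is pre-existing, but the refactor is the natural moment to fix it. Both hunks are mid-function; admitPods starts and ends outside them.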