feat: add validation webhook

cmd/aeraki/main.go

@@ -23,16 +23,15 @@ import (
 
 	"github.com/google/uuid"
 
-	"github.com/aeraki-mesh/aeraki/plugin/metaprotocol"
-
+	"github.com/aeraki-mesh/aeraki/pkg/bootstrap"
 	"github.com/aeraki-mesh/aeraki/pkg/envoyfilter"
+	"github.com/aeraki-mesh/aeraki/pkg/model/protocol"
 	"github.com/aeraki-mesh/aeraki/plugin/kafka"
+	"github.com/aeraki-mesh/aeraki/plugin/metaprotocol"
 	"github.com/aeraki-mesh/aeraki/plugin/thrift"
 	"github.com/aeraki-mesh/aeraki/plugin/zookeeper"
-	"istio.io/pkg/log"
 
-	"github.com/aeraki-mesh/aeraki/pkg/bootstrap"
-	"github.com/aeraki-mesh/aeraki/pkg/model/protocol"
+	"istio.io/pkg/log"
 )
 
 const (
@@ -42,6 +41,7 @@ const (
 	defaultElectionID        = "aeraki-controller"
 	defaultLogLevel          = "all:info"
 	defaultConfigStoreSecret = ""
+	defaultKubernetesDomain  = "cluster.local"
 )
 
 func main() {
@@ -58,6 +58,9 @@ func main() {
 	flag.StringVar(&args.LogLevel, "log-level", defaultLogLevel, "Component log level")
 	flag.BoolVar(&args.EnableEnvoyFilterNSScope, "enable-envoy-filter-namespace-scope", false,
 		"Generate Envoy Filters in the service namespace")
+	flag.StringVar(&args.KubeDomainSuffix, "domain", defaultKubernetesDomain, "Kubernetes DNS domain suffix")
+	flag.StringVar(&args.HTTPSAddr, "httpsAddr", ":15017", "validation service HTTPS address")
+
 	flag.Parse()
 	if args.ServerID == "" {
 		args.ServerID = "Aeraki-" + uuid.New().String()

go.mod

@@ -32,16 +32,18 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/zhaohuabing/debounce v1.0.0
 	go.uber.org/atomic v1.9.0
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
 	golang.org/x/net v0.0.0-20211020060615-d418f374d309
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/text v0.3.7 // indirect
 	google.golang.org/grpc v1.42.0
 	google.golang.org/protobuf v1.27.2-0.20220217170731-3992ea83a23c
-	istio.io/api v0.0.0-20220413220906-0d07ea5cbef8
-	istio.io/client-go v1.12.7-0.20220413221605-4b21f100d914
-	istio.io/gogo-genproto v0.0.0-20220413221206-c6177de3a4de
-	istio.io/istio v0.0.0-20220502132137-56f057aaaf2a
-	istio.io/pkg v0.0.0-20220413221105-d9bc5148f7a7
+	istio.io/api v0.0.0-20220413220906-0d07ea5cbef8 //1.12.7
+	istio.io/client-go v1.12.7
+	istio.io/gogo-genproto v0.0.0-20220413221206-c6177de3a4de //1.12.7
+	istio.io/istio v0.0.0-20220502132137-56f057aaaf2a //1.12.7
+	istio.io/pkg v0.0.0-20220413221105-d9bc5148f7a7 //1.12.7
+	k8s.io/api v0.22.2
 	k8s.io/apimachinery v0.22.2
 	k8s.io/client-go v0.22.2
 	sigs.k8s.io/controller-runtime v0.10.2

go.sum

@@ -86,6 +86,7 @@ github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSY
 github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
 github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
 github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
 github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
@@ -350,6 +351,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.11 h1:07n33Z8lZxZ2qwegKbObQohDhXDQxiMMz1NOUGYlesw=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
@@ -392,6 +394,7 @@ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dvyukov/go-fuzz v0.0.0-20210914135545-4980593459a1/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
+github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
@@ -1041,6 +1044,7 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh
 github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
@@ -1113,6 +1117,7 @@ github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag
 github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@@ -1261,8 +1266,9 @@ golang.org/x/crypto v0.0.0-20201217014255-9d1352758620/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1840,6 +1846,7 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
 helm.sh/helm/v3 v3.7.1/go.mod h1:3eOeBD3Z+O/ELiuu19zynZSN8jP1ErXLuyP21SZeMq8=
@@ -1853,8 +1860,9 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 istio.io/api v0.0.0-20220413220906-0d07ea5cbef8 h1:im8lJ0fiJkXNnruyASnOivlo/zvdrGKRrK3jLykCbtc=
 istio.io/api v0.0.0-20220413220906-0d07ea5cbef8/go.mod h1:lavaUNsnT7RGyMFNOGgV5XvOgP3fkTSZkxP/0H/ISt4=
-istio.io/client-go v1.12.7-0.20220413221605-4b21f100d914 h1:gHyEahsAwXPKYpzdTvhiyis7U3kPkkJR/Y/1149RfAU=
 istio.io/client-go v1.12.7-0.20220413221605-4b21f100d914/go.mod h1:IHR0jG4nSAW2ipo+mjB/Sxtg/emLmo0EKdZEF5+5UBo=
+istio.io/client-go v1.12.7 h1:AoSS2RC2AKqzfrpyqc0UyBmG+gkSOO+41diTbvSprR4=
+istio.io/client-go v1.12.7/go.mod h1:IHR0jG4nSAW2ipo+mjB/Sxtg/emLmo0EKdZEF5+5UBo=
 istio.io/gogo-genproto v0.0.0-20210113155706-4daf5697332f/go.mod h1:6BwTZRNbWS570wHX/uR1Wqk5e0157TofTAUMzT7N4+s=
 istio.io/gogo-genproto v0.0.0-20220413221206-c6177de3a4de h1:utkmEIjjXYOcvbkEWwdMoaNlCIV6/okHc6slAU5HcEg=
 istio.io/gogo-genproto v0.0.0-20220413221206-c6177de3a4de/go.mod h1:6BwTZRNbWS570wHX/uR1Wqk5e0157TofTAUMzT7N4+s=

k8s/aeraki-bootstrap-config.yaml

@@ -60,7 +60,7 @@ data:
                                "endpoint":{
                                   "address":{
                                      "socket_address":{
-                                        "address":"aeraki-xds.istio-system",
+                                        "address":"aeraki.istio-system",
                                         "port_value":15010
                                      }
                                   }

k8s/aeraki.yaml

@@ -78,15 +78,19 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: aeraki-xds
-  name: aeraki-xds
+    app: aeraki
+  name: aeraki
   namespace: istio-system
 spec:
   ports:
     - name: grpc-xds
       port: 15010
       protocol: TCP
       targetPort: 15010
+    - name: https-validation
+      port: 443
+      protocol: TCP
+      targetPort: 15017
   selector:
     app: aeraki
 ---
@@ -111,12 +115,12 @@ rules:
       - events
     verbs:
       - '*'
-  - verbs:
-      - '*'
-    apiGroups:
+  - apiGroups:
       - coordination.k8s.io
     resources:
       - '*'
+    verbs:
+      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -151,23 +155,15 @@ rules:
     resources:
       - '*'
     verbs:
-      - get
-      - watch
-      - list
+      - '*'
   - apiGroups:
       - redis.aeraki.io
       - dubbo.aeraki.io
       - metaprotocol.aeraki.io
     resources:
       - '*'
     verbs:
-      - get
-      - watch
-      - list
-      - update
-      - patch
-      - create
-      - delete
+      - '*'
   - apiGroups:
       - networking.istio.io
     resources:
@@ -176,13 +172,13 @@ rules:
       - envoyfilters
       - serviceentries
     verbs:
-      - get
-      - watch
-      - list
-      - update
-      - patch
-      - create
-      - delete
+      - '*'
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

manifests/charts/aeraki/templates/service.yaml

@@ -37,14 +37,18 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app: aeraki-xds
-  name: aeraki-xds
+    app: aeraki
+  name: aeraki
   namespace: {{ .Release.Namespace }}
 spec:
   ports:
     - name: grpc-xds
       port: 15010
       protocol: TCP
       targetPort: 15010
+    - name: https-validation
+      port: 443
+      protocol: TCP
+      targetPort: 15017
   selector:
     app: aeraki

pkg/bootstrap/aeraki_ca.go

@@ -0,0 +1,39 @@
+// Copyright Aeraki Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bootstrap
+
+import (
+	"crypto/tls"
+
+	"github.com/aeraki-mesh/aeraki/pkg/ca"
+)
+
+func (s *Server) initRootCA() error {
+	s.certMu.Lock()
+	defer s.certMu.Unlock()
+	if s.istiodCert == nil {
+		bundle, err := ca.GenerateKeyCertBundle()
+		if err != nil {
+			return err
+		}
+		x509Cert, err := tls.X509KeyPair(bundle.CertPem.Bytes(), bundle.KeyPem.Bytes())
+		if err != nil {
+			return err
+		}
+		s.istiodCert = &x509Cert
+		s.CABundle = bundle.CABundle
+	}
+	return nil
+}

pkg/bootstrap/options.go

@@ -21,15 +21,18 @@ import (
 
 // AerakiArgs provides all of the configuration parameters for the Aeraki service.
 type AerakiArgs struct {
-	Master                   bool
-	IstiodAddr               string
-	XdsAddr                  string
+	Master     bool
+	IstiodAddr string
+	XdsAddr    string
+	// The listening address for HTTPS (webhooks).
+	HTTPSAddr                string
 	Namespace                string
 	ClusterID                string
 	ConfigStoreSecret        string
 	ElectionID               string
 	ServerID                 string
 	LogLevel                 string
+	KubeDomainSuffix         string
 	EnableEnvoyFilterNSScope bool
 	Protocols                map[protocol.Instance]envoyfilter.Generator
 }