Merge pull request #1 from EarnestResearch/dev

Create Kubernetes Webhook project

Author: amarrella

.envrc

@@ -0,0 +1 @@
+use nix

.gitignore

@@ -0,0 +1,8 @@
+.stack-work/
+*.pem
+*.csr
+result
+*.lock
+.pre-commit-config.yaml
+dist-newstyle/
+dist/

LICENSE

@@ -0,0 +1,22 @@
+
+The MIT License
+
+Copyright (c) 2020 Earnest Research
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,84 @@
+# kubernetes-webhook-haskell
+
+This library lets you create [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in Haskell.
+
+Using webhooks in Kubernetes requires some configuration, in the [dhall](./dhall) directory you can find some useful templates that you can reuse to deploy your webhooks. [cert-manager](https://cert-manager.io/docs/) is required to be installed in the cluster to use the templates.
+
+Example webhook using Servant:
+```hs
+module Kubernetes.Example
+    ( startApp,
+    app,
+    )
+where
+
+import Control.Monad.IO.Class
+import qualified Data.Aeson as A
+import qualified Data.ByteString as BS
+import qualified Data.HashMap.Strict as HM
+import Data.Text
+import GHC.Generics
+import qualified Kubernetes.Webhook as W
+import Network.Wai
+import Network.Wai.Handler.Warp
+import Network.Wai.Handler.WarpTLS
+import Servant
+import System.Environment
+
+type API =
+"mutate" :> ReqBody '[JSON] W.AdmissionReviewRequest :> Post '[JSON] W.AdmissionReviewResponse
+
+data Toleration
+= Toleration
+    { effect :: Maybe TolerationEffect,
+        key :: Maybe Text,
+        operator :: Maybe TolerationOperator,
+        tolerationSeconds :: Maybe Integer,
+        value :: Maybe Text
+    }
+deriving (Generic, A.ToJSON)
+
+data TolerationEffect = NoSchedule | PreferNoSchedule | NoExecute deriving (Generic, A.ToJSON)
+
+data TolerationOperator = Exists | Equal deriving (Generic, A.ToJSON)
+
+testToleration :: Toleration
+testToleration =
+Toleration
+    { effect = Just NoSchedule,
+    key = Just "dedicated",
+    operator = Just Equal,
+    tolerationSeconds = Nothing,
+    value = Just "test"
+    }
+
+startApp :: IO ()
+startApp = do
+let tlsOpts = tlsSettings "/certs/tls.crt" "/certs/tls.key"
+    warpOpts = setPort 8080 defaultSettings
+runTLS tlsOpts warpOpts app
+
+app :: Application
+app = serve api server
+
+api :: Proxy API
+api = Proxy
+
+server :: Server API
+server = mutate
+
+mutate :: W.AdmissionReviewRequest -> Handler W.AdmissionReviewResponse
+mutate req = pure $ W.mutatingWebhook req (\_ -> Right W.Allowed) addToleration
+
+addToleration :: W.Patch
+addToleration = 
+W.Patch
+    [ W.PatchOperation
+        { op = W.Add,
+        path = "/spec/tolerations/-",
+        from = Nothing,
+        value = Just $ A.toJSON testToleration
+        }
+    ]
+```
+

Setup.hs

@@ -0,0 +1,2 @@
+import Distribution.Simple
+main = defaultMain

default.nix

@@ -0,0 +1,5 @@
+{ pkgs ? import ./nixpkgs {}
+}:
+pkgs.haskell-nix.stackProject {
+  src = pkgs.haskell-nix.haskellLib.cleanGit { src = ./.; };
+}

dhall/Config.dhall

@@ -0,0 +1,12 @@
+let k8s =
+      https://raw.githubusercontent.com/EarnestResearch/dhall-packages/master/kubernetes/k8s/1.14.dhall sha256:7839bf40f940757e4d71d3c1b84d878f6a4873c3b2706ae4be307b5991acdcac
+
+in  { name : Text
+    , namespace : Text
+    , imageName : Text
+    , namespaceSelector : Optional k8s.LabelSelector.Type
+    , port : Natural
+    , path : Text
+    , failurePolicy : Optional Text
+    , rules : List k8s.RuleWithOperations.Type
+    }

dhall/mutatingWebhookTemplate.dhall

@@ -0,0 +1,177 @@
+let k8s =
+      https://raw.githubusercontent.com/EarnestResearch/dhall-packages/master/kubernetes/k8s/1.14.dhall
+
+let cert-manager =
+      https://raw.githubusercontent.com/EarnestResearch/dhall-packages/master/kubernetes/cert-manager/package.dhall
+
+let certsPath = "/certs"
+
+let Config = ./Config.dhall
+
+let labels = \(config : Config) -> toMap { app = config.name }
+
+let deployment =
+          \(config : Config)
+      ->  k8s.Deployment::{
+          , metadata = k8s.ObjectMeta::{ name = config.name }
+          , spec =
+              Some
+                k8s.DeploymentSpec::{
+                , selector = k8s.LabelSelector::{ matchLabels = labels config }
+                , template =
+                    k8s.PodTemplateSpec::{
+                    , metadata =
+                        k8s.ObjectMeta::{
+                        , name = config.name
+                        , labels = labels config
+                        }
+                    , spec =
+                        Some
+                          k8s.PodSpec::{
+                          , containers =
+                              [ k8s.Container::{
+                                , name = config.name
+                                , image = Some config.imageName
+                                , ports =
+                                    [ k8s.ContainerPort::{
+                                      , containerPort = config.port
+                                      }
+                                    ]
+                                , env =
+                                    [ k8s.EnvVar::{
+                                      , name = "CERTIFICATE_FILE"
+                                      , value = Some "${certsPath}/tls.crt"
+                                      }
+                                    , k8s.EnvVar::{
+                                      , name = "KEY_FILE"
+                                      , value = Some "${certsPath}/tls.key"
+                                      }
+                                    ]
+                                , volumeMounts =
+                                    [ k8s.VolumeMount::{
+                                      , name = "certs"
+                                      , mountPath = certsPath
+                                      , readOnly = Some True
+                                      }
+                                    ]
+                                }
+                              ]
+                          , volumes =
+                              [ k8s.Volume::{
+                                , name = "certs"
+                                , secret =
+                                    Some
+                                      k8s.SecretVolumeSource::{
+                                      , secretName = Some config.name
+                                      }
+                                }
+                              ]
+                          }
+                    }
+                }
+          }
+
+let service =
+          \(config : Config)
+      ->  k8s.Service::{
+          , metadata = k8s.ObjectMeta::{ name = config.name }
+          , spec =
+              Some
+                k8s.ServiceSpec::{
+                , selector = labels config
+                , ports =
+                    [ k8s.ServicePort::{
+                      , targetPort = Some (k8s.IntOrString.Int config.port)
+                      , port = 443
+                      }
+                    ]
+                }
+          }
+
+let issuer =
+          \(config : Config)
+      ->  cert-manager.Issuer::{
+          , metadata = k8s.ObjectMeta::{ name = config.name }
+          , spec =
+              cert-manager.IssuerSpec.SelfSigned
+                cert-manager.SelfSignedIssuerSpec::{=}
+          }
+
+let certificate =
+          \(config : Config)
+      ->  cert-manager.Certificate::{
+          , metadata = k8s.ObjectMeta::{ name = config.name }
+          , spec =
+              cert-manager.CertificateSpec::{
+              , secretName = config.name
+              , issuerRef = { name = config.name, kind = (issuer config).kind }
+              , commonName = Some "${config.name}.${config.namespace}.svc"
+              , dnsNames =
+                  Some
+                    [ config.name
+                    , "${config.name}.${config.namespace}"
+                    , "${config.name}.${config.namespace}.svc"
+                    , "${config.name}.${config.namespace}.svc.cluster.local"
+                    , "${config.name}:443"
+                    , "${config.name}.${config.namespace}:443"
+                    , "${config.name}.${config.namespace}.svc:443"
+                    , "${config.name}.${config.namespace}.svc.cluster.local:443"
+                    , "localhost:8080"
+                    ]
+              , usages = Some [ "any" ]
+              , isCA = Some False
+              }
+          }
+
+let mutatingWebhookConfiguration =
+          \(config : Config)
+      ->  k8s.MutatingWebhookConfiguration::{
+          , metadata =
+              k8s.ObjectMeta::{
+              , name = config.name
+              , labels = labels config
+              , annotations =
+                  toMap
+                    { `cert-manager.io/inject-ca-from` =
+                        "${config.namespace}/${config.name}"
+                    }
+              }
+          , webhooks =
+              [ k8s.Webhook::{
+                , name = "${config.name}.${config.namespace}.svc"
+                , clientConfig =
+                    k8s.WebhookClientConfig::{
+                    , service =
+                        Some
+                          { name = config.name
+                          , namespace = config.namespace
+                          , path = Some config.path
+                          }
+                    }
+                , failurePolicy = config.failurePolicy
+                , admissionReviewVersions = [ "v1beta1" ]
+                , rules = config.rules
+                , namespaceSelector = config.namespaceSelector
+                }
+              ]
+          }
+
+let union =
+      < Deployment : k8s.Deployment.Type
+      | Service : k8s.Service.Type
+      | MWH : k8s.MutatingWebhookConfiguration.Type
+      | Certificate : cert-manager.Certificate.Type
+      | ClusterIssuer : cert-manager.ClusterIssuer.Type
+      >
+
+in      \(config : Config)
+    ->  { apiVersion = "v1"
+        , kind = "List"
+        , items =
+            [ union.Deployment (deployment config)
+            , union.Service (service config)
+            , union.MWH (mutatingWebhookConfiguration config)
+            , union.Certificate (certificate config)
+            , union.ClusterIssuer (issuer config)
+            ]
+        }