Merge pull request #9 from secrethub/feature/aws-webhook

Make the AWS webhook

.gcloudignore

@@ -12,3 +12,5 @@
 .circleci
 
 deploy/
+cmd/
+.github/

.github/workflows/release.yml

@@ -0,0 +1,39 @@
+on:
+  release:
+    types:
+      - created
+
+jobs:
+  aws-release:
+    name: Release zip for AWS Lambda
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Get release
+        id: get_release
+        uses: bruceadams/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - name: Set environment variables
+        uses: allenevans/[email protected]
+        with:
+          ZIP_ASSET_NAME: secrethub-kubernetes-mutating-webhook-${{ steps.get_release.outputs.tag_name }}-lambda.zip
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.13'
+      - name: Make zip for AWS Lambda
+        id: aws_lambda_zip
+        run: |
+          go build -o lambda-webhook ./cmd/lambda
+          zip $ZIP_ASSET_NAME lambda-webhook
+      - name: Upload release asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.get_release.outputs.upload_url }}
+          asset_path: ./${{ env.ZIP_ASSET_NAME }}
+          asset_name: ${{ env.ZIP_ASSET_NAME }}
+          asset_content_type: application/zip

cmd/lambda/main.go

@@ -0,0 +1,10 @@
+package main
+
+import (
+	"github.com/akrylysov/algnhsa"
+	webhook "github.com/secrethub/secrethub-kubernetes-mutating-webhook"
+)
+
+func main() {
+	algnhsa.ListenAndServe(webhook.Handler(), nil)
+}

deploy/aws-lambda/config.yaml

@@ -0,0 +1,18 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: secrethub-mutating-webhook
+  labels:
+    app: secrethub-mutating-webhook
+    kind: mutator
+webhooks:
+- name: secrethub-mutating-webhook.default.svc.cluster.local
+  clientConfig:
+    url: "YOUR_AWS_API_GATEWAY_URL"
+    caBundle: ""
+  rules:
+  - operations: ["CREATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  failurePolicy: Fail

deploy/gcloud-function/README.md

@@ -13,7 +13,7 @@ gcloud functions deploy secrethub-mutating-webhook --runtime go113 --entry-point
 ```
 > The function is configured to allow unauthenticated requests. The function doesn't give access to any resources or data. It only allows you to mutate provided data.
 
-3. Set the Google Cloud Function URL in the deploy.yaml:
+3. Set the Google Cloud Function URL in the `config.yaml`:
 ```sh
 URL=$(gcloud functions describe secrethub-mutating-webhook --format 'value(httpsTrigger.url)') sed -i "s|YOUR_CLOUD_FUNCTION_URL|$URL|" deploy/gcloud-function/config.yaml
 ```

go.mod

@@ -3,6 +3,7 @@ module github.com/secrethub/secrethub-kubernetes-mutating-webhook
 go 1.13
 
 require (
+	github.com/akrylysov/algnhsa v0.12.1
 	github.com/secrethub/secrethub-go v0.28.0
 	github.com/slok/kubewebhook v0.10.0
 	k8s.io/api v0.18.3

go.sum

@@ -13,11 +13,15 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/akrylysov/algnhsa v0.12.1 h1:A9Ojt4hZrL77mhBc3qGO3Sn9reyf+tvM3DmR0SfXguc=
+github.com/akrylysov/algnhsa v0.12.1/go.mod h1:xAcJ/X8DV+81e+dUjIoB/r5CbISrSXV9//leoMDHcdk=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
+github.com/aws/aws-lambda-go v1.9.0 h1:r9TWtk8ozLYdMW+aelUeWny8z2mjghJCMx6/uUwOLNo=
+github.com/aws/aws-lambda-go v1.9.0/go.mod h1:zUsUQhAUjYzR8AuduJPCfhBuKWUaDbQiPOG+ouzmE1A=
 github.com/aws/aws-sdk-go v1.25.49/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=

webhook.go

@@ -155,8 +155,8 @@ func (m *SecretHubMutator) mutateContainer(_ context.Context, c *corev1.Containe
 	return c, true, nil
 }
 
-// webhookHandler is the http.Handler that responds to webhooks
-func webhookHandler() http.Handler {
+// Handler is the http.Handler that responds to webhooks
+func Handler() http.Handler {
 	logger := &kwhlog.Std{Debug: true}
 
 	mutator := &SecretHubMutator{logger: logger}
@@ -183,4 +183,4 @@ func webhookHandler() http.Handler {
 }
 
 // F is the exported webhook for the function to bind.
-var F = webhookHandler().ServeHTTP
+var F = Handler().ServeHTTP