Watch-first ingestion with (optional!) audit-based attribution

cmd/main.go

@@ -47,6 +47,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
+	ctrlwebhook "sigs.k8s.io/controller-runtime/pkg/webhook"
+	ctrladmission "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	configbutleraiv1alpha2 "github.com/ConfigButler/gitops-reverser/api/v1alpha2"
 	"github.com/ConfigButler/gitops-reverser/internal/controller"
@@ -68,6 +70,7 @@ var (
 
 const (
 	flagParseFailureExitCode       = 2
+	defaultAdmissionWebhookPort    = 9443
 	defaultAuditPort               = 9444
 	defaultAuditMaxBodyBytes       = int64(10 * 1024 * 1024)
 	defaultAuditReadTimeout        = 15 * time.Second
@@ -119,7 +122,9 @@ func main() {
 		"metricsAddr", cfg.metricsAddr,
 		"metricsInsecure", cfg.metricsInsecure,
 		"auditAddress", buildAuditServerAddress(cfg.auditListenAddress, cfg.auditPort),
-		"auditInsecure", cfg.auditInsecure)
+		"auditInsecure", cfg.auditInsecure,
+		"admissionWebhookEnabled", cfg.admissionWebhookEnabled,
+		"admissionWebhookPort", cfg.admissionWebhookPort)
 	setupLog.Info("Sensitive resource policy", "resources", cfg.sensitiveResources.Entries())
 
 	// Initialize metrics
@@ -138,7 +143,7 @@ func main() {
 	)
 
 	// Manager
-	mgr := newManager(metricsServerOptions, cfg.probeAddr)
+	mgr := newManager(metricsServerOptions, cfg.probeAddr, cfg, tlsOpts)
 
 	// Expose build metadata on the metrics server so an operator can confirm a
 	// running pod is the build they expect (also logged at startup above).
@@ -414,6 +419,9 @@ func main() {
 		setupLog.Error(err, "unable to create controller", "controller", "CommitRequest")
 		os.Exit(1)
 	}
+	if cfg.admissionWebhookEnabled {
+		setupAdmissionWebhooks(mgr)
+	}
 	// +kubebuilder:scaffold:builder
 
 	// Cert watchers
@@ -445,6 +453,11 @@ type appConfig struct {
 	metricsCertKey           string
 	probeAddr                string
 	metricsInsecure          bool
+	admissionWebhookEnabled  bool
+	admissionWebhookPort     int
+	admissionWebhookCertPath string
+	admissionWebhookCertName string
+	admissionWebhookCertKey  string
 	enableHTTP2              bool
 	auditListenAddress       string
 	auditPort                int
@@ -496,6 +509,18 @@ func parseFlagsWithArgs(fs *flag.FlagSet, args []string) (appConfig, error) {
 	fs.StringVar(&cfg.probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	fs.BoolVar(&cfg.metricsInsecure, "metrics-insecure", false,
 		"If set, the metrics endpoint is served via HTTP instead of HTTPS.")
+	fs.BoolVar(&cfg.admissionWebhookEnabled, "admission-webhook-enabled", false,
+		"If set, serve the validating admission webhook endpoint.")
+	fs.IntVar(&cfg.admissionWebhookPort, "admission-webhook-port", defaultAdmissionWebhookPort,
+		"Port for the validating admission webhook HTTPS server.")
+	bindServerCertFlags(
+		fs,
+		"admission-webhook",
+		"validating admission webhook TLS",
+		&cfg.admissionWebhookCertPath,
+		&cfg.admissionWebhookCertName,
+		&cfg.admissionWebhookCertKey,
+	)
 	bindServerCertFlags(
 		fs,
 		"metrics",
@@ -594,6 +619,9 @@ func parseFlagsWithArgs(fs *flag.FlagSet, args []string) (appConfig, error) {
 	if err := validateAuditConfig(cfg); err != nil {
 		return appConfig{}, err
 	}
+	if err := validateAdmissionWebhookConfig(cfg); err != nil {
+		return appConfig{}, err
+	}
 
 	bufferQuantity, err := resource.ParseQuantity(branchBufferMaxBytesFlag)
 	if err != nil {
@@ -673,6 +701,19 @@ func validateAuditConfig(cfg appConfig) error {
 	return nil
 }
 
+func validateAdmissionWebhookConfig(cfg appConfig) error {
+	if !cfg.admissionWebhookEnabled {
+		return nil
+	}
+	if cfg.admissionWebhookPort <= 0 {
+		return fmt.Errorf("admission-webhook-port must be > 0, got %d", cfg.admissionWebhookPort)
+	}
+	if strings.TrimSpace(cfg.admissionWebhookCertPath) == "" {
+		return errors.New("admission-webhook-cert-path is required when admission webhook is enabled")
+	}
+	return nil
+}
+
 // splitCSV splits a comma-separated flag value into trimmed, non-empty entries (nil when blank).
 func splitCSV(s string) []string {
 	if strings.TrimSpace(s) == "" {
@@ -950,11 +991,24 @@ func loadCertPoolFromPEMFile(path string) (*x509.CertPool, error) {
 func newManager(
 	metricsOptions metricsserver.Options,
 	probeAddr string,
+	cfg appConfig,
+	baseTLS []func(*tls.Config),
 ) ctrl.Manager {
+	var webhookServer ctrlwebhook.Server
+	if cfg.admissionWebhookEnabled {
+		webhookServer = ctrlwebhook.NewServer(ctrlwebhook.Options{
+			Port:     cfg.admissionWebhookPort,
+			CertDir:  cfg.admissionWebhookCertPath,
+			CertName: cfg.admissionWebhookCertName,
+			KeyName:  cfg.admissionWebhookCertKey,
+			TLSOpts:  baseTLS,
+		})
+	}
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
 		Metrics:                metricsOptions,
 		HealthProbeBindAddress: probeAddr,
+		WebhookServer:          webhookServer,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
@@ -963,6 +1017,13 @@ func newManager(
 	return mgr
 }
 
+func setupAdmissionWebhooks(mgr ctrl.Manager) {
+	mgr.GetWebhookServer().Register(
+		webhookhandler.ValidateAdmissionWebhookPath,
+		&ctrladmission.Webhook{Handler: webhookhandler.AdmissionAllowHandler{}},
+	)
+}
+
 // addCertWatchersToManager attaches optional certificate watchers to the manager.
 func addCertWatchersToManager(
 	mgr ctrl.Manager,

cmd/main_audit_server_test.go

@@ -44,6 +44,8 @@ func TestParseFlagsWithArgs_Defaults(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.False(t, cfg.metricsInsecure)
+	assert.False(t, cfg.admissionWebhookEnabled)
+	assert.Equal(t, 9443, cfg.admissionWebhookPort)
 	assert.False(t, cfg.auditInsecure)
 	assert.Equal(t, "0.0.0.0", cfg.auditListenAddress)
 	assert.Equal(t, 9444, cfg.auditPort)
@@ -64,6 +66,26 @@ func TestParseFlagsWithArgs_Defaults(t *testing.T) {
 	assert.Equal(t, []string{"secrets"}, cfg.sensitiveResources.Entries())
 }
 
+func TestParseFlagsWithArgs_AdmissionWebhookValues(t *testing.T) {
+	fs := flag.NewFlagSet("test-admission-webhook", flag.ContinueOnError)
+	args := []string{
+		"--admission-webhook-enabled",
+		"--admission-webhook-port=9445",
+		"--admission-webhook-cert-path=/tmp/admission-certs",
+		"--admission-webhook-cert-name=cert.pem",
+		"--admission-webhook-cert-key=key.pem",
+	}
+
+	cfg, err := parseFlagsWithArgs(fs, args)
+	require.NoError(t, err)
+
+	assert.True(t, cfg.admissionWebhookEnabled)
+	assert.Equal(t, 9445, cfg.admissionWebhookPort)
+	assert.Equal(t, "/tmp/admission-certs", cfg.admissionWebhookCertPath)
+	assert.Equal(t, "cert.pem", cfg.admissionWebhookCertName)
+	assert.Equal(t, "key.pem", cfg.admissionWebhookCertKey)
+}
+
 func TestParseFlagsWithArgs_AuditUnsecure(t *testing.T) {
 	fs := flag.NewFlagSet("test-audit-insecure", flag.ContinueOnError)
 	args := []string{
@@ -191,6 +213,14 @@ func TestParseFlagsWithArgs_InvalidAuditSettings(t *testing.T) {
 			name: "invalid sensitive resource",
 			args: []string{"--additional-sensitive-resources=example.io/v1/credentials"},
 		},
+		{
+			name: "invalid admission webhook port",
+			args: []string{"--admission-webhook-enabled", "--admission-webhook-port=0"},
+		},
+		{
+			name: "missing admission webhook cert path",
+			args: []string{"--admission-webhook-enabled", "--admission-webhook-cert-path="},
+		},
 	}
 
 	for _, tt := range tests {