Add plugins to webhook server

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>

pkg/internal/apis/certmanager/validation/plugins/plugins.go

@@ -23,6 +23,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
+// Plugin is an admission plugin that will run during admission webhook events.
 type Plugin interface {
 	Init(client kubernetes.Interface)
 	Validate(admissionSpec *admissionv1.AdmissionRequest, oldObj, obj runtime.Object) *field.Error

pkg/webhook/handlers/BUILD.bazel

@@ -13,6 +13,7 @@ go_library(
     deps = [
         "//pkg/internal/api/mutation:go_default_library",
         "//pkg/internal/api/validation:go_default_library",
+        "//pkg/internal/apis/certmanager/validation/plugins:go_default_library",
         "//pkg/logs:go_default_library",
         "@com_github_go_logr_logr//:go_default_library",
         "@io_k8s_api//admission/v1:go_default_library",
@@ -25,6 +26,7 @@ go_library(
         "@io_k8s_apimachinery//pkg/runtime/serializer/json:go_default_library",
         "@io_k8s_apimachinery//pkg/runtime/serializer/versioning:go_default_library",
         "@io_k8s_apimachinery//pkg/util/validation/field:go_default_library",
+        "@io_k8s_client_go//kubernetes:go_default_library",
     ],
 )
 

pkg/webhook/handlers/interfaces.go

@@ -20,12 +20,17 @@ import (
 	admissionv1 "k8s.io/api/admission/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	"k8s.io/client-go/kubernetes"
 )
 
 type ValidatingAdmissionHook interface {
 	// Validate is called to decide whether to accept the admission request. The returned AdmissionResponse
 	// must not use the Patch field.
 	Validate(admissionSpec *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
+
+	// InitPlugins will initialise all plugins which are registered for this
+	// validating admission hook.
+	InitPlugins(client kubernetes.Interface)
 }
 
 type MutatingAdmissionHook interface {

pkg/webhook/handlers/validation.go

@@ -26,14 +26,18 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/client-go/kubernetes"
 
 	"github.com/jetstack/cert-manager/pkg/internal/api/validation"
+	"github.com/jetstack/cert-manager/pkg/internal/apis/certmanager/validation/plugins"
 )
 
 type registryBackedValidator struct {
 	log      logr.Logger
 	decoder  runtime.Decoder
 	registry *validation.Registry
+
+	plugins []plugins.Plugin
 }
 
 func NewRegistryBackedValidator(log logr.Logger, scheme *runtime.Scheme, registry *validation.Registry) *registryBackedValidator {
@@ -42,6 +46,13 @@ func NewRegistryBackedValidator(log logr.Logger, scheme *runtime.Scheme, registr
 		log:      log,
 		decoder:  factory.UniversalDecoder(),
 		registry: registry,
+		plugins:  plugins.All(scheme),
+	}
+}
+
+func (r *registryBackedValidator) InitPlugins(client kubernetes.Interface) {
+	for _, plugin := range r.plugins {
+		plugin.Init(client)
 	}
 }
 
@@ -96,12 +107,17 @@ func (r *registryBackedValidator) Validate(admissionSpec *admissionv1.AdmissionR
 	} else if admissionSpec.Operation == admissionv1.Update {
 		// perform update validation on resource
 		errs = append(errs, r.registry.ValidateUpdate(admissionSpec, oldObj, obj, gvk)...)
+	}
 
-		// If no validation errors occurred, perform SubjectAccessReview checks.
-		if len(errs) == 0 {
-			errs = append(errs, r.registry.SubjectAccessReview(admissionSpec, oldObj, obj, gvk)...)
+	// If no validation errors occurred, perform plugin checks.
+	if len(errs) == 0 {
+		for _, plugin := range r.plugins {
+			if err := plugin.Validate(admissionSpec, oldObj, obj); err != nil {
+				errs = append(errs, err)
+			}
 		}
 	}
+
 	// return with allowed = false if any errors occurred
 	if err := errs.ToAggregate(); err != nil {
 		status.Allowed = false