Mark Host Target as Child Object of the Ingress

J12934 · J12934 · commit f5fab5eff6aa · 2020-05-06T16:12:44.000+02:00
diff --git a/auto-discovery/kubernetes/controllers/ingress_scan_controller.go b/auto-discovery/kubernetes/controllers/ingress_scan_controller.go
@@ -24,9 +24,8 @@ import (
 	targetsv1 "github.com/secureCodeBox/secureCodeBox-v2-alpha/operator/apis/targets/v1"
 
 	networking "k8s.io/api/networking/v1beta1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
@@ -40,6 +39,11 @@ type IngressScanReconciler struct {
 	Scheme *runtime.Scheme
 }
 
+var (
+	ownerKey = ".metadata.controller"
+	apiGVStr = targetsv1.GroupVersion.String()
+)
+
 // +kubebuilder:rbac:groups=networking,resources=ingress,verbs=get;list;watch
 // +kubebuilder:rbac:groups=networking,resources=ingress/status,verbs=get
 
@@ -74,22 +78,45 @@ func (r *IngressScanReconciler) CreateOrUpdateTlsForHosts(ingress networking.Ing
 
 	for _, tlsConfig := range ingress.Spec.TLS {
 		for _, hostname := range tlsConfig.Hosts {
+
+			var hostTargets targetsv1.HostList
+
 			// Check if there is a target already, or create one
+			r.List(
+				context.Background(),
+				&hostTargets,
+				client.InNamespace(ingress.Namespace),
+				client.MatchingField(ownerKey, ingress.Name),
+			)
+			r.Log.Info("Listed hosts", "Length", len(hostTargets.Items))
+
 			host := targetsv1.Host{}
-			err := r.Get(context.Background(), types.NamespacedName{Name: hostname, Namespace: ingress.Namespace}, &host)
-			if apierrors.IsNotFound(err) {
+
+			found := false
+			// Check if the ingress has a child Host with a matching Hostname
+			for _, hostItem := range hostTargets.Items {
+				r.Log.Info("Comparing Hostnames", "LoopyHostname", hostItem.Spec.Hostname, "IngressHostname", hostname)
+				if hostItem.Spec.Hostname == hostname {
+					r.Log.Info("Found Host")
+					found = true
+					host = hostItem
+				}
+			}
+			if found == false {
 				host.GenerateName = fmt.Sprintf("%s-", ingress.Name)
 				host.Namespace = ingress.Namespace
 				host.Spec.Hostname = hostname
 				host.Spec.Ports = make([]targetsv1.HostPort, 0)
-				err = r.Create(context.Background(), &host)
+
+				if err := ctrl.SetControllerReference(&ingress, &host, r.Scheme); err != nil {
+					return err
+				}
+
+				err := r.Create(context.Background(), &host)
 				if err != nil {
 					r.Log.Error(err, "unable to create host")
 					return err
 				}
-			} else if err != nil {
-				r.Log.Error(err, "unable to get host")
-				return err
 			}
 
 			containsHTTPSPort := false
@@ -124,18 +151,47 @@ func (r *IngressScanReconciler) CreateOrUpdateTlsForHosts(ingress networking.Ing
 
 // SetupWithManager sets up the controller and initializes every thing it needs
 func (r *IngressScanReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	if err := mgr.GetFieldIndexer().IndexField(&targetsv1.Host{}, ownerKey, func(rawObj runtime.Object) []string {
+		// grab the job object, extract the owner...
+		host := rawObj.(*targetsv1.Host)
+		owner := metav1.GetControllerOf(host)
+		if owner == nil {
+			return nil
+		}
+		// ...make sure it's a Host...
+		if owner.APIVersion != "networking.k8s.io/v1beta1" || owner.Kind != "Ingress" {
+			return nil
+		}
+
+		// ...and if so, return it
+		return []string{owner.Name}
+	}); err != nil {
+		return err
+	}
 
 	isInDemoNamespaceFilter := predicate.Funcs{
 		CreateFunc: func(event event.CreateEvent) bool {
+			if val, ok := event.Meta.GetAnnotations()["auto-discovery.experimental.securecodebox.io/ignore"]; ok && val == "true" {
+				return false
+			}
 			return event.Meta.GetNamespace() == "juice-shop" || event.Meta.GetNamespace() == "bodgeit"
 		},
 		DeleteFunc: func(event event.DeleteEvent) bool {
+			if val, ok := event.Meta.GetAnnotations()["auto-discovery.experimental.securecodebox.io/ignore"]; ok && val == "true" {
+				return false
+			}
 			return event.Meta.GetNamespace() == "juice-shop" || event.Meta.GetNamespace() == "bodgeit"
 		},
 		UpdateFunc: func(event event.UpdateEvent) bool {
+			if val, ok := event.MetaNew.GetAnnotations()["auto-discovery.experimental.securecodebox.io/ignore"]; ok && val == "true" {
+				return false
+			}
 			return event.MetaNew.GetNamespace() == "juice-shop" || event.MetaNew.GetNamespace() == "bodgeit"
 		},
 		GenericFunc: func(event event.GenericEvent) bool {
+			if val, ok := event.Meta.GetAnnotations()["auto-discovery.experimental.securecodebox.io/ignore"]; ok && val == "true" {
+				return false
+			}
 			return event.Meta.GetNamespace() == "juice-shop" || event.Meta.GetNamespace() == "bodgeit"
 		},
 	}
