refactored packages

Dockerfile

@@ -1,11 +1,32 @@
+
+# build executable
 FROM golang:1.22 AS build-stage
 WORKDIR /app
 COPY . .
-RUN go build -o build/ ./...
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go build -o build/ ./...
+
+#
+##
+#
+
+# auto-updated by Dependabot
+FROM docker.io/openziti/ziti-cli:1.1.16
 
-FROM cgr.dev/chainguard/wolfi-base:latest AS build-release-stage
+### Required OpenShift Labels
+LABEL name="openziti/ziti-k8s-agent" \
+      maintainer="[email protected]" \
+      vendor="NetFoundry" \
+      summary="Run the OpenZiti k8s Agent" \
+      description="Run the OpenZiti k8s Agent"
+
+# set up image as root
 USER root
-COPY --from=build-stage /app/build/ziti-agent /usr/local/bin/
-RUN chmod 0755 /usr/local/bin/ziti-agent
-USER nobody
-ENTRYPOINT ["ziti-agent"]
+
+# install artifacts as root
+COPY --from=build-stage --chmod=0755 /app/build/ziti-agent /usr/local/bin/
+
+# drop privs
+USER ziggy
+ENTRYPOINT [ "ziti-agent" ]

deployment/ziti-webhook-spec.yaml

@@ -137,7 +137,7 @@ webhooks:
     admissionReviewVersions: ["v1"]
     namespaceSelector:
       matchLabels:
-        openziti/ziti-tunnel: namespace
+        openziti/tunnel-inject: enable
     # objectSelector:
     #   matchLabels:
     #     openziti/ziti-tunnel: pod
@@ -164,12 +164,9 @@ metadata:
   namespace: $WEBHOOK_NAMESPACE
   name: ziti-agent-wh-roles
 rules:
-- apiGroups: [""] # "" indicates the core API group
-  resources: ["secrets"]
-  verbs: ["get", "list", "create", "delete"]
 - apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get"]
+  resources: ["services","namespaces"]
+  verbs: ["get", "list"]
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1

go.mod

@@ -19,6 +19,7 @@ require (
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
@@ -44,6 +45,7 @@ require (
 	github.com/gorilla/schema v1.2.0 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect

go.sum

@@ -77,6 +77,8 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
+github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -232,6 +234,8 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=

ziti-agent/cmd/common/version.go

@@ -6,7 +6,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var Version = "0.1.2"
+var Version = "0.1.3"
 
 func NewVersionCmd() *cobra.Command {
 	return &cobra.Command{

ziti-agent/cmd/webhook/convert.go

@@ -26,42 +26,42 @@ func convertAdmissionRequestToV1(r *v1beta1.AdmissionRequest) *v1.AdmissionReque
 	}
 }
 
-func convertAdmissionRequestToV1beta1(r *v1.AdmissionRequest) *v1beta1.AdmissionRequest {
-	return &v1beta1.AdmissionRequest{
-		Kind:               r.Kind,
-		Namespace:          r.Namespace,
-		Name:               r.Name,
-		Object:             r.Object,
-		Resource:           r.Resource,
-		Operation:          v1beta1.Operation(r.Operation),
-		UID:                r.UID,
-		DryRun:             r.DryRun,
-		OldObject:          r.OldObject,
-		Options:            r.Options,
-		RequestKind:        r.RequestKind,
-		RequestResource:    r.RequestResource,
-		RequestSubResource: r.RequestSubResource,
-		SubResource:        r.SubResource,
-		UserInfo:           r.UserInfo,
-	}
-}
+// func convertAdmissionRequestToV1beta1(r *v1.AdmissionRequest) *v1beta1.AdmissionRequest {
+// 	return &v1beta1.AdmissionRequest{
+// 		Kind:               r.Kind,
+// 		Namespace:          r.Namespace,
+// 		Name:               r.Name,
+// 		Object:             r.Object,
+// 		Resource:           r.Resource,
+// 		Operation:          v1beta1.Operation(r.Operation),
+// 		UID:                r.UID,
+// 		DryRun:             r.DryRun,
+// 		OldObject:          r.OldObject,
+// 		Options:            r.Options,
+// 		RequestKind:        r.RequestKind,
+// 		RequestResource:    r.RequestResource,
+// 		RequestSubResource: r.RequestSubResource,
+// 		SubResource:        r.SubResource,
+// 		UserInfo:           r.UserInfo,
+// 	}
+// }
 
-func convertAdmissionResponseToV1(r *v1beta1.AdmissionResponse) *v1.AdmissionResponse {
-	var pt *v1.PatchType
-	if r.PatchType != nil {
-		t := v1.PatchType(*r.PatchType)
-		pt = &t
-	}
-	return &v1.AdmissionResponse{
-		UID:              r.UID,
-		Allowed:          r.Allowed,
-		AuditAnnotations: r.AuditAnnotations,
-		Patch:            r.Patch,
-		PatchType:        pt,
-		Result:           r.Result,
-		Warnings:         r.Warnings,
-	}
-}
+// func convertAdmissionResponseToV1(r *v1beta1.AdmissionResponse) *v1.AdmissionResponse {
+// 	var pt *v1.PatchType
+// 	if r.PatchType != nil {
+// 		t := v1.PatchType(*r.PatchType)
+// 		pt = &t
+// 	}
+// 	return &v1.AdmissionResponse{
+// 		UID:              r.UID,
+// 		Allowed:          r.Allowed,
+// 		AuditAnnotations: r.AuditAnnotations,
+// 		Patch:            r.Patch,
+// 		PatchType:        pt,
+// 		Result:           r.Result,
+// 		Warnings:         r.Warnings,
+// 	}
+// }
 
 func convertAdmissionResponseToV1beta1(r *v1.AdmissionResponse) *v1beta1.AdmissionResponse {
 	var pt *v1beta1.PatchType