in pre-sync/oci-image-verification/main.go [81:140]
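// handleWebhook serves a validating admission request. It decodes the
// AdmissionReview from the request body, compares the imageToSync annotation
// on the old and new objects, and, when the annotation changed, requires
// verifyImageSignature to succeed before admitting the update.
//
// Every path that reaches a decision writes an AdmissionReview response.
// Unreadable or malformed requests are answered with HTTP 400.
func handleWebhook(w http.ResponseWriter, r *http.Request) {
	// NOTE(review): the body is read without a size cap; consider wrapping
	// r.Body in http.MaxBytesReader with a limit suited to the objects this
	// webhook reviews.
	body, err := io.ReadAll(r.Body)
	if err != nil {
		klog.Errorf("Failed to read request body: %v", err)
		http.Error(w, "Failed to read request body", http.StatusBadRequest)
		return
	}

	var admissionReview admissionv1.AdmissionReview
	if err := json.Unmarshal(body, &admissionReview); err != nil {
		klog.Errorf("Failed to unmarshal admission review: %v", err)
		http.Error(w, "Failed to unmarshal admission review", http.StatusBadRequest)
		return
	}

	// A body that is valid JSON but has no "request" field leaves Request nil;
	// dereferencing it below would panic inside the handler.
	req := admissionReview.Request
	if req == nil {
		klog.Errorf("Admission review contains no request")
		http.Error(w, "Admission review contains no request", http.StatusBadRequest)
		return
	}

	response := &admissionv1.AdmissionResponse{
		UID: req.UID,
	}

	// deny records an explicit rejection with a message for the API client.
	deny := func(msg string) {
		response.Allowed = false
		response.Result = &metav1.Status{Message: msg}
	}

	// send writes the decision back. It must run on every decision path: an
	// empty reply is not a denial, and the API server would presumably apply
	// the webhook's failurePolicy instead, which may admit the object.
	send := func() {
		admissionReview.Response = response
		w.Header().Set("Content-Type", "application/json")
		if err := json.NewEncoder(w).Encode(admissionReview); err != nil {
			klog.Errorf("Failed to encode admission response: %v", err)
		}
	}

	oldImage, err := getAnnotationByKey(req.OldObject.Raw, imageToSync)
	if err != nil {
		klog.Errorf("Failed to extract old annotations: %v", err)
		deny(fmt.Sprintf("Failed to extract old annotations: %v", err))
		send()
		return
	}

	newImage, err := getAnnotationByKey(req.Object.Raw, imageToSync)
	if err != nil {
		klog.Errorf("Failed to extract new annotations: %v", err)
		deny(fmt.Sprintf("Failed to extract new annotations: %v", err))
		send()
		return
	}

	// An unchanged annotation is admitted without re-verifying the image.
	if newImage == oldImage {
		response.Allowed = true
		send()
		return
	}

	klog.Infof("Annotation %s changed from %s to %s", imageToSync, oldImage, newImage)
	if err := verifyImageSignature(r.Context(), newImage); err != nil {
		klog.Errorf("Image verification failed: %v", err)
		deny(fmt.Sprintf("Image verification failed: %v", err))
		send()
		return
	}

	klog.Infof("Image verification successful for %s", newImage)
	response.Allowed = true
	send()
}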