Create certificate for webhook with "kube-webhook-certgen"

Fixes kanisterio#1345
muffl0n · Apr 7, 2022 · d9ce06c · d9ce06c
1 parent d7bd787
commit d9ce06c
Show file tree

Hide file tree

Showing 11 changed files with 203 additions and 39 deletions.
diff --git a/helm/kanister-operator/templates/deployment.yaml b/helm/kanister-operator/templates/deployment.yaml
@@ -19,7 +19,7 @@ spec:
       volumes:
         - name: webhook-certs
           secret:
-            secretName: kanister-webhook-certs
+            secretName: {{ include "kanister-operator.fullname" . }}-admission
 {{- end }}
       containers:
       - name: {{ template "kanister-operator.fullname" . }}

diff --git a/helm/kanister-operator/templates/validating-webhook.yaml b/helm/kanister-operator/templates/validating-webhook.yaml
diff --git a/helm/kanister-operator/templates/webhook/clusterrole.yaml b/helm/kanister-operator/templates/webhook/clusterrole.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+{{- end }}
diff --git a/helm/kanister-operator/templates/webhook/clusterrolebinding.yaml b/helm/kanister-operator/templates/webhook/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kanister-operator.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kanister-operator.fullname" . }}-admission
+    namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/helm/kanister-operator/templates/webhook/job-createSecret.yaml b/helm/kanister-operator/templates/webhook/job-createSecret.yaml
@@ -0,0 +1,47 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission-create
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+{{- end }}
+  template:
+    metadata:
+      name: {{ include "kanister-operator.fullname" . }}-admission-create
+    spec:
+      containers:
+        - name: create
+          {{- with .Values.bpValidatingWebhook.image }}
+          image: "{{ .repository }}/{{ .image }}:{{ .tag }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.bpValidatingWebhook.image.pullPolicy }}
+          args:
+            - create
+            - --host={{ include "kanister-operator.fullname" . }},{{ include "kanister-operator.fullname" . }}.$(POD_NAMESPACE).svc
+            - --namespace=$(POD_NAMESPACE)
+            - --secret-name={{ include "kanister-operator.fullname" . }}-admission
+            - --key-name=tls.key
+            - --cert-name=tls.crt
+          env:
+            - name: foo
+              value: bar
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "kanister-operator.fullname" . }}-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: {{ .Values.bpValidatingWebhook.runAsUser }}
+        fsGroup: {{ .Values.bpValidatingWebhook.fsGroup }}
+  {{- end }}
diff --git a/helm/kanister-operator/templates/webhook/job-patchWebhook.yaml b/helm/kanister-operator/templates/webhook/job-patchWebhook.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+{{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+{{- end }}
+  template:
+    metadata:
+      name: {{ include "kanister-operator.fullname" . }}-admission-patch
+    spec:
+      containers:
+        - name: patch
+          {{- with .Values.bpValidatingWebhook.image }}
+          image: "{{ .repository }}/{{ .image }}:{{ .tag }}"
+          {{- end }}
+          imagePullPolicy: {{ .Values.bpValidatingWebhook.image.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name=blueprints.cr.kanister.io
+            - --namespace=$(POD_NAMESPACE)
+            - --patch-mutating=false
+            - --secret-name={{ include "kanister-operator.fullname" . }}-admission
+            - --patch-failure-policy={{ .Values.bpValidatingWebhook.failurePolicy }}
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          securityContext:
+            allowPrivilegeEscalation: false
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "kanister-operator.fullname" . }}-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: {{ .Values.bpValidatingWebhook.runAsUser }}
+        fsGroup: {{ .Values.bpValidatingWebhook.fsGroup }}
+  {{- end }}
diff --git a/helm/kanister-operator/templates/webhook/role.yaml b/helm/kanister-operator/templates/webhook/role.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+{{- end }}
diff --git a/helm/kanister-operator/templates/webhook/rolebinding.yaml b/helm/kanister-operator/templates/webhook/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kanister-operator.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kanister-operator.fullname" . }}-admission
+{{- end }}
diff --git a/helm/kanister-operator/templates/webhook/serviceaccount.yaml b/helm/kanister-operator/templates/webhook/serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kanister-operator.fullname" . }}-admission
+  namespace: {{ .Release.Namespace | quote }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- end }}
diff --git a/helm/kanister-operator/templates/webhook/validating-webhook.yaml b/helm/kanister-operator/templates/webhook/validating-webhook.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.bpValidatingWebhook.enabled -}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "blueprints.cr.kanister.io"
+webhooks:
+- name: "blueprints.cr.kanister.io"
+  rules:
+  - apiGroups:   ["cr.kanister.io"]
+    apiVersions: ["v1alpha1"]
+    operations:  ["CREATE", "UPDATE"]
+    resources:   ["blueprints"]
+    scope:       "Namespaced"
+  clientConfig:
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: {{ template "kanister-operator.fullname" . }}
+      path: "/validate/v1alpha1/blueprint"
+      port: {{ .Values.controller.service.port }}
+  admissionReviewVersions: ["v1", "v1beta1"]
+  sideEffects: None
+  timeoutSeconds: 5
+{{- end -}}
diff --git a/helm/kanister-operator/values.yaml b/helm/kanister-operator/values.yaml
@@ -20,6 +20,14 @@ controller:
   updateCRDs: true
 bpValidatingWebhook:
   enabled: true
+  failurePolicy: Fail
+  image:
+    repository: k8s.gcr.io/ingress-nginx
+    image: kube-webhook-certgen
+    tag: v1.1.1
+    pullPolicy: IfNotPresent
+    runAsUser: 2000
+    fsGroup: 2000
 resources:
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little