Merge pull request #40 from Nordix/porch-cert-manager-webhook

Allow configuration of an external webhook and its associated certs in the Porch API server

nephio/optional/porch-cert-manager-webhook/0-packagerevs.yaml

@@ -0,0 +1,40 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: packagerevs.config.porch.kpt.dev
+spec:
+  group: config.porch.kpt.dev
+  names:
+    kind: PackageRev
+    listKind: PackageRevList
+    plural: packagerevs
+    singular: packagerev
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PackageRev
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PackageRevSpec defines the desired state of PackageRev
+            type: object
+          status:
+            description: PackageRevStatus defines the observed state of PackageRev
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

nephio/optional/porch-cert-manager-webhook/1-namespace.yaml

@@ -0,0 +1,22 @@
+# Copyright 2022 The kpt Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: porch-system
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: porch-fn-system

nephio/optional/porch-cert-manager-webhook/2-2-issuer-cert.yaml

@@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: porch-system-server-certificate
+  namespace: porch-system
+spec:
+  isCA: true
+  commonName: my-selfsigned-ca
+  secretName: porch-system-server-tls
+  duration: 8760h #365d
+  renewBefore: 8640h #360d
+  issuerRef:
+    name: my-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+  dnsNames:
+  - api.porch-system.svc
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+  namespace: porch-system
+spec:
+  selfSigned: {}

nephio/optional/porch-cert-manager-webhook/2-3-validating-webhook.yaml

@@ -0,0 +1,33 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: packagerev-deletion-validating-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: porch-system/porch-system-server-certificate
+webhooks:
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    service:
+      name: api
+      namespace: porch-system
+      path: /validate-deletion
+      port: 8443
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  name: packagerevdeletion.google.com
+  namespaceSelector: {}
+  objectSelector: {}
+  rules:
+  - apiGroups:
+    - porch.kpt.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - DELETE
+    resources:
+    - packagerevisions
+    scope: '*'
+  sideEffects: None
+  timeoutSeconds: 10

nephio/optional/porch-cert-manager-webhook/2-function-runner.yaml

@@ -0,0 +1,107 @@
+# Copyright 2022 The kpt Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: porch-fn-runner
+  namespace: porch-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: function-runner
+  namespace: porch-system
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: function-runner
+  template:
+    metadata:
+      labels:
+        app: function-runner
+    spec:
+      serviceAccountName: porch-fn-runner
+      containers:
+        - name: function-runner
+          image: docker.io/nephio/porch-function-runner:v2.0.0
+          imagePullPolicy: IfNotPresent
+          command:
+            - /server
+            - --config=/config.yaml
+            - --functions=/functions
+            - --pod-namespace=porch-fn-system
+          env:
+            - name: WRAPPER_SERVER_IMAGE
+              value: docker.io/nephio/porch-wrapper-server:v2.0.0
+          ports:
+            - containerPort: 9445
+          # Add grpc readiness probe to ensure the cache is ready
+          readinessProbe:
+            exec:
+              command:
+                - /grpc-health-probe
+                - -addr
+                - localhost:9445
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: 125m
+          volumeMounts:
+            - mountPath: /pod-cache-config
+              name: pod-cache-config-volume
+      volumes:
+        - name: pod-cache-config-volume
+          configMap:
+            name: pod-cache-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: function-runner
+  namespace: porch-system
+spec:
+  selector:
+    app: function-runner
+  ports:
+    - port: 9445
+      protocol: TCP
+      targetPort: 9445
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pod-cache-config
+  namespace: porch-system
+data:
+  pod-cache-config.yaml: |
+    gcr.io/kpt-fn/apply-replacements:v0.1.1: 30m
+    gcr.io/kpt-fn/apply-setters:v0.2.0: 30m
+    gcr.io/kpt-fn/create-setters:v0.1.0: 30m
+    gcr.io/kpt-fn/ensure-name-substring:v0.2.0: 30m
+    gcr.io/kpt-fn/gatekeeper:v0.2.1: 30m
+    gcr.io/kpt-fn/kubeval:v0.2.0: 30m
+    gcr.io/kpt-fn/search-replace:v0.2.0: 30m
+    gcr.io/kpt-fn/set-annotations:v0.1.4: 30m
+    gcr.io/kpt-fn/set-enforcement-action:v0.1.0: 30m
+    gcr.io/kpt-fn/set-image:v0.1.1: 30m
+    gcr.io/kpt-fn/set-labels:v0.1.5: 30m
+    gcr.io/kpt-fn/set-namespace:v0.4.1: 30m
+    gcr.io/kpt-fn/starlark:v0.4.3: 30m
+    gcr.io/kpt-fn/upsert-resource:v0.2.0: 30m
+    gcr.io/kpt-fn/enable-gcp-services:v0.1.0: 30m
+    gcr.io/kpt-fn/export-terraform:v0.1.0: 30m
+    gcr.io/kpt-fn/generate-folders:v0.1.1: 30m
+    gcr.io/kpt-fn/remove-local-config-resources:v0.1.0: 30m
+    gcr.io/kpt-fn/set-project-id:v0.2.0: 30m

nephio/optional/porch-cert-manager-webhook/3-porch-server.yaml

@@ -0,0 +1,94 @@
+# Copyright 2022 The kpt Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: porch-server
+  namespace: porch-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: porch-server
+  namespace: porch-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: porch-server
+  template:
+    metadata:
+      labels:
+        app: porch-server
+    spec:
+      serviceAccountName: porch-server
+      volumes:
+        - name: cache-volume
+          emptyDir: {}
+        - name: webhook-certs
+          secret:
+            secretName: porch-system-server-tls
+        - name: api-server-certs
+          emptyDir: {}
+      containers:
+        - name: porch-server
+          # Update image to the image of your porch apiserver build.
+          image: docker.io/nephio/porch-server:v3.0.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 250m
+            limits:
+              memory: 512Mi
+          volumeMounts:
+            - mountPath: /cache
+              name: cache-volume
+            - mountPath: /etc/webhook/certs
+              name: webhook-certs
+            - name: api-server-certs
+              mountPath: /tmp/certs
+          env:
+            # Uncomment to enable trace-reporting to jaeger
+            #- name: OTEL
+            #  value: otel://jaeger-oltp:4317
+            - name: OTEL_SERVICE_NAME
+              value: porch-server
+            - name: CERT_STORAGE_DIR
+              value: /etc/webhook/certs
+            - name: USE_CERT_MAN_FOR_WEBHOOK
+              value: "true"
+          args:
+            - --function-runner=function-runner:9445
+            - --cache-directory=/cache
+            - --cert-dir=/tmp/certs
+            - --secure-port=4443
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: api
+  namespace: porch-system
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 4443
+      name: api
+    - port: 8443
+      protocol: TCP
+      targetPort: 8443
+      name: webhooks
+  selector:
+    app: porch-server

nephio/optional/porch-cert-manager-webhook/4-apiservice.yaml

@@ -0,0 +1,26 @@
+# Copyright 2022 The kpt Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.porch.kpt.dev
+spec:
+  insecureSkipTLSVerify: true
+  group: porch.kpt.dev
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  service:
+    name: api
+    namespace: porch-system
+  version: v1alpha1