cmd/kg/*: sub command peer validation webhook
This commit adds a sub command `webhook` to Kilo. It will start a https web server that answeres request from a Kubernetes API server to validate updates and creations of Kilo peers. It also updates the "Peer Validation" docs to enable users to install the web hook server and generate the self signed certificates in the cluster by only applying a manifest. Signed-off-by: leonnicolas <leonloechner@gmx.de> Apply suggestions from code review Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit is contained in:
@@ -0,0 +1,173 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: kilo
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1
|
||||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: "peers.kilo.squat.ai"
|
||||
webhooks:
|
||||
- name: "peers.kilo.squat.ai"
|
||||
rules:
|
||||
- apiGroups: ["kilo.squat.ai"]
|
||||
apiVersions: ["v1alpha1"]
|
||||
operations: ["CREATE","UPDATE"]
|
||||
resources: ["peers"]
|
||||
scope: "Cluster"
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: "kilo"
|
||||
name: "peer-validation"
|
||||
path: "/validate"
|
||||
admissionReviewVersions: ["v1"]
|
||||
sideEffects: None
|
||||
timeoutSeconds: 5
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: peer-validation-server
|
||||
namespace: kilo
|
||||
labels:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
containers:
|
||||
- name: server
|
||||
image: squat/kilo
|
||||
args:
|
||||
- webhook
|
||||
- --cert-file=/run/secrets/tls/tls.crt
|
||||
- --key-file=/run/secrets/tls/tls.key
|
||||
- --metrics-address=:1107
|
||||
- --listen=:8443
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
name: webhook
|
||||
- containerPort: 1107
|
||||
name: metrics
|
||||
volumeMounts:
|
||||
- name: tls
|
||||
mountPath: /run/secrets/tls
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: tls
|
||||
secret:
|
||||
secretName: peer-validation-webhook-tls
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: peer-validation
|
||||
namespace: kilo
|
||||
spec:
|
||||
selector:
|
||||
app.kubernetes.io/name: peer-validation-server
|
||||
ports:
|
||||
- port: 443
|
||||
targetPort: webhook
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
namespace: kilo
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
rules:
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- validatingwebhookconfigurations
|
||||
resourceNames:
|
||||
- peers.kilo.squat.ai
|
||||
verbs:
|
||||
- get
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kilo-peer-validation
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kilo
|
||||
name: kilo-peer-validation
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
namespace: kilo
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: kilo-peer-validation
|
||||
namespace: kilo
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: kilo-peer-validation
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
namespace: kilo
|
||||
name: kilo-peer-validation
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: cert-gen
|
||||
namespace: kilo
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: kilo-peer-validation
|
||||
initContainers:
|
||||
- name: create
|
||||
image: jettech/kube-webhook-certgen:v1.5.2
|
||||
args:
|
||||
- create
|
||||
- --namespace=kilo
|
||||
- --secret-name=peer-validation-webhook-tls
|
||||
- --host=peer-validation,peer-validation.kilo.svc
|
||||
- --key-name=tls.key
|
||||
- --cert-name=tls.crt
|
||||
containers:
|
||||
- name: patch
|
||||
image: jettech/kube-webhook-certgen:v1.5.2
|
||||
args:
|
||||
- patch
|
||||
- --webhook-name=peers.kilo.squat.ai
|
||||
- --secret-name=peer-validation-webhook-tls
|
||||
- --namespace=kilo
|
||||
- --patch-mutating=false
|
||||
restartPolicy: OnFailure
|
||||
backoffLimit: 4
|
||||
Reference in New Issue
Block a user