kilo/manifests/peer-validation.yaml
leonnicolas c8ed21cac4
manifests/peer-validation.yaml: fix image and flag
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernteses v1.22 because the admission v1beta1 API was dropped.

Also fix the name of the liste-metrics flag.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-07 10:52:40 +02:00

174 lines
3.7 KiB
YAML

apiVersion: v1
kind: Namespace
metadata:
name: kilo
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: "peers.kilo.squat.ai"
webhooks:
- name: "peers.kilo.squat.ai"
rules:
- apiGroups: ["kilo.squat.ai"]
apiVersions: ["v1alpha1"]
operations: ["CREATE","UPDATE"]
resources: ["peers"]
scope: "Cluster"
clientConfig:
service:
namespace: "kilo"
name: "peer-validation"
path: "/validate"
admissionReviewVersions: ["v1"]
sideEffects: None
timeoutSeconds: 5
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: peer-validation-server
namespace: kilo
labels:
app.kubernetes.io/name: peer-validation-server
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: peer-validation-server
template:
metadata:
labels:
app.kubernetes.io/name: peer-validation-server
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: server
image: squat/kilo
args:
- webhook
- --cert-file=/run/secrets/tls/tls.crt
- --key-file=/run/secrets/tls/tls.key
- --listen-metrics=:1107
- --listen=:8443
ports:
- containerPort: 8443
name: webhook
- containerPort: 1107
name: metrics
volumeMounts:
- name: tls
mountPath: /run/secrets/tls
readOnly: true
volumes:
- name: tls
secret:
secretName: peer-validation-webhook-tls
---
apiVersion: v1
kind: Service
metadata:
name: peer-validation
namespace: kilo
spec:
selector:
app.kubernetes.io/name: peer-validation-server
ports:
- port: 443
targetPort: webhook
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kilo-peer-validation
namespace: kilo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kilo-peer-validation
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
resourceNames:
- peers.kilo.squat.ai
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kilo-peer-validation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kilo-peer-validation
subjects:
- kind: ServiceAccount
namespace: kilo
name: kilo-peer-validation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kilo-peer-validation
namespace: kilo
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kilo-peer-validation
namespace: kilo
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kilo-peer-validation
subjects:
- kind: ServiceAccount
namespace: kilo
name: kilo-peer-validation
---
apiVersion: batch/v1
kind: Job
metadata:
name: cert-gen
namespace: kilo
spec:
template:
spec:
serviceAccountName: kilo-peer-validation
initContainers:
- name: create
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0
args:
- create
- --namespace=kilo
- --secret-name=peer-validation-webhook-tls
- --host=peer-validation,peer-validation.kilo.svc
- --key-name=tls.key
- --cert-name=tls.crt
containers:
- name: patch
image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0
args:
- patch
- --webhook-name=peers.kilo.squat.ai
- --secret-name=peer-validation-webhook-tls
- --namespace=kilo
- --patch-mutating=false
restartPolicy: OnFailure
backoffLimit: 4