cluster/kube: deploy admitomatic webhook

This has been (succesfully) tested on prod and then rolled back. Change-Id: I22657f66b4aeaa8a0ae452035ba18a79f4549b14
2021-02-06 18:12:52 +00:00 · 2021-02-06 18:12:52 +00:00 · 41bbf1436a
commit 41bbf1436a
parent 3c5d836c56
3 changed files with 42 additions and 0 deletions
--- a/cluster/kube/k0-admitomatic.jsonnet
+++ b/cluster/kube/k0-admitomatic.jsonnet
@ -0,0 +1,7 @@
+// Only the admitomatic instance in k0.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+    admitomatic: k0.admitomatic,
+}
--- a/cluster/kube/lib/admitomatic.libsonnet
+++ b/cluster/kube/lib/admitomatic.libsonnet
@ -90,5 +90,35 @@ local prototext = import "../../../kube/prototext.libsonnet";
        svc: ns.Contain(kube.Service("admitomatic")) {
            target_pod:: env.daemonset.spec.template,
        },
+
+        webhook: kube.ValidatingWebhookConfiguration("admitomatic") {
+            webhooks_: {
+                "admitomatic.hswaw.net": {
+                    rules: [
+                        {
+                            apiGroups: ["networking.k8s.io"],
+                            apiVersions: ["v1", "v1beta1"],
+                            operations: ["CREATE", "UPDATE"],
+                            resources: ["ingresses"],
+                            scope: "Namespaced",
+                        }
+                    ],
+                    clientConfig: {
+                        service: {
+                            namespace: env.svc.metadata.namespace,
+                            name: env.svc.metadata.name,
+                            port: 8443,
+                            path: "/webhook",
+                        },
+                        caBundle: std.base64(importstr "../../certs/ca-admitomatic.crt"),
+                    },
+                    failurePolicy: "Ignore",
+                    matchPolicy: "Equivalent",
+                    admissionReviewVersions: ["v1", "v1beta1"],
+                    sideEffects: "None",
+                    timeoutSeconds: 5,
+                },
+            },
+        },
    },
 }
--- a/kube/kube.libsonnet
+++ b/kube/kube.libsonnet
@ -17,6 +17,11 @@ kube {
        secret: { secretName: certificate.spec.secretName },
    },

+    ValidatingWebhookConfiguration(name): kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", name) {
+        webhooks_:: error "webhooks_ must be defined",
+        webhooks: kube.mapToNamedList(self.webhooks_),
+    },
+
    # Add .Contain method to Namespaces, allowing for easy marking of particular
    # kube objects as contained in that namespace.
    Namespace(name): kube.Namespace(name) {