diff --git a/cluster/kube/k0-admitomatic.jsonnet b/cluster/kube/k0-admitomatic.jsonnet
new file mode 100644
index 00000000..efff6612
--- /dev/null
+++ b/cluster/kube/k0-admitomatic.jsonnet
@@ -0,0 +1,7 @@
+// Only the admitomatic instance in k0.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+ admitomatic: k0.admitomatic,
+}
diff --git a/cluster/kube/lib/admitomatic.libsonnet b/cluster/kube/lib/admitomatic.libsonnet
index 36ea5efa..ab44bfb8 100644
--- a/cluster/kube/lib/admitomatic.libsonnet
+++ b/cluster/kube/lib/admitomatic.libsonnet
@@ -90,5 +90,35 @@ local prototext = import "../../../kube/prototext.libsonnet";
 svc: ns.Contain(kube.Service("admitomatic")) {
 target_pod:: env.daemonset.spec.template,
 },
+
+ webhook: kube.ValidatingWebhookConfiguration("admitomatic") {
+ webhooks_: {
+ "admitomatic.hswaw.net": {
+ rules: [
+ {
+ apiGroups: ["networking.k8s.io"],
+ apiVersions: ["v1", "v1beta1"],
+ operations: ["CREATE", "UPDATE"],
+ resources: ["ingresses"],
+ scope: "Namespaced",
+ }
+ ],
+ clientConfig: {
+ service: {
+ namespace: env.svc.metadata.namespace,
+ name: env.svc.metadata.name,
+ port: 8443,
+ path: "/webhook",
+ },
+ caBundle: std.base64(importstr "../../certs/ca-admitomatic.crt"),
+ },
+ failurePolicy: "Ignore",
+ matchPolicy: "Equivalent",
+ admissionReviewVersions: ["v1", "v1beta1"],
+ sideEffects: "None",
+ timeoutSeconds: 5,
+ },
+ },
+ },
 },
 }
diff --git a/kube/kube.libsonnet b/kube/kube.libsonnet
index 929c6f21..8d7254a5 100644
--- a/kube/kube.libsonnet
+++ b/kube/kube.libsonnet
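Review bot: In cluster/kube/lib/admitomatic.libsonnet the new webhook sets `failurePolicy: "Ignore"`, so the ingress check fails open. If the admitomatic service is unreachable, returns an error, or takes longer than `timeoutSeconds: 5`, the API server admits the Ingress CREATE/UPDATE without validation. If that is a deliberate availability trade-off, say so next to the field, e.g. `// Fail open on purpose: an admitomatic outage must not block ingress changes; unvalidated admits are possible while it is down.`; otherwise use `failurePolicy: "Fail"`. Either way, alerting on the API server's `apiserver_admission_webhook_fail_open_count` metric for this webhook would show when requests bypass the check. The enclosing `env` object starts outside this hunk.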
@@ -17,6 +17,11 @@ kube { secret: { secretName: certificate.spec.secretName }, }, + ValidatingWebhookConfiguration(name): kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", name) { + webhooks_:: error "webhooks_ must be defined", + webhooks: kube.mapToNamedList(self.webhooks_), + }, + # Add .Contain method to Namespaces, allowing for easy marking of particular # kube objects as contained in that namespace. Namespace(name): kube.Namespace(name) {
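Review bot: The new `ValidatingWebhookConfiguration(name)` helper has no comment explaining the shape of `webhooks_`, unlike the `# Add .Contain method …` comment on the definition below it. Judging by the `kube.mapToNamedList` call, the hidden field is a map whose keys become each webhook's `name`; that helper is not visible here, so confirm before documenting. Kubernetes expects that name to be fully qualified, so a line such as `# webhooks_ maps a fully qualified webhook name (e.g. "admitomatic.hswaw.net") to its spec; keys become the entries' names.` above the helper would keep callers from passing short keys. The enclosing `kube { … }` object starts and ends outside this hunk.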