From 41bbf1436a253503f824ac7f639b9fac2e672acb Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Sat, 6 Feb 2021 18:12:52 +0000
Subject: [PATCH] cluster/kube: deploy admitomatic webhook

This has been (succesfully) tested on prod and then rolled back.

Change-Id: I22657f66b4aeaa8a0ae452035ba18a79f4549b14
---
 cluster/kube/k0-admitomatic.jsonnet | 7 ++++++
 cluster/kube/lib/admitomatic.libsonnet | 30 ++++++++++++++++++++++++++
 kube/kube.libsonnet | 5 +++++
 3 files changed, 42 insertions(+)
 create mode 100644 cluster/kube/k0-admitomatic.jsonnet

diff --git a/cluster/kube/k0-admitomatic.jsonnet b/cluster/kube/k0-admitomatic.jsonnet
new file mode 100644
index 00000000..efff6612
--- /dev/null
+++ b/cluster/kube/k0-admitomatic.jsonnet
@@ -0,0 +1,7 @@
+// Only the admitomatic instance in k0.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+ admitomatic: k0.admitomatic,
+}
diff --git a/cluster/kube/lib/admitomatic.libsonnet b/cluster/kube/lib/admitomatic.libsonnet
index 36ea5efa..ab44bfb8 100644
--- a/cluster/kube/lib/admitomatic.libsonnet
+++ b/cluster/kube/lib/admitomatic.libsonnet
@@ -90,5 +90,35 @@ local prototext = import "../../../kube/prototext.libsonnet";
 svc: ns.Contain(kube.Service("admitomatic")) {
 target_pod:: env.daemonset.spec.template,
 },
+
+ webhook: kube.ValidatingWebhookConfiguration("admitomatic") {
+ webhooks_: {
+ "admitomatic.hswaw.net": {
+ rules: [
+ {
+ apiGroups: ["networking.k8s.io"],
+ apiVersions: ["v1", "v1beta1"],
+ operations: ["CREATE", "UPDATE"],
+ resources: ["ingresses"],
+ scope: "Namespaced",
+ }
+ ],
+ clientConfig: {
+ service: {
+ namespace: env.svc.metadata.namespace,
+ name: env.svc.metadata.name,
+ port: 8443,
+ path: "/webhook",
+ },
+ caBundle: std.base64(importstr "../../certs/ca-admitomatic.crt"),
+ },
+ failurePolicy: "Ignore",
+ matchPolicy: "Equivalent",
+ admissionReviewVersions: ["v1", "v1beta1"],
+ sideEffects: "None",
+ timeoutSeconds: 5,
+ },
+ },
+ },
 },
 }
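Review bot: `failurePolicy: "Ignore"` together with `timeoutSeconds: 5` makes this webhook fail open: when the admitomatic service is unreachable, returns an error, or takes longer than 5 s, the API server admits the ingress CREATE/UPDATE without the admitomatic check. That may be deliberate for a first rollout (the commit message says it was tested on prod and rolled back), but the choice is invisible to the next reader; a comment such as `failurePolicy: "Ignore",  // fail-open: ingress admission proceeds when admitomatic is down or slow; revisit "Fail" once the service is stable` would record it, and an unavailable webhook is something the cluster should alert on rather than silently tolerate. The webhook also carries no `namespaceSelector`/`objectSelector`, so it is consulted for ingresses in every namespace; if that is the intended scope, a one-line comment saying so would help. The enclosing object that `svc` and `webhook` belong to starts before the hunk.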
diff --git a/kube/kube.libsonnet b/kube/kube.libsonnet
index 929c6f21..8d7254a5 100644
--- a/kube/kube.libsonnet
+++ b/kube/kube.libsonnet
@@ -17,6 +17,11 @@ kube {
 secret: { secretName: certificate.spec.secretName },
 },
 
+ ValidatingWebhookConfiguration(name): kube._Object("admissionregistration.k8s.io/v1", "ValidatingWebhookConfiguration", name) {
+ webhooks_:: error "webhooks_ must be defined",
+ webhooks: kube.mapToNamedList(self.webhooks_),
+ },
+
 # Add .Contain method to Namespaces, allowing for easy marking of particular
 # kube objects as contained in that namespace.
 Namespace(name): kube.Namespace(name) {
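Review bot: The new `ValidatingWebhookConfiguration(name)` helper has no comment explaining its `webhooks_` map convention, while the neighbouring `Namespace` helper is documented; a reader must infer from `kube.mapToNamedList(self.webhooks_)` that the map is keyed by webhook name and rendered into the API's `webhooks` list. Suggested comment above the definition: `# ValidatingWebhookConfiguration whose webhooks are given as a map in webhooks_, keyed by webhook name, and rendered into the API object's webhooks list.` It would also help to note that the helper sets no per-webhook defaults, so each entry must still supply its own `clientConfig`, `rules` and `failurePolicy`, as the admitomatic.libsonnet hunk in this commit does. The enclosing `kube {` object begins before the hunk.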