From 3935fd70e743931e6322bf088cd3e1c866f2e2cd Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Mon, 29 Apr 2019 17:55:26 +0100 Subject: [PATCH] Update Helm chart and Dockerfile Signed-off-by: James Munnelly --- .gitignore | 3 + Dockerfile | 24 ++++- .../example-webhook/templates/apiservice.yaml | 18 ++++ .../example-webhook/templates/deployment.yaml | 18 ++-- deploy/example-webhook/templates/ingress.yaml | 38 -------- deploy/example-webhook/templates/rbac.yaml | 90 +++++++++++++++++++ deploy/example-webhook/templates/service.yaml | 4 +- deploy/example-webhook/values.yaml | 6 +- main.go | 9 +- 9 files changed, 155 insertions(+), 55 deletions(-) create mode 100644 deploy/example-webhook/templates/apiservice.yaml delete mode 100644 deploy/example-webhook/templates/ingress.yaml create mode 100644 deploy/example-webhook/templates/rbac.yaml diff --git a/.gitignore b/.gitignore index f1c181e..7dcb1e9 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,6 @@ # Output of the go coverage tool, specifically when used with LiteIDE *.out + +# Ignore the built binary +cert-manager-webhook-example diff --git a/Dockerfile b/Dockerfile index 14a64d8..70ce631 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,25 @@ -FROM golang:1.12.1 +FROM golang:1.12.4-alpine AS build_deps -COPY . /workspace +RUN apk add --no-cache git WORKDIR /workspace -RUN go build +ENV GO111MODULE=on +COPY go.mod . +COPY go.sum . + +RUN go mod download + +FROM build_deps AS build + +COPY . . + +RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' . + +FROM alpine:3.9 + +RUN apk add --no-cache ca-certificates + +COPY --from=build /workspace/webhook /usr/local/bin/webhook + +ENTRYPOINT ["webhook"] diff --git a/deploy/example-webhook/templates/apiservice.yaml b/deploy/example-webhook/templates/apiservice.yaml new file mode 100644 index 0000000..ddd7c75 --- /dev/null +++ b/deploy/example-webhook/templates/apiservice.yaml @@ -0,0 +1,18 @@ +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1alpha1.{{ .Values.groupName }} + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + group: {{ .Values.groupName }} + groupPriorityMinimum: 1000 + versionPriority: 15 + insecureSkipTLSVerify: true + service: + name: {{ include "example-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} + version: v1alpha1 diff --git a/deploy/example-webhook/templates/deployment.yaml b/deploy/example-webhook/templates/deployment.yaml index 4ae5220..fc0acbd 100644 --- a/deploy/example-webhook/templates/deployment.yaml +++ b/deploy/example-webhook/templates/deployment.yaml @@ -19,22 +19,28 @@ spec: app: {{ include "example-webhook.name" . }} release: {{ .Release.Name }} spec: + serviceAccountName: {{ include "example-webhook.fullname" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: GROUP_NAME + value: {{ .Values.groupName | quote }} ports: - - name: http - containerPort: 80 + - name: https + containerPort: 443 protocol: TCP livenessProbe: httpGet: - path: / - port: http + scheme: HTTPS + path: /healthz + port: https readinessProbe: httpGet: - path: / - port: http + scheme: HTTPS + path: /healthz + port: https resources: {{ toYaml .Values.resources | indent 12 }} {{- with .Values.nodeSelector }} diff --git a/deploy/example-webhook/templates/ingress.yaml b/deploy/example-webhook/templates/ingress.yaml deleted file mode 100644 index 37d8b61..0000000 --- a/deploy/example-webhook/templates/ingress.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "example-webhook.fullname" . -}} -{{- $ingressPath := .Values.ingress.path -}} -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - app: {{ include "example-webhook.name" . }} - chart: {{ include "example-webhook.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- with .Values.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} - http: - paths: - - path: {{ $ingressPath }} - backend: - serviceName: {{ $fullName }} - servicePort: http - {{- end }} -{{- end }} diff --git a/deploy/example-webhook/templates/rbac.yaml b/deploy/example-webhook/templates/rbac.yaml new file mode 100644 index 0000000..3e51ef0 --- /dev/null +++ b/deploy/example-webhook/templates/rbac.yaml @@ -0,0 +1,90 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "example-webhook.fullname" . }} + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +--- +# Grant the webhook permission to read the ConfigMap containing the Kubernetes +# apiserver's requestheader-ca-certificate. +# This ConfigMap is automatically created by the Kubernetes apiserver. +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader + namespace: kube-system + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "example-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +# apiserver gets the auth-delegator role to delegate auth decisions to +# the core apiserver +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "example-webhook.fullname" . }}:auth-delegator + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ include "example-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +# Grant cert-manager permission to validate using our apiserver +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ include "example-webhook.fullname" . }}:domain-solver + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - {{ .Values.groupName }} + resources: + - '*' + verbs: + - 'create' +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ include "example-webhook.fullname" . }}:domain-solver + labels: + app: {{ include "example-webhook.name" . }} + chart: {{ include "example-webhook.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager:domain-solver +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ .Values.certManager.serviceAccountName }} + namespace: {{ .Values.certManager.namespace }} diff --git a/deploy/example-webhook/templates/service.yaml b/deploy/example-webhook/templates/service.yaml index 1c76555..572089e 100644 --- a/deploy/example-webhook/templates/service.yaml +++ b/deploy/example-webhook/templates/service.yaml @@ -11,9 +11,9 @@ spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: http + targetPort: https protocol: TCP - name: http + name: https selector: app: {{ include "example-webhook.name" . }} release: {{ .Release.Name }} diff --git a/deploy/example-webhook/values.yaml b/deploy/example-webhook/values.yaml index 6d974f9..da3f9eb 100644 --- a/deploy/example-webhook/values.yaml +++ b/deploy/example-webhook/values.yaml @@ -8,6 +8,10 @@ # here is recommended. groupName: acme.mycompany.com +certManager: + namespace: cert-manager + serviceAccountName: cert-manager + image: repository: mycompany/webhook-image tag: stable @@ -18,7 +22,7 @@ fullnameOverride: "" service: type: ClusterIP - port: 80 + port: 443 ingress: enabled: false diff --git a/main.go b/main.go index 2ba407f..8a4c78b 100644 --- a/main.go +++ b/main.go @@ -8,8 +8,8 @@ import ( //"k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" - "github.com/jetstack/cert-manager/pkg/acme/webhook/cmd" "github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" + "github.com/jetstack/cert-manager/pkg/acme/webhook/cmd" ) const GroupName = "acme.mycompany.com" @@ -88,7 +88,7 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error { fmt.Printf("Decoded configuration %v", cfg) // TODO: add code that sets a record in the DNS provider's console - panic("implement me") + return nil } // CleanUp should delete the relevant TXT record from the DNS provider console. @@ -99,7 +99,7 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error { // concurrently. func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error { // TODO: add code that deletes a record from the DNS provider's console - panic("implement me") + return nil } // Initialize will be called when the webhook first starts. @@ -123,8 +123,7 @@ func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stop //c.client = cl ///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE - - panic("implement me") + return nil } // loadConfig is a small helper function that decodes JSON configuration into