Update Helm chart and Dockerfile

Signed-off-by: James Munnelly <james@munnelly.eu>
2019-04-29 17:55:26 +01:00 · 2019-04-29 17:55:26 +01:00 · 3935fd70e7
commit 3935fd70e7
parent 2764e68e07
9 changed files with 155 additions and 55 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,6 @@

 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
+
+# Ignore the built binary
+cert-manager-webhook-example
--- a/24
+++ b/24
@ -1,7 +1,25 @@
-FROM golang:1.12.1
+FROM golang:1.12.4-alpine AS build_deps

-COPY . /workspace
+RUN apk add --no-cache git

 WORKDIR /workspace
-RUN go build
+ENV GO111MODULE=on

+COPY go.mod .
+COPY go.sum .
+
+RUN go mod download
+
+FROM build_deps AS build
+
+COPY . .
+
+RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
+
+FROM alpine:3.9
+
+RUN apk add --no-cache ca-certificates
+
+COPY --from=build /workspace/webhook /usr/local/bin/webhook
+
+ENTRYPOINT ["webhook"]
--- a/deploy/example-webhook/templates/apiservice.yaml
+++ b/deploy/example-webhook/templates/apiservice.yaml
@ -0,0 +1,18 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1alpha1.{{ .Values.groupName }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  group: {{ .Values.groupName }}
+  groupPriorityMinimum: 1000
+  versionPriority: 15
+  insecureSkipTLSVerify: true
+  service:
+    name: {{ include "example-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+  version: v1alpha1
--- a/deploy/example-webhook/templates/deployment.yaml
+++ b/deploy/example-webhook/templates/deployment.yaml
@ -19,22 +19,28 @@ spec:
        app: {{ include "example-webhook.name" . }}
        release: {{ .Release.Name }}
    spec:
+      serviceAccountName: {{ include "example-webhook.fullname" . }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: GROUP_NAME
+              value: {{ .Values.groupName | quote }}
          ports:
-            - name: http
-              containerPort: 80
+            - name: https
+              containerPort: 443
              protocol: TCP
          livenessProbe:
            httpGet:
-              path: /
-              port: http
+              scheme: HTTPS
+              path: /healthz
+              port: https
          readinessProbe:
            httpGet:
-              path: /
-              port: http
+              scheme: HTTPS
+              path: /healthz
+              port: https
          resources:
 {{ toYaml .Values.resources | indent 12 }}
    {{- with .Values.nodeSelector }}
--- a/deploy/example-webhook/templates/ingress.yaml
+++ b/deploy/example-webhook/templates/ingress.yaml
@ -1,38 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "example-webhook.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    app: {{ include "example-webhook.name" . }}
-    chart: {{ include "example-webhook.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-{{- with .Values.ingress.annotations }}
-  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . | quote }}
-      {{- end }}
-      secretName: {{ .secretName }}
-  {{- end }}
-{{- end }}
-  rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
-      http:
-        paths:
-          - path: {{ $ingressPath }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
-{{- end }}
--- a/deploy/example-webhook/templates/rbac.yaml
+++ b/deploy/example-webhook/templates/rbac.yaml
@ -0,0 +1,90 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "example-webhook.fullname" . }}
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader
+  namespace: kube-system
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "example-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# apiserver gets the auth-delegator role to delegate auth decisions to
+# the core apiserver
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "example-webhook.fullname" . }}:auth-delegator
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ include "example-webhook.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+# Grant cert-manager permission to validate using our apiserver
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: {{ include "example-webhook.fullname" . }}:domain-solver
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+rules:
+  - apiGroups:
+      - {{ .Values.groupName }}
+    resources:
+      - '*'
+    verbs:
+      - 'create'
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "example-webhook.fullname" . }}:domain-solver
+  labels:
+    app: {{ include "example-webhook.name" . }}
+    chart: {{ include "example-webhook.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager:domain-solver
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: {{ .Values.certManager.serviceAccountName }}
+    namespace: {{ .Values.certManager.namespace }}
--- a/deploy/example-webhook/templates/service.yaml
+++ b/deploy/example-webhook/templates/service.yaml
@ -11,9 +11,9 @@ spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
-      targetPort: http
+      targetPort: https
      protocol: TCP
-      name: http
+      name: https
  selector:
    app: {{ include "example-webhook.name" . }}
    release: {{ .Release.Name }}
--- a/deploy/example-webhook/values.yaml
+++ b/deploy/example-webhook/values.yaml
@ -8,6 +8,10 @@
 # here is recommended.
 groupName: acme.mycompany.com

+certManager:
+  namespace: cert-manager
+  serviceAccountName: cert-manager
+
 image:
  repository: mycompany/webhook-image
  tag: stable
@ -18,7 +22,7 @@ fullnameOverride: ""

 service:
  type: ClusterIP
-  port: 80
+  port: 443

 ingress:
  enabled: false
--- a/main.go
+++ b/main.go
@ -8,8 +8,8 @@ import (
 	//"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"

-	"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
 	"github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
+	"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
 )

 const GroupName = "acme.mycompany.com"
@ -88,7 +88,7 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 	fmt.Printf("Decoded configuration %v", cfg)

 	// TODO: add code that sets a record in the DNS provider's console
-	panic("implement me")
+	return nil
 }

 // CleanUp should delete the relevant TXT record from the DNS provider console.
@ -99,7 +99,7 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
 // concurrently.
 func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
 	// TODO: add code that deletes a record from the DNS provider's console
-	panic("implement me")
+	return nil
 }

 // Initialize will be called when the webhook first starts.
@ -123,8 +123,7 @@ func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stop
 	//c.client = cl

 	///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE
-
-	panic("implement me")
+	return nil
 }

 // loadConfig is a small helper function that decodes JSON configuration into