Merge pull request #588 from diconico07/autogen-webhook-certs

helm: Generate a self-signed cert for webhook if none given

agent/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "agent"
-version = "0.10.7"
+version = "0.10.8"
 authors = ["Kate Goldenring <[email protected]>", "<[email protected]>"]
 edition = "2018"
 rust-version = "1.68.1"

controller/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "controller"
-version = "0.10.7"
+version = "0.10.8"
 authors = ["<[email protected]>", "<[email protected]>"]
 edition = "2018"
 rust-version = "1.68.1"

deployment/helm/Chart.yaml

@@ -15,9 +15,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.10.7
+version: 0.10.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.10.7
+appVersion: 0.10.8

deployment/helm/templates/webhook-cert-autogen.yaml

@@ -0,0 +1,181 @@
+{{- if and .Values.webhookConfiguration.enabled (not .Values.webhookConfiguration.caBundle) -}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.webhookConfiguration.name }}-patch
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.webhookConfiguration.name }}-patch
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.webhookConfiguration.name }}-patch
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.webhookConfiguration.name }}-patch
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+---
+{{- end }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-create
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  ttlSecondsAfterFinished: 0
+  template:
+    metadata:
+      name: {{ .Values.webhookConfiguration.name }}-create
+      labels:
+        {{- include "akri.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: create
+          image: "{{ .Values.webhookConfiguration.certImage.reference }}:{{ .Values.webhookConfiguration.certImage.tag }}"
+          imagePullPolicy: {{ .Values.webhookConfiguration.certImage.pullPolicy }}
+          args:
+            - create
+            - --host={{ .Values.webhookConfiguration.name }},{{ .Values.webhookConfiguration.name }}.{{ .Release.Namespace }}.svc
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ .Values.webhookConfiguration.name }}
+            - --cert-name=tls.crt
+            - --key-name=tls.key
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ .Values.webhookConfiguration.name }}-patch
+      {{- end }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  ttlSecondsAfterFinished: 0
+  template:
+    metadata:
+      name: {{ .Values.webhookConfiguration.name }}-patch
+      labels:
+        {{- include "akri.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: patch
+          image: "{{ .Values.webhookConfiguration.certImage.reference }}:{{ .Values.webhookConfiguration.certImage.tag }}"
+          imagePullPolicy: {{ .Values.webhookConfiguration.certImage.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ .Values.webhookConfiguration.name }}
+            - --namespace={{ .Release.Namespace }}
+            - --patch-mutating=false
+            - --secret-name={{ .Values.webhookConfiguration.name }}
+            - --patch-failure-policy=Fail
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ .Values.webhookConfiguration.name }}-patch
+      {{- end }}
+{{- end -}}

deployment/helm/templates/webhook-configuration.yaml

@@ -126,7 +126,9 @@ items:
             namespace: {{ .Release.Namespace }}
             port: 443
             path: "/validate"
-          caBundle: {{ required "please rerun helm install" .Values.webhookConfiguration.caBundle }}
+          {{- if .Values.webhookConfiguration.caBundle }}
+          caBundle: {{ .Values.webhookConfiguration.caBundle }}
+          {{- end }}
         rules:
           - operations:
               - "CREATE"

deployment/helm/values.yaml

@@ -833,10 +833,11 @@ udev:
 # Admission Controllers (Webhooks)
 webhookConfiguration:
   # enabled defines whether to apply the Akri Admission Controller (Webhook) for Akri Configurations
-  enabled: false
+  enabled: true
   # name of the webhook
   name: akri-webhook-configuration
-  # base64-encoded CA certificate (PEM) used by Kubernetes to validate the Webhook's certificate
+  # base64-encoded CA certificate (PEM) used by Kubernetes to validate the Webhook's certificate, if
+  # unset, will generate a self-signed certificate valid for 100y
   caBundle: null
   image:
     # repository is the Akri Webhook for Configurations image reference
@@ -847,6 +848,13 @@ webhookConfiguration:
     tag:
     # pullPolicy is the Akri Webhook pull policy
     pullPolicy: Always
+  certImage:
+    # reference is the webhook-certgen image reference
+    reference: registry.k8s.io/ingress-nginx/kube-webhook-certgen
+    # tag is the webhook-certgen image tag
+    tag: v1.1.1
+    # pullPolicy is the webhook-certgen pull policy
+    pullPolicy: IfNotPresent
   # onlyOnControlPlane dictates whether the Akri Webhook will only run on nodes with 
   # the label with (key, value) of ("node-role.kubernetes.io/master", "")
   onlyOnControlPlane: false

discovery-handler-modules/debug-echo-discovery-handler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "debug-echo-discovery-handler"
-version = "0.10.7"
+version = "0.10.8"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.68.1"

discovery-handler-modules/onvif-discovery-handler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "onvif-discovery-handler"
-version = "0.10.7"
+version = "0.10.8"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.68.1"

discovery-handler-modules/opcua-discovery-handler/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "opcua-discovery-handler"
-version = "0.10.7"
+version = "0.10.8"
 authors = ["Kate Goldenring <[email protected]>"]
 edition = "2018"
 rust-version = "1.68.1"