1 |
-| registryFQDN | Docker registry fqdn used to pull app related images. Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io |
-| image.registry | Docker registry used to pull app container image | appscode |
-| image.repository | | aws-credential-manager |
-| image.pullPolicy | | IfNotPresent |
-| image.tag | Overrides the image tag whose default is the chart appVersion. | "" |
-| imagePullSecrets | | [] |
-| nameOverride | | "" |
-| fullnameOverride | | "" |
-| serviceAccount.create | Specifies whether a service account should be created | true |
-| serviceAccount.annotations | Annotations to add to the service account | {} |
-| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
-| podAnnotations | | {} |
-| podLabels | | {} |
-| podSecurityContext | | {} |
-| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} |
-| service.type | | ClusterIP |
-| service.port | | 8081 |
-| resources | | {} |
-| livenessProbe.httpGet.path | | /healthz |
-| livenessProbe.httpGet.port | | http |
-| livenessProbe.initialDelaySeconds | | 15 |
-| livenessProbe.periodSeconds | | 20 |
-| readinessProbe.httpGet.path | | /readyz |
-| readinessProbe.httpGet.port | | http |
-| readinessProbe.initialDelaySeconds | | 5 |
-| readinessProbe.periodSeconds | | 10 |
-| volumes | Additional volumes on the output Deployment definition. | [] |
-| volumeMounts | Additional volumeMounts on the output Deployment definition. | [] |
-| nodeSelector | | {} |
-| tolerations | | [] |
-| affinity | | {} |
-| distro.openshift | Set true, if installed in OpenShift | false |
-| distro.ubi | Set operator or all to use ubi images | "" |
+| Parameter | Description | Default |
+|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| replicaCount | | 1 |
+| registryFQDN | Docker registry fqdn used to pull app related images. Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image} | ghcr.io |
+| image.registry | Docker registry used to pull app container image | appscode |
+| image.repository | | aws-credential-manager |
+| image.pullPolicy | | IfNotPresent |
+| image.tag | Overrides the image tag whose default is the chart appVersion. | "" |
+| imagePullSecrets | | [] |
+| nameOverride | | "" |
+| fullnameOverride | | "" |
+| serviceAccount.create | Specifies whether a service account should be created | true |
+| serviceAccount.annotations | Annotations to add to the service account | {} |
+| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
+| podAnnotations | | {} |
+| podLabels | | {} |
+| podSecurityContext | | {} |
+| securityContext | | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} |
+| service.type | | ClusterIP |
+| service.port | | 8081 |
+| resources | | {} |
+| livenessProbe.httpGet.path | | /healthz |
+| livenessProbe.httpGet.port | | 8081 |
+| livenessProbe.httpGet.scheme | | HTTP |
+| livenessProbe.initialDelaySeconds | | 15 |
+| livenessProbe.periodSeconds | | 20 |
+| readinessProbe.httpGet.path | | /readyz |
+| readinessProbe.httpGet.port | | 8081 |
+| readinessProbe.httpGet.scheme | | HTTP |
+| readinessProbe.initialDelaySeconds | | 5 |
+| readinessProbe.periodSeconds | | 10 |
+| volumes | Additional volumes on the output Deployment definition. | [] |
+| volumeMounts | Additional volumeMounts on the output Deployment definition. | [] |
+| nodeSelector | | {} |
+| tolerations | | [] |
+| affinity | | {} |
+| distro.openshift | Set true, if installed in OpenShift | false |
+| distro.ubi | Set operator or all to use ubi images | "" |
+| bucketAccessor.awsMaxIntervalSeconds | | "5" |
+| bucketAccessor.awsMaxWaitSeconds | | "300" |
+| apiserver.groupPriorityMinimum | The minimum priority the webhook api group should have at least. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 for more information on proper values of this field. | 10000 |
+| apiserver.versionPriority | The ordering of the webhook api inside of the group. Please see https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 for more information on proper values of this field | 15 |
+| apiserver.enableMutatingWebhook | If true, mutating webhook is configured for Kubernetes workloads | true |
+| apiserver.enableValidatingWebhook | If true, validating webhook is configured for Stash CRDss | true |
+| apiserver.ca | CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator. | not-ca-cert |
+| apiserver.bypassValidatingWebhookXray | If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster. | false |
+| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | true |
+| apiserver.healthcheck.enabled | If true, enables the readiness and liveliness probes for the operator pod. | false |
+| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | true |
+| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of webhook server. | "" |
+| apiserver.servingCerts.serverCrt | Serving certficate used by webhook server. | "" |
+| apiserver.servingCerts.serverKey | Private key for the serving certificate used by webhook server. | "" |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
diff --git a/charts/aws-credential-manager/templates/_helpers.tpl b/charts/aws-credential-manager/templates/_helpers.tpl
index 7b35da84..18034fa0 100644
--- a/charts/aws-credential-manager/templates/_helpers.tpl
+++ b/charts/aws-credential-manager/templates/_helpers.tpl
@@ -88,3 +88,38 @@ Returns if ubi images are to be used
{{- define "operator.ubi" -}}
{{ ternary "-ubi" "" (list "operator" "all" | has .Values.distro.ubi) }}
{{- end }}
+
+
+{{ define "aws-credential-manager.webhookServiceName" -}}
+{{- printf "%s-webhook" (include "aws-credential-manager.fullname" . ) | trunc 63 | trimPrefix "-" -}}
+{{- end -}}
+
+{{/*
+Prepare certs
+*/}}
+{{- define "aws-credential-manager.prepare-certs" -}}
+{{- if not ._caCrt }}
+{{- $caCrt := "" }}
+{{- $serverCrt := "" }}
+{{- $serverKey := "" }}
+{{- if .Values.apiserver.servingCerts.generate }}
+{{- $ca := genCA "ca" 3650 }}
+{{ $cn := include "aws-credential-manager.webhookServiceName" . -}}
+{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
+{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+{{- $caCrt = b64enc $ca.Cert }}
+{{- $serverCrt = b64enc $server.Cert }}
+{{- $serverKey = b64enc $server.Key }}
+{{- else }}
+{{- $caCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.caCrt }}
+{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }}
+{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }}
+{{- end }}
+
+{{ $_ := set $ "_caCrt" $caCrt }}
+{{ $_ := set $ "_serverCrt" $serverCrt }}
+{{ $_ := set $ "_serverKey" $serverKey }}
+
+{{- end }}
+{{- end }}
\ No newline at end of file
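Review bot: When `apiserver.servingCerts.generate` is true, `genCA` (L111) and `genSignedCert` (L115) mint a fresh CA and serving key on every render, so each `helm upgrade` rotates the key pair and the caBundle together; until the kubelet refreshes the mounted Secret the pod presumably still serves the old certificate against the new caBundle, which would surface as admission TLS failures for that window. Consider reusing the existing Secret before generating, e.g. `{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-apiserver-cert" (include "aws-credential-manager.fullname" .)) }}` and only falling through to `genCA` when it is empty, and state the 3650-day validity (ten years, no rotation path) in the "Prepare certs" comment. The SAN list built at L113–L114 covers `<svc>.<ns>` and `<svc>.<ns>.svc` only, which is enough for the apiserver's in-cluster call but not the `.svc.cluster.local` FQDN; worth a one-line comment so nobody points an out-of-cluster client at it.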
diff --git a/charts/aws-credential-manager/templates/cert.yaml b/charts/aws-credential-manager/templates/cert.yaml
new file mode 100644
index 00000000..558ca196
--- /dev/null
+++ b/charts/aws-credential-manager/templates/cert.yaml
@@ -0,0 +1,16 @@
+{{ template "aws-credential-manager.prepare-certs" $ }}
+
+{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "aws-credential-manager.labels" . | nindent 4 }}
+type: Opaque
+data:
+ ca.crt: {{ $._caCrt }}
+ tls.crt: {{ $._serverCrt }}
+ tls.key: {{ $._serverKey }}
+{{- end }}
\ No newline at end of file
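Review bot: The Secret is rendered only when `enableMutatingWebhook` or `enableValidatingWebhook` is true (L140), but the `serving-cert` volume and mount added in deployment.yaml (the `secretName: ...-apiserver-cert` volume in its second hunk) and the `--webhook-cert-path` flag are unconditional, so disabling both webhooks leaves the pod stuck in ContainerCreating on a missing Secret. Either drop the condition here, wrap the volume, mount and flag in the same `{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}` guard, or mark the volume `optional: true`. Since the keys are already `tls.crt`/`tls.key`, `type: kubernetes.io/tls` would also let tooling recognize the Secret's purpose.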
diff --git a/charts/aws-credential-manager/templates/deployment.yaml b/charts/aws-credential-manager/templates/deployment.yaml
index b58c0329..061534f8 100644
--- a/charts/aws-credential-manager/templates/deployment.yaml
+++ b/charts/aws-credential-manager/templates/deployment.yaml
@@ -47,9 +47,12 @@ spec:
- --metrics-bind-address=:8443
- --leader-elect=false
- --health-probe-bind-address=:{{ .Values.service.port }}
+ - --webhook-cert-path=/var/serving-cert
+ - --aws-max-interval-seconds={{ .Values.bucketAccessor.awsMaxIntervalSeconds }}
+ - --aws-max-wait-seconds={{ .Values.bucketAccessor.awsMaxWaitSeconds }}
ports:
- - name: http
- containerPort: {{ .Values.service.port }}
+ - containerPort: 9443
+ name: webhook-server
protocol: TCP
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
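Review bot: Removing the `http` containerPort (L167–L168) is what forced the probes in values.yaml to hard-code `port: 8081`, yet the health server is still bound on `--health-probe-bind-address=:{{ .Values.service.port }}` (L162); overriding `service.port` now silently breaks liveness and readiness, and after the service.yaml change `service.port` no longer feeds the Service at all. Keep a named port next to the webhook one, `- name: http` / `containerPort: {{ .Values.service.port }}` / `protocol: TCP`, so the probes can reference `port: http` again, or retire `service.port` and bind the health server on the fixed 8081 the probes now assume. The container spec continues outside the hunk.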
@@ -57,12 +60,18 @@ spec:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.volumeMounts }}
volumeMounts:
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ {{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- {{- with .Values.volumes }}
volumes:
+ - name: serving-cert
+ secret:
+ defaultMode: 420
+ secretName: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+ {{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
diff --git a/charts/aws-credential-manager/templates/mutating-webhook.yaml b/charts/aws-credential-manager/templates/mutating-webhook.yaml
new file mode 100644
index 00000000..15999943
--- /dev/null
+++ b/charts/aws-credential-manager/templates/mutating-webhook.yaml
@@ -0,0 +1,32 @@
+{{ template "aws-credential-manager.prepare-certs" $ }}
+{{- if .Values.apiserver.enableMutatingWebhook }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ include "aws-credential-manager.fullname" . }}
+ labels:
+ {{- include "aws-credential-manager.labels" . | nindent 4 }}
+webhooks:
+ - name: vjob-v1.kb.io
+ admissionReviewVersions:
+ - v1
+ failurePolicy: {{ .Values.apiserver.webhook.failurePolicy }}
+ sideEffects: None
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ apiGroups:
+ - batch
+ apiVersions:
+ - v1
+ resources:
+ - jobs
+ clientConfig:
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: {{ include "aws-credential-manager.webhookServiceName" . }}
+ path: /mutate-batch-v1-job
+ caBundle: {{ $._caCrt }}
+{{- end }}
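Review bot: `failurePolicy: {{ .Values.apiserver.webhook.failurePolicy }}` at L213 references `apiserver.webhook`, which the values.yaml hunk in this diff does not define; with the shipped defaults Helm aborts the render with a nil-pointer error on `.webhook.failurePolicy` rather than leaving the field unset. Add `webhook:` / `  failurePolicy: Fail` under `apiserver` in values.yaml with a comment on the `Fail`/`Ignore` trade-off. Separately, the hook matches `batch/v1` Jobs cluster-wide with no `namespaceSelector`, so control-plane Jobs are routed through it too and, with `Fail`, an unavailable operator blocks Job creation everywhere; a selector that excludes `kube-system` (or opts namespaces in by label) plus an explicit `timeoutSeconds` bounds that blast radius. `DELETE` in a mutating webhook's operations (L219) cannot mutate anything and only adds a round trip, and the `vjob-` prefix conventionally marks a validating hook, so `mjob-v1.kb.io` would read correctly.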
diff --git a/charts/aws-credential-manager/templates/service.yaml b/charts/aws-credential-manager/templates/service.yaml
index 6a3d16d8..db30a332 100644
--- a/charts/aws-credential-manager/templates/service.yaml
+++ b/charts/aws-credential-manager/templates/service.yaml
@@ -1,15 +1,14 @@
apiVersion: v1
kind: Service
metadata:
- name: {{ include "aws-credential-manager.fullname" . }}-stats
+ name: {{ include "aws-credential-manager.webhookServiceName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-credential-manager.labels" . | nindent 4 }}
spec:
ports:
- - name: https
- port: 8443
+ - port: 443
protocol: TCP
- targetPort: 8443
+ targetPort: 9443
selector:
{{- include "aws-credential-manager.labels" . | nindent 4 }}
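Review bot: Renaming the Service from `-stats` to the webhook service name and swapping its 8443 port for 443→9443 changes what the chart exposes, not just a name: `helm upgrade` deletes the old `-stats` Service, so anything that targeted it (a ServiceMonitor, NetworkPolicy or dashboard scraping 8443) presumably stops working, and the `--metrics-bind-address=:8443` endpoint in deployment.yaml is no longer reachable through any Service in this diff. If metrics are still scraped, keep a second Service or a second named port (`name: metrics`, `port: 8443`, `targetPort: 8443`) and call out the rename in the chart's upgrade notes. Naming the remaining port (`name: https`) also makes the webhook clientConfig easier to audit.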
diff --git a/charts/aws-credential-manager/values.yaml b/charts/aws-credential-manager/values.yaml
index 78b550c4..8a1742d8 100644
--- a/charts/aws-credential-manager/values.yaml
+++ b/charts/aws-credential-manager/values.yaml
@@ -56,13 +56,15 @@ resources: {}
livenessProbe:
httpGet:
path: /healthz
- port: http
+ port: 8081
+ scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
- port: http
+ port: 8081
+ scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
# Additional volumes on the output Deployment definition.
@@ -87,3 +89,40 @@ distro:
openshift: false
# Set operator or all to use ubi images
ubi: ""
+
+bucketAccessor:
+ awsMaxIntervalSeconds: "5"
+ awsMaxWaitSeconds: "300"
+
+apiserver:
+ # The minimum priority the webhook api group should have at least. Please see
+ # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
+ # for more information on proper values of this field.
+ groupPriorityMinimum: 10000
+ # The ordering of the webhook api inside of the group. Please see
+ # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
+ # for more information on proper values of this field
+ versionPriority: 15
+ # If true, mutating webhook is configured for Kubernetes workloads
+ enableMutatingWebhook: true
+ # If true, validating webhook is configured for Stash CRDss
+ enableValidatingWebhook: true
+ # CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator.
+ ca: not-ca-cert
+ # If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster.
+ bypassValidatingWebhookXray: false
+ # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
+ useKubeapiserverFqdnForAks: true
+ healthcheck:
+ # If true, enables the readiness and liveliness probes for the operator pod.
+ enabled: false
+ servingCerts:
+ # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
+ # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
+ generate: true
+ # CA certficate used by serving certificate of webhook server.
+ caCrt: ""
+ # Serving certficate used by webhook server.
+ serverCrt: ""
+ # Private key for the serving certificate used by webhook server.
+ serverKey: ""
\ No newline at end of file
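Review bot: Several of the new `apiserver` keys (L287–L308) are not read by any template in this diff — `groupPriorityMinimum`, `versionPriority`, `ca`, `bypassValidatingWebhookXray`, `useKubeapiserverFqdnForAks` and `healthcheck.enabled` — and the `Stash CRDss` comment at L298 suggests they were carried over from another chart; if no template outside this diff consumes them, drop them rather than ship values that do nothing, since `healthcheck.enabled: false` in particular implies the probes are off while deployment.yaml applies them unconditionally. The key the templates do need, `apiserver.webhook.failurePolicy` (referenced in mutating-webhook.yaml), is missing here and should be added as `webhook:` / `  failurePolicy: Fail` with a comment on the `Fail`/`Ignore` trade-off. The `servingCerts.generate` comment should also say that a new CA and serving key are generated on every render (3650-day validity, no rotation), since that is what operators must plan around on upgrade.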