Added webhook server for aws-credential-manager

apis/installer/v1alpha1/aws_credential_manager_types.go

@@ -85,6 +85,10 @@ type AwsCredentialManagerSpec struct {
 	VolumeMounts   []core.VolumeMount `json:"volumeMounts"`
 	// +optional
 	Distro shared.DistroSpec `json:"distro"`
+	// +optional
+	Apiserver AwsCredentialManagerApiserver `json:"apiserver"`
+	// +optional
+	BucketAccessor BucketAccessor `json:"bucketAccessor"`
 }
 
 type ImageReference struct {
@@ -99,6 +103,23 @@ type ServiceSpec struct {
 	Port int    `json:"port"`
 }
 
+type AwsCredentialManagerApiserver struct {
+	GroupPriorityMinimum        int             `json:"groupPriorityMinimum"`
+	VersionPriority             int             `json:"versionPriority"`
+	EnableMutatingWebhook       bool            `json:"enableMutatingWebhook"`
+	EnableValidatingWebhook     bool            `json:"enableValidatingWebhook"`
+	Ca                          string          `json:"ca"`
+	BypassValidatingWebhookXray bool            `json:"bypassValidatingWebhookXray"`
+	UseKubeapiserverFqdnForAks  bool            `json:"useKubeapiserverFqdnForAks"`
+	Healthcheck                 HealthcheckSpec `json:"healthcheck"`
+	ServingCerts                ServingCerts    `json:"servingCerts"`
+}
+
+type BucketAccessor struct {
+	AwsMaxIntervalSeconds string `json:"awsMaxIntervalSeconds"`
+	AwsMaxWaitSeconds     string `json:"awsMaxWaitSeconds"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // AwsCredentialManagerList is a list of AwsCredentialManagers

charts/aws-credential-manager/templates/_helpers.tpl

@@ -88,3 +88,38 @@ Returns if ubi images are to be used
 {{- define "operator.ubi" -}}
 {{ ternary "-ubi" "" (list "operator" "all" | has .Values.distro.ubi) }}
 {{- end }}
+
+
+{{ define "aws-credential-manager.webhookServiceName" -}}
+{{- printf "%s-webhook" (include "aws-credential-manager.fullname" . ) | trunc 63 | trimPrefix "-" -}}
+{{- end -}}
+
+{{/*
+Prepare certs
+*/}}
+{{- define "aws-credential-manager.prepare-certs" -}}
+{{- if not ._caCrt }}
+{{- $caCrt := "" }}
+{{- $serverCrt := "" }}
+{{- $serverKey := "" }}
+{{- if .Values.apiserver.servingCerts.generate }}
+{{- $ca := genCA "ca" 3650 }}
+{{ $cn := include "aws-credential-manager.webhookServiceName" . -}}
+{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
+{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+{{- $caCrt =  b64enc $ca.Cert }}
+{{- $serverCrt = b64enc $server.Cert }}
+{{- $serverKey = b64enc $server.Key }}
+{{- else }}
+{{- $caCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.caCrt }}
+{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }}
+{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }}
+{{- end }}
+
+{{ $_ := set $ "_caCrt" $caCrt }}
+{{ $_ := set $ "_serverCrt" $serverCrt }}
+{{ $_ := set $ "_serverKey" $serverKey }}
+
+{{- end }}
+{{- end }}

charts/aws-credential-manager/templates/cert.yaml

@@ -0,0 +1,16 @@
+{{ template "aws-credential-manager.prepare-certs" $ }}
+
+{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "aws-credential-manager.labels" . | nindent 4 }}
+type: Opaque
+data:
+  ca.crt: {{ $._caCrt }}
+  tls.crt: {{ $._serverCrt }}
+  tls.key: {{ $._serverKey }}
+{{- end }}

charts/aws-credential-manager/templates/deployment.yaml

@@ -47,22 +47,31 @@ spec:
             - --metrics-bind-address=:8443
             - --leader-elect=false
             - --health-probe-bind-address=:{{ .Values.service.port }}
+            - --webhook-cert-path=/var/serving-cert
+            - --aws-max-interval-seconds={{ .Values.bucketAccessor.awsMaxIntervalSeconds }}
+            - --aws-max-wait-seconds={{ .Values.bucketAccessor.awsMaxWaitSeconds }}
           ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
+            - containerPort: 9443
+              name: webhook-server
               protocol: TCP
           livenessProbe:
             {{- toYaml .Values.livenessProbe | nindent 12 }}
           readinessProbe:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
           volumeMounts:
+            - mountPath: /var/serving-cert
+              name: serving-cert
+          {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
-      {{- with .Values.volumes }}
       volumes:
+      - name: serving-cert
+        secret:
+          defaultMode: 420
+          secretName: {{ include "aws-credential-manager.fullname" . }}-apiserver-cert
+      {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.nodeSelector }}

charts/aws-credential-manager/templates/mutating-webhook.yaml

@@ -0,0 +1,32 @@
+{{ template "aws-credential-manager.prepare-certs" $ }}
+{{- if .Values.apiserver.enableMutatingWebhook }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "aws-credential-manager.fullname" . }}
+  labels:
+    {{- include "aws-credential-manager.labels" . | nindent 4 }}
+webhooks:
+  - name: vjob-v1.kb.io
+    admissionReviewVersions:
+      - v1
+    failurePolicy: {{ .Values.apiserver.webhook.failurePolicy }}
+    sideEffects: None
+    rules:
+      - operations:
+          - CREATE
+          - UPDATE
+          - DELETE
+        apiGroups:
+          - batch
+        apiVersions:
+          - v1
+        resources:
+          - jobs
+    clientConfig:
+      service:
+        namespace: {{ .Release.Namespace }}
+        name: {{ include "aws-credential-manager.webhookServiceName" . }}
+        path: /mutate-batch-v1-job
+      caBundle: {{ $._caCrt }}
+{{- end }}

charts/aws-credential-manager/templates/service.yaml

@@ -1,15 +1,14 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "aws-credential-manager.fullname" . }}-stats
+  name: {{ include "aws-credential-manager.webhookServiceName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "aws-credential-manager.labels" . | nindent 4 }}
 spec:
   ports:
-  - name: https
-    port: 8443
+  - port: 443
     protocol: TCP
-    targetPort: 8443
+    targetPort: 9443
   selector:
     {{- include "aws-credential-manager.labels" . | nindent 4 }}

charts/aws-credential-manager/values.yaml

@@ -56,13 +56,15 @@ resources: {}
 livenessProbe:
   httpGet:
     path: /healthz
-    port: http
+    port: 8081
+    scheme: HTTP
   initialDelaySeconds: 15
   periodSeconds: 20
 readinessProbe:
   httpGet:
     path: /readyz
-    port: http
+    port: 8081
+    scheme: HTTP
   initialDelaySeconds: 5
   periodSeconds: 10
 # Additional volumes on the output Deployment definition.
@@ -87,3 +89,40 @@ distro:
   openshift: false
   # Set operator or all to use ubi images
   ubi: ""
+
+bucketAccessor:
+  awsMaxIntervalSeconds: "5"
+  awsMaxWaitSeconds: "300"
+
+apiserver:
+  # The minimum priority the webhook api group should have at least. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
+  # for more information on proper values of this field.
+  groupPriorityMinimum: 10000
+  # The ordering of the webhook api inside of the group. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
+  # for more information on proper values of this field
+  versionPriority: 15
+  # If true, mutating webhook is configured for Kubernetes workloads
+  enableMutatingWebhook: true
+  # If true, validating webhook is configured for Stash CRDss
+  enableValidatingWebhook: true
+  # CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator.
+  ca: not-ca-cert
+  # If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster.
+  bypassValidatingWebhookXray: false
+  # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
+  useKubeapiserverFqdnForAks: true
+  healthcheck:
+    # If true, enables the readiness and liveliness probes for the operator pod.
+    enabled: false
+  servingCerts:
+    # If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
+    # to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
+    generate: true
+    # CA certficate used by serving certificate of webhook server.
+    caCrt: ""
+    # Serving certficate used by webhook server.
+    serverCrt: ""
+    # Private key for the serving certificate used by webhook server.
+    serverKey: ""