mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity

NK-8: Implemented deployment script for free (local) and in-cluster usage of the controller. Added readme file for scripts, improved scripts: implemented more convenient way to pass arguments. Removed hardcode from server.go.

Browse source
This commit is contained in:
belyshevdenis 2019-02-13 19:57:18 +02:00
parent c30f4d3119
commit 6765c97106
7 changed files with 133 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
crd/MutatingWebhookConfiguration.yaml
View file

@ -11,6 +11,7 @@ webhooks:
name: kube-policy-svc name: kube-policy-svc
namespace: default namespace: default
path: "/mutate" path: "/mutate"
caBundle: MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5pa3ViZUNBMB4XDTE5MDIwMzE1MjM0M1oXDTI5MDIwMTE1MjM0M1owFTETMBEGA1UEAxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOW3JNJEhX6syO6a+Vr8fezQUmHgJ+oUwYZbwIcb1TQKAGVoIPcN5nkBw11P6syjnrxoPt9HVq3/0mWJOacBgVtuAAZ4sQ8QevFwKmipTpTAC+SEBVhsypqO/1aLs2imbHQr2AVlCy2LxppX7lupl5ELwt9t5nSI3zuauezZ6ujkOCWcO52dGA3dIEXBiKiSQ4Svlqfnjpt7w8Frf6z77nmZSCbAXOf8jjPlObQGTFqzKq+gOmK3LzpANoY6VJSAjQP0jTTc7qC9u3KG53lbTectcBrcQnHRukUvfExI1YyYBTjekjN3DzTkjsn8FCar8hkR8/G4OnwZmiHgDVClrtsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAPvhLvSaYjT32cqy8tR7KR6PyO3lWKt1Tg1R6IrzavSp+5q9AkQyJQmgsm6WcOsxVwFHDMb23iPzv5UDQPmhmJlGRtFgHbCXOYL+Gf/f/6atez5EzbX3T/tSZPF7ASGLSClEGtOwFUYcXqOeQtInPVPe26PbG5k+XCdqDL8HvrRvyKf5HkTt/5nMYMig5TBs6L1O+GGfvM8dTNwW8w3T0ZUMoF4CKVmhMynG47hWW1HGdvqj/NWp8VWqO6Mo+6pBGJrrMdb7IArN725jhZps2CaD1bpGYVIB4Ad65E6ZbSXl12xUq+RI/LfqIaRAALJkXK3v0bfiJ1+SPMWok0QxjJ
rules: rules:
- operations: [ "CREATE" ] - operations: [ "CREATE" ]
resources: [ "*/*" ] resources: [ "*/*" ]

15
crd/MutatingWebhookConfiguration_local.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: nirmata-kube-policy-webhook-cfg
labels:
app: kube-policy
webhooks:
- name: webhook.nirmata.kube-policy
clientConfig:
url: "https://localhost/mutate"
rules:
- operations: [ "CREATE" ]
resources: [ "*/*" ]
apiGroups: [ "*" ]
apiVersions: [ "*" ]

25
scripts/README.md Normal file
View file

@ -0,0 +1,25 @@
Use these scripts to prepare the controller for work.
All these scripts should be launched from the root folder of the project, for example:
`scripts/compile-image.sh`
### compile-image.sh ###
Compiles the project to go executable, generates docker image and pushes it to the repo. Has no arguments.
### generate-server-cert.sh ###
Generates TLS certificate and key that used by webhook server. Example:
`scripts/generate-server-cert.sh --service=kube-policy-svc --namespace=my_namespace --serverIp=192.168.10.117`
* `--service` identifies the service for in-cluster webhook server. Do not specify it if you plan to run webhook server outside the cluster.
* `--namespace` identifies the namespace for in-cluster webhook server. Default value is "default".
* `--serverIp` is the IP of master node, it can be found in `~/.kube/config`: clusters.cluster[0].server. **The default is hardcoded value**, so you should explicitly specify it.
### deploy-controller.sh ###
Prepares controller for current environment in 1 of 2 possible modes: free (local) and in-cluster. Usage:
`scripts/deploy-controller.sh --namespace=my_namespace --serverIp=192.168.10.117`
* --namespace identifies the namespace for in-cluster webhook server. Do not specify it if you plan to run webhook server outside the cluster.
* --serverIp is the IP of master node, means the same as for `generate-server-cert.sh`.
### test-web-hook.sh ###
Quickly creates and deletes test config map. If your webhook server is running, you should see the corresponding output from it. Use this script after `deploy-controller.sh`.
### update-codegen.sh ###
Generates additional code for controller object. You should resolve all dependencies before using it, see main Readme for details.

71
scripts/deploy-controller.sh
View file

@ -1,29 +1,64 @@
#!/bin/bash #!/bin/bash
for i in "$@"
do
case $i in
--namespace=*)
namespace="${i#*=}"
shift
;;
--serverIp=*)
serverIp="${i#*=}"
shift
;;
esac
done
if [ -z "${serverIp}" ]; then
# This is the standard IP of minikube
serverIp="192.168.10.117" #TODO: ! Read it from ~/.kube/config !
fi
hub_user_name="nirmata" hub_user_name="nirmata"
project_name="kube-policy" project_name="kube-policy"
echo ${1}
namespace=${1}
if [ ${namespace} -eq "" ]; then
echo "Specify target namespace in the first parameter"
exit 1
fi
service_name="${project_name}-svc" service_name="${project_name}-svc"
echo "Generating certificate for the service ${service_name}..." echo "Generating certificate for the service ${service_name}..."
serverIp="192.168.10.177" #TODO: ! Read it from ~/.kube/config !
certsGenerator="./scripts/generate-server-cert.sh" certsGenerator="./scripts/generate-server-cert.sh"
chmod +x "${certsGenerator}" chmod +x "${certsGenerator}"
${certsGenerator} ${service_name} ${namespace} ${serverIp} || exit 2
secret_name="${project_name}-secret" if [ -z "${namespace}" ]; then # controller is launched locally
echo "Generating secret ${secret_name}..."
kubectl delete secret "${secret_name}" 2>/dev/null
kubectl create secret generic ${secret_name} --namespace ${namespace} --from-file=./certs || exit 3
echo "Creating the service ${service_name}..." ${certsGenerator} "--serverIp=${serverIp}" || exit 2
kubectl delete -f crd/service.yaml
kubectl create -f crd/service.yaml || exit 4
echo "Creating deployment..." echo "Applying webhook..."
kubectl delete -f crd/deployment.yaml kubectl delete -f crd/MutatingWebhookConfiguration_local.yaml
kubectl create -f crd/deployment.yaml || exit 5 kubectl create -f crd/MutatingWebhookConfiguration_local.yaml || exit 3
echo -e "\n### You can build and run kube-policy project locally.\n### To check its work, run it with parameters -cert and -key, which contain generated TLS certificate and key (see their paths in log above)."
else # controller is launched within a cluster
${certsGenerator} "--service=${service_name}" "--namespace=${namespace}" "--serverIp=${serverIp}" || exit 2
secret_name="${project_name}-secret"
echo "Generating secret ${secret_name}..."
kubectl delete secret "${secret_name}" 2>/dev/null
kubectl create secret generic ${secret_name} --namespace ${namespace} --from-file=./certs || exit 3
echo "Creating the service ${service_name}..."
kubectl delete -f crd/service.yaml
kubectl create -f crd/service.yaml || exit 4
echo "Creating deployment..."
kubectl delete -f crd/deployment.yaml
kubectl create -f crd/deployment.yaml || exit 5
echo "Applying webhook..."
kubectl delete -f crd/MutatingWebhookConfiguration.yaml
kubectl create -f crd/MutatingWebhookConfiguration.yaml || exit 3
echo -e "\n### Controller is running in cluster.\n### You can use compile-image.sh to rebuild its image and then the current script to redeploy the controller.\n### Check its work by 'kubectl logs <controller_pod> command'"
fi

35
scripts/generate-server-cert.sh
View file

@ -1,7 +1,26 @@
#!/bin/bash #!/bin/bash
service=${1}
namespace=${2} for i in "$@"
serverIp=${3} do
case $i in
--service=*)
service="${i#*=}"
shift
;;
--namespace=*)
namespace="${i#*=}"
shift
;;
--serverIp=*)
serverIp="${i#*=}"
shift
;;
esac
done
if [ -z "${namespace}" ]; then
namespace="default"
fi
echo "service is $service" echo "service is $service"
echo "namespace is $namespace" echo "namespace is $namespace"
@ -34,7 +53,15 @@ outKeyFile=${destdir}/server-key.pem
outCertFile=${destdir}/server.crt outCertFile=${destdir}/server.crt
openssl genrsa -out ${outKeyFile} 2048 || exit 2 openssl genrsa -out ${outKeyFile} 2048 || exit 2
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3 if [ ! -z "${service}" ]; then
subjectCN="${service}.${namespace}.svc"
echo "Configuring work WITHIN a cluster with CN=${subjectCN}"
else
subjectCN=${serverIp}
echo "Configuring work OUTSIDE a cluster with CN=${subjectCN}"
fi
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${subjectCN}" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3
CSR_NAME=${service}.cert-request CSR_NAME=${service}.cert-request
kubectl delete csr ${CSR_NAME} 2>/dev/null kubectl delete csr ${CSR_NAME} 2>/dev/null

4
scripts/test-web-hook.sh Executable file
View file

@ -0,0 +1,4 @@
#!/bin/bash
# You should see the trace of requests in the output of webhook server
kubectl create configmap test-config-map --from-literal="some_var=some_value"
kubectl delete configmap test-config-map

5
server/server.go
View file

@ -12,11 +12,13 @@ import (
type WebhookServer struct { type WebhookServer struct {
server http.Server server http.Server
logger *log.Logger
} }
func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
fmt.Println("/mutate is called!") fmt.Println("/mutate is called!")
httputil.DumpRequest(r, true) dump, _ := httputil.DumpRequest(r, true)
ws.logger.Printf("%s", dump)
} }
func (ws *WebhookServer) RunAsync() { func (ws *WebhookServer) RunAsync() {
@ -39,6 +41,7 @@ func (ws *WebhookServer) Stop() {
func NewWebhookServer(certFile string, keyFile string, logger *log.Logger) WebhookServer { func NewWebhookServer(certFile string, keyFile string, logger *log.Logger) WebhookServer {
var ws WebhookServer var ws WebhookServer
ws.logger = logger
mux := http.NewServeMux() mux := http.NewServeMux()
mux.HandleFunc("/mutate", ws.serve) mux.HandleFunc("/mutate", ws.serve)