NK-8: Implemented script for generating webhook server certificates, script for building the Docker container with webserver executable, script for deploying webserver to the cluster. Provided YAMLS for webhooks service and deployment. Changed YAML for webhook configuration: now webhook server is configured as a service.

crd/MutatingWebhookConfiguration.yaml

@@ -1,17 +1,16 @@
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: nirmata-policy-mutation-webhook
+  name: nirmata-kube-policy-webhook-cfg
   labels:
-    app: nirmata-policy-webhook-server
+    app: kube-policy
 webhooks:
-  - name: mutation.webhook.nirmata-policy
+  - name: webhook.nirmata.kube-policy
     clientConfig:
       service:
-        name: nirmata-webhook-server
+        name: kube-policy-svc
         namespace: default
         path: "/mutate"
-      caBundle: MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5pa3ViZUNBMB4XDTE5MDIwMzE1MjM0M1oXDTI5MDIwMTE1MjM0M1owFTETMBEGA1UEAxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOW3JNJEhX6syO6a+Vr8fezQUmHgJ+oUwYZbwIcb1TQKAGVoIPcN5nkBw11P6syjnrxoPt9HVq3/0mWJOacBgVtuAAZ4sQ8QevFwKmipTpTAC+SEBVhsypqO/1aLs2imbHQr2AVlCy2LxppX7lupl5ELwt9t5nSI3zuauezZ6ujkOCWcO52dGA3dIEXBiKiSQ4Svlqfnjpt7w8Frf6z77nmZSCbAXOf8jjPlObQGTFqzKq+gOmK3LzpANoY6VJSAjQP0jTTc7qC9u3KG53lbTectcBrcQnHRukUvfExI1YyYBTjekjN3DzTkjsn8FCar8hkR8/G4OnwZmiHgDVClrtsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAPvhLvSaYjT32cqy8tR7KR6PyO3lWKt1Tg1R6IrzavSp+5q9AkQyJQmgsm6WcOsxVwFHDMb23iPzv5UDQPmhmJlGRtFgHbCXOYL+Gf/f/6atez5EzbX3T/tSZPF7ASGLSClEGtOwFUYcXqOeQtInPVPe26PbG5k+XCdqDL8HvrRvyKf5HkTt/5nMYMig5TBs6L1O+GGfvM8dTNwW8w3T0ZUMoF4CKVmhMynG47hWW1HGdvqj/NWp8VWqO6Mo+6pBGJrrMdb7IArN725jhZps2CaD1bpGYVIB4Ad65E6ZbSXl12xUq+RI/LfqIaRAALJkXK3v0bfiJ1+SPMWok0QxjJ
     rules:
       - operations: [ "CREATE" ]
         resources: [ "*/*" ]

crd/deployment.yaml

@@ -0,0 +1,28 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kube-policy-deployment
+  labels:
+    app: kube-policy
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: kube-policy
+    spec:
+      containers:
+        - name: kube-policy
+          image: nirmata/kube-policy:latest
+          imagePullPolicy: IfNotPresent
+          args:
+            - -cert=/etc/kube-policy/certs/server.crt
+            - -key=/etc/kube-policy/certs/server-key.pem
+          volumeMounts:
+            - name: kube-policy-certs
+              mountPath: /etc/kube-policy/certs
+              readOnly: true
+      volumes:
+        - name: kube-policy-certs
+          secret:
+            secretName: kube-policy-secret

crd/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-policy-svc
+  labels:
+    app: kube-policy
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app: kube-policy

scripts/compile-image.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+version="latest"
+
+echo "# Ensuring Go dependencies..."
+#dep ensure || exit 2
+
+echo "# Building executable ${project_name}..."
+CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ${project_name} . || exit 3
+
+echo "# Building docker image ${hub_user_name}/${project_name}:${version}"
+cat <<EOF > Dockerfile
+FROM alpine:latest
+WORKDIR ~/
+ADD ${project_name} ./${project_name}
+ENTRYPOINT ["./${project_name}"]
+EOF
+tag="${hub_user_name}/${project_name}:${version}"
+docker build --no-cache -t "${tag}" . || exit 4
+
+echo "# Pushing image to repository..."
+docker push "${tag}" || exit 5

scripts/deploy-controller.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+echo ${1}
+namespace=${1}
+if [ ${namespace} -eq "" ]; then
+  echo "Specify target namespace in the first parameter"
+  exit 1
+fi
+
+service_name="${project_name}-svc"
+echo "Generating certificate for the service ${service_name}..."
+serverIp="192.168.10.177" #TODO: ! Read it from ~/.kube/config !
+certsGenerator="./scripts/generate-server-cert.sh"
+chmod +x "${certsGenerator}"
+${certsGenerator} ${service_name} ${namespace} ${serverIp} || exit 2
+
+secret_name="${project_name}-secret"
+echo "Generating secret ${secret_name}..."
+kubectl delete secret "${secret_name}" 2>/dev/null
+kubectl create secret generic ${secret_name} --namespace ${namespace} --from-file=./certs || exit 3
+
+echo "Creating the service ${service_name}..."
+kubectl delete -f crd/service.yaml
+kubectl create -f crd/service.yaml || exit 4
+
+echo "Creating deployment..."
+kubectl delete -f crd/deployment.yaml
+kubectl create -f crd/deployment.yaml || exit 5

scripts/generate-server-cert.sh

@@ -3,9 +3,13 @@ service=${1}
 namespace=${2}
 serverIp=${3}
 
+echo "service is $service"
+echo "namespace is $namespace"
+echo "serverIp is $serverIp"
+
 destdir="certs"
 if [ ! -d "$destdir" ]; then
-  mkdir ${destdir}
+  mkdir ${destdir} || exit 1
 fi
 tmpdir=$(mktemp -d)
 
@@ -29,8 +33,8 @@ EOF
 outKeyFile=${destdir}/server-key.pem
 outCertFile=${destdir}/server.crt
 
-openssl genrsa -out ${outKeyFile} 2048
-openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+openssl genrsa -out ${outKeyFile} 2048 || exit 2
+openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3
 
 CSR_NAME=${service}.cert-request
 kubectl delete csr ${CSR_NAME} 2>/dev/null
@@ -50,8 +54,8 @@ spec:
   - server auth
 EOF
 
-kubectl certificate approve ${CSR_NAME}
-kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile}
+kubectl certificate approve ${CSR_NAME} || exit 4
+kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile} || exit 5
 
 echo "Generated:"
 echo ${outKeyFile}