diff --git a/crd/MutatingWebhookConfiguration.yaml b/crd/MutatingWebhookConfiguration.yaml
index 455f7cb900..1abd0e0531 100644
--- a/crd/MutatingWebhookConfiguration.yaml
+++ b/crd/MutatingWebhookConfiguration.yaml
@@ -1,17 +1,16 @@
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
- name: nirmata-policy-mutation-webhook
+ name: nirmata-kube-policy-webhook-cfg
 labels:
- app: nirmata-policy-webhook-server
+ app: kube-policy
 webhooks:
- - name: mutation.webhook.nirmata-policy
+ - name: webhook.nirmata.kube-policy
 clientConfig:
 service:
- name: nirmata-webhook-server
+ name: kube-policy-svc
 namespace: default
 path: "/mutate"
- caBundle: 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
 rules:
 - operations: [ "CREATE" ]
 resources: [ "*/*" ]
diff --git a/crd/deployment.yaml b/crd/deployment.yaml
new file mode 100644
index 0000000000..907ac8d8e4
--- /dev/null
+++ b/crd/deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: kube-policy-deployment
+ labels:
+ app: kube-policy
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: kube-policy
+ spec:
+ containers:
+ - name: kube-policy
+ image: nirmata/kube-policy:latest
+ imagePullPolicy: IfNotPresent
+ args:
+ - -cert=/etc/kube-policy/certs/server.crt
+ - -key=/etc/kube-policy/certs/server-key.pem
+ volumeMounts:
+ - name: kube-policy-certs
+ mountPath: /etc/kube-policy/certs
+ readOnly: true
+ volumes:
+ - name: kube-policy-certs
+ secret:
+ secretName: kube-policy-secret
diff --git a/crd/service.yaml b/crd/service.yaml
new file mode 100644
index 0000000000..e42b03f03b
--- /dev/null
+++ b/crd/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kube-policy-svc
+ labels:
+ app: kube-policy
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: kube-policy
diff --git a/scripts/compile-image.sh b/scripts/compile-image.sh
new file mode 100755
index 0000000000..19466975b0
--- /dev/null
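Review bot: Removing the `caBundle` line leaves the apiserver to verify the webhook's serving certificate against its own system trust roots, and the certificate this repo issues comes from the cluster CSR signer (scripts/generate-server-cert.sh), which those roots normally do not include, so the admission call is likely to fail TLS. Because no `failurePolicy` is set anywhere in this 16-line file, the v1beta1 default `Ignore` silently skips the mutation whenever that call fails, meaning a policy webhook that cannot be reached is simply bypassed; for an enforcement webhook set `failurePolicy: Fail` and populate `caBundle` with the cluster CA taken from the kubeconfig's `certificate-authority-data`. With `resources: [ "*/*" ]` on CREATE and no `namespaceSelector`, a `Fail` policy would also block every CREATE in kube-system and the webhook's own pods while it is down, so pair it with a `namespaceSelector` that excludes the system namespaces and the namespace the webhook is deployed to. The hard-coded `namespace: default` must additionally match whatever namespace scripts/deploy-controller.sh receives as its first argument, otherwise the service reference is dangling.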
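Review bot: `image: nirmata/kube-policy:latest` combined with `imagePullPolicy: IfNotPresent` means a node that already cached the `latest` tag keeps running the old build after scripts/compile-image.sh pushes a new one, and nothing pins which image is actually admitted to the cluster; pin a version tag or digest, e.g. `image: nirmata/kube-policy:<version>@sha256:<digest>`, and keep `IfNotPresent` only once the reference is immutable. The pod template also carries no `securityContext`, and the alpine image built by scripts/compile-image.sh sets no `USER`, so the webhook runs as root in the container; `runAsNonRoot: true` with `readOnlyRootFilesystem: true` is the usual baseline, noting that service.yaml targets port 443 and binding it as non-root needs either a higher listen port or `NET_BIND_SERVICE` (the listen port is set in the Go binary, which is not visible here). A single replica for an admission webhook is also a single point of failure; how much that matters depends on the `failurePolicy` chosen in the webhook configuration.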
+++ b/scripts/compile-image.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+version="latest"
+
+echo "# Ensuring Go dependencies..."
+#dep ensure || exit 2
+
+echo "# Building executable ${project_name}..."
+CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ${project_name} . || exit 3
+
+echo "# Building docker image ${hub_user_name}/${project_name}:${version}"
+cat < Dockerfile
+FROM alpine:latest
+WORKDIR ~/
+ADD ${project_name} ./${project_name}
+ENTRYPOINT ["./${project_name}"]
+EOF
+tag="${hub_user_name}/${project_name}:${version}"
+docker build --no-cache -t "${tag}" . || exit 4
+
+echo "# Pushing image to repository..."
+docker push "${tag}" || exit 5
diff --git a/scripts/deploy-controller.sh b/scripts/deploy-controller.sh
new file mode 100755
index 0000000000..b5dad7e5eb
--- /dev/null
+++ b/scripts/deploy-controller.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+echo ${1}
+namespace=${1}
+if [ ${namespace} -eq "" ]; then
+ echo "Specify target namespace in the first parameter"
+ exit 1
+fi
+
+service_name="${project_name}-svc"
+echo "Generating certificate for the service ${service_name}..."
+serverIp="192.168.10.177" #TODO: ! Read it from ~/.kube/config !
+certsGenerator="./scripts/generate-server-cert.sh"
+chmod +x "${certsGenerator}"
+${certsGenerator} ${service_name} ${namespace} ${serverIp} || exit 2
+
+secret_name="${project_name}-secret"
+echo "Generating secret ${secret_name}..."
+kubectl delete secret "${secret_name}" 2>/dev/null
+kubectl create secret generic ${secret_name} --namespace ${namespace} --from-file=./certs || exit 3
+
+echo "Creating the service ${service_name}..."
+kubectl delete -f crd/service.yaml
+kubectl create -f crd/service.yaml || exit 4
+
+echo "Creating deployment..."
+kubectl delete -f crd/deployment.yaml
+kubectl create -f crd/deployment.yaml || exit 5
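Review bot: The generated Dockerfile is `FROM alpine:latest` with no `USER`, so the webhook binary runs as root on a floating base image that nothing pins, and `ADD` is used where `COPY` is the conventional choice for a local file (ADD additionally unpacks archives and fetches URLs); `WORKDIR ~/` is also suspect because Dockerfiles do not expand `~`, so it most likely creates a literal `/~` directory rather than a home directory. The `cat < Dockerfile` line reads as a heredoc whose `<<EOF >` was lost in rendering (the `EOF` terminator follows four lines later), so I treat that as an artifact of this page rather than of the script. The rewrite below pins the base image, creates a dedicated user and switches to it before the entrypoint; if the server binds port 443 (crd/service.yaml targets it), either change the listen port or grant `cap_net_bind_service` on the binary before the `USER` line. Pushing `:latest` unconditionally is the same mutable-tag problem crd/deployment.yaml then inherits through `imagePullPolicy: IfNotPresent`; deriving `version` from a git tag or commit SHA would give every build an immutable reference.
```shell
cat <<EOF > Dockerfile
# Pin the base image (ideally by digest, e.g. alpine:3.9@sha256:<digest>) instead of the mutable latest tag.
FROM alpine:3.9
RUN addgroup -S kube-policy && adduser -S -G kube-policy kube-policy
WORKDIR /app
COPY ${project_name} ./${project_name}
USER kube-policy
ENTRYPOINT ["./${project_name}"]
EOF
```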
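Review bot: `if [ ${namespace} -eq "" ]` is an integer comparison, not an emptiness test, and when the argument is omitted it expands to `[ -eq "" ]`, which `test` rejects with a "unary operator expected" error and a non-zero status, so the guard never fires and the script carries on with an empty namespace; use `if [ -z "${namespace}" ]; then`. The namespace is then applied inconsistently: the secret is created with `--namespace ${namespace}`, but `kubectl delete secret`, `kubectl create -f crd/service.yaml` and `kubectl create -f crd/deployment.yaml` run in whatever namespace the current kubeconfig context selects, so the deployment can land where `kube-policy-secret` does not exist and its certificate volume never mounts; pass `--namespace "${namespace}"` to all of them (crd/MutatingWebhookConfiguration.yaml additionally hard-codes `namespace: default`, which must agree). `serverIp="192.168.10.177"` bakes one lab address into the certificate request, presumably as a SAN; the TODO already says it should be derived from the kubeconfig's cluster server URL rather than committed. Quoting `${namespace}`, `${service_name}` and `${secret_name}` on the kubectl and generator lines would also stop an odd argument from splitting into extra arguments.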
diff --git a/scripts/generate-server-cert.sh b/scripts/generate-server-cert.sh index 29ce790b23..798ace2ade 100755 --- a/scripts/generate-server-cert.sh +++ b/scripts/generate-server-cert.sh @@ -3,9 +3,13 @@ service=${1} namespace=${2} serverIp=${3} +echo "service is $service" +echo "namespace is $namespace" +echo "serverIp is $serverIp" + destdir="certs" if [ ! -d "$destdir" ]; then - mkdir ${destdir} + mkdir ${destdir} || exit 1 fi tmpdir=$(mktemp -d) @@ -29,8 +33,8 @@ EOF outKeyFile=${destdir}/server-key.pem outCertFile=${destdir}/server.crt -openssl genrsa -out ${outKeyFile} 2048 -openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf +openssl genrsa -out ${outKeyFile} 2048 || exit 2 +openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3 CSR_NAME=${service}.cert-request kubectl delete csr ${CSR_NAME} 2>/dev/null @@ -50,8 +54,8 @@ spec: - server auth EOF -kubectl certificate approve ${CSR_NAME} -kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile} +kubectl certificate approve ${CSR_NAME} || exit 4 +kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile} || exit 5 echo "Generated:" echo ${outKeyFile}
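Review bot: The new `|| exit 5` on `kubectl get csr … | base64 --decode > ${outCertFile}` only sees the exit status of `base64`, the last command in the pipeline, and the cluster's CSR signer fills `.status.certificate` asynchronously after `kubectl certificate approve` returns, so an immediate read can come back empty; `base64` decodes an empty string to an empty `server.crt` with status 0, the error path the commit adds is never taken, and the deployment later starts with an empty certificate. Poll until the field is populated and fail explicitly if it never is, as below; `set -o pipefail` near the top of the script would additionally surface a failing `kubectl` in that pipeline. Auto-approving the CSR in the same script requires cluster-scoped CSR approval rights, which is acceptable for a dev bootstrap but should not become the production issuance path. The first two hunks of this file only add `|| exit` guards and diagnostic echoes and look fine.
```shell
kubectl certificate approve ${CSR_NAME} || exit 4
# The signer populates status.certificate asynchronously; wait for it instead of reading once.
serverCert=""
for _ in $(seq 1 20); do
  serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
  [ -n "${serverCert}" ] && break
  sleep 1
done
if [ -z "${serverCert}" ]; then
  echo "CSR ${CSR_NAME} was approved but no certificate was issued"
  exit 5
fi
echo "${serverCert}" | base64 --decode > ${outCertFile} || exit 5
```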