From c30f4d3119204d7a2dbbeef58fe70f6f3d2515b7 Mon Sep 17 00:00:00 2001
From: belyshevdenis
Date: Wed, 13 Feb 2019 15:28:16 +0200
Subject: [PATCH] NK-8: Implemented script for generating webhook server certificates, script for building the Docker container with webserver executable, script for deploying webserver to the cluster. Provided YAMLS for webhooks service and deployment. Changed YAML for webhook configuration: now webhook server is configured as a service.
---
 crd/MutatingWebhookConfiguration.yaml | 9 ++++-----
 crd/deployment.yaml | 28 ++++++++++++++++++++++++++
 crd/service.yaml | 12 +++++++++++
 scripts/compile-image.sh | 23 +++++++++++++++++++++
 scripts/deploy-controller.sh | 29 +++++++++++++++++++++++++++
 scripts/generate-server-cert.sh | 14 ++++++++----
 6 files changed, 105 insertions(+), 10 deletions(-)
 create mode 100644 crd/deployment.yaml
 create mode 100644 crd/service.yaml
 create mode 100755 scripts/compile-image.sh
 create mode 100755 scripts/deploy-controller.sh
diff --git a/crd/MutatingWebhookConfiguration.yaml b/crd/MutatingWebhookConfiguration.yaml
index 455f7cb900..1abd0e0531 100644
--- a/crd/MutatingWebhookConfiguration.yaml
+++ b/crd/MutatingWebhookConfiguration.yaml
@@ -1,17 +1,16 @@
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
 metadata:
- name: nirmata-policy-mutation-webhook
+ name: nirmata-kube-policy-webhook-cfg
 labels:
- app: nirmata-policy-webhook-server
+ app: kube-policy
 webhooks:
- - name: mutation.webhook.nirmata-policy
+ - name: webhook.nirmata.kube-policy
 clientConfig:
 service:
- name: nirmata-webhook-server
+ name: kube-policy-svc
 namespace: default
 path: "/mutate"
- caBundle: 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
 rules:
 - operations: [ "CREATE" ]
 resources: [ "*/*" ]
diff --git a/crd/deployment.yaml b/crd/deployment.yaml
new file mode 100644
index 0000000000..907ac8d8e4
--- /dev/null
+++ b/crd/deployment.yaml
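Review bot: Removing `caBundle` from `clientConfig` leaves the apiserver with nothing to validate the webhook's serving certificate against, while generate-server-cert.sh in this same patch has that certificate signed by the cluster's CSR signer rather than a publicly trusted CA, so the TLS handshake to kube-policy-svc will fail unless the cluster CA is injected here. Have deploy-controller.sh fill the field at deploy time, e.g. `caBundle: <cluster-CA-base64-placeholder>` taken from `kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'`, instead of dropping it. The hunk covers the whole 16-line file and no `failurePolicy` is set, so under the v1beta1 default of Ignore a failed call lets every object through unmutated, which for a hook matching `operations: [ "CREATE" ]` on `resources: [ "*/*" ]` is a silent fail-open; state `failurePolicy` explicitly and consider a `namespaceSelector` so the controller's own namespace is not intercepted.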
@@ -0,0 +1,28 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: kube-policy-deployment
+ labels:
+ app: kube-policy
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: kube-policy
+ spec:
+ containers:
+ - name: kube-policy
+ image: nirmata/kube-policy:latest
+ imagePullPolicy: IfNotPresent
+ args:
+ - -cert=/etc/kube-policy/certs/server.crt
+ - -key=/etc/kube-policy/certs/server-key.pem
+ volumeMounts:
+ - name: kube-policy-certs
+ mountPath: /etc/kube-policy/certs
+ readOnly: true
+ volumes:
+ - name: kube-policy-certs
+ secret:
+ secretName: kube-policy-secret
diff --git a/crd/service.yaml b/crd/service.yaml
new file mode 100644
index 0000000000..e42b03f03b
--- /dev/null
+++ b/crd/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kube-policy-svc
+ labels:
+ app: kube-policy
+spec:
+ ports:
+ - port: 443
+ targetPort: 443
+ selector:
+ app: kube-policy
diff --git a/scripts/compile-image.sh b/scripts/compile-image.sh
new file mode 100755
index 0000000000..19466975b0
--- /dev/null
+++ b/scripts/compile-image.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+version="latest"
+
+echo "# Ensuring Go dependencies..."
+#dep ensure || exit 2
+
+echo "# Building executable ${project_name}..."
+CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ${project_name} . || exit 3
+
+echo "# Building docker image ${hub_user_name}/${project_name}:${version}"
+cat < Dockerfile
+FROM alpine:latest
+WORKDIR ~/
+ADD ${project_name} ./${project_name}
+ENTRYPOINT ["./${project_name}"]
+EOF
+tag="${hub_user_name}/${project_name}:${version}"
+docker build --no-cache -t "${tag}" . || exit 4
+
+echo "# Pushing image to repository..."
+docker push "${tag}" || exit 5
diff --git a/scripts/deploy-controller.sh b/scripts/deploy-controller.sh
new file mode 100755
index 0000000000..b5dad7e5eb
--- /dev/null
+++ b/scripts/deploy-controller.sh
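Review bot: The container spec pins nothing: `image: nirmata/kube-policy:latest` together with `imagePullPolicy: IfNotPresent` means each node keeps running whatever `latest` it already cached, so an admission controller that mutates every create in the cluster can differ between nodes and cannot be rolled back to a known build; pin a version tag or digest, e.g. `image: nirmata/kube-policy@sha256:<digest-placeholder>`. There is no `securityContext` or `resources` stanza, and because crd/service.yaml in this patch targets port 443 the process presumably binds a privileged port and therefore runs as root in the alpine image compile-image.sh produces — consider `runAsNonRoot: true` with `capabilities: {add: [NET_BIND_SERVICE]}`, or listen on a high port and let the Service map 443 to it. `apiVersion: extensions/v1beta1` is the deprecated group for Deployment; `apps/v1` is the supported one. The pod also gets the namespace's default ServiceAccount token mounted, which nothing here shows it needing, so `automountServiceAccountToken: false` on the pod spec would shrink the blast radius if the webhook is compromised.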
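Review bot: The generated Dockerfile starts `FROM alpine:latest`, copies the binary with `ADD`, and sets no `USER`, so every build picks up a different unpinned base and the webhook runs as root inside the container; pin the base to a tag plus digest and use `COPY` (ADD additionally unpacks archives and fetches URLs, which is never wanted for a local binary). `WORKDIR ~/` is not tilde-expanded by Docker, it creates a literal `~` directory at the image root, so use an absolute path. The heredoc line reads `cat < Dockerfile` as rendered here, which would redirect stdin instead of writing the file; it is presumably a mangled `cat <<EOF > Dockerfile` and worth checking in the repository. If the server binds 443 (crd/service.yaml targets it), a non-root USER needs CAP_NET_BIND_SERVICE granted in the pod spec or a high listening port.
```shell
cat <<EOF > Dockerfile
# placeholder values: pin to a specific alpine tag and its digest
FROM alpine:<TAG>@sha256:<DIGEST>
RUN addgroup -S ${project_name} && adduser -S -G ${project_name} ${project_name}
WORKDIR /app
COPY ${project_name} ./${project_name}
USER ${project_name}
ENTRYPOINT ["./${project_name}"]
EOF
# … unchanged: tag, docker build, docker push …
```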
@@ -0,0 +1,29 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+echo ${1}
+namespace=${1}
+if [ ${namespace} -eq "" ]; then
+ echo "Specify target namespace in the first parameter"
+ exit 1
+fi
+
+service_name="${project_name}-svc"
+echo "Generating certificate for the service ${service_name}..."
+serverIp="192.168.10.177" #TODO: ! Read it from ~/.kube/config !
+certsGenerator="./scripts/generate-server-cert.sh"
+chmod +x "${certsGenerator}"
+${certsGenerator} ${service_name} ${namespace} ${serverIp} || exit 2
+
+secret_name="${project_name}-secret"
+echo "Generating secret ${secret_name}..."
+kubectl delete secret "${secret_name}" 2>/dev/null
+kubectl create secret generic ${secret_name} --namespace ${namespace} --from-file=./certs || exit 3
+
+echo "Creating the service ${service_name}..."
+kubectl delete -f crd/service.yaml
+kubectl create -f crd/service.yaml || exit 4
+
+echo "Creating deployment..."
+kubectl delete -f crd/deployment.yaml
+kubectl create -f crd/deployment.yaml || exit 5
diff --git a/scripts/generate-server-cert.sh b/scripts/generate-server-cert.sh
index 29ce790b23..798ace2ade 100755
--- a/scripts/generate-server-cert.sh
+++ b/scripts/generate-server-cert.sh
@@ -3,9 +3,13 @@
 service=${1}
 namespace=${2}
 serverIp=${3}
+echo "service is $service"
+echo "namespace is $namespace"
+echo "serverIp is $serverIp"
+
 destdir="certs"
 if [ ! -d "$destdir" ]; then
- mkdir ${destdir}
+ mkdir ${destdir} || exit 1
 fi
 tmpdir=$(mktemp -d)
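Review bot: The namespace guard `if [ ${namespace} -eq "" ]` never works: `-eq` is an integer comparison, so an empty argument produces a `[` syntax error and a real namespace name produces "integer expression expected", and in both cases the script carries on; it should read `if [ -z "${namespace}" ]; then`. The namespace is then honoured only by `kubectl create secret`: the `kubectl delete secret`, service and deployment calls use the current kubeconfig context, so the Deployment can land in one namespace while the `kube-policy-secret` it mounts sits in another, and the certificate CN `${service}.${namespace}.svc` from generate-server-cert.sh plus the hardcoded `namespace: default` in crd/MutatingWebhookConfiguration.yaml all have to agree with the same value. `serverIp="192.168.10.177"` is a hardcoded host address that is passed into the CSR generation (presumably into its SAN list); take it from an argument or the kubeconfig as the TODO says rather than shipping a fixed IP. `echo ${1}` looks like leftover debugging and can go.
```shell
namespace=${1}
if [ -z "${namespace}" ]; then
  echo "Specify target namespace in the first parameter" >&2
  exit 1
fi
# … unchanged: certificate generation …
kubectl delete secret "${secret_name}" --namespace "${namespace}" 2>/dev/null
kubectl create secret generic "${secret_name}" --namespace "${namespace}" --from-file=./certs || exit 3
# … unchanged: status echo …
kubectl delete -f crd/service.yaml --namespace "${namespace}" 2>/dev/null
kubectl create -f crd/service.yaml --namespace "${namespace}" || exit 4
# … unchanged: status echo …
kubectl delete -f crd/deployment.yaml --namespace "${namespace}" 2>/dev/null
kubectl create -f crd/deployment.yaml --namespace "${namespace}" || exit 5
```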
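Review bot: The three added `echo "... is $..."` lines are debugging output written to stdout alongside the script's real output; drop them or redirect them with `>&2` so a caller that captures stdout is not confused. `certs/` is where `server-key.pem` is written further down the file, yet `mkdir ${destdir} || exit 1` creates it with the caller's umask; `mkdir -m 700 "${destdir}" || exit 1` keeps the directory private regardless of how openssl creates the key file inside it. The rest of the script, including the CSR configuration that consumes `serverIp`, is outside this hunk.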
@@ -29,8 +33,8 @@ EOF
 outKeyFile=${destdir}/server-key.pem
 outCertFile=${destdir}/server.crt
-openssl genrsa -out ${outKeyFile} 2048
-openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
+openssl genrsa -out ${outKeyFile} 2048 || exit 2
+openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3
 CSR_NAME=${service}.cert-request
 kubectl delete csr ${CSR_NAME} 2>/dev/null
@@ -50,8 +54,8 @@ spec:
 - server auth
 EOF
-kubectl certificate approve ${CSR_NAME}
-kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile}
+kubectl certificate approve ${CSR_NAME} || exit 4
+kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile} || exit 5
 echo "Generated:"
 echo ${outKeyFile}
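Review bot: The `openssl req` line still spells out `${destdir}/server-key.pem` although `outKeyFile` holds exactly that path two lines above it; use `-key "${outKeyFile}"` so the two cannot drift apart. The subject is only `/CN=${service}.${namespace}.svc`; whether a matching DNS SAN ends up in the request depends on `${tmpdir}/csr.conf`, which is written outside this hunk, and that is worth confirming because modern TLS verifiers ignore the CN. `CSR_NAME=${service}.cert-request` is a cluster-scoped object name that the approve step in the next hunk relies on by name alone.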
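Review bot: `kubectl certificate approve` returns as soon as the approval condition is recorded, but `.status.certificate` is filled in asynchronously by the signer, so the immediate `kubectl get csr ... | base64 --decode > ${outCertFile}` on the next line can write an empty `server.crt` and still succeed — and the appended `|| exit 5` only sees base64's status, never kubectl's, because a pipeline reports its last command. Poll until the field is non-empty and check kubectl's own exit status before decoding, as sketched below. Because the CSR name is cluster-scoped and the script approves by name alone, it is also worth comparing the fetched `.spec.request` with the locally generated `${tmpdir}/server.csr` before approving, so the script never approves an object it did not submit.
```shell
kubectl certificate approve ${CSR_NAME} || exit 4
# .status.certificate is populated by the signer after approval, not by the approve call itself
serverCert=""
for attempt in $(seq 1 30); do
  serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}') || exit 5
  [ -n "${serverCert}" ] && break
  sleep 1
done
[ -n "${serverCert}" ] || { echo "CSR ${CSR_NAME} was not signed in time" >&2; exit 5; }
echo "${serverCert}" | base64 --decode > ${outCertFile} || exit 5
# … unchanged: "Generated:" output …
```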