NK-8: Implemented a script for generating webhook server certificates, a script for building the Docker container with the webserver executable, and a script for deploying the webserver to the cluster. Provided YAMLs for the webhook Service and Deployment. Changed the YAML for the webhook configuration: the webhook server is now addressed as a Service.
This commit is contained in:
parent
88c90eaa4d
commit
c30f4d3119
6 changed files with 105 additions and 10 deletions
|
@ -1,17 +1,16 @@
|
||||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||||
kind: MutatingWebhookConfiguration
|
kind: MutatingWebhookConfiguration
|
||||||
metadata:
|
metadata:
|
||||||
name: nirmata-policy-mutation-webhook
|
name: nirmata-kube-policy-webhook-cfg
|
||||||
labels:
|
labels:
|
||||||
app: nirmata-policy-webhook-server
|
app: kube-policy
|
||||||
webhooks:
|
webhooks:
|
||||||
- name: mutation.webhook.nirmata-policy
|
- name: webhook.nirmata.kube-policy
|
||||||
clientConfig:
|
clientConfig:
|
||||||
service:
|
service:
|
||||||
name: nirmata-webhook-server
|
name: kube-policy-svc
|
||||||
namespace: default
|
namespace: default
|
||||||
path: "/mutate"
|
path: "/mutate"
|
||||||
caBundle: MIIC5zCCAc+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5pa3ViZUNBMB4XDTE5MDIwMzE1MjM0M1oXDTI5MDIwMTE1MjM0M1owFTETMBEGA1UEAxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOW3JNJEhX6syO6a+Vr8fezQUmHgJ+oUwYZbwIcb1TQKAGVoIPcN5nkBw11P6syjnrxoPt9HVq3/0mWJOacBgVtuAAZ4sQ8QevFwKmipTpTAC+SEBVhsypqO/1aLs2imbHQr2AVlCy2LxppX7lupl5ELwt9t5nSI3zuauezZ6ujkOCWcO52dGA3dIEXBiKiSQ4Svlqfnjpt7w8Frf6z77nmZSCbAXOf8jjPlObQGTFqzKq+gOmK3LzpANoY6VJSAjQP0jTTc7qC9u3KG53lbTectcBrcQnHRukUvfExI1YyYBTjekjN3DzTkjsn8FCar8hkR8/G4OnwZmiHgDVClrtsCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAPvhLvSaYjT32cqy8tR7KR6PyO3lWKt1Tg1R6IrzavSp+5q9AkQyJQmgsm6WcOsxVwFHDMb23iPzv5UDQPmhmJlGRtFgHbCXOYL+Gf/f/6atez5EzbX3T/tSZPF7ASGLSClEGtOwFUYcXqOeQtInPVPe26PbG5k+XCdqDL8HvrRvyKf5HkTt/5nMYMig5TBs6L1O+GGfvM8dTNwW8w3T0ZUMoF4CKVmhMynG47hWW1HGdvqj/NWp8VWqO6Mo+6pBGJrrMdb7IArN725jhZps2CaD1bpGYVIB4Ad65E6ZbSXl12xUq+RI/LfqIaRAALJkXK3v0bfiJ1+SPMWok0QxjJ
|
|
||||||
rules:
|
rules:
|
||||||
- operations: [ "CREATE" ]
|
- operations: [ "CREATE" ]
|
||||||
resources: [ "*/*" ]
|
resources: [ "*/*" ]
|
||||||
|
|
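Review bot: The `caBundle` under `clientConfig` is a committed certificate whose subject appears (from the base64) to be `minikubeCA`, so the API server will only trust the webhook on the single cluster that CA belongs to; since generate-server-cert.sh has the serving certificate signed by the cluster's own CSR signer, the bundle should be filled in at deploy time from the target cluster's CA (for example the kubeconfig's `certificate-authority-data`) rather than hard-coded. The rule `operations: [ "CREATE" ]` with `resources: [ "*/*" ]` and no `namespaceSelector` routes every create in every namespace — including kube-system components and the controller's own Deployment in `default` — through `kube-policy-svc`, and with `failurePolicy` unset the behaviour when that service is unreachable is whatever the API server defaults to. Set `failurePolicy` explicitly and narrow the rule with a `namespaceSelector` that excludes kube-system and the controller's namespace, or with a specific `resources` list. `apiGroups` and `apiVersions` do not appear in the hunk as rendered; if they are genuinely absent the rule is incomplete.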
28
crd/deployment.yaml
Normal file
28
crd/deployment.yaml
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
apiVersion: extensions/v1beta1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: kube-policy-deployment
|
||||||
|
labels:
|
||||||
|
app: kube-policy
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: kube-policy
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: kube-policy
|
||||||
|
image: nirmata/kube-policy:latest
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
args:
|
||||||
|
- -cert=/etc/kube-policy/certs/server.crt
|
||||||
|
- -key=/etc/kube-policy/certs/server-key.pem
|
||||||
|
volumeMounts:
|
||||||
|
- name: kube-policy-certs
|
||||||
|
mountPath: /etc/kube-policy/certs
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: kube-policy-certs
|
||||||
|
secret:
|
||||||
|
secretName: kube-policy-secret
|
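Review bot: `image: nirmata/kube-policy:latest` together with `imagePullPolicy: IfNotPresent` means a node that already has any `latest` image cached keeps running it after compile-image.sh pushes a new build, and nothing ties the running container to a reviewed artifact; pin an immutable tag or digest, or at minimum use `imagePullPolicy: Always` while `:latest` is kept. The container also has no `securityContext` and no resource requests/limits, so the admission server runs as the image's default user (root, since the Dockerfile written by compile-image.sh sets no `USER`) with no CPU or memory bounds. A minimal hardening is below; `runAsNonRoot` is left out because the Service targets port 443 and the hunk does not show which port the binary binds, so confirm that before adding it, and confirm the server writes nothing to its root filesystem before keeping `readOnlyRootFilesystem`.
```yaml
containers:
  - name: kube-policy
    image: nirmata/kube-policy:latest  # TODO: pin to a reviewed tag or digest
    imagePullPolicy: Always
    # … unchanged: args, volumeMounts …
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
```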
12
crd/service.yaml
Normal file
12
crd/service.yaml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: kube-policy-svc
|
||||||
|
labels:
|
||||||
|
app: kube-policy
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- port: 443
|
||||||
|
targetPort: 443
|
||||||
|
selector:
|
||||||
|
app: kube-policy
|
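Review bot: The Service carries no `metadata.namespace`, so `kubectl create -f crd/service.yaml` in deploy-controller.sh (which passes no `--namespace`) places it in the current context's namespace, while the webhook configuration hard-codes `namespace: default` for `kube-policy-svc` and generate-server-cert.sh issues the certificate for `${service}.${namespace}.svc` from the script's namespace argument; if those three disagree the API server cannot reach or verify the webhook. The same gap applies to crd/deployment.yaml, which mounts `kube-policy-secret` — created with `--namespace ${namespace}` — from whichever namespace the Deployment happens to land in. Either add `namespace: default` to both manifests, or pass `--namespace "${namespace}"` on every kubectl call and derive the webhook's `namespace` from the same value.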
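--- /dev/null
+++ b/scripts/compile-image.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+version="latest"
+
+echo "# Ensuring Go dependencies..."
+#dep ensure || exit 2
+
+echo "# Building executable ${project_name}..."
+CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o ${project_name} . || exit 3
+
+echo "# Building docker image ${hub_user_name}/${project_name}:${version}"
+cat <<EOF > Dockerfile
+FROM alpine:latest
+WORKDIR ~/
+ADD ${project_name} ./${project_name}
+ENTRYPOINT ["./${project_name}"]
+EOF
+tag="${hub_user_name}/${project_name}:${version}"
+docker build --no-cache -t "${tag}" . || exit 4
+
+echo "# Pushing image to repository..."
+docker push "${tag}" || exit 5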
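Review bot: `WORKDIR ~/` in the generated Dockerfile is not tilde-expanded by Docker (WORKDIR takes a literal path), so the binary ends up in a directory literally named `~` under `/`; use an absolute path such as `WORKDIR /app`. `FROM alpine:latest` makes every build pick up whatever that tag points to at build time, so two builds of the same commit can differ in their base layers; pin the base image to a specific tag or digest (`FROM alpine:<pinned-tag-or-digest>`, placeholder). The image is also pushed immediately after building with no scan or signature step in between, which is worth noting in the script header so a later CI job can add one.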
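--- /dev/null
+++ b/scripts/deploy-controller.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+hub_user_name="nirmata"
+project_name="kube-policy"
+echo ${1}
+namespace=${1}
+if [ ${namespace} -eq "" ]; then
+echo "Specify target namespace in the first parameter"
+exit 1
+fi
+
+service_name="${project_name}-svc"
+echo "Generating certificate for the service ${service_name}..."
+serverIp="192.168.10.177" #TODO: ! Read it from ~/.kube/config !
+certsGenerator="./scripts/generate-server-cert.sh"
+chmod +x "${certsGenerator}"
+${certsGenerator} ${service_name} ${namespace} ${serverIp} || exit 2
+
+secret_name="${project_name}-secret"
+echo "Generating secret ${secret_name}..."
+kubectl delete secret "${secret_name}" 2>/dev/null
+kubectl create secret generic ${secret_name} --namespace ${namespace} --from-file=./certs || exit 3
+
+echo "Creating the service ${service_name}..."
+kubectl delete -f crd/service.yaml
+kubectl create -f crd/service.yaml || exit 4
+
+echo "Creating deployment..."
+kubectl delete -f crd/deployment.yaml
+kubectl create -f crd/deployment.yaml || exit 5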
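Review bot: `if [ ${namespace} -eq "" ]` never rejects a missing argument: `-eq` is an integer comparison, so with no argument the test is `[ -eq "" ]` (an "unary operator expected" error, exit 2, and the script carries on with an empty namespace) and with any argument it is an "integer expression expected" error that also evaluates false; write `if [ -z "${namespace}" ]; then`. `kubectl delete secret "${secret_name}" 2>/dev/null` omits `--namespace "${namespace}"` while the `create` on the next line passes it, so on a non-default namespace the stale secret survives and the re-create fails with AlreadyExists (exit 3). The debugging `echo ${1}` can go, and the hard-coded `serverIp` already carries a TODO — until it is read from the cluster, the certificates generated here are only valid for that one address.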
@ -3,9 +3,13 @@ service=${1}
|
||||||
namespace=${2}
|
namespace=${2}
|
||||||
serverIp=${3}
|
serverIp=${3}
|
||||||
|
|
||||||
|
echo "service is $service"
|
||||||
|
echo "namespace is $namespace"
|
||||||
|
echo "serverIp is $serverIp"
|
||||||
|
|
||||||
destdir="certs"
|
destdir="certs"
|
||||||
if [ ! -d "$destdir" ]; then
|
if [ ! -d "$destdir" ]; then
|
||||||
mkdir ${destdir}
|
mkdir ${destdir} || exit 1
|
||||||
fi
|
fi
|
||||||
tmpdir=$(mktemp -d)
|
tmpdir=$(mktemp -d)
|
||||||
|
|
||||||
|
@ -29,8 +33,8 @@ EOF
|
||||||
outKeyFile=${destdir}/server-key.pem
|
outKeyFile=${destdir}/server-key.pem
|
||||||
outCertFile=${destdir}/server.crt
|
outCertFile=${destdir}/server.crt
|
||||||
|
|
||||||
openssl genrsa -out ${outKeyFile} 2048
|
openssl genrsa -out ${outKeyFile} 2048 || exit 2
|
||||||
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf
|
openssl req -new -key ${destdir}/server-key.pem -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf || exit 3
|
||||||
|
|
||||||
CSR_NAME=${service}.cert-request
|
CSR_NAME=${service}.cert-request
|
||||||
kubectl delete csr ${CSR_NAME} 2>/dev/null
|
kubectl delete csr ${CSR_NAME} 2>/dev/null
|
||||||
|
@ -50,8 +54,8 @@ spec:
|
||||||
- server auth
|
- server auth
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
kubectl certificate approve ${CSR_NAME}
|
kubectl certificate approve ${CSR_NAME} || exit 4
|
||||||
kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile}
|
kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile} || exit 5
|
||||||
|
|
||||||
echo "Generated:"
|
echo "Generated:"
|
||||||
echo ${outKeyFile}
|
echo ${outKeyFile}
|
||||||
|
|
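Review bot: In the third hunk (`@ -50,8 +54,8`), the `|| exit 5` added to `kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}' | base64 --decode > ${outCertFile}` only tests the last command of the pipeline, and `kubectl certificate approve` returns before the signer has populated `.status.certificate`, so a first run can decode an empty string and write an empty `server.crt` with exit status 0; deploy-controller.sh then packs that empty file into the secret. Poll until the certificate field is non-empty and fail when it never appears (below). In the second hunk, `openssl genrsa -out ${outKeyFile} 2048 || exit 2` writes the private key with the caller's default umask (typically world-readable) into `certs/`, which stays on the operator's machine after the secret is created; a `umask 077` before the call, or `chmod 600 "${outKeyFile}"` after it, limits that exposure. These lines are top-level script statements, not inside a function.
```bash
kubectl certificate approve ${CSR_NAME} || exit 4
# Approval is asynchronous: wait until the signer has populated .status.certificate
serverCert=""
for _ in $(seq 1 10); do
  serverCert=$(kubectl get csr ${CSR_NAME} -o jsonpath='{.status.certificate}')
  [ -n "${serverCert}" ] && break
  sleep 1
done
[ -n "${serverCert}" ] || { echo "certificate for ${CSR_NAME} was not issued" >&2; exit 5; }
echo "${serverCert}" | base64 --decode > ${outCertFile} || exit 5
# … unchanged: "Generated:" echo lines …
```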