[stable/field-exporter] add validating webhook configuration (#556)

deliveryhero · Jan 2, 2024 · 8829afb · 8829afb
1 parent ee9c471
commit 8829afb
Show file tree

Hide file tree

Showing 10 changed files with 196 additions and 21 deletions.
diff --git a/stable/field-exporter/Chart.yaml b/stable/field-exporter/Chart.yaml
@@ -4,8 +4,8 @@ description: |
   A chart to install [field-exporter](https://github.com/deliveryhero/field-exporter). This controller is used to fill the gap in [k8s-config-connector](https://github.com/GoogleCloudPlatform/k8s-config-connector) for exporting value from Config Connector managed resources into Secrets and ConfigMaps.
 
 type: application
-version: 1.1.0
-appVersion: "v1.1.0"
+version: 1.3.0
+appVersion: "v1.3.0"
 home: https://github.com/deliveryhero/field-exporter
 sources:
   - https://github.com/deliveryhero/field-exporter

diff --git a/stable/field-exporter/README.md b/stable/field-exporter/README.md
@@ -1,6 +1,6 @@
 # field-exporter
 
-![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square)
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.3.0](https://img.shields.io/badge/AppVersion-v1.3.0-informational?style=flat-square)
 
 A chart to install [field-exporter](https://github.com/deliveryhero/field-exporter). This controller is used to fill the gap in [k8s-config-connector](https://github.com/GoogleCloudPlatform/k8s-config-connector) for exporting value from Config Connector managed resources into Secrets and ConfigMaps.
 
@@ -46,26 +46,34 @@ helm install my-release deliveryhero/field-exporter -f values.yaml
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| controllerManager.manager.args[0] | string | `"--health-probe-bind-address=:8081"` |  |
-| controllerManager.manager.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` |  |
-| controllerManager.manager.args[2] | string | `"--leader-elect"` |  |
+| cluster.dnsDomain | string | `"cluster.local"` |  |
+| controllerManager.manager.args[0] | string | `"--leader-elect"` |  |
 | controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controllerManager.manager.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | controllerManager.manager.image.repository | string | `"europe-docker.pkg.dev/dp-common-infra-5780/developer-platform-public/deliveryhero/field-exporter"` |  |
-| controllerManager.manager.image.tag | string | `"v1.1.0"` |  |
+| controllerManager.manager.image.tag | string | `"v1.3.0"` |  |
 | controllerManager.manager.resources.limits.cpu | string | `"500m"` |  |
 | controllerManager.manager.resources.limits.memory | string | `"128Mi"` |  |
 | controllerManager.manager.resources.requests.cpu | string | `"10m"` |  |
 | controllerManager.manager.resources.requests.memory | string | `"128Mi"` |  |
 | controllerManager.podLabels | object | `{}` |  |
 | controllerManager.replicas | int | `1` |  |
 | controllerManager.serviceAccount.annotations | object | `{}` |  |
+| enableCertManager | bool | `false` |  |
+| keepTLSSecret | bool | `false` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` |  |
 | metricsService.ports[0].name | string | `"https"` |  |
 | metricsService.ports[0].port | int | `8443` |  |
 | metricsService.ports[0].protocol | string | `"TCP"` |  |
 | metricsService.ports[0].targetPort | string | `"https"` |  |
 | metricsService.type | string | `"ClusterIP"` |  |
+| webhookService.ports[0].port | int | `443` |  |
+| webhookService.ports[0].protocol | string | `"TCP"` |  |
+| webhookService.ports[0].targetPort | int | `9443` |  |
+| webhookService.type | string | `"ClusterIP"` |  |
+| webhookTLS.caCert | string | `nil` |  |
+| webhookTLS.cert | string | `nil` |  |
+| webhookTLS.key | string | `nil` |  |
 
 ## Maintainers
 

diff --git a/stable/field-exporter/templates/_helpers.tpl b/stable/field-exporter/templates/_helpers.tpl
@@ -60,3 +60,42 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the webhook service
+*/}}
+{{- define "field-exporter.webhookService" -}}
+{{- printf "%s-webhook-service" (include "field-exporter.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Create the name of the webhook cert secret
+*/}}
+{{- define "field-exporter.webhookCertSecret" -}}
+{{- printf "%s-tls" (include "field-exporter.name" .) -}}
+{{- end -}}
+
+{{/*
+Generate certificates for webhook
+*/}}
+{{- define "field-exporter.webhookCerts" -}}
+{{- $serviceName := (include "field-exporter.webhookService" .) -}}
+{{- $secretName := (include "field-exporter.webhookCertSecret" .) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
+caCert: {{ .Values.webhookTLS.caCert | b64enc }}
+clientCert: {{ .Values.webhookTLS.cert | b64enc }}
+clientKey: {{ .Values.webhookTLS.key | b64enc }}
+{{- else if and .Values.keepTLSSecret $secret -}}
+caCert: {{ index $secret.data "ca.crt" }}
+clientCert: {{ index $secret.data "tls.crt" }}
+clientKey: {{ index $secret.data "tls.key" }}
+{{- else -}}
+{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}}
+{{- $ca := genCA "field-exporter-ca" 3650 -}}
+{{- $cert := genSignedCert (include "field-exporter.fullname" .) nil $altNames 3650 $ca -}}
+caCert: {{ $ca.Cert | b64enc }}
+clientCert: {{ $cert.Cert | b64enc }}
+clientKey: {{ $cert.Key | b64enc }}
+{{- end -}}
+{{- end -}}
diff --git a/stable/field-exporter/templates/deployment.yaml b/stable/field-exporter/templates/deployment.yaml
@@ -28,14 +28,21 @@ spec:
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
+        - name: ENABLE_WEBHOOKS
+          value: "true"
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
+          | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
             path: /healthz
             port: 8081
           initialDelaySeconds: 15
           periodSeconds: 20
         name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
         readinessProbe:
           httpGet:
             path: /readyz
@@ -46,7 +53,16 @@ spec:
           }}
         securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
           | nindent 10 }}
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: {{ include "field-exporter.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ template "field-exporter.webhookCertSecret" . }}
diff --git a/stable/field-exporter/templates/leader-election-rbac.yaml b/stable/field-exporter/templates/leader-election-rbac.yaml
@@ -53,4 +53,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "field-exporter.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/stable/field-exporter/templates/manager-rbac.yaml b/stable/field-exporter/templates/manager-rbac.yaml
@@ -6,23 +6,23 @@ metadata:
   {{- include "field-exporter.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - ""
+  - alloydb.cnrm.cloud.google.com
   resources:
-  - configmaps
-  - secrets
+  - '*'
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
-  - alloydb.cnrm.cloud.google.com
+  - ""
   resources:
-  - '*'
+  - configmaps
+  - secrets
   verbs:
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - gdp.deliveryhero.io
@@ -99,4 +99,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "field-exporter.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/stable/field-exporter/templates/serviceaccount.yaml b/stable/field-exporter/templates/serviceaccount.yaml
@@ -5,4 +5,4 @@ metadata:
   labels:
   {{- include "field-exporter.labels" . | nindent 4 }}
   annotations:
-    {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
+    {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
diff --git a/stable/field-exporter/templates/webhook-service.yaml b/stable/field-exporter/templates/webhook-service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-webhook-service
+  labels:
+    app.kubernetes.io/component: webhook
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.webhookService.type }}
+  selector:
+    control-plane: controller-manager
+  {{- include "field-exporter.selectorLabels" . | nindent 4 }}
+  ports:
+	{{- .Values.webhookService.ports | toYaml | nindent 2 -}}
diff --git a/stable/field-exporter/templates/webhook.yaml b/stable/field-exporter/templates/webhook.yaml
@@ -0,0 +1,75 @@
+{{ $tls := fromYaml ( include "field-exporter.webhookCerts" . ) }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-validating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "field-exporter.fullname" . }}-serving-cert
+  labels:
+  {{- include "field-exporter.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    {{ if not $.Values.enableCertManager -}}
+    caBundle: {{ $tls.caCert }}
+    {{ end }}
+    service:
+      name: '{{ include "field-exporter.fullname" . }}-webhook-service'
+      namespace: '{{ .Release.Namespace }}'
+      path: /validate-gdp-deliveryhero-io-v1alpha1-resourcefieldexport
+  failurePolicy: Fail
+  name: vresourcefieldexport.kb.io
+  rules:
+  - apiGroups:
+    - gdp.deliveryhero.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - resourcefieldexports
+  sideEffects: None
+---
+{{- if .Values.enableCertManager }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-selfsigned-issuer
+  labels:
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-serving-cert
+  labels:
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+    - '{{ include "field-exporter.fullname" . }}-webhook-service.{{ .Release.Namespace
+    }}.svc'
+    - '{{ include "field-exporter.fullname" . }}-webhook-service.{{ .Release.Namespace
+    }}.svc.{{ .Values.kubernetesClusterDomain }}'
+  issuerRef:
+    kind: Issuer
+    name: '{{ include "field-exporter.fullname" . }}-selfsigned-issuer'
+  secretName: {{ template "field-exporter.webhookCertSecret" . }}
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "field-exporter.webhookCertSecret" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "field-exporter.labels" . | indent 4 }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ $tls.caCert }}
+  tls.crt: {{ $tls.clientCert }}
+  tls.key: {{ $tls.clientKey }}
+{{- end}}
diff --git a/stable/field-exporter/values.yaml b/stable/field-exporter/values.yaml
@@ -1,8 +1,6 @@
 controllerManager:
   manager:
     args:
-    - --health-probe-bind-address=:8081
-    - --metrics-bind-address=127.0.0.1:8080
     - --leader-elect
     containerSecurityContext:
       allowPrivilegeEscalation: false
@@ -11,7 +9,7 @@ controllerManager:
         - ALL
     image:
       repository: europe-docker.pkg.dev/dp-common-infra-5780/developer-platform-public/deliveryhero/field-exporter
-      tag: v1.1.0
+      tag: v1.3.0
     resources:
       limits:
         cpu: 500m
@@ -31,3 +29,26 @@ metricsService:
     protocol: TCP
     targetPort: https
   type: ClusterIP
+webhookService:
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443
+  type: ClusterIP
+
+# webhookTLS specifies TLS cert/key for the webhook
+webhookTLS:
+  caCert:
+  cert:
+  key:
+
+# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade
+keepTLSSecret: false
+
+# Enable cert-manager
+enableCertManager: false
+
+# cluster contains configurations specific to the kubernetes cluster
+cluster:
+  # Cluster DNS domain (required for requesting TLS certificates)
+  dnsDomain: cluster.local