Fix Helm chart namespace and handle webhooks certificates creation

seaweedfs · May 14, 2024 · 718db3a · 718db3a
1 parent 9620476
commit 718db3a
Show file tree

Hide file tree

Showing 9 changed files with 187 additions and 21 deletions.
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -27,7 +27,6 @@ A Helm chart for the seaweedfs-operator
 | port.name                       | string | `"http"`                        | name of the container port to use for the Kubernete service and ingress                                                                                                                                              |
 | port.number                     | int    | `8080`                          | container port number to use for the Kubernete service and ingress                                                                                                                                                   |
 | rbac.serviceAccount.name        | string | `"default"`                     | name of the Kubernetes service account to create                                                                                                                                                                     |
-| rbac.serviceAccount.namespace   | string | `"operators"`                   | Kubernetes namespace to create the Kubernetes service account in                                                                                                                                                     |
 | replicaCount                    | int    | `1`                             | Set number of pod replicas                                                                                                                                                                                           |
 | resources.limits.cpu            | string | `"500m"`                        | seaweedfs-operator containers' cpu limit (maximum allowes CPU)                                                                                                                                                       |
 | resources.limits.memory         | string | `"500Mi"`                       | seaweedfs-operator containers' memory limit (maximum allowes memory)                                                                                                                                                 |
@@ -39,7 +38,6 @@ A Helm chart for the seaweedfs-operator
 | serviceMonitor.enabled          | bool   | `true`                          | Enable or disable ServiceMonitor for prometheus metrics                                                                                                                                                              |
 | serviceMonitor.honorLabels      | bool   | `true`                          | Specify honorLabels parameter to add the scrape endpoint                                                                                                                                                             |
 | serviceMonitor.interval         | string | `"10s"`                         | Specify the interval at which metrics should be scraped                                                                                                                                                              |
-| serviceMonitor.namespace        | string | `""`                            | Specify the namespace in which the serviceMonitor resource will be created                                                                                                                                           |
 | serviceMonitor.scrapeTimeout    | string | `"10s"`                         | Specify the timeout after which the scrape is ended                                                                                                                                                                  |
 | webhook.enabled                 | bool   | `true`                          | Enable or disable webhooks                                                                                                                                                                                           |
 

diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
@@ -38,4 +38,26 @@ spec:
         {{- if .Values.resources }}
         resources: {{- toYaml .Values.resources | nindent 12 }}
         {{- end }}
+        {{- if .Values.webhook.enabled }}
+        ports:
+        - name: https
+          containerPort: 443
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+        {{- end }}
       terminationGracePeriodSeconds: 10
+      {{- if .Values.webhook.enabled }}
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: {{ include "seaweedfs-operator.fullname" . }}-webhook-server-cert
+          items:
+          - key: cert
+            path: tls.crt
+          - key: key
+            path: tls.key
+      {{- end }}
diff --git a/deploy/helm/templates/rbac/leader_election_role_binding.yaml b/deploy/helm/templates/rbac/leader_election_role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.rbac.serviceAccount.name }}
-  namespace: {{ .Values.rbac.serviceAccount.namespace }}
+  namespace: {{ .Release.Namespace }}
diff --git a/deploy/helm/templates/rbac/role_binding.yaml b/deploy/helm/templates/rbac/role_binding.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.rbac.serviceAccount.name }}
-  namespace: {{ .Values.rbac.serviceAccount.namespace }}
+  namespace: {{ .Release.Namespace }}
diff --git a/deploy/helm/templates/webhook/job-update-webhook-certificates.yaml b/deploy/helm/templates/webhook/job-update-webhook-certificates.yaml
@@ -0,0 +1,149 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-create-webhook-certificates
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+      containers:
+      - name: certgen
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0
+        args:
+          - create
+          - --host={{ include "seaweedfs-operator.fullname" . }}-webhook,{{ include "seaweedfs-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+          - --namespace=$(POD_NAMESPACE)
+          - --secret-name={{ include "seaweedfs-operator.fullname" . }}-webhook-server-cert
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-patch-mutating-webhook
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+      containers:
+      - name: certgen
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0
+        args:
+          - patch
+          - --webhook-name=mutating-webhook-configuration
+          - --namespace=$(POD_NAMESPACE)
+          - --patch-mutating=true
+          - --patch-validating=false
+          - --secret-name={{ include "seaweedfs-operator.fullname" . }}-webhook-server-cert
+          - --patch-failure-policy=Fail
+
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-patch-validating-webhook
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+      containers:
+      - name: certgen
+        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231011-8b53cabe0
+        args:
+          - patch
+          - --webhook-name=validating-webhook-configuration
+          - --namespace=$(POD_NAMESPACE)
+          - --patch-mutating=false
+          - --patch-validating=true
+          - --secret-name={{ include "seaweedfs-operator.fullname" . }}-webhook-server-cert
+          - --patch-failure-policy=Fail
+
+        env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "seaweedfs-operator.fullname" . }}-update-webhook-certificates
+    namespace: {{ .Release.Namespace }}
diff --git a/deploy/helm/templates/webhook/mutating-webhook.yaml b/deploy/helm/templates/webhook/mutating-webhook.yaml
@@ -7,12 +7,11 @@ metadata:
   name: mutating-webhook-configuration
 webhooks:
 - clientConfig:
-    caBundle: Cg==
     service:
-      name: webhook-service
-      namespace: system
+      name: {{ include "seaweedfs-operator.fullname" . }}-webhook
+      namespace: {{ .Release.Namespace }}
+      port: 443
       path: /mutate-seaweed-seaweedfs-com-v1-seaweed
-  failurePolicy: Fail
   name: mseaweed.kb.io
   sideEffects: None
   admissionReviewVersions:
@@ -29,4 +28,4 @@ webhooks:
     resources:
     - seaweeds
 
-{{- end }}
+{{- end }}
diff --git a/deploy/helm/templates/webhook/service.yaml b/deploy/helm/templates/webhook/service.yaml
@@ -3,13 +3,16 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: webhook-service
-  namespace: system
+  name: {{ include "seaweedfs-operator.fullname" . }}-webhook
+  labels:
+    app: {{ include "seaweedfs-operator.fullname" . }}
 spec:
+  type: ClusterIP
   ports:
-    - port: 443
+    - name: https
+      port: 443
       targetPort: 9443
   selector:
-    control-plane: controller-manager
+    app: {{ include "seaweedfs-operator.fullname" . }}
 
 {{- end }}
diff --git a/deploy/helm/templates/webhook/validating-webhook.yaml b/deploy/helm/templates/webhook/validating-webhook.yaml
@@ -7,12 +7,11 @@ metadata:
   name: validating-webhook-configuration
 webhooks:
 - clientConfig:
-    caBundle: Cg==
     service:
-      name: webhook-service
-      namespace: system
+      name: {{ include "seaweedfs-operator.fullname" . }}-webhook
+      namespace: {{ .Release.Namespace }}
+      port: 443
       path: /validate-seaweed-seaweedfs-com-v1-seaweed
-  failurePolicy: Fail
   name: vseaweed.kb.io
   sideEffects: None
   admissionReviewVersions:

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -21,8 +21,6 @@ rbac:
   serviceAccount:
     # -- name of the Kubernetes service account to create
     name: default
-    # -- Kubernetes namespace to create the Kubernetes service account in
-    namespace: operators
 
 image:
   registry: chrislusf
@@ -70,8 +68,6 @@ grafanaDashboard:
 serviceMonitor:
   # -- Enable or disable ServiceMonitor for prometheus metrics
   enabled: true
-  # -- Specify the namespace in which the serviceMonitor resource will be created
-  namespace: ""
   # -- Specify the interval at which metrics should be scraped
   interval: 10s
   # -- Specify the timeout after which the scrape is ended