feat(webhook): mutating webhook manifests (#12)

* feat(webhook): mutating webhook manifests * chore: version bump * inbound ports and merge conflicts * fix: annotations in the wrong place
openmfp · Nov 19, 2024 · 430da7a · 430da7a
1 parent daa0b87
commit 430da7a
Show file tree

Hide file tree

Showing 8 changed files with 972 additions and 14 deletions.
diff --git a/charts/account-operator/Chart.yaml b/charts/account-operator/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: account-operator
 description: A Helm chart for Kubernetes
 type: application
-version: 0.4.4
+version: 0.4.5
 appVersion: "0.98.0"
 dependencies:
   - name: account-operator-crds

diff --git a/charts/account-operator/templates/deployment.yaml b/charts/account-operator/templates/deployment.yaml
@@ -3,6 +3,10 @@ kind: Deployment
 metadata:
   name: {{ include "entity.name" . }}
   namespace: {{ .Release.Namespace }}
+  {{- if .Values.webhooks.enabled }}
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "entity.name" . }}-serving-cert
+  {{- end }}
 spec:
   revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }}
   selector:
@@ -16,12 +20,13 @@ spec:
         {{- with .Values.deployment.specTemplate.labels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{ if .Values.deployment.specTemplate.annotations }}
       annotations:
         {{- with .Values.deployment.specTemplate.annotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- end }}
+        {{- if .Values.webhooks.enabled }}
+        traffic.sidecar.istio.io/excludeInboundPorts: "9443"
+        {{- end }}
     spec:
       serviceAccountName: {{ include "entity.name" . }}
       containers:
@@ -41,6 +46,11 @@ spec:
           - name: health-port
             containerPort: {{ .Values.health.port }}
             protocol: TCP
+          {{- if .Values.webhooks.enabled }}
+          - name: webhook-port
+            containerPort: 9443
+            protocol: TCP
+          {{- end }}
           livenessProbe:
             httpGet:
               path: /healthz
@@ -83,22 +93,37 @@ spec:
             value: "{{ .Values.kcp.enabled }}"
           - name: KCP_VIRTUAL_WORKSPACE_URL
             value: "{{ .Values.kcp.virtualWorkspaceUrl }}"
+          - name: WEBHOOKS_ENABLED
+            value: "{{ .Values.webhooks.enabled }}"
+          - name: WEBHOOKS_CERT_DIR
+            value: "{{ .Values.webhooks.certDir }}"
           {{- if .Values.kubeconfigSecret }}
           - name: KUBECONFIG
             value: /api-kubeconfig/kubeconfig
           {{- end }}
-          {{- if .Values.kubeconfigSecret }}
           volumeMounts:
+          {{- if .Values.kubeconfigSecret }}
             - name: external-api-server
               mountPath: /api-kubeconfig
           {{- end }}
+          {{- if .Values.webhooks.enabled }}
+          - mountPath: {{ .Values.webhooks.certPath }}
+            name: cert
+            readOnly: true
+          {{- end }}
       terminationGracePeriodSeconds: 10
       volumes:
         {{- if .Values.kubeconfigSecret }}
         - name: external-api-server
           secret:
             secretName: {{ .Values.kubeconfigSecret }}
         {{- end }}
+        {{- if .Values.webhooks.enabled }}
+        - name: cert
+          secret:
+            defaultMode: 420
+            secretName: {{ include "entity.name" . }}-webhook-server-cert
+        {{- end }}
 
 
 
diff --git a/charts/account-operator/templates/webhook/mutation-webhook.yaml b/charts/account-operator/templates/webhook/mutation-webhook.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.webhooks.enabled -}}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "entity.name" . }}-mutating-webhook-configuration
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "entity.name" . }}-serving-cert
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "entity.name" . }}-webhook
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-core-openmfp-io-v1alpha1-account
+  failurePolicy: Fail
+  name: maccount.kb.io
+  rules:
+  - apiGroups:
+    - core.openmfp.io
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    resources:
+    - accounts
+  sideEffects: None
+{{- end -}}
diff --git a/charts/account-operator/templates/webhook/pki.yaml b/charts/account-operator/templates/webhook/pki.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.webhooks.enabled -}}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "entity.name" . }}-selfsigned-issuer
+  namespace: {{ .Release.namespace }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "entity.name" . }}-serving-cert
+  namespace: {{ .Release.namespace }}
+spec:
+  dnsNames:
+  - {{ include "entity.name" . }}-webhook.{{ .Release.Namespace }}.svc
+  - {{ include "entity.name" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    kind: Issuer
+    name: selfsigned-issuer
+  secretName: {{ include "entity.name" . }}-webhook-server-cert
+{{- end -}}
diff --git a/charts/account-operator/templates/webhook/service.yaml b/charts/account-operator/templates/webhook/service.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.webhooks.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "entity.name" . }}-webhook
+  namespace: system
+spec:
+  ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 9443
+  selector:
+    service: {{ include "entity.name" . }}
+    control-plane: controller-manager
+{{- end -}}