simon/cert-manager-webhook-manitu
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update Helm chart and Dockerfile

Browse Source 
Signed-off-by: James Munnelly <james@munnelly.eu>
This commit is contained in:
James Munnelly 2019-04-29 17:55:26 +01:00
parent 2764e68e07
commit 3935fd70e7
9 changed files with 155 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -10,3 +10,6 @@
# Output of the go coverage tool, specifically when used with LiteIDE # Output of the go coverage tool, specifically when used with LiteIDE
*.out *.out
# Ignore the built binary
cert-manager-webhook-example

24
Dockerfile
View File

@ -1,7 +1,25 @@
FROM golang:1.12.1 FROM golang:1.12.4-alpine AS build_deps
COPY . /workspace RUN apk add --no-cache git
WORKDIR /workspace WORKDIR /workspace
RUN go build ENV GO111MODULE=on
COPY go.mod .
COPY go.sum .
RUN go mod download
FROM build_deps AS build
COPY . .
RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
FROM alpine:3.9
RUN apk add --no-cache ca-certificates
COPY --from=build /workspace/webhook /usr/local/bin/webhook
ENTRYPOINT ["webhook"]

18
deploy/example-webhook/templates/apiservice.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.{{ .Values.groupName }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
group: {{ .Values.groupName }}
groupPriorityMinimum: 1000
versionPriority: 15
insecureSkipTLSVerify: true
service:
name: {{ include "example-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
version: v1alpha1

18
deploy/example-webhook/templates/deployment.yaml
View File

@ -19,22 +19,28 @@ spec:
app: {{ include "example-webhook.name" . }} app: {{ include "example-webhook.name" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
spec: spec:
serviceAccountName: {{ include "example-webhook.fullname" . }}
containers: containers:
- name: {{ .Chart.Name }} - name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: GROUP_NAME
value: {{ .Values.groupName | quote }}
ports: ports:
- name: http - name: https
containerPort: 80 containerPort: 443
protocol: TCP protocol: TCP
livenessProbe: livenessProbe:
httpGet: httpGet:
path: / scheme: HTTPS
port: http path: /healthz
port: https
readinessProbe: readinessProbe:
httpGet: httpGet:
path: / scheme: HTTPS
port: http path: /healthz
port: https
resources: resources:
{{ toYaml .Values.resources | indent 12 }} {{ toYaml .Values.resources | indent 12 }}
{{- with .Values.nodeSelector }} {{- with .Values.nodeSelector }}

38
deploy/example-webhook/templates/ingress.yaml
View File

@ -1,38 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "example-webhook.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ . | quote }}
http:
paths:
- path: {{ $ingressPath }}
backend:
serviceName: {{ $fullName }}
servicePort: http
{{- end }}
{{- end }}

90
deploy/example-webhook/templates/rbac.yaml Normal file
View File

@ -0,0 +1,90 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "example-webhook.fullname" . }}
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "example-webhook.fullname" . }}:webhook-authentication-reader
namespace: kube-system
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "example-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ include "example-webhook.fullname" . }}:auth-delegator
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "example-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ include "example-webhook.fullname" . }}:domain-solver
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- {{ .Values.groupName }}
resources:
- '*'
verbs:
- 'create'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ include "example-webhook.fullname" . }}:domain-solver
labels:
app: {{ include "example-webhook.name" . }}
chart: {{ include "example-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace }}

4
deploy/example-webhook/templates/service.yaml
View File

@ -11,9 +11,9 @@ spec:
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
ports: ports:
- port: {{ .Values.service.port }} - port: {{ .Values.service.port }}
targetPort: http targetPort: https
protocol: TCP protocol: TCP
name: http name: https
selector: selector:
app: {{ include "example-webhook.name" . }} app: {{ include "example-webhook.name" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}

6
deploy/example-webhook/values.yaml
View File

@ -8,6 +8,10 @@
# here is recommended. # here is recommended.
groupName: acme.mycompany.com groupName: acme.mycompany.com
certManager:
namespace: cert-manager
serviceAccountName: cert-manager
image: image:
repository: mycompany/webhook-image repository: mycompany/webhook-image
tag: stable tag: stable
@ -18,7 +22,7 @@ fullnameOverride: ""
service: service:
type: ClusterIP type: ClusterIP
port: 80 port: 443
ingress: ingress:
enabled: false enabled: false

9
main.go
View File

@ -8,8 +8,8 @@ import (
//"k8s.io/client-go/kubernetes" //"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest" "k8s.io/client-go/rest"
"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
"github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1" "github.com/jetstack/cert-manager/pkg/acme/webhook/apis/acme/v1alpha1"
"github.com/jetstack/cert-manager/pkg/acme/webhook/cmd"
) )
const GroupName = "acme.mycompany.com" const GroupName = "acme.mycompany.com"
@ -88,7 +88,7 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
fmt.Printf("Decoded configuration %v", cfg) fmt.Printf("Decoded configuration %v", cfg)
// TODO: add code that sets a record in the DNS provider's console // TODO: add code that sets a record in the DNS provider's console
panic("implement me") return nil
} }
// CleanUp should delete the relevant TXT record from the DNS provider console. // CleanUp should delete the relevant TXT record from the DNS provider console.
@ -99,7 +99,7 @@ func (c *customDNSProviderSolver) Present(ch *v1alpha1.ChallengeRequest) error {
// concurrently. // concurrently.
func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error { func (c *customDNSProviderSolver) CleanUp(ch *v1alpha1.ChallengeRequest) error {
// TODO: add code that deletes a record from the DNS provider's console // TODO: add code that deletes a record from the DNS provider's console
panic("implement me") return nil
} }
// Initialize will be called when the webhook first starts. // Initialize will be called when the webhook first starts.
@ -123,8 +123,7 @@ func (c *customDNSProviderSolver) Initialize(kubeClientConfig *rest.Config, stop
//c.client = cl //c.client = cl
///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE ///// END OF CODE TO MAKE KUBERNETES CLIENTSET AVAILABLE
return nil
panic("implement me")
} }
// loadConfig is a small helper function that decodes JSON configuration into // loadConfig is a small helper function that decodes JSON configuration into