From 67d8b822d9cc15a8cdf7583949add432239c4b80 Mon Sep 17 00:00:00 2001
From: abirsigron
Date: Wed, 19 Jul 2023 21:54:53 +0300
Subject: [PATCH] Update helm chart to be compatible with latest version of kubemod (#22)
* Upgrade chart with all changes
* fix cert job
* added section to remind labelin the namespace
* bump chart version
* Update README.md
* change failure policy
---
 README.md | 20 +++++++++
 helm-chart/kubemod/Chart.yaml | 5 ++-
 helm-chart/kubemod/crds/crd-kubemod.yaml | 33 ++++++++++++++-
 .../templates/job-crt/cronjob-crt.yaml | 25 +++++++++++
 .../job-crt/job-crt-create-secret.yaml | 31 --------------
 .../job-crt/job-crt-patch-webhooks.yaml | 42 -------------------
 .../kubemod/templates/job-crt/job-crt.yaml | 22 ++++++++++
 .../kubemod/templates/job-crt/role-crt.yaml | 12 ------
 .../templates/job-crt/serviceaccount-crt.yaml | 3 -
 .../mutatingwebhookconfiguration.yaml | 35 ++++++++++++++--
 helm-chart/kubemod/templates/roles.yaml | 27 +++++++++++-
 .../validatingwebhookconfiguration.yaml | 2 +-
 helm-chart/kubemod/values.yaml | 4 +-
 13 files changed, 163 insertions(+), 98 deletions(-)
 create mode 100644 helm-chart/kubemod/templates/job-crt/cronjob-crt.yaml
 delete mode 100644 helm-chart/kubemod/templates/job-crt/job-crt-create-secret.yaml
 delete mode 100644 helm-chart/kubemod/templates/job-crt/job-crt-patch-webhooks.yaml
 create mode 100644 helm-chart/kubemod/templates/job-crt/job-crt.yaml
diff --git a/README.md b/README.md
index d6760f5..6264531 100644
--- a/README.md
+++ b/README.md
@@ -16,3 +16,23 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch ct lint --all --config ct.yaml ct install --all --config ct.yaml ``` + +## Ignore kubemod-system namespace before installing the cart + +``` +# Make KubeMod ignore Kubernetes' system namespace. +kubectl label namespace kubemod-system admission.kubemod.io/ignore=true --overwrite +``` + +## Ignore webhooks differences when using ArgoCD +``` +ignoreDifferences: +- kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +- kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + jqPathExpressions: + - '.webhooks[]?.clientConfig.caBundle' +``` diff --git a/helm-chart/kubemod/Chart.yaml b/helm-chart/kubemod/Chart.yaml index 11fa7b9..c2f84e0 100644 --- a/helm-chart/kubemod/Chart.yaml +++ b/helm-chart/kubemod/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: kubemod description: KubeMod is a universal Kubernetes mutating operator. -version: 0.3.0 -appVersion: "0.13.0" +version: 0.4.0 +appVersion: "v0.19.1" kubeVersion: ">= 1.16.0-0" home: https://github.com/kubemod/kubemod sources: @@ -12,3 +12,4 @@ maintainers: - name: desaintmartin email: cedric@desaintmartin.fr - name: vassilvk + - name: abirsigron diff --git a/helm-chart/kubemod/crds/crd-kubemod.yaml b/helm-chart/kubemod/crds/crd-kubemod.yaml index df6e775..4756b92 100644 --- a/helm-chart/kubemod/crds/crd-kubemod.yaml +++ b/helm-chart/kubemod/crds/crd-kubemod.yaml 
@@ -34,6 +34,37 @@ spec: spec: description: ModRuleSpec defines the desired state of ModRule properties: + admissionOperations: + default: + - CREATE + - UPDATE + description: 'AdmissionOperations specifies which admission hook operations + this ModRule applies to. Valid values are: - "CREATE" - the rule + applies to all matching resources as they are created. - "UPDATE" + - the rule applies to all matching resources as they are updated. + - "DELETE" - the rule applies to all matching resources as they + are deleted. By default, a ModRule applies to all admission operations.' + items: + description: ModRuleAdmissionOperation describes the operation a + ModRule is executed on. Only the following ModRuleAdmissionOperation(s) + may be specified. + enum: + - CREATE + - UPDATE + - DELETE + type: string + type: array + executionTier: + default: 0 + description: ExecutionTier is a value between -32767 and 32766. ExecutionTier + controls when this ModRule will be executed as it relates to the + other ModRules loaded in the system. ModRules are matched and executed + in tiers, starting with the lowest tier. The results of executing + all ModRules in a tier are passed as input to the ModRules in the + next tier. This cascading execution continues until the highest + tier of ModRules has been executed. ModRules in the same tier are + executed in indeterminate order. + type: integer match: description: Match is a list of match items which consist of select queries and expected match values or regular expressions. When all @@ -174,4 +205,4 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] diff --git a/helm-chart/kubemod/templates/job-crt/cronjob-crt.yaml b/helm-chart/kubemod/templates/job-crt/cronjob-crt.yaml new file mode 100644 index 0000000..7676f4e --- /dev/null +++ b/helm-chart/kubemod/templates/job-crt/cronjob-crt.yaml 
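Review bot: The new `executionTier` property's description promises a range of -32767 to 32766, but the schema only says `type: integer`, so the API server accepts any value and the operator has to reject out-of-range tiers itself. Adding `minimum: -32767` and `maximum: 32766` under `executionTier` enforces the documented contract at admission time instead. If this CRD is copied from the kubemod release manifest (it reads like controller-gen output), the bound belongs in the upstream Go type markers so the next sync does not drop it. The `properties` mapping this hunk extends starts and ends outside the hunk.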
@@ -0,0 +1,25 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: {{ include "kubemod.fullname" . }}-crt-cron-job
+ labels:
+ {{- include "kubemod.labels" . | nindent 4 }}
+spec:
+ jobTemplate:
+ spec:
+ backoffLimit: 4
+ template:
+ spec:
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ {{- end }}
+ containers:
+ - command:
+ - /bin/sh
+ - -c
+ - ./cert-renew.sh
+ image: kubemod/kubemod-crt:v1.3.0
+ name: kubemod-crt
+ restartPolicy: Never
+ serviceAccountName: {{ include "kubemod.serviceAccountName" . }}-crt
+ schedule: 0 0 1 * *
\ No newline at end of file
diff --git a/helm-chart/kubemod/templates/job-crt/job-crt-create-secret.yaml b/helm-chart/kubemod/templates/job-crt/job-crt-create-secret.yaml
deleted file mode 100644
index 141c026..0000000
--- a/helm-chart/kubemod/templates/job-crt/job-crt-create-secret.yaml
+++ /dev/null
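Review bot: The container image is hard-coded as `kubemod/kubemod-crt:v1.3.0` and no `imagePullPolicy` is set, so the `job.image.*` values — including the `tag: "v1.3.0"` bump this same patch makes to values.yaml — no longer affect the rendered CronJob, whereas the deleted jobs read them. The same hard-coding is in the new job-crt.yaml. Use `image: "{{ .Values.job.image.repository }}:{{ .Values.job.image.tag | default .Chart.AppVersion }}"` and `imagePullPolicy: {{ .Values.job.image.pullPolicy }}` as the removed templates did. `schedule: 0 0 1 * *` is better written as `schedule: "0 0 1 * *"`, and the CronJob sets no `concurrencyPolicy`, so a slow or stuck renewal can overlap with the next run; `concurrencyPolicy: Forbid` is the usual choice for a rotation job.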
@@ -1,31 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "kubemod.fullname" . }}-crt-create-secret - labels: - {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install - "helm.sh/hook-delete-policy": before-hook-creation -spec: - backoffLimit: 4 - template: - spec: - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - containers: - - command: - - /bin/sh - - -c - - | - ./cert-generate.sh && \ - kubectl create secret tls webhook-server-cert -n {{ .Release.Namespace }} --cert=server.pem --key=server-key.pem --dry-run=client -o yaml > webhook-server-cert.yaml && \ - kubectl apply -f webhook-server-cert.yaml -n {{ .Release.Namespace }} && \ - kubectl create secret generic {{ include "kubemod.fullname" . }}-crt-ca --from-file=ca.pem --dry-run=client -o yaml > ca-secret.yaml && \ - kubectl apply -f ca-secret.yaml -n {{ .Release.Namespace }} - image: "{{ .Values.job.image.repository }}:{{ .Values.job.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.job.image.pullPolicy }} - name: kubemod-crt - restartPolicy: Never - serviceAccountName: {{ include "kubemod.serviceAccountName" . }}-crt \ No newline at end of file diff --git a/helm-chart/kubemod/templates/job-crt/job-crt-patch-webhooks.yaml b/helm-chart/kubemod/templates/job-crt/job-crt-patch-webhooks.yaml deleted file mode 100644 index 232998e..0000000 --- a/helm-chart/kubemod/templates/job-crt/job-crt-patch-webhooks.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "kubemod.fullname" . }}-crt-patch-webhooks - labels: - {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -spec: - backoffLimit: 4 - template: - spec: - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - containers: - - command: - - /bin/sh - - -c - - | - ca_bundle=$(cat /tmp/ca/ca.pem | base64 - | tr -d '\n' ) && \ - sed -r -i "s|Cg==|$ca_bundle|" patch-mutating-webhook-configuration.json && \ - sed -r -i "s|Cg==|$ca_bundle|" patch-validating-webhook-configuration.json && \ - echo "Applying mutating webhook configuration patch..." && \ - kubectl patch mutatingwebhookconfiguration {{ include "kubemod.fullname" . }}-mutating-webhook-configuration --type=json --patch "$(cat patch-mutating-webhook-configuration.json)" && \ - echo "Applying validating webhook configuration patch..." && \ - kubectl patch validatingwebhookconfiguration {{ include "kubemod.fullname" . }}-validating-webhook-configuration --type=json --patch "$(cat patch-validating-webhook-configuration.json)" - image: "{{ .Values.job.image.repository }}:{{ .Values.job.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.job.image.pullPolicy }} - name: kubemod-crt - volumeMounts: - - mountPath: /tmp/ca - name: ca - readOnly: true - restartPolicy: Never - serviceAccountName: {{ include "kubemod.serviceAccountName" . }}-crt - volumes: - - name: ca - secret: - defaultMode: 420 - secretName: {{ include "kubemod.fullname" . }}-crt-ca \ No newline at end of file diff --git a/helm-chart/kubemod/templates/job-crt/job-crt.yaml b/helm-chart/kubemod/templates/job-crt/job-crt.yaml new file mode 100644 index 0000000..33c37aa --- /dev/null +++ b/helm-chart/kubemod/templates/job-crt/job-crt.yaml 
@@ -0,0 +1,22 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "kubemod.fullname" . }}-crt-job + labels: + {{- include "kubemod.labels" . | nindent 4 }} +spec: + backoffLimit: 4 + template: + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + containers: + - command: + - /bin/sh + - -c + - ./cert-renew.sh + image: kubemod/kubemod-crt:v1.3.0 + name: kubemod-crt + restartPolicy: Never + serviceAccountName: {{ include "kubemod.serviceAccountName" . }}-crt \ No newline at end of file diff --git a/helm-chart/kubemod/templates/job-crt/role-crt.yaml b/helm-chart/kubemod/templates/job-crt/role-crt.yaml index a937e5d..a4eef26 100644 --- a/helm-chart/kubemod/templates/job-crt/role-crt.yaml +++ b/helm-chart/kubemod/templates/job-crt/role-crt.yaml @@ -4,9 +4,6 @@ metadata: name: {{ include "kubemod.fullname" . }}-crt labels: {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded rules: - apiGroups: - "" @@ -27,9 +24,6 @@ metadata: name: {{ include "kubemod.fullname" . }}-crt labels: {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -47,9 +41,6 @@ metadata: name: {{ include "kubemod.fullname" . }}-crt labels: {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded rules: - apiGroups: - admissionregistration.k8s.io 
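Review bot: The Job carries no `helm.sh/hook` annotations, unlike the two jobs this patch deletes, so it is now an ordinary release resource: Helm will not re-run it on upgrade (the completed Job keeps its name), and because a Job's pod template is immutable, any later change to the image, command or `priorityClassName` makes `helm upgrade` fail on this object. Helm also orders plain resources by kind, so the Job may start before the webhook configurations it presumably patches exist, which `backoffLimit: 4` only partly covers. Restoring the annotations from the removed job-crt-patch-webhooks.yaml, `"helm.sh/hook": post-install,post-upgrade` and `"helm.sh/hook-delete-policy": before-hook-creation`, keeps the one-shot job re-runnable and ordered after the rest of the release. What `./cert-renew.sh` does is not visible here; a one-line comment above `command` stating which secret it writes and which webhook configurations it patches would help the next reader.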
@@ -74,9 +65,6 @@ metadata: name: {{ include "kubemod.fullname" . }}-crt labels: {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/helm-chart/kubemod/templates/job-crt/serviceaccount-crt.yaml b/helm-chart/kubemod/templates/job-crt/serviceaccount-crt.yaml index 99480e7..dcac6da 100644 --- a/helm-chart/kubemod/templates/job-crt/serviceaccount-crt.yaml +++ b/helm-chart/kubemod/templates/job-crt/serviceaccount-crt.yaml @@ -5,9 +5,6 @@ metadata: name: {{ include "kubemod.serviceAccountName" . }}-crt labels: {{- include "kubemod.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded {{- with .Values.serviceAccount.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/helm-chart/kubemod/templates/mutatingwebhookconfiguration.yaml b/helm-chart/kubemod/templates/mutatingwebhookconfiguration.yaml index 46347e8..d148ff1 100644 --- a/helm-chart/kubemod/templates/mutatingwebhookconfiguration.yaml +++ b/helm-chart/kubemod/templates/mutatingwebhookconfiguration.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "kubemod.fullname" . }}-mutating-webhook-configuration labels: {{- include "kubemod.labels" . | nindent 4 }} - creationTimestamp: null webhooks: - admissionReviewVersions: - v1beta1 @@ -14,7 +13,7 @@ webhooks: name: {{ include "kubemod.fullname" . }}-webhook-service namespace: {{ .Release.Namespace }} path: /mutate-api-kubemod-io-v1beta1-modrule - failurePolicy: Fail + failurePolicy: {{ .Values.webhook.failurePolicy }} name: mmodrule.kubemod.io rules: - apiGroups: 
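Review bot: `failurePolicy: {{ .Values.webhook.failurePolicy }}` renders an empty value when the key is absent (the API server then applies its own default), and the values.yaml hunk in this patch only bumps image tags, so whether `webhook.failurePolicy` exists cannot be confirmed from here. Writing `failurePolicy: {{ .Values.webhook.failurePolicy | default "Fail" }}` keeps the previously hard-coded behaviour as the fallback and makes the override explicit; the same expression appears in the validating webhook hunk and in the new podbinding webhook, so change all three together. A line in values.yaml such as `failurePolicy: Fail  # Ignore lets requests through while the webhook is unreachable` documents the trade-off where users set it.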
@@ -50,8 +49,38 @@ webhooks: operations: - CREATE - UPDATE + - DELETE resources: {{- toYaml .Values.webhook.resources | nindent 4 }} scope: '*' sideEffects: None - timeoutSeconds: 3 + timeoutSeconds: 10 +- admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: Cg== + service: + name: kubemod-webhook-service + namespace: kubemod-system + path: /podbinding-webhook + failurePolicy: {{ .Values.webhook.failurePolicy }} + name: podbinding.kubemod.io + namespaceSelector: + matchExpressions: + - key: admission.kubemod.io/ignore + operator: NotIn + values: + - "true" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods/binding + scope: '*' + sideEffects: None + timeoutSeconds: 10 \ No newline at end of file diff --git a/helm-chart/kubemod/templates/roles.yaml b/helm-chart/kubemod/templates/roles.yaml index 74f7c24..4f6d6ee 100644 --- a/helm-chart/kubemod/templates/roles.yaml +++ b/helm-chart/kubemod/templates/roles.yaml @@ -17,7 +17,32 @@ rules: - patch - update - watch - +- apiGroups: + - api.kubemod.io + resources: + - modrules/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - namespaces + - nodes + verbs: + - list + - get + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - list + - get + - watch + - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/helm-chart/kubemod/templates/validatingwebhookconfiguration.yaml b/helm-chart/kubemod/templates/validatingwebhookconfiguration.yaml index 0be0543..39b580f 100644 --- a/helm-chart/kubemod/templates/validatingwebhookconfiguration.yaml +++ b/helm-chart/kubemod/templates/validatingwebhookconfiguration.yaml 
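Review bot: The new `podbinding.kubemod.io` webhook hard-codes `name: kubemod-webhook-service` and `namespace: kubemod-system` in `clientConfig.service`, while the existing modrule webhook a few lines up derives both from `{{ include "kubemod.fullname" . }}-webhook-service` and `{{ .Release.Namespace }}`. A release installed under any other name or namespace therefore gets a webhook pointing at a service that does not exist, and with `failurePolicy` resolving to Fail that rejects every `pods/binding` in every namespace not labelled `admission.kubemod.io/ignore=true`, so scheduling stops cluster-wide. Use `name: {{ include "kubemod.fullname" . }}-webhook-service` and `namespace: {{ .Release.Namespace }}` here as well. Because this webhook intercepts bindings, the release's own namespace should be excluded by the `namespaceSelector` itself rather than only by the manual label the README now asks for; otherwise the kubemod pods cannot be scheduled while the webhook endpoint is down.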
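Review bot: The new rule grants `update` on `pods` across the cluster, a standing write permission on every workload, whereas the other new rules (`namespaces`, `nodes`, `modrules/status`) are read-only or scoped to the operator's own CRD. Nothing in this patch shows what the controller writes to pods — an admission webhook mutates the request object, not the stored pod — so if it only reads pod state, drop `- update`; if it does write, a comment above the rule such as `# update: <what kubemod writes to pods — confirm against the controller>` records the justification for the next audit. The `rules` list this hunk extends, and the role it belongs to (presumably a ClusterRole, given the ClusterRoleBinding that follows), start outside the hunk.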
@@ -14,7 +14,7 @@ webhooks: name: {{ include "kubemod.fullname" . }}-webhook-service namespace: {{ .Release.Namespace }} path: /validate-api-kubemod-io-v1beta1-modrule - failurePolicy: Fail + failurePolicy: {{ .Values.webhook.failurePolicy }} name: vmodrule.kubemod.io rules: - apiGroups: diff --git a/helm-chart/kubemod/values.yaml b/helm-chart/kubemod/values.yaml index c21e1e4..2f44e37 100644 --- a/helm-chart/kubemod/values.yaml +++ b/helm-chart/kubemod/values.yaml @@ -7,13 +7,13 @@ replicaCount: 1 image: repository: kubemod/kubemod pullPolicy: IfNotPresent - tag: "v0.13.0" + tag: "v0.19.1" job: image: repository: kubemod/kubemod-crt pullPolicy: IfNotPresent - tag: "v1.1.1" + tag: "v1.3.0" imagePullSecrets: [] nameOverride: ""