add helm chart
zenyui committed Jan 10, 2022
1 parent 4ea69fc commit beec174
Showing 8 changed files with 166 additions and 2 deletions.
5 changes: 3 additions & 2 deletions app/main.go
Expand Up @@ -27,6 +27,7 @@ func main() {
}

mux.HandleFunc("/", handleHealthCheck)
mux.HandleFunc("/healthz", handleHealthCheck)
mux.HandleFunc("/mutate", mutateHandler.Handle)

s := &http.Server{
Expand All @@ -37,8 +38,8 @@ func main() {
MaxHeaderBytes: 1 << 20, // 1048576
}
// TODO: move to config
sslCertFilePath := "./ssl/cert.pem"
sslKeyFilePath := "./ssl/cert.key"
sslCertFilePath := "/etc/webhook/certs/tls.crt"
sslKeyFilePath := "/etc/webhook/certs/tls.key"
// start listening and block until shutdown
log.Fatal(s.ListenAndServeTLS(sslCertFilePath, sslKeyFilePath))
}
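Review bot: The two new `sslCertFilePath`/`sslKeyFilePath` lines are still hard-coded and the `// TODO: move to config` above them is carried over unchanged; the new values match the chart's `/etc/webhook/certs` mount, but anyone running the binary outside the chart (the old `./ssl/` layout) now has to rebuild. Reading them from the environment with these values as defaults keeps both working, e.g. `sslCertFilePath := envOr("TLS_CERT_FILE", "/etc/webhook/certs/tls.crt")` with a small helper around `os.LookupEnv`. The `"/"` route sends every unmatched path, including a mistyped `/mutate`, to the health handler with a 200 instead of a 404, which deserves a comment if it is deliberate. `main` begins before this hunk and both hunks sit inside it.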
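--- a/helm/k8s-pod-labeler/.helmignore
+++ b/helm/k8s-pod-labeler/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/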
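--- a/helm/k8s-pod-labeler/Chart.yaml
+++ b/helm/k8s-pod-labeler/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: k8s-pod-labeler
+description: https://github.com/troop-dev/k8s-pod-labeler
+type: application
+version: 0.0.0
+appVersion: "0.0.0"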
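--- a/helm/k8s-pod-labeler/templates/deployment.yml
+++ b/helm/k8s-pod-labeler/templates/deployment.yml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: k8s-pod-labeler
+labels:
+app: k8s-pod-labeler
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: k8s-pod-labeler
+template:
+metadata:
+name: k8s-pod-labeler
+labels:
+app: k8s-pod-labeler
+spec:
+imagePullSecrets:
+- name: troop-dev-github-docker-registry
+containers:
+- name: mutator
+image: "{{ .Values.dockerImage }}:{{ .Chart.AppVersion }}"
+imagePullPolicy: Always
+resources:
+limits:
+cpu: 100m
+memory: 128Mi
+requests:
+cpu: 50m
+memory: 64Mi
+ports:
+- containerPort: {{ .Values.containerPort }}
+volumeMounts:
+- name: certs
+mountPath: /etc/webhook/certs
+readOnly: true
+livenessProbe:
+httpGet:
+scheme: HTTPS
+path: /healthz
+port: http
+readinessProbe:
+httpGet:
+scheme: HTTPS
+path: /healthz
+port: http
+volumes:
+- name: certs
+secret:
+secretName: {{ include "kube-secrets-init.certificateSecretName" . }}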
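Review bot: Both probes use `port: http`, but the container's only ports entry is `containerPort: {{ .Values.containerPort }}` with no `name`, so the kubelet cannot resolve the port and the pod never passes readiness; add `name: http` to that entry (or reference the numeric port). The certs volume also takes `secretName` from `include "kube-secrets-init.certificateSecretName"`, and webhook.yml builds the certificate CN from `include "kube-secrets-init.fullname"`, yet no `_helpers.tpl` defining either named template is part of this commit, so unless they exist elsewhere the chart fails to render; the Secret webhook.yml creates is literally named `k8s-pod-labeler`, so `secretName: k8s-pod-labeler` would match it directly. The container also runs with no `securityContext`; for a webhook that only needs to read one mounted secret, `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` are cheap to set.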
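--- a/helm/k8s-pod-labeler/templates/service.yml
+++ b/helm/k8s-pod-labeler/templates/service.yml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: k8s-pod-labeler
+labels:
+app: k8s-pod-labeler
+spec:
+publishNotReadyAddresses: true
+ports:
+- port: 443
+targetPort: {{ .Values.containerPort }}
+selector:
+app: k8s-pod-labeler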
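Review bot: `publishNotReadyAddresses: true` makes the Service hand out pod endpoints before the readiness probe passes, so the API server can route admission requests to a pod whose TLS listener is not up yet; with an Ignore failure policy those requests silently skip mutation instead of being retried against a ready pod. Unless the intent is to work around a cold-start ordering issue, drop the line and let readiness gate the endpoints. `port: 443` is consistent with the webhook's `clientConfig.service`, which names no port and therefore defaults to 443.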
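--- a/helm/k8s-pod-labeler/templates/webhook.yml
+++ b/helm/k8s-pod-labeler/templates/webhook.yml
@@ -0,0 +1,63 @@
+# generate the certs
+{{- $caCrt := "" }}
+{{- $tlsCrt := "" }}
+{{- $tlsKey := "" }}
+{{- $ca := genCA "svc-cat-ca" 3650 }}
+{{- $svcName := include "kube-secrets-init.fullname" . }}
+{{- $cn := printf "%s.%s.svc" $svcName .Release.Namespace }}
+{{- $altName1 := printf "%s.cluster.local" $cn }}
+{{- $altName2 := printf "%s" $cn }}
+{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 365 $ca }}
+{{- $tlsCrt = b64enc $server.Cert }}
+{{- $tlsKey = b64enc $server.Key }}
+{{- $caCrt = b64enc $ca.Cert }}
+
+# create a secret
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+name: k8s-pod-labeler
+data:
+tls.crt: {{ $tlsCrt }}
+tls.key: {{ $tlsKey }}
+ca.crt: {{ $caCrt }}
+
+---
+
+# create the webhook
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+name: k8s-pod-labeler
+webhooks:
+- name: k8s-pod-labeler.troop.com
+admissionReviewVersions: ["v1"]
+clientConfig:
+service:
+name: k8s-pod-labeler
+namespace: {{ .Release.Namespace }}
+path: "/mutate"
+caBundle: {{ $caCrt }}
+rules:
+- operations:
+- CREATE
+apiGroups:
+- "*"
+apiVersions:
+- "*"
+resources:
+- pods
+failurePolicy: {{ .Values.failurePolicy }}
+timeoutSeconds: {{ .Values.timeoutSeconds }}
+sideEffects: None
+namespaceSelector:
+matchExpressions:
+- key: troop.com/k8s-pod-labeler
+operator: In
+values:
+- enabled
+- key: troop.com/k8s-pod-labeler
+operator: NotIn
+values:
+- disabled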
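Review bot: `genCA` and `genSignedCert` run unconditionally on every render, so each `helm upgrade` replaces the Secret and the `caBundle` with a fresh CA, while main.go loads `/etc/webhook/certs/tls.crt` once at startup through `ListenAndServeTLS` and the Deployment carries no checksum annotation that would restart the pod; between the upgrade and the next pod restart the API server trusts the new CA but the pod still serves the old certificate, and every admission call fails TLS verification. Reuse the existing Secret's material when one is present, as below, or add a `checksum/certs` annotation to the pod template so the rollout follows the Secret. `lookup` returns an empty map under `helm template` and `--dry-run`, so those renders still generate new material. The serving certificate is valid for 365 days and nothing here renews it, which is worth a comment next to the `365` argument.
```yaml
# reuse the TLS material of a previous release so upgrades do not rotate the CA
{{- $existing := lookup "v1" "Secret" .Release.Namespace "k8s-pod-labeler" }}
{{- if $existing }}
{{- $tlsCrt = index $existing.data "tls.crt" }}
{{- $tlsKey = index $existing.data "tls.key" }}
{{- $caCrt = index $existing.data "ca.crt" }}
{{- else }}
# … unchanged: genCA / genSignedCert generation into $tlsCrt, $tlsKey, $caCrt …
{{- end }}
# … unchanged: Secret and MutatingWebhookConfiguration …
```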
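--- a/helm/k8s-pod-labeler/values.yaml
+++ b/helm/k8s-pod-labeler/values.yaml
@@ -0,0 +1,6 @@
+certificate:
+generate: true
+failurePolicy: "IGNORE"
+timeoutSeconds: 10
+dockerImage: "ghcr.io/troop-dev/frontend-api"
+containerPort: 8443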
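Review bot: `failurePolicy: "IGNORE"` is not a value the API server accepts — `failurePolicy` is case-sensitive and allows only `Ignore` or `Fail`, so the MutatingWebhookConfiguration rendered from webhook.yml is rejected on install; change it to `failurePolicy: "Ignore"`. `certificate.generate` is not read by any template in this commit (webhook.yml always generates), so either gate the generation block with `{{- if .Values.certificate.generate }}` or drop the key. The `dockerImage` default `ghcr.io/troop-dev/frontend-api` does not look like this project's image, and with `appVersion: "0.0.0"` used as the tag in deployment.yml the chart presumably pulls nothing usable unless both are overridden.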
2 changes: 2 additions & 0 deletions readme.md
Expand Up @@ -19,3 +19,5 @@ Troop uses the Linkerd service mesh in GKE, which requires a special annotation
- https://github.com/slackhq/simple-kubernetes-webhook
- https://github.com/operator-framework/operator-sdk
- https://github.com/openshift/generic-admission-server
- https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#webhookclientconfig-v1-apiextensions-k8s-io
- https://github.com/morvencao/kube-mutating-webhook-tutorial
