From de9704160288c9c481cfa1d1974bd4eb6a313eb9 Mon Sep 17 00:00:00 2001 From: Predrag Rogic Date: Tue, 24 Aug 2021 02:42:22 +0100 Subject: [PATCH] fix gcpauth and olm for k8s v1.22+ --- .../gcp-auth/gcp-auth-webhook.yaml.tmpl | 186 ++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl diff --git a/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl new file mode 100644 index 000000000000..a951f24faa67 --- /dev/null +++ b/deploy/addons/gcp-auth/gcp-auth-webhook.yaml.tmpl @@ -0,0 +1,186 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: minikube-gcp-auth-certs + namespace: gcp-auth +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: minikube-gcp-auth-certs +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - list + - get + - create + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: minikube-gcp-auth-certs + namespace: metadata +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: minikube-gcp-auth-certs +subjects: + - kind: ServiceAccount + name: minikube-gcp-auth-certs + namespace: gcp-auth +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gcp-auth-certs-create + namespace: gcp-auth +spec: + template: + metadata: + name: gcp-auth-certs-create + spec: + serviceAccountName: minikube-gcp-auth-certs + containers: + - name: create + image: {{.CustomRegistries.KubeWebhookCertgen | default .ImageRepository | default .Registries.KubeWebhookCertgen}}{{.Images.KubeWebhookCertgen}} + imagePullPolicy: IfNotPresent + args: + - create + - --host=gcp-auth,gcp-auth.gcp-auth,gcp-auth.gcp-auth.svc + - --namespace=gcp-auth + - --secret-name=gcp-auth-certs + restartPolicy: OnFailure +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gcp-auth + namespace: gcp-auth +spec: + selector: + matchLabels: + app: gcp-auth + template: + metadata: + labels: + app: gcp-auth + kubernetes.io/minikube-addons: gcp-auth + spec: + containers: + - name: gcp-auth + image: {{.CustomRegistries.GCPAuthWebhook | default .ImageRepository | default .Registries.GCPAuthWebhook}}{{.Images.GCPAuthWebhook}} + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8443 + volumeMounts: + - name: webhook-certs + mountPath: /etc/webhook/certs + readOnly: true + - name: gcp-project + mountPath: /var/lib/minikube/google_cloud_project + readOnly: true + volumes: + - name: webhook-certs + secret: + secretName: gcp-auth-certs + - name: gcp-project + hostPath: + path: /var/lib/minikube/google_cloud_project + type: File +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gcp-auth-certs-patch + namespace: gcp-auth +spec: + template: + metadata: + name: gcp-auth-certs-patch + spec: + serviceAccountName: minikube-gcp-auth-certs + containers: + - name: patch + image: {{.CustomRegistries.KubeWebhookCertgen | default .ImageRepository | default .Registries.KubeWebhookCertgen}}{{.Images.KubeWebhookCertgen}} + imagePullPolicy: IfNotPresent + args: + - patch + - --secret-name=gcp-auth-certs + - --namespace=gcp-auth + - --patch-validating=false + - --webhook-name=gcp-auth-webhook-cfg + restartPolicy: OnFailure +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: gcp-auth-webhook-cfg + labels: + app: gcp-auth +webhooks: +- name: gcp-auth-mutate.k8s.io + failurePolicy: Ignore + objectSelector: + matchExpressions: + - key: gcp-auth-skip-secret + operator: DoesNotExist + namespaceSelector: + matchExpressions: + - key: name + operator: NotIn + values: + - kube-system + sideEffects: None + admissionReviewVersions: ["v1","v1beta1"] + clientConfig: + service: + name: gcp-auth + namespace: gcp-auth + path: "/mutate" + rules: + - operations: ["CREATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: ["pods"] + scope: "*" +- name: gcp-auth-mutate-sa.k8s.io + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1","v1beta1"] + clientConfig: + service: + name: gcp-auth + namespace: gcp-auth + path: "/mutate/sa" + rules: + - operations: ["CREATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: ["serviceaccounts"] + scope: "*"