helm: Generate a self-signed cert for webhook if none given

Use the ingress-nginx/kube-webhook-certgen image to generate a self-signed certificate valid for 100 years for admission webhook when the caBundle is left unconfigured. Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
project-akri · Apr 21, 2023 · 931a4e5 · 931a4e5
1 parent 629bb54
commit 931a4e5
Show file tree

Hide file tree

Showing 3 changed files with 194 additions and 3 deletions.
diff --git a/deployment/helm/templates/webhook-cert-autogen.yaml b/deployment/helm/templates/webhook-cert-autogen.yaml
@@ -0,0 +1,181 @@
+{{- if and .Values.webhookConfiguration.enabled (not .Values.webhookConfiguration.caBundle) -}}
+{{- if .Values.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.webhookConfiguration.name }}-patch
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.webhookConfiguration.name }}-patch
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.webhookConfiguration.name }}-patch
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.webhookConfiguration.name }}-patch
+    namespace: {{ .Release.Namespace | quote }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+---
+{{- end }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-create
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  ttlSecondsAfterFinished: 0
+  template:
+    metadata:
+      name: {{ .Values.webhookConfiguration.name }}-create
+      labels:
+        {{- include "akri.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: create
+          image: "{{ .Values.webhookConfiguration.certImage.reference }}:{{ .Values.webhookConfiguration.certImage.tag }}"
+          imagePullPolicy: {{ .Values.webhookConfiguration.certImage.pullPolicy }}
+          args:
+            - create
+            - --host={{ .Values.webhookConfiguration.name }},{{ .Values.webhookConfiguration.name }}.{{ .Release.Namespace }}.svc
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ .Values.webhookConfiguration.name }}
+            - --cert-name=tls.crt
+            - --key-name=tls.key
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ .Values.webhookConfiguration.name }}-patch
+      {{- end }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.webhookConfiguration.name }}-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "akri.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+spec:
+  ttlSecondsAfterFinished: 0
+  template:
+    metadata:
+      name: {{ .Values.webhookConfiguration.name }}-patch
+      labels:
+        {{- include "akri.labels" . | nindent 8 }}
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: patch
+          image: "{{ .Values.webhookConfiguration.certImage.reference }}:{{ .Values.webhookConfiguration.certImage.tag }}"
+          imagePullPolicy: {{ .Values.webhookConfiguration.certImage.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ .Values.webhookConfiguration.name }}
+            - --namespace={{ .Release.Namespace }}
+            - --patch-mutating=false
+            - --secret-name={{ .Values.webhookConfiguration.name }}
+            - --patch-failure-policy=Fail
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+
+      {{- if .Values.rbac.enabled }}
+      serviceAccountName: {{ .Values.webhookConfiguration.name }}-patch
+      {{- end }}
+{{- end -}}
diff --git a/deployment/helm/templates/webhook-configuration.yaml b/deployment/helm/templates/webhook-configuration.yaml
@@ -130,7 +130,9 @@ items:
             namespace: {{ .Release.Namespace }}
             port: 443
             path: "/validate"
-          caBundle: {{ required "please rerun helm install" .Values.webhookConfiguration.caBundle }}
+          {{- if .Values.webhookConfiguration.caBundle }}
+          caBundle: {{ .Values.webhookConfiguration.caBundle }}
+          {{- end }}
         rules:
           - operations:
               - "CREATE"

diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
@@ -837,10 +837,11 @@ udev:
 # Admission Controllers (Webhooks)
 webhookConfiguration:
   # enabled defines whether to apply the Akri Admission Controller (Webhook) for Akri Configurations
-  enabled: false
+  enabled: true
   # name of the webhook
   name: akri-webhook-configuration
-  # base64-encoded CA certificate (PEM) used by Kubernetes to validate the Webhook's certificate
+  # base64-encoded CA certificate (PEM) used by Kubernetes to validate the Webhook's certificate, if
+  # unset, will generate a self-signed certificate valid for 100y
   caBundle: null
   image:
     # repository is the Akri Webhook for Configurations image reference
@@ -851,6 +852,13 @@ webhookConfiguration:
     tag:
     # pullPolicy is the Akri Webhook pull policy
     pullPolicy: Always
+  certImage:
+    # reference is the webhook-certgen image reference
+    reference: registry.k8s.io/ingress-nginx/kube-webhook-certgen
+    # tag is the webhook-certgen image tag
+    tag: v1.1.1
+    # pullPolicy is the webhook-certgen pull policy
+    pullPolicy: IfNotPresent
   # onlyOnControlPlane dictates whether the Akri Webhook will only run on nodes with 
   # the label with (key, value) of ("node-role.kubernetes.io/master", "")
   onlyOnControlPlane: false