[DNM] Webhook config reworking

.github/workflows/scripts/integration-test-ci

@@ -47,7 +47,7 @@ try --waitmsg "Waiting for CRDs" crds_exist
 echo "Shutting down core rancher"
 kubectl scale deploy rancher -n cattle-system --replicas=0
 kubectl wait pods -l app=rancher --for=delete -n cattle-system
-# Make sure the webhook recreates configurations on startup
+# Delete the existing webhook configurations so the helm upgrade recreates them from the chart templates.
 kubectl delete validatingwebhookconfiguration rancher.cattle.io
 kubectl delete mutatingwebhookconfiguration rancher.cattle.io
 
@@ -83,6 +83,25 @@ upgrade_rancher_webhook() {
    kubectl rollout status deployment/rancher-webhook -n cattle-system
 
    try --max 90 --waitmsg "Waiting for webhooks to be registered" --failmsg "Webhooks not registered" check_webhooks
+
+   # The chart now owns the WebhookConfigurations with caBundle: "" (filled by needacert at runtime).
+   # needacert runs inside the rancher pod, which is scaled to 0 in this test. Patch caBundle
+   # directly from the TLS secret so the kube-apiserver can verify the webhook's serving cert.
+   populate_ca_bundle() {
+     local ca_bundle
+     ca_bundle=$(kubectl get secret cattle-webhook-tls -n cattle-system \
+       -o jsonpath='{.data.tls\.crt}' 2>/dev/null)
+     [[ -z "$ca_bundle" ]] && return 1
+     for resource in validatingwebhookconfiguration mutatingwebhookconfiguration; do
+       local patch
+       patch=$(kubectl get "$resource" rancher.cattle.io -o json \
+         | jq --arg ca "$ca_bundle" \
+           '[range(.webhooks | length) | {"op":"replace","path":"/webhooks/\(.)/clientConfig/caBundle","value":$ca}]')
+       kubectl patch "$resource" rancher.cattle.io --type=json -p="$patch"
+     done
+   }
+   try --max 10 --delay 3 --waitmsg "Populating caBundle from TLS secret" \
+     --failmsg "Failed to populate caBundle" populate_ca_bundle
 }
 
 try --max 3 --delay 2 --waitmsg "Upgrading Webhook" --failmsg "Failed to upgrade webhook" upgrade_rancher_webhook

charts/rancher-webhook/templates/deployment.yaml

@@ -4,6 +4,7 @@ kind: Deployment
 metadata:
   name: rancher-webhook
 spec:
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       app: rancher-webhook
@@ -12,8 +13,12 @@ spec:
       labels:
         app: rancher-webhook
     spec:
-      {{- if $auth.clientCA }}
       volumes:
+      - name: tls
+        secret:
+          secretName: cattle-webhook-tls
+          optional: false
+      {{- if $auth.clientCA }}
       - name: client-ca
         secret:
           secretName: client-ca
@@ -49,6 +54,10 @@ spec:
         image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
         name: rancher-webhook
         imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+        {{- with .Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
         ports:
         - name: https
           containerPort: {{ .Values.port | default 9443 }}
@@ -65,21 +74,28 @@ spec:
             port: "https"
             scheme: "HTTPS"
           periodSeconds: 5
-        {{- if $auth.clientCA }}
         volumeMounts:
+        - name: tls
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
+        {{- if $auth.clientCA }}
         - name: client-ca
           mountPath: /tmp/k8s-webhook-server/client-ca
           readOnly: true
         {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
-        {{- if .Values.capNetBindService }}
+          {{- if .Values.capNetBindService }}
           capabilities:
             add:
             - NET_BIND_SERVICE
-        {{- end }}
+          {{- end }}
       serviceAccountName: rancher-webhook
       {{- if .Values.priorityClassName }}
       priorityClassName: "{{.Values.priorityClassName}}"
       {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/rancher-webhook/templates/pdb.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.podDisruptionBudget .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: rancher-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: rancher-webhook
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- else if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+{{- end }}

charts/rancher-webhook/templates/rbac.yaml

@@ -1,12 +1,95 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
   name: rancher-webhook
+rules:
+# --- Read-only: informer caches for validators/mutators ---
+- apiGroups: ["management.cattle.io"]
+  resources:
+    - clusters
+    - clusterproxyconfigs
+    - clusterroletemplatebindings
+    - features
+    - globalroles
+    - globalrolebindings
+    - nodes
+    - podsecurityadmissionconfigurationtemplates
+    - projects
+    - projectroletemplatebindings
+    - roletemplates
+    - settings
+    - tokens
+    - userattributes
+    - users
+  verbs: [get, list, watch]
+- apiGroups: ["provisioning.cattle.io"]
+  resources: [clusters]
+  verbs: [get, list, watch, patch]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: [roles, rolebindings, clusterroles, clusterrolebindings]
+  verbs: [get, list, watch]
+- apiGroups: [""]
+  resources: [namespaces, secrets]
+  verbs: [get, list, watch]
+- apiGroups: ["rke.cattle.io"]
+  resources: [etcdsnapshots]
+  verbs: [get, list, watch]
+- apiGroups: ["apiregistration.k8s.io"]
+  resources: [apiservices]
+  verbs: [get, list, watch]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: [customresourcedefinitions]
+  verbs: [get, list, watch]
+- apiGroups: ["cluster.x-k8s.io"]
+  resources: [machinedeployments, clusters]
+  verbs: [get, list, watch]
+- apiGroups: ["rke-machine-config.cattle.io"]
+  resources: ["*"]
+  verbs: [get, list, watch]
+- apiGroups: ["rke-machine.cattle.io"]
+  resources:
+    - amazonec2machines
+    - azuremachines
+    - digitaloceanmachines
+    - harvestermachines
+    - linodemachines
+    - vmwarevspheremachines
+  verbs: [get, list, watch]
+- apiGroups: ["catalog.cattle.io"]
+  resources: [clusterrepos]
+  verbs: [get, list, watch]
+- apiGroups: ["auditlog.cattle.io"]
+  resources: [auditpolicies]
+  verbs: [get, list, watch]
+- apiGroups: ["cluster.cattle.io"]
+  resources: [clusterauthtokens]
+  verbs: [get, list, watch]
+# --- Write operations ---
+- apiGroups: ["authorization.k8s.io"]
+  resources: [subjectaccessreviews]
+  verbs: [create]
+- apiGroups: [""]
+  resources: [namespaces]
+  verbs: [create]
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: [create, update, delete]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: [roles]
+  verbs: [update]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: [rolebindings, clusterroles, clusterrolebindings]
+  verbs: [create]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rancher-webhook-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: rancher-webhook
 subjects:
 - kind: ServiceAccount
   name: rancher-webhook
-  namespace: {{.Release.Namespace}}
+  namespace: {{.Release.Namespace}}

charts/rancher-webhook/templates/service.yaml

@@ -3,6 +3,8 @@ apiVersion: v1
 metadata:
   name: rancher-webhook
   namespace: cattle-system
+  annotations:
+    need-a-cert.cattle.io/secret-name: cattle-webhook-tls
 spec:
   ports:
   - port: 443