k/digitalocean: add a Certificate for snapshot validation webhook

2023-05-16 03:44:24 -04:00 · 2023-05-16 03:44:24 -04:00 · 811bfc4aa3
parent 26c0d26c0c
commit 811bfc4aa3
5 changed files with 89 additions and 34 deletions
--- a/kustomizations/digitalocean/csi-driver/kustomization.yaml
+++ b/kustomizations/digitalocean/csi-driver/kustomization.yaml
@ -4,7 +4,6 @@ namespace: digitalocean-csi
 resources:
 - driver.yaml
 - crds.yaml
 - snapshot-validation-webhook.yaml
 - snapshot-controller.yaml
 images:
 - name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
--- a/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
+++ b/kustomizations/digitalocean/csi-driver/webhook/kustomization.yaml
@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - resources.yaml
--- a/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
+++ b/kustomizations/digitalocean/csi-driver/webhook/kustomizeconfig.yaml
@ -0,0 +1,7 @@
 nameReference:
  - kind: Issuer
    group: cert-manager.io
    fieldSpecs:
      - kind: Certificate
        group: cert-manager.io
        path: spec/issuerRef/name
--- a/kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml
+++ b/kustomizations/digitalocean/csi-driver/snapshot-validation-webhook.yaml
@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
  name: "validation-webhook.snapshot.storage.k8s.io"
  annotations:
    cert-manager.io/inject-ca-from: default/snapshot-validation
 webhooks:
-  - name: "validation-webhook.snapshot.storage.k8s.io"
+- name: "validation-webhook.snapshot.storage.k8s.io"
-    rules:
+  rules:
-      - apiGroups:   ["snapshot.storage.k8s.io"]
+  - apiGroups:   ["snapshot.storage.k8s.io"]
-        apiVersions: ["v1", "v1beta1"]
+    apiVersions: ["v1", "v1beta1"]
-        operations:  ["CREATE", "UPDATE"]
+    operations:  ["CREATE", "UPDATE"]
-        resources:   ["volumesnapshots", "volumesnapshotcontents"]
+    resources:   ["volumesnapshots", "volumesnapshotcontents"]
-        scope:       "*"
+    scope:       "*"
-    clientConfig:
+  clientConfig:
-      service:
+    service:
-        namespace: "kube-system"
+      namespace: "kube-system"
-        name: "snapshot-validation-service"
+      name: "snapshot-validation-service"
-        path: "/volumesnapshot"
+      path: "/volumesnapshot"
-      # XXX Uncomment and populate the CA bundle field accordingly if a dedicated
+  admissionReviewVersions: ["v1", "v1beta1"]
-      # CA is to be used.
+  sideEffects: None
-      # caBundle: ${CA_BUNDLE}
+  failurePolicy: Fail
-    admissionReviewVersions: ["v1", "v1beta1"]
+  timeoutSeconds: 5
    sideEffects: None
    failurePolicy: Fail
    timeoutSeconds: 5
 ---
@ -63,21 +62,20 @@ spec:
    spec:
      serviceAccountName: snapshot-validation
      containers:
-        - name: snapshot-validation
+      - name: snapshot-validation
-          image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
+        image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
-          imagePullPolicy: IfNotPresent
+        imagePullPolicy: IfNotPresent
-          args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
+        args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
-          ports:
+        ports:
-            - containerPort: 443
+        - containerPort: 443
-          volumeMounts:
+        volumeMounts:
            - name: snapshot-validation-webhook-certs
              mountPath: /etc/snapshot-validation-webhook/certs
              readOnly: true
      volumes:
        - name: snapshot-validation-webhook-certs
-          secret:
+          mountPath: /etc/snapshot-validation-webhook/certs
-            # XXX Populate the secret properly with a certificate and key
+          readOnly: true
-            secretName: snapshot-validation-secret
+      volumes:
      - name: snapshot-validation-webhook-certs
        secret:
          secretName: snapshot-validation-secret
 ---
@ -126,3 +124,25 @@ roleRef:
  kind: ClusterRole
  name: snapshot-validation
  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: selfsigned-issuer
 spec:
  selfSigned: {}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: snapshot-validation
 spec:
  dnsNames:
    - snapshot-validation-service
    - snapshot-validation-service.default.svc
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: snapshot-validation-secret
--- a/kustomizations/digitalocean/kustomization.yaml
+++ b/kustomizations/digitalocean/kustomization.yaml
@ -4,5 +4,30 @@ namespace: kube-system
 resources:
 - cloud-controller-manager
 - csi-driver
 - csi-driver/webhook
 generators:
 - secret-generator.yaml
 replacements:
 - source:
    kind: Certificate
    fieldPath: metadata.namespace
  targets:
  - select:
      kind: ValidatingWebhookConfiguration
    fieldPaths:
    - metadata.annotations.[cert-manager.io/inject-ca-from]
    options:
      delimiter: /
 - source:
    kind: Service
    fieldPath: metadata.namespace
    name: snapshot-validation-service
  targets:
  - select:
      kind: Certificate
      name: snapshot-validation
    fieldPaths:
    - spec.dnsNames.1
    options:
      delimiter: .
      index: 1