k/digitalocean: add a Certificate for snapshot validation webhook
parent
26c0d26c0c
commit
811bfc4aa3
|
@ -4,7 +4,6 @@ namespace: digitalocean-csi
|
||||||
resources:
|
resources:
|
||||||
- driver.yaml
|
- driver.yaml
|
||||||
- crds.yaml
|
- crds.yaml
|
||||||
- snapshot-validation-webhook.yaml
|
|
||||||
- snapshot-controller.yaml
|
- snapshot-controller.yaml
|
||||||
images:
|
images:
|
||||||
- name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
|
- name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
|
||||||
|
|
|
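Review bot: The `images:` override for `k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1` stays in this kustomization even though `snapshot-validation-webhook.yaml` is removed from its `resources:`, so it no longer matches any resource here, while the relocated Deployment (in the `@ -63,21 +62,20 @@` hunk) pins `registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0`. Unless the override is consumed somewhere not shown, it is dead configuration that also names the legacy `k8s.gcr.io` registry and an older tag than what is actually deployed; drop the entry or move it into the new `csi-driver/webhook` kustomization so the image pin and the manifest live together. The `images:` list continues past the end of the hunk, so a `newName`/`newTag` on this entry may not be visible here.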
@ -0,0 +1,4 @@
|
||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
resources:
|
||||||
|
- resources.yaml
|
|
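Review bot: Nothing in this new kustomization, nor in the `@ -4,5 +4,30 @@` hunk of the parent kustomization, references the `nameReference` transformer config added in the `@ -0,0 +1,7 @@` hunk, so the `Issuer` → `Certificate.spec/issuerRef/name` link will not be tracked by kustomize if a `namePrefix`/`nameSuffix` is ever applied. If that config is meant to be loaded here, add `configurations:` to this file with the transformer file as its entry (`configurations:` / `  - <name-reference config file>`); if it is wired in from a kustomization outside this commit, this can be ignored.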
@ -0,0 +1,7 @@
|
||||||
|
nameReference:
|
||||||
|
- kind: Issuer
|
||||||
|
group: cert-manager.io
|
||||||
|
fieldSpecs:
|
||||||
|
- kind: Certificate
|
||||||
|
group: cert-manager.io
|
||||||
|
path: spec/issuerRef/name
|
|
@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
|
||||||
kind: ValidatingWebhookConfiguration
|
kind: ValidatingWebhookConfiguration
|
||||||
metadata:
|
metadata:
|
||||||
name: "validation-webhook.snapshot.storage.k8s.io"
|
name: "validation-webhook.snapshot.storage.k8s.io"
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/inject-ca-from: default/snapshot-validation
|
||||||
webhooks:
|
webhooks:
|
||||||
- name: "validation-webhook.snapshot.storage.k8s.io"
|
- name: "validation-webhook.snapshot.storage.k8s.io"
|
||||||
rules:
|
rules:
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
apiVersions: ["v1", "v1beta1"]
|
apiVersions: ["v1", "v1beta1"]
|
||||||
operations: ["CREATE", "UPDATE"]
|
operations: ["CREATE", "UPDATE"]
|
||||||
resources: ["volumesnapshots", "volumesnapshotcontents"]
|
resources: ["volumesnapshots", "volumesnapshotcontents"]
|
||||||
scope: "*"
|
scope: "*"
|
||||||
clientConfig:
|
clientConfig:
|
||||||
service:
|
service:
|
||||||
namespace: "kube-system"
|
namespace: "kube-system"
|
||||||
name: "snapshot-validation-service"
|
name: "snapshot-validation-service"
|
||||||
path: "/volumesnapshot"
|
path: "/volumesnapshot"
|
||||||
# XXX Uncomment and populate the CA bundle field accordingly if a dedicated
|
admissionReviewVersions: ["v1", "v1beta1"]
|
||||||
# CA is to be used.
|
sideEffects: None
|
||||||
# caBundle: ${CA_BUNDLE}
|
failurePolicy: Fail
|
||||||
admissionReviewVersions: ["v1", "v1beta1"]
|
timeoutSeconds: 5
|
||||||
sideEffects: None
|
|
||||||
failurePolicy: Fail
|
|
||||||
timeoutSeconds: 5
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
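Review bot: `cert-manager.io/inject-ca-from: default/snapshot-validation` hard-codes the `default` namespace while the Service it fronts lives in `kube-system` (`clientConfig.service.namespace`); the value only becomes correct because a `replacements` entry in the `@ -4,5 +4,30 @@` hunk rewrites the namespace segment at build time, and nothing on the line says so. Applied on its own, the file yields a webhook whose `caBundle` is never injected, and with `failurePolicy: Fail` every VolumeSnapshot CREATE/UPDATE is then rejected, so a comment above the annotation is worth adding: `# namespace segment is rewritten by the kube-system kustomization's replacements; cert-manager's ca-injector fills caBundle from that Certificate's secret`. Keeping `Fail` is the right choice for a validating webhook, but the ordering dependency (cert-manager and the Certificate must exist before this config is applied) should be stated next to it. The document's `apiVersion` line is outside the hunk.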
@ -63,21 +62,20 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
serviceAccountName: snapshot-validation
|
serviceAccountName: snapshot-validation
|
||||||
containers:
|
containers:
|
||||||
- name: snapshot-validation
|
- name: snapshot-validation
|
||||||
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
|
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
|
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 443
|
- containerPort: 443
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: snapshot-validation-webhook-certs
|
|
||||||
mountPath: /etc/snapshot-validation-webhook/certs
|
|
||||||
readOnly: true
|
|
||||||
volumes:
|
|
||||||
- name: snapshot-validation-webhook-certs
|
- name: snapshot-validation-webhook-certs
|
||||||
secret:
|
mountPath: /etc/snapshot-validation-webhook/certs
|
||||||
# XXX Populate the secret properly with a certificate and key
|
readOnly: true
|
||||||
secretName: snapshot-validation-secret
|
volumes:
|
||||||
|
- name: snapshot-validation-webhook-certs
|
||||||
|
secret:
|
||||||
|
secretName: snapshot-validation-secret
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
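Review bot: The `args` now assume the `tls.crt`/`tls.key` key layout that cert-manager writes into `snapshot-validation-secret`, and the mount is `readOnly: true`, which is consistent with the Certificate's `secretName`; what the hunk does not address is renewal. cert-manager rotates the secret contents before expiry, and unless the webhook binary re-reads the files on change (I cannot tell from here whether this version does), the pod keeps serving the old certificate until it is restarted. Either confirm the reload behaviour or add a comment on the volume, e.g. `# contents rotated by cert-manager; restart the pod if the webhook does not watch the files`. The Deployment's metadata and replica settings are outside the hunk.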
@ -126,3 +124,25 @@ roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: snapshot-validation
|
name: snapshot-validation
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Issuer
|
||||||
|
metadata:
|
||||||
|
name: selfsigned-issuer
|
||||||
|
spec:
|
||||||
|
selfSigned: {}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: snapshot-validation
|
||||||
|
spec:
|
||||||
|
dnsNames:
|
||||||
|
- snapshot-validation-service
|
||||||
|
- snapshot-validation-service.default.svc
|
||||||
|
issuerRef:
|
||||||
|
kind: Issuer
|
||||||
|
name: selfsigned-issuer
|
||||||
|
secretName: snapshot-validation-secret
|
|
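Review bot: The `Certificate` sets no `privateKey.rotationPolicy`, and cert-manager has historically defaulted this to `Never`, which reuses the same private key on every renewal; for a serving certificate mounted into a pod, `privateKey:` / `  rotationPolicy: Always` under `spec` is the safer setting so each renewal also rotates the key. The `dnsNames` entry `snapshot-validation-service.default.svc` is likewise a placeholder that the `@ -4,5 +4,30 @@` replacements rewrite by list position (`spec.dnsNames.1`), so the `.default.` literal is wrong whenever this manifest is applied without that kustomization or the list is reordered; a short comment on that entry (`# namespace segment rewritten by kustomize replacements; keep this entry at index 1`) would prevent a silent SAN mismatch. The preceding `ClusterRoleBinding` starts outside the hunk.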
@ -4,5 +4,30 @@ namespace: kube-system
|
||||||
resources:
|
resources:
|
||||||
- cloud-controller-manager
|
- cloud-controller-manager
|
||||||
- csi-driver
|
- csi-driver
|
||||||
|
- csi-driver/webhook
|
||||||
generators:
|
generators:
|
||||||
- secret-generator.yaml
|
- secret-generator.yaml
|
||||||
|
replacements:
|
||||||
|
- source:
|
||||||
|
kind: Certificate
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
targets:
|
||||||
|
- select:
|
||||||
|
kind: ValidatingWebhookConfiguration
|
||||||
|
fieldPaths:
|
||||||
|
- metadata.annotations.[cert-manager.io/inject-ca-from]
|
||||||
|
options:
|
||||||
|
delimiter: /
|
||||||
|
- source:
|
||||||
|
kind: Service
|
||||||
|
fieldPath: metadata.namespace
|
||||||
|
name: snapshot-validation-service
|
||||||
|
targets:
|
||||||
|
- select:
|
||||||
|
kind: Certificate
|
||||||
|
name: snapshot-validation
|
||||||
|
fieldPaths:
|
||||||
|
- spec.dnsNames.1
|
||||||
|
options:
|
||||||
|
delimiter: .
|
||||||
|
index: 1
|
||||||
|
|
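Review bot: The first replacement's `source` selects `kind: Certificate` with no `name`, so it only works while exactly one Certificate exists across this kustomization's resources; kustomize rejects a source that matches more than one resource, so pin it with `name: snapshot-validation` as the second replacement already does. The second replacement writes into `spec.dnsNames.1` by list position with `delimiter: .` and `index: 1`, which silently produces the wrong SAN if the Certificate's `dnsNames` are reordered; a comment above it stating the contract, e.g. `# rewrites the namespace segment of the <svc>.<ns>.svc SAN; dnsNames order matters`, would help. The kustomization's first three lines are outside the hunk.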