k/digitalocean: add a Certificate for snapshot validation webhook
This commit is contained in:
parent
26c0d26c0c
commit
811bfc4aa3
@ -4,7 +4,6 @@ namespace: digitalocean-csi
|
|||
resources:
|
||||
- driver.yaml
|
||||
- crds.yaml
|
||||
- snapshot-validation-webhook.yaml
|
||||
- snapshot-controller.yaml
|
||||
images:
|
||||
- name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- resources.yaml
|
|
@ -0,0 +1,7 @@
|
|||
nameReference:
|
||||
- kind: Issuer
|
||||
group: cert-manager.io
|
||||
fieldSpecs:
|
||||
- kind: Certificate
|
||||
group: cert-manager.io
|
||||
path: spec/issuerRef/name
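Review bot: A `nameReference` transformer config only takes effect when a kustomization lists it under `configurations:`, and neither the new webhook kustomization.yaml in this commit (which has only `resources: - resources.yaml`) nor the visible part of the parent kustomization references this file; unless that wiring exists outside these hunks, a name prefix or suffix applied to the Issuer will not propagate to `spec.issuerRef.name` and the Certificate will silently point at a non-existent Issuer. The path is also written as `spec/issuerRef/name`, which matches kustomize's slash-separated field-spec syntax, so the entry itself looks right. A header comment such as `# kustomize transformer config: must be listed under configurations: in the consuming kustomization` would make the dependency visible to the next maintainer.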
|
|
@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
|
|||
kind: ValidatingWebhookConfiguration
|
||||
metadata:
|
||||
name: "validation-webhook.snapshot.storage.k8s.io"
|
||||
annotations:
|
||||
cert-manager.io/inject-ca-from: default/snapshot-validation
|
||||
webhooks:
|
||||
- name: "validation-webhook.snapshot.storage.k8s.io"
|
||||
rules:
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
apiVersions: ["v1", "v1beta1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources: ["volumesnapshots", "volumesnapshotcontents"]
|
||||
scope: "*"
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: "kube-system"
|
||||
name: "snapshot-validation-service"
|
||||
path: "/volumesnapshot"
|
||||
# XXX Uncomment and populate the CA bundle field accordingly if a dedicated
|
||||
# CA is to be used.
|
||||
# caBundle: ${CA_BUNDLE}
|
||||
admissionReviewVersions: ["v1", "v1beta1"]
|
||||
sideEffects: None
|
||||
failurePolicy: Fail
|
||||
timeoutSeconds: 5
|
||||
- name: "validation-webhook.snapshot.storage.k8s.io"
|
||||
rules:
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
apiVersions: ["v1", "v1beta1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources: ["volumesnapshots", "volumesnapshotcontents"]
|
||||
scope: "*"
|
||||
clientConfig:
|
||||
service:
|
||||
namespace: "kube-system"
|
||||
name: "snapshot-validation-service"
|
||||
path: "/volumesnapshot"
|
||||
admissionReviewVersions: ["v1", "v1beta1"]
|
||||
sideEffects: None
|
||||
failurePolicy: Fail
|
||||
timeoutSeconds: 5
|
||||
|
||||
---
|
||||
|
||||
|
@ -63,21 +62,20 @@ spec:
|
|||
spec:
|
||||
serviceAccountName: snapshot-validation
|
||||
containers:
|
||||
- name: snapshot-validation
|
||||
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
|
||||
ports:
|
||||
- containerPort: 443
|
||||
volumeMounts:
|
||||
- name: snapshot-validation-webhook-certs
|
||||
mountPath: /etc/snapshot-validation-webhook/certs
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: snapshot-validation
|
||||
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
|
||||
ports:
|
||||
- containerPort: 443
|
||||
volumeMounts:
|
||||
- name: snapshot-validation-webhook-certs
|
||||
secret:
|
||||
# XXX Populate the secret properly with a certificate and key
|
||||
secretName: snapshot-validation-secret
|
||||
mountPath: /etc/snapshot-validation-webhook/certs
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: snapshot-validation-webhook-certs
|
||||
secret:
|
||||
secretName: snapshot-validation-secret
|
||||
|
||||
---
|
||||
|
||||
|
@ -126,3 +124,25 @@ roleRef:
|
|||
kind: ClusterRole
|
||||
name: snapshot-validation
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: selfsigned-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: snapshot-validation
|
||||
spec:
|
||||
dnsNames:
|
||||
- snapshot-validation-service
|
||||
- snapshot-validation-service.default.svc
|
||||
issuerRef:
|
||||
kind: Issuer
|
||||
name: selfsigned-issuer
|
||||
secretName: snapshot-validation-secret
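Review bot: The serving certificate is issued straight from the selfSigned Issuer, so as far as I can tell the leaf certificate is its own trust anchor: every renewal changes the CA that cainjector has to re-inject into the ValidatingWebhookConfiguration, and the pod must pick up the new `tls.crt`/`tls.key` at the same moment, or calls start failing under `failurePolicy: Fail`. The more robust cert-manager layout is a self-signed root Certificate feeding a CA Issuer that issues the serving cert, so leaf renewals do not move the trust anchor; worth confirming which behaviour is intended before this ships. The Certificate spec also leaves `duration`, `renewBefore` and `privateKey.rotationPolicy` at their defaults; `privateKey: {rotationPolicy: Always}` avoids reusing the old private key on renewal. Finally, `default` in `snapshot-validation-service.default.svc` and in the `inject-ca-from` annotation are placeholders that only the parent kustomization's replacements correct, so a comment like `# placeholder namespace, rewritten by the replacements in the parent kustomization` would stop this overlay being applied standalone.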
|
|
@ -4,5 +4,30 @@ namespace: kube-system
|
|||
resources:
|
||||
- cloud-controller-manager
|
||||
- csi-driver
|
||||
- csi-driver/webhook
|
||||
generators:
|
||||
- secret-generator.yaml
|
||||
replacements:
|
||||
- source:
|
||||
kind: Certificate
|
||||
fieldPath: metadata.namespace
|
||||
targets:
|
||||
- select:
|
||||
kind: ValidatingWebhookConfiguration
|
||||
fieldPaths:
|
||||
- metadata.annotations.[cert-manager.io/inject-ca-from]
|
||||
options:
|
||||
delimiter: /
|
||||
- source:
|
||||
kind: Service
|
||||
fieldPath: metadata.namespace
|
||||
name: snapshot-validation-service
|
||||
targets:
|
||||
- select:
|
||||
kind: Certificate
|
||||
name: snapshot-validation
|
||||
fieldPaths:
|
||||
- spec.dnsNames.1
|
||||
options:
|
||||
delimiter: .
|
||||
index: 1
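Review bot: The first replacement selects its source with `kind: Certificate` and no `name`, while the second source pins `name: snapshot-validation-service`; if a second Certificate ever lands in this build, kustomize rejects the build with a multiple-match error, so add `name: snapshot-validation` to the first source for consistency with the Service selector and the Certificate target. The `spec.dnsNames.1` target with `delimiter: .` and `index: 1` also depends on the position of the entry and on the namespace being exactly the second dot-separated field, so reordering the dnsNames list would silently leave the wrong namespace in the certificate SAN and the API server would fail to verify the webhook. A comment above the replacement, e.g. `# rewrites the namespace in snapshot-validation-service.<ns>.svc; keep it at dnsNames[1]`, records that coupling. The same hard-coded `default` placeholders this block corrects live in the webhook resources hunk above.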
|
||||
|
|