k/digitalocean: add a Certificate for snapshot validation webhook

ryan-distrust.co 2023-05-16 03:44:24 -04:00
parent 26c0d26c0c
commit 811bfc4aa3
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
5 changed files with 89 additions and 34 deletions


@ -4,7 +4,6 @@ namespace: digitalocean-csi
resources:
- driver.yaml
- crds.yaml
- snapshot-validation-webhook.yaml
- snapshot-controller.yaml
images:
- name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1
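Review bot: The `images:` override at the end of the hunk still pins `k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1`, while the webhook Deployment in this commit references `registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0` from a separate `csi-driver/webhook` kustomization. If, as the 7→6 line count suggests, `snapshot-validation-webhook.yaml` is the resource dropped here, this image entry no longer matches any resource in this kustomization and silently does nothing. Either remove it or move it next to the webhook kustomization so the webhook version is pinned in one place; `k8s.gcr.io` is also the deprecated registry name. The enclosing kustomization begins above the hunk.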


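--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- resources.yaml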


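--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,7 @@
+nameReference:
+- kind: Issuer
+group: cert-manager.io
+fieldSpecs:
+- kind: Certificate
+group: cert-manager.io
+path: spec/issuerRef/name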


@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: "validation-webhook.snapshot.storage.k8s.io"
annotations:
cert-manager.io/inject-ca-from: default/snapshot-validation
webhooks:
- name: "validation-webhook.snapshot.storage.k8s.io"
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
apiVersions: ["v1", "v1beta1"]
operations: ["CREATE", "UPDATE"]
resources: ["volumesnapshots", "volumesnapshotcontents"]
scope: "*"
clientConfig:
service:
namespace: "kube-system"
name: "snapshot-validation-service"
path: "/volumesnapshot"
# XXX Uncomment and populate the CA bundle field accordingly if a dedicated
# CA is to be used.
# caBundle: ${CA_BUNDLE}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
failurePolicy: Fail
timeoutSeconds: 5
- name: "validation-webhook.snapshot.storage.k8s.io"
rules:
- apiGroups: ["snapshot.storage.k8s.io"]
apiVersions: ["v1", "v1beta1"]
operations: ["CREATE", "UPDATE"]
resources: ["volumesnapshots", "volumesnapshotcontents"]
scope: "*"
clientConfig:
service:
namespace: "kube-system"
name: "snapshot-validation-service"
path: "/volumesnapshot"
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
failurePolicy: Fail
timeoutSeconds: 5
---
@ -63,21 +62,20 @@ spec:
spec:
serviceAccountName: snapshot-validation
containers:
- name: snapshot-validation
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
imagePullPolicy: IfNotPresent
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
ports:
- containerPort: 443
volumeMounts:
- name: snapshot-validation-webhook-certs
mountPath: /etc/snapshot-validation-webhook/certs
readOnly: true
volumes:
- name: snapshot-validation
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
imagePullPolicy: IfNotPresent
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
ports:
- containerPort: 443
volumeMounts:
- name: snapshot-validation-webhook-certs
secret:
# XXX Populate the secret properly with a certificate and key
secretName: snapshot-validation-secret
mountPath: /etc/snapshot-validation-webhook/certs
readOnly: true
volumes:
- name: snapshot-validation-webhook-certs
secret:
secretName: snapshot-validation-secret
---
@ -126,3 +124,25 @@ roleRef:
kind: ClusterRole
name: snapshot-validation
apiGroup: rbac.authorization.k8s.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: snapshot-validation
spec:
dnsNames:
- snapshot-validation-service
- snapshot-validation-service.default.svc
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: snapshot-validation-secret
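Review bot: The Certificate added in the third hunk keeps the same private key across every renewal, because cert-manager's default `privateKey.rotationPolicy` is `Never`; for a webhook serving certificate backed by a self-signed Issuer, add `privateKey:` / `  rotationPolicy: Always` under `spec` so each renewal also rotates the key stored in `snapshot-validation-secret`. The `.default.svc` entry at `dnsNames[1]` and the `default/` prefix in the `cert-manager.io/inject-ca-from` annotation in the first hunk only work because the parent kustomization's replacements rewrite that namespace segment to `kube-system`; a comment such as `# namespace segment is rewritten by the replacements in the parent kustomization` beside each of them would make that dependency visible to the next editor. The Deployment and the ValidatingWebhookConfiguration both start above their hunks.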


@ -4,5 +4,30 @@ namespace: kube-system
resources:
- cloud-controller-manager
- csi-driver
- csi-driver/webhook
generators:
- secret-generator.yaml
replacements:
- source:
kind: Certificate
fieldPath: metadata.namespace
targets:
- select:
kind: ValidatingWebhookConfiguration
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from]
options:
delimiter: /
- source:
kind: Service
fieldPath: metadata.namespace
name: snapshot-validation-service
targets:
- select:
kind: Certificate
name: snapshot-validation
fieldPaths:
- spec.dnsNames.1
options:
delimiter: .
index: 1
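Review bot: The first replacement's source selects `kind: Certificate` with no `name`, so it resolves only while exactly one cert-manager Certificate exists in the build; a second Certificate added anywhere under `resources` makes the source ambiguous and fails the build. Add `name: snapshot-validation` beside `kind: Certificate` in that source, matching the selector the second replacement already uses for its target. The second replacement patches only the namespace segment of `spec.dnsNames.1` by splitting on `.` at index 1, so it becomes a no-op or rewrites the wrong token if that dnsNames entry is reordered or reshaped; a comment such as `# rewrites the ".default." segment of snapshot-validation-service.default.svc to the Service namespace` beside the target would document the coupling. The enclosing kustomization starts above the hunk.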