k/digitalocean: add a Certificate for snapshot validation webhook

ryan-distrust.co 2023-05-16 03:44:24 -04:00
parent 26c0d26c0c
commit 811bfc4aa3
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
5 changed files with 89 additions and 34 deletions

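--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -4,7 +4,6 @@ namespace: digitalocean-csi
 resources:
 - driver.yaml
 - crds.yaml
-- snapshot-validation-webhook.yaml
 - snapshot-controller.yaml
 images:
 - name: k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1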
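Review bot: The `images:` entry for `k8s.gcr.io/sig-storage/snapshot-validation-webhook:v6.0.1` on the last context line is left behind although the resource it targeted, `snapshot-validation-webhook.yaml`, is removed from this kustomization; the webhook Deployment now lives under `csi-driver/webhook` and is built from the parent kustomization, so this override presumably no longer matches anything in this build. Its `newName`/`newTag` continuation, if any, is outside the hunk, so I cannot tell whether it was meant to pin the tag the Deployment uses (`registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0`). Either drop the entry or move it next to the webhook so the pin keeps applying.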

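--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- resources.yaml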

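--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,7 @@
+nameReference:
+- kind: Issuer
+group: cert-manager.io
+fieldSpecs:
+- kind: Certificate
+group: cert-manager.io
+path: spec/issuerRef/name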
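Review bot: This nameReference configuration is not loaded by the new `csi-driver/webhook` kustomization, which lists only `resources.yaml`, nor by the visible part of the parent kustomization; unless a `configurations:` entry outside the shown hunks references it, a namePrefix/nameSuffix applied to the Issuer would leave `spec.issuerRef.name` pointing at the unrenamed `selfsigned-issuer` and the Certificate would never issue. If it is wired in elsewhere, a header comment naming the consumer would help: `# kustomize transformer config: keeps Certificate.spec.issuerRef.name in sync when the Issuer is renamed`.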


@ -16,26 +16,25 @@ apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
metadata: metadata:
name: "validation-webhook.snapshot.storage.k8s.io" name: "validation-webhook.snapshot.storage.k8s.io"
annotations:
cert-manager.io/inject-ca-from: default/snapshot-validation
webhooks: webhooks:
- name: "validation-webhook.snapshot.storage.k8s.io" - name: "validation-webhook.snapshot.storage.k8s.io"
rules: rules:
- apiGroups: ["snapshot.storage.k8s.io"] - apiGroups: ["snapshot.storage.k8s.io"]
apiVersions: ["v1", "v1beta1"] apiVersions: ["v1", "v1beta1"]
operations: ["CREATE", "UPDATE"] operations: ["CREATE", "UPDATE"]
resources: ["volumesnapshots", "volumesnapshotcontents"] resources: ["volumesnapshots", "volumesnapshotcontents"]
scope: "*" scope: "*"
clientConfig: clientConfig:
service: service:
namespace: "kube-system" namespace: "kube-system"
name: "snapshot-validation-service" name: "snapshot-validation-service"
path: "/volumesnapshot" path: "/volumesnapshot"
# XXX Uncomment and populate the CA bundle field accordingly if a dedicated admissionReviewVersions: ["v1", "v1beta1"]
# CA is to be used. sideEffects: None
# caBundle: ${CA_BUNDLE} failurePolicy: Fail
admissionReviewVersions: ["v1", "v1beta1"] timeoutSeconds: 5
sideEffects: None
failurePolicy: Fail
timeoutSeconds: 5
--- ---
@ -63,21 +62,20 @@ spec:
spec: spec:
serviceAccountName: snapshot-validation serviceAccountName: snapshot-validation
containers: containers:
- name: snapshot-validation - name: snapshot-validation
image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0 image: registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.1.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem'] args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key']
ports: ports:
- containerPort: 443 - containerPort: 443
volumeMounts: volumeMounts:
- name: snapshot-validation-webhook-certs
mountPath: /etc/snapshot-validation-webhook/certs
readOnly: true
volumes:
- name: snapshot-validation-webhook-certs - name: snapshot-validation-webhook-certs
secret: mountPath: /etc/snapshot-validation-webhook/certs
# XXX Populate the secret properly with a certificate and key readOnly: true
secretName: snapshot-validation-secret volumes:
- name: snapshot-validation-webhook-certs
secret:
secretName: snapshot-validation-secret
--- ---
@ -126,3 +124,25 @@ roleRef:
kind: ClusterRole kind: ClusterRole
name: snapshot-validation name: snapshot-validation
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: snapshot-validation
spec:
dnsNames:
- snapshot-validation-service
- snapshot-validation-service.default.svc
issuerRef:
kind: Issuer
name: selfsigned-issuer
secretName: snapshot-validation-secret
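Review bot: The namespace `default` hard-coded in `cert-manager.io/inject-ca-from: default/snapshot-validation` and in the dnsName `snapshot-validation-service.default.svc` is only corrected by `replacements` in the parent kustomization, while the neighbouring `clientConfig.service.namespace` in the same file says `kube-system`; building this directory on its own would inject a CA from a Certificate that does not exist, and with `failurePolicy: Fail` every VolumeSnapshot create/update would then be rejected. A comment on both lines would save the next reader the trip: `# placeholder namespace; rewritten by the parent kustomization's replacements`. On the Certificate, consider adding `privateKey:` / `rotationPolicy: Always` so renewals rotate the key instead of reusing it, and an explicit `duration`/`renewBefore` so the rotation cadence is visible in the manifest. The Deployment's volumeMounts/volumes hunk cannot be matched line by line from the rendered view, so I have not reviewed that part.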

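--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -4,5 +4,30 @@ namespace: kube-system
 resources:
 - cloud-controller-manager
 - csi-driver
+- csi-driver/webhook
 generators:
 - secret-generator.yaml
+replacements:
+- source:
+kind: Certificate
+fieldPath: metadata.namespace
+targets:
+- select:
+kind: ValidatingWebhookConfiguration
+fieldPaths:
+- metadata.annotations.[cert-manager.io/inject-ca-from]
+options:
+delimiter: /
+- source:
+kind: Service
+fieldPath: metadata.namespace
+name: snapshot-validation-service
+targets:
+- select:
+kind: Certificate
+name: snapshot-validation
+fieldPaths:
+- spec.dnsNames.1
+options:
+delimiter: .
+index: 1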
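Review bot: The first replacement's `source` selects `kind: Certificate` with no `name`, unlike the second replacement which names both its source Service and its target Certificate; if another Certificate ever enters this build, kustomize should reject the ambiguous source and the webhook's CA injection would stop being patched, so pin it with `name: snapshot-validation` under the first `source:`. The second target, `spec.dnsNames.1` with `delimiter: .` and `index: 1`, is positional on both the list and the dotted name, so a reordered dnsNames list or a differently shaped entry would silently leave `default` in place; a comment such as `# rewrites the namespace segment of snapshot-validation-service.<ns>.svc` next to it would make that coupling visible.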