fp: rancher-webhook 103.0.13+up0.4.14
1 parent
64eab9c
commit 3fe7871
Showing
15 changed files
with
331 additions
and
0 deletions.
Binary file not shown.
@@ -0,0 +1,14 @@ | ||
annotations: | ||
catalog.cattle.io/certified: rancher | ||
catalog.cattle.io/hidden: "true" | ||
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' | ||
catalog.cattle.io/namespace: cattle-system | ||
catalog.cattle.io/os: linux | ||
catalog.cattle.io/permits-os: linux,windows | ||
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' | ||
catalog.cattle.io/release-name: rancher-webhook | ||
apiVersion: v2 | ||
appVersion: 0.4.14 | ||
description: ValidatingAdmissionWebhook for Rancher types | ||
name: rancher-webhook | ||
version: 103.0.13+up0.4.14 |
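--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rancher-webhook.labels" -}}
+app: rancher-webhook
+{{- end }}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+value: "linux"
+effect: "NoSchedule"
+operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}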
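--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/deployment.yaml
@@ -0,0 +1,82 @@
+{{- $auth := .Values.auth | default dict }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: rancher-webhook
+spec:
+selector:
+matchLabels:
+app: rancher-webhook
+template:
+metadata:
+labels:
+app: rancher-webhook
+spec:
+{{- if $auth.clientCA }}
+volumes:
+- name: client-ca
+secret:
+secretName: client-ca
+{{- end }}
+{{- if .Values.global.hostNetwork }}
+hostNetwork: true
+{{- end }}
+nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+{{- end }}
+containers:
+- env:
+- name: STAMP
+value: "{{.Values.stamp}}"
+- name: ENABLE_MCM
+value: "{{.Values.mcm.enabled}}"
+- name: CATTLE_PORT
+value: {{.Values.port | default 9443 | quote}}
+- name: NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+{{- if $auth.allowedCNs }}
+- name: ALLOWED_CNS
+value: '{{ join "," $auth.allowedCNs }}'
+{{- end }}
+image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+name: rancher-webhook
+imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ports:
+- name: https
+containerPort: {{ .Values.port | default 9443 }}
+startupProbe:
+httpGet:
+path: "/healthz"
+port: "https"
+scheme: "HTTPS"
+failureThreshold: 60
+periodSeconds: 5
+livenessProbe:
+httpGet:
+path: "/healthz"
+port: "https"
+scheme: "HTTPS"
+periodSeconds: 5
+{{- if $auth.clientCA }}
+volumeMounts:
+- name: client-ca
+mountPath: /tmp/k8s-webhook-server/client-ca
+readOnly: true
+{{- end }}
+{{- if .Values.capNetBindService }}
+securityContext:
+capabilities:
+add:
+- NET_BIND_SERVICE
+{{- end }}
+serviceAccountName: rancher-webhook
+{{- if .Values.priorityClassName }}
+priorityClassName: "{{.Values.priorityClassName}}"
+{{- end }}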
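Review bot: The container only receives a `securityContext` when `capNetBindService` is set, and then only to add `NET_BIND_SERVICE` (the `{{- if .Values.capNetBindService }}` block just before `serviceAccountName`); there is no `allowPrivilegeEscalation: false`, no `capabilities.drop`, no `runAsNonRoot`, and no `resources` block anywhere in the pod spec. A baseline context that always drops all capabilities and conditionally adds the one the option needs keeps the existing knob working while tightening the default; `runAsNonRoot: true` belongs there too if the image runs unprivileged, which cannot be determined from the chart. The `should not set capabilities by default.` case in tests/deployment_test.yaml asserts `securityContext` is null and would need to be updated to match.
```yaml
        # … unchanged: volumeMounts block …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
            {{- if .Values.capNetBindService }}
            add:
              - NET_BIND_SERVICE
            {{- end }}
```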
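--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/rbac.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: rancher-webhook
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: cluster-admin
+subjects:
+- kind: ServiceAccount
+name: rancher-webhook
+namespace: {{.Release.Namespace}}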
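Review bot: The binding grants `cluster-admin` to the rancher-webhook ServiceAccount (`name: cluster-admin` under `roleRef`), the widest privilege the cluster offers, and nothing in the chart records why a narrower ClusterRole would not do; whether the webhook genuinely needs it is not visible from these templates. If it does, for example because it manages its own admission configurations and validates arbitrary Rancher types, state that above `roleRef:` so the next reviewer does not have to rediscover it, e.g. `# cluster-admin: the webhook manages its own webhook configurations and validates arbitrary Rancher types; narrow once a dedicated ClusterRole exists`.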
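--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/secret.yaml
@@ -0,0 +1,11 @@
+{{- $auth := .Values.auth | default dict }}
+{{- if $auth.clientCA }}
+apiVersion: v1
+data:
+ca.crt: {{ $auth.clientCA }}
+kind: Secret
+metadata:
+name: client-ca
+namespace: cattle-system
+type: Opaque
+{{- end }}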
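Review bot: `namespace: cattle-system` is hard-coded here while rbac.yaml places the ServiceAccount subject in `{{.Release.Namespace}}` and deployment.yaml sets no namespace at all, so a release installed into any other namespace would produce a Deployment whose `secretName: client-ca` volume cannot resolve and a Service that does not select its pods; service.yaml hard-codes the same value. The Chart.yaml annotation `catalog.cattle.io/namespace: cattle-system` suggests the Rancher catalog always installs there, so this may be deliberate, but the templates should then agree: either `namespace: {{ .Release.Namespace }}` in both files or a comment stating the constraint. Separately, `ca.crt: {{ $auth.clientCA }}` emits the CA as a plain scalar, so a value that happens to be all digits would be retyped by the YAML parser rather than kept as a string; `ca.crt: {{ $auth.clientCA | quote }}` avoids that.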
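--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/service.yaml
@@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+name: rancher-webhook
+namespace: cattle-system
+spec:
+ports:
+- port: 443
+targetPort: {{ .Values.port | default 9443 }}
+protocol: TCP
+name: https
+selector:
+app: rancher-webhook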
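--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/serviceaccount.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: rancher-webhook-sudo
+annotations:
+cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"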
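Review bot: The `rancher-webhook-sudo` ServiceAccount exists only to be impersonated to skip validation, as its `cattle.io/description` annotation says, yet nothing in the chart constrains it: no binding references it and no comment records who is expected to hold impersonation rights on it. Presumably the webhook process recognizes this account by name and the whole control rests on cluster RBAC for the `impersonate` verb, which is not visible from the chart, so that assumption should be written down where the account is defined. A template comment above the second document would do, e.g. `# Bypass account: the webhook skips validation for requests impersonating this SA. Grant it no permissions of its own and keep impersonation rights on it restricted to cluster administrators.`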
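--- a/charts/rancher-webhook/103.0.13+up0.4.14/templates/webhook.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/templates/webhook.yaml
@@ -0,0 +1,9 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: rancher.cattle.io
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+name: rancher.cattle.io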
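Review bot: Both the ValidatingWebhookConfiguration and the MutatingWebhookConfiguration are emitted with no `webhooks:` list, so as rendered they register nothing; presumably the running webhook populates them itself (which the `cluster-admin` binding in rbac.yaml would permit), but a reader of the chart cannot tell an intentional stub from a broken template. Add a comment at the top of the file such as `# Stub configurations: the rancher-webhook process fills in the webhooks list at runtime; do not add rules here.` so the empty objects are not "fixed" by a later maintainer.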
@@ -0,0 +1,16 @@ | ||
|
||
## local dev testing instructions | ||
|
||
Option 1: Full chart CI run with a live cluster | ||
|
||
```bash | ||
./scripts/charts/ci | ||
``` | ||
|
||
Option 2: Test runs against the chart only | ||
|
||
```bash | ||
# install the helm plugin first - helm plugin install https://github.com/helm-unittest/helm-unittest.git | ||
bash dev-scripts/helm-unittest.sh | ||
``` | ||
|
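--- a/charts/rancher-webhook/103.0.13+up0.4.14/tests/deployment_test.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/tests/deployment_test.yaml
@@ -0,0 +1,73 @@
+suite: Test Deployment
+templates:
+- deployment.yaml
+
+tests:
+- it: should set webhook default port values
+asserts:
+- equal:
+path: spec.template.spec.containers[0].ports[0].containerPort
+value: 9443
+- contains:
+path: spec.template.spec.containers[0].env
+content:
+name: CATTLE_PORT
+value: "9443"
+
+- it: should set updated webhook port
+set:
+port: 2319
+asserts:
+- equal:
+path: spec.template.spec.containers[0].ports[0].containerPort
+value: 2319
+- contains:
+path: spec.template.spec.containers[0].env
+content:
+name: CATTLE_PORT
+value: "2319"
+
+- it: should not set capabilities by default.
+asserts:
+- isNull:
+path: spec.template.spec.containers[0].securityContext
+
+- it: should set net capabilities when capNetBindService is true.
+set:
+capNetBindService: true
+asserts:
+- contains:
+path: spec.template.spec.containers[0].securityContext.capabilities.add
+content: NET_BIND_SERVICE
+
+- it: should not set volumes or volumeMounts by default
+asserts:
+- isNull:
+path: spec.template.spec.volumes
+- isNull:
+path: spec.template.spec.volumeMounts
+
+- it: should set CA fields when CA options are set
+set:
+auth.clientCA: base64-encoded-cert
+auth.allowedCNs:
+- kube-apiserver
+- joe
+asserts:
+- contains:
+path: spec.template.spec.volumes
+content:
+name: client-ca
+secret:
+secretName: client-ca
+- contains:
+path: spec.template.spec.containers[0].volumeMounts
+content:
+name: client-ca
+mountPath: /tmp/k8s-webhook-server/client-ca
+readOnly: true
+- contains:
+path: spec.template.spec.containers[0].env
+content:
+name: ALLOWED_CNS
+value: kube-apiserver,joe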
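--- a/charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml
+++ b/charts/rancher-webhook/103.0.13+up0.4.14/tests/service_test.yaml
@@ -0,0 +1,18 @@
+suite: Test Service
+templates:
+- service.yaml
+
+tests:
+- it: should set webhook default port values
+asserts:
+- equal:
+path: spec.ports[0].targetPort
+value: 9443
+
+- it: should set updated target port
+set:
+port: 2319
+asserts:
+- equal:
+path: spec.ports[0].targetPort
+value: 2319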
@@ -0,0 +1,30 @@ | ||
image: | ||
repository: rancher/rancher-webhook | ||
tag: v0.4.14 | ||
imagePullPolicy: IfNotPresent | ||
|
||
global: | ||
cattle: | ||
systemDefaultRegistry: "" | ||
hostNetwork: false | ||
|
||
mcm: | ||
enabled: true | ||
|
||
# tolerations for the webhook deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info | ||
tolerations: [] | ||
nodeSelector: {} | ||
|
||
## PriorityClassName assigned to deployment. | ||
priorityClassName: "" | ||
|
||
# port assigns which port to use when running rancher-webhook | ||
port: 9443 | ||
|
||
# Parameters for authenticating the kube-apiserver. | ||
auth: | ||
# CA for authenticating kube-apiserver client certs. If empty, client connections will not be authenticated. | ||
# Must be base64-encoded. | ||
clientCA: "" | ||
# Allowlist of CNs for kube-apiserver client certs. If empty, any cert signed by the CA provided in clientCA will be accepted. | ||
allowedCNs: [] |