diff --git a/assets/index.yaml b/assets/index.yaml
index 9473b0975..f854a516d 100644
--- a/assets/index.yaml
+++ b/assets/index.yaml
@@ -793,88 +793,6 @@ entries: urls: - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz version: 1.0.100 - rancher-externalip-webhook: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: External IP Webhook - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: rancher-externalip-webhook - catalog.cattle.io/ui-component: rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.4 - created: "2020-12-08T22:05:21.819947668Z" - description: | - Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 - digest: abc86966d4a49e37ea0a7e90f38bc267a73cb9fc3a9ce96e407bae760eb9af95 - home: https://github.com/rancher/externalip-webhook - keywords: - - cve - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: rawmind0 - name: rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz - version: 0.1.400 - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: External IP Webhook - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: rancher-externalip-webhook - catalog.cattle.io/ui-component: rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.3 - created: "2020-12-08T14:39:13.286645836Z" - description: | - Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 - digest: d722d79154bb56c1366dafcecc969cb5ef3da714444eff37631b28886d13e027 - home: https://github.com/rancher/externalip-webhook - keywords: - - cve - - embargo - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: rawmind0 - name: rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.300.tgz - version: 0.1.300 - - annotations: - 
catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: Externalip webhook - catalog.cattle.io/hidden: "true" - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.1 - created: "2020-12-08T02:12:59.751279501Z" - description: | - Deploy rancher-externalip-webhook to mitigate k8s CVE-2020-8554 - digest: 4b0ef8f0d9cfeec170e3b1a06984152d4ac4ebc4b8c4326e1613bed314d99ddc - home: https://github.com/rancher/externalip-webhook - keywords: - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: Raul Sanchez - name: rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.100.tgz - version: 0.1.100 rancher-gatekeeper: - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match 
@@ -2272,32 +2190,4 @@ entries: urls: - assets/rio/rio-0.8.000.tgz version: 0.8.000 - vue-rancher-externalip-webhook: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: External IP Webhook - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: vue-rancher-externalip-webhook - catalog.cattle.io/ui-component: vue-rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.4 - created: "2020-12-08T23:25:12.849262513Z" - description: | - Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 - digest: 51dff54b84f92ce75fef00baf8da86a635b71f92abdd7bfb01cba7169b4153e8 - home: https://github.com/rancher/externalip-webhook - keywords: - - cve - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: rawmind0 - name: vue-rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/vue-rancher-externalip-webhook-0.1.401.tgz - version: 0.1.401 generated: "2020-12-08T23:25:12.847895211Z" diff --git a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.100.tgz b/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.100.tgz deleted file mode 100644 index 72050c904..000000000 Binary files a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.100.tgz and /dev/null differ diff --git a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.300.tgz b/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.300.tgz deleted file mode 100644 index b418f6f6f..000000000 Binary files a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.300.tgz and /dev/null differ 
diff --git a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz b/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz
deleted file mode 100644
index 903c5d654..000000000
Binary files a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz and /dev/null differ
diff --git a/assets/rancher-externalip-webhook/vue-rancher-externalip-webhook-0.1.401.tgz b/assets/rancher-externalip-webhook/vue-rancher-externalip-webhook-0.1.401.tgz
deleted file mode 100644
index 742c77c0d..000000000
Binary files a/assets/rancher-externalip-webhook/vue-rancher-externalip-webhook-0.1.401.tgz and /dev/null differ
diff --git a/charts/rancher-externalip-webhook/Chart.yaml b/charts/rancher-externalip-webhook/Chart.yaml
deleted file mode 100644
index ec9be7e1a..000000000
--- a/charts/rancher-externalip-webhook/Chart.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-annotations:
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/display-name: External IP Webhook
- catalog.cattle.io/namespace: cattle-externalip-system
- catalog.cattle.io/release-name: vue-rancher-externalip-webhook
- catalog.cattle.io/ui-component: vue-rancher-externalip-webhook
-apiVersion: v1
-appVersion: v0.1.4
-description: |
- Deploy the externalip-webhook to mitigate k8s CVE-2020-8554
-home: https://github.com/rancher/externalip-webhook
-keywords:
-- cve
-- externalip
-- webhook
-- security
-maintainers:
-- email: raul@rancher.com
- name: rawmind0
-name: vue-rancher-externalip-webhook
-sources:
-- https://github.com/rancher/externalip-webhook
-version: 0.1.401
diff --git a/charts/rancher-externalip-webhook/README.md b/charts/rancher-externalip-webhook/README.md
deleted file mode 100644
index fe3305025..000000000
--- a/charts/rancher-externalip-webhook/README.md
+++ /dev/null
@@ -1,65 +0,0 @@ -# externalip-webhook - -## Chart Details - -This chart will create a deployment of `externalip-webhook` within your Kubernetes Cluster. It's required to mitigate k8s CVE-2020-8554. - -## Installing the Chart - -To install the chart with the release name `rancher-externalip-webhook`: - -```bash -$ helm install rancher-externalip-webhook stable/externalip-webhook --namespace cattle-externalip-system -f values.yaml -``` - -## Configuration - -The following table lists the configurable parameters of the externalip-webhook chart and their default values. - - -| Parameter | Description | Default | -| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | -| `allowedExternalIPCidrs` | Set allowed external IP CIDRs separated by a comma | `""` | -| `certificates.caBundle` | If cert-manager integration is disabled, add here self signed ca.crt in base64 format | `""` | -| `certificates.certManager.enabled` | Enable cert manager integration. 
Cert manager should be already installed at the k8s cluster | `true` | -| `certificates.certManager.version` | Cert manager version to use | `""` | -| `certificates.secretName` | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | `"webhook-server-cert"` | -| `global.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` | -| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` | -| `image.pullSecrets` | Webhook server docker pull secret | `""` | -| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` | -| `image.tag` | Webhook server docker image tag Defaults to | `".Chart.appVersion"` | -| `metrics.enabled` | Enable metrics endpoint | `false` | -| `metrics.port` | Webhook metrics pod port | `8443` | -| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` | -| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` | -| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` | -| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` | -| `metrics.authProxy.image.pullSecrets`| Webhook auth proxy docker pull secrets | `""` | -| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` | -| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker image tag | `"v0.5.0"` | -| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` | -| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` | -| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy wesource cpu reservation | `"100m"` | -| 
`metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `rbac.apiVersion` | Rbac API version to use | `"v1"` | -| `resources.limits.cpu` | Resource cpu limit | `"100m"` | -| `resources.limits.memory` | Resource memory limit | `"30Mi"` | -| `resources.requests.cpu` | Resource cpu reservation | `"100m"` | -| `resources.requests.memory` | Resource memory reservation | `"20Mi"` | -| `service.metricsPort` | Webhook metrics service port | `8443` | -| `service.webhookPort` | Webhook server service port | `443` | -| `serviceAccountName` | Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false | `"default"` | -| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` | -| `webhookPort` | Webhook server pod port | `9443` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. - -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```bash -$ helm install rancher-externalip-webhook stable/externalip-webhook --namespace cattle-externalip-system -f values.yaml -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) diff --git a/charts/rancher-externalip-webhook/app-README.md b/charts/rancher-externalip-webhook/app-README.md deleted file mode 100644 index 38c317119..000000000 --- a/charts/rancher-externalip-webhook/app-README.md +++ /dev/null 
@@ -1,9 +0,0 @@
-# externalip-webhook
-
-This chart was created to mitigate [CVE-2020-8554](https://www.cvedetails.com/cve/CVE-2020-8554/)
-
-External IP Webhook is a validating k8s webhook which prevents services from using random external IPs. Cluster administrators
-can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter.
-The webhook will only allow services which either don’t set external IP, or whose external IPs are within the range specified by the administrator.
-
-For more information, review the Helm README of this chart.
diff --git a/charts/rancher-externalip-webhook/questions.yaml b/charts/rancher-externalip-webhook/questions.yaml
deleted file mode 100644
index 8b0e19040..000000000
--- a/charts/rancher-externalip-webhook/questions.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-questions:
-# allowedExternalIPCidrs
-- variable: allowedExternalIPCidrs
- label: Allowed external IP cidrs
- description: Set allowed external IP CIDRs separated by a comma
- type: string
- group: Configuration
\ No newline at end of file
diff --git a/charts/rancher-externalip-webhook/templates/NOTES.txt b/charts/rancher-externalip-webhook/templates/NOTES.txt
deleted file mode 100644
index 74271bdd5..000000000
--- a/charts/rancher-externalip-webhook/templates/NOTES.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-To verify that externalip-webhook has started, run:
-
- kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "externalip-webhook.name" . }},release={{ .Release.Name }}"
diff --git a/charts/rancher-externalip-webhook/templates/_helpers.tpl b/charts/rancher-externalip-webhook/templates/_helpers.tpl
deleted file mode 100644
index cc8a9a0d3..000000000
--- a/charts/rancher-externalip-webhook/templates/_helpers.tpl
+++ /dev/null
@@ -1,50 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "externalip-webhook.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "externalip-webhook.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if ne $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* Generate basic labels */}} -{{- define "externalip-webhook.labels" }} -app: {{ template "externalip-webhook.name" . }} -heritage: {{.Release.Service }} -release: {{.Release.Name }} -{{- end }} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -kubernetes.io/os: linux -{{- end -}} - -{{- define "system_default_registry" -}} -{{- if .Values.global.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/templates/admissionregistration.yaml b/charts/rancher-externalip-webhook/templates/admissionregistration.yaml deleted file mode 100644 index d8152faa5..000000000 --- a/charts/rancher-externalip-webhook/templates/admissionregistration.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: -{{- if .Values.certificates.certManager.enabled }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "externalip-webhook.fullname" . }}-server-cert -{{- end }} - creationTimestamp: null - name: {{ template "externalip-webhook.fullname" . }}-validating-webhook-configuration -webhooks: -- clientConfig: -{{- if not (.Values.certificates.certManager.enabled) }} - caBundle: {{ .Values.certificates.caBundle }} -{{- end }} - service: - name: {{ template "externalip-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} - path: /validate-service - failurePolicy: Ignore - name: {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - services \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/templates/clusterrole.yaml b/charts/rancher-externalip-webhook/templates/clusterrole.yaml deleted file mode 100644 index 46e18bf00..000000000 --- a/charts/rancher-externalip-webhook/templates/clusterrole.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) -}} -apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} -kind: ClusterRole -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} -kind: ClusterRole -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-metrics-reader -rules: -- nonResourceURLs: - - /metrics - verbs: - - get -{{- end -}} \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/templates/clusterrolebinding.yaml b/charts/rancher-externalip-webhook/templates/clusterrolebinding.yaml deleted file mode 100644 index 2fa40817f..000000000 --- a/charts/rancher-externalip-webhook/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} -kind: ClusterRoleBinding -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-cluster-view -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: -- kind: ServiceAccount - name: {{ template "externalip-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} -{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }} ---- -apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }} -kind: ClusterRoleBinding -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "externalip-webhook.fullname" . }}-proxy-role -subjects: -- kind: ServiceAccount - name: {{ template "externalip-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/templates/deployment.yaml b/charts/rancher-externalip-webhook/templates/deployment.yaml deleted file mode 100644 index c82754deb..000000000 --- a/charts/rancher-externalip-webhook/templates/deployment.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/pod: runtime/default - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.replicas }} - selector: - matchLabels: - app: {{ template "externalip-webhook.name" . }} - template: - metadata: - annotations: - seccomp.security.alpha.kubernetes.io/pod: runtime/default - labels: {{ include "externalip-webhook.labels" . | indent 8 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - spec: - containers: - {{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }} - - name: {{ template "externalip-webhook.fullname" . }}-auth-proxy - args: - - --secure-listen-address=0.0.0.0:{{ .Values.metrics.port }} - - --upstream=http://127.0.0.1:{{ .Values.metrics.authProxy.port }}/ - - --logtostderr=true - - --v=10 - image: {{ template "system_default_registry" . }}{{ .Values.metrics.authProxy.image.repository}}:{{ .Values.metrics.authProxy.image.tag }} - imagePullPolicy: "{{ .Values.metrics.authProxy.image.pullPolicy }}" - ports: - - containerPort: {{ .Values.metrics.port }} - name: webhook-metrics - protocol: TCP - resources: -{{ toYaml .Values.metrics.authProxy.resources | indent 10 }} - readinessProbe: - tcpSocket: - port: webhook-metrics - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: webhook-metrics - initialDelaySeconds: 5 - failureThreshold: 10 - periodSeconds: 30 - {{- end }} - - name: {{ template "externalip-webhook.fullname" . }} - image: {{ template "system_default_registry" . 
}}{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }} - imagePullPolicy: "{{ .Values.image.pullPolicy }}" - command: - - /webhook - args: - - --webhook-port={{ .Values.webhookPort }} - {{- if .Values.allowedExternalIPCidrs }} - - --allowed-external-ip-cidrs={{ .Values.allowedExternalIPCidrs }} - {{- end }} - {{- if .Values.metrics.enabled }} - {{- if .Values.metrics.authProxy.enabled }} - - --metrics-addr=127.0.0.1:{{ .Values.metrics.authProxy.port }} - {{- else }} - - --metrics-addr=0.0.0.0:{{ .Values.metrics.port }} - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.webhookPort }} - name: webhook-server - protocol: TCP - {{- if and (.Values.metrics.enabled) (not (.Values.metrics.authProxy.enabled)) }} - - containerPort: {{ .Values.metrics.port }} - name: webhook-metrics - protocol: TCP - {{- end }} - volumeMounts: - - name: server-cert - mountPath: /tmp/k8s-webhook-server/serving-certs - readOnly: true - resources: -{{ toYaml .Values.resources | indent 10 }} - readinessProbe: - tcpSocket: - port: webhook-server - initialDelaySeconds: 5 - failureThreshold: 10 - periodSeconds: 30 - livenessProbe: - tcpSocket: - port: webhook-server - initialDelaySeconds: 5 - failureThreshold: 10 - periodSeconds: 30 - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} - {{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 6}} - {{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 6 }} - {{- end }} - serviceAccountName: {{ template "externalip-webhook.fullname" . }} - volumes: - - name: server-cert - secret: - defaultMode: 420 - secretName: {{ .Values.certificates.secretName }} diff --git a/charts/rancher-externalip-webhook/templates/issuer.yaml b/charts/rancher-externalip-webhook/templates/issuer.yaml deleted file mode 100644 index ff1c2de10..000000000 
--- a/charts/rancher-externalip-webhook/templates/issuer.yaml
+++ /dev/null
@@ -1,52 +0,0 @@ -{{- if .Values.certificates.certManager.enabled -}} - {{- $certmanagerVer := split "." .Values.certificates.certManager.version -}} - {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }} -apiVersion: cert-manager.io/v1 - {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }} -apiVersion: cert-manager.io/v1beta1 - {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }} -apiVersion: cert-manager.io/v1alpha2 - {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }} -apiVersion: certmanager.k8s.io/v1alpha1 - {{- else }} -# Setting latest version as default -apiVersion: cert-manager.io/v1 - {{- end }} -kind: Certificate -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-server-cert - namespace: {{ .Release.Namespace }} -spec: - dnsNames: - - {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc - - {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ template "externalip-webhook.fullname" . 
}}-issuer - secretName: {{ .Values.certificates.secretName }} ---- - {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }} -apiVersion: cert-manager.io/v1 - {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }} -apiVersion: cert-manager.io/v1beta1 - {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }} -apiVersion: cert-manager.io/v1alpha2 - {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }} -apiVersion: certmanager.k8s.io/v1alpha1 - {{- else }} -# Setting latest version as default -apiVersion: cert-manager.io/v1 - {{- end }} -kind: Issuer -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-issuer - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} -{{- end -}} - - diff --git a/charts/rancher-externalip-webhook/templates/service.yaml b/charts/rancher-externalip-webhook/templates/service.yaml deleted file mode 100644 index 256add3e4..000000000 --- a/charts/rancher-externalip-webhook/templates/service.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: webhook-server - port: {{ .Values.service.webhookPort }} - protocol: TCP - targetPort: {{ .Values.webhookPort }} - selector: - app: {{ template "externalip-webhook.name" . }} - type: "ClusterIP" -{{- if .Values.metrics.enabled }} ---- -apiVersion: v1 -kind: Service -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-metrics-service - namespace: {{ .Release.Namespace }} -spec: - ports: - - name: webhook-metrics - port: {{ .Values.service.metricsPort }} - protocol: TCP - targetPort: {{ .Values.metrics.port }} - selector: - app: {{ template "externalip-webhook.name" . }} - type: "ClusterIP" -{{- end }} \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/templates/serviceaccount.yaml b/charts/rancher-externalip-webhook/templates/serviceaccount.yaml deleted file mode 100644 index 895df4f5b..000000000 --- a/charts/rancher-externalip-webhook/templates/serviceaccount.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }} - namespace: {{ .Release.Namespace }} diff --git a/charts/rancher-externalip-webhook/templates/servicemonitor.yaml b/charts/rancher-externalip-webhook/templates/servicemonitor.yaml deleted file mode 100644 index c481ea31d..000000000 --- a/charts/rancher-externalip-webhook/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if and (.Values.metrics.enabled) (.Values.metrics.prometheusExport) -}} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: {{ include "externalip-webhook.labels" . | indent 4 }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - name: {{ template "externalip-webhook.fullname" . }}-monitor - namespace: {{ .Release.Namespace }} -spec: - endpoints: - - path: /metrics - port: https - selector: - matchLabels: - app: {{ template "externalip-webhook.name" . }} -{{- end }} \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/tests/admissionregistration_test.yaml b/charts/rancher-externalip-webhook/tests/admissionregistration_test.yaml deleted file mode 100644 index 0660aa6e8..000000000 --- a/charts/rancher-externalip-webhook/tests/admissionregistration_test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -suite: Test Admission Registration -templates: -- admissionregistration.yaml -tests: -- it: should render Admission Registration - asserts: - - equal: - path: apiVersion - value: admissionregistration.k8s.io/v1beta1 -- it: should render Admission Registration annotation and not caBundle if certificates.certManager.enabled = true - release: - name: rancher-externalip-webhook - namespace: test - set: - certificates.certManager.enabled: true - asserts: - - equal: - path: metadata.annotations - value: - cert-manager.io/inject-ca-from: test/rancher-externalip-webhook-server-cert - - isNull: - path: webhooks[0].clientConfig.caBundle -- it: should render Admission Registration caBundle and not annotation if certificates.certManager.enabled = false - set: - certificates.caBundle: test - certificates.certManager.enabled: false - asserts: - - equal: - path: webhooks[0].clientConfig.caBundle - value: test - - isNull: - path: metadata.annotations 
diff --git a/charts/rancher-externalip-webhook/tests/clusterrole_test.yaml b/charts/rancher-externalip-webhook/tests/clusterrole_test.yaml deleted file mode 100644 index 9e563807b..000000000 --- a/charts/rancher-externalip-webhook/tests/clusterrole_test.yaml +++ /dev/null @@ -1,37 +0,0 @@ -suite: Test Cluster Roles -templates: -- clusterrole.yaml -tests: -- it: should not render Cluster Roles if metrics.enabled = false or metrics.authProxy.enabled = false - set: - metrics.enabled: false - metrics.authProxy.enabled: false - asserts: - - hasDocuments: - count: 0 - template: clusterrole.yaml -- it: should render Cluster Roles if metrics.enabled = true and metrics.authProxy.enabled = true - set: - metrics.enabled: true - metrics.authProxy.enabled: true - asserts: - - hasDocuments: - count: 2 - template: clusterrole.yaml -- it: should render Cluster Roles with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true - set: - metrics.enabled: true - metrics.authProxy.enabled: true - asserts: - - equal: - path: apiVersion - value: rbac.authorization.k8s.io/v1 -- it: should render Cluster Roles with custom rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true - set: - metrics.enabled: true - metrics.authProxy.enabled: true - rbac.apiVersion: v1beta - asserts: - - equal: - path: apiVersion - value: rbac.authorization.k8s.io/v1beta \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/tests/clusterrolebinding_test.yaml b/charts/rancher-externalip-webhook/tests/clusterrolebinding_test.yaml deleted file mode 100644 index 2129573a3..000000000 --- a/charts/rancher-externalip-webhook/tests/clusterrolebinding_test.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -suite: Test Cluster Role Bindings -templates: -- clusterrolebinding.yaml -tests: -- it: should render Cluster Role Bindings with default rbac api version - set: - rbac.apiVersion: v1 - asserts: - - equal: - path: apiVersion - value: rbac.authorization.k8s.io/v1 -- it: should render Cluster Role Bindings with custom rbac api version - set: - rbac.apiVersion: v1beta - asserts: - - equal: - path: apiVersion - value: rbac.authorization.k8s.io/v1beta -- it: should not render Cluster Role Binding proxy if metrics.enabled = false or metrics.authProxy.enabled = false - set: - metrics.enabled: false - metrics.authProxy.enabled: false - asserts: - - hasDocuments: - count: 1 - template: clusterrolebinding.yaml -- it: should render Cluster Role Bindings proxy if metrics.enabled = true and metrics.authProxy.enabled = true - set: - metrics.enabled: true - metrics.authProxy.enabled: true - asserts: - - hasDocuments: - count: 2 - template: clusterrolebinding.yaml -- it: should render Cluster Role Bindings with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true - set: - metrics.enabled: true - metrics.authProxy.enabled: true - asserts: - - equal: - path: apiVersion - value: rbac.authorization.k8s.io/v1 \ No newline at end of file diff --git a/charts/rancher-externalip-webhook/tests/deployment_test.yaml b/charts/rancher-externalip-webhook/tests/deployment_test.yaml deleted file mode 100644 index 50e3f9ec1..000000000 --- a/charts/rancher-externalip-webhook/tests/deployment_test.yaml +++ /dev/null 
@@ -1,202 +0,0 @@
-suite: Test Deployments
-templates:
-- deployment.yaml
-tests:
-- it: should render Deployment with allowed-external-ip-cidrs arg if allowedExternalIPCidrs is set
- release:
- name: rancher-externalip-webhook
- set:
- allowedExternalIPCidrs: "1,2"
- asserts:
- - equal:
- path: spec.template.spec.containers[0].args[1]
- value: --allowed-external-ip-cidrs=1,2
-- it: should render Deployment with default port, nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
- release:
- name: rancher-externalip-webhook
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 9443
- name: webhook-server
- protocol: TCP
- - equal:
- path: spec.template.spec.tolerations[0]
- value:
- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
- - equal:
- path: spec.template.spec.nodeSelector
- value:
- kubernetes.io/os: linux
-- it: should render Deployment with default port and custom nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false
- release:
- name: rancher-externalip-webhook
- set:
- tolerations:
- - key: "cattle.io/test"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
- nodeSelector:
- kubernetes.io/test: linux
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 9443
- name: webhook-server
- protocol: TCP
- - equal:
- path: spec.template.spec.tolerations[0]
- value:
- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
- - equal:
- path: spec.template.spec.tolerations[1]
- value:
- key: "cattle.io/test"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
- - equal:
- path: spec.template.spec.nodeSelector
- value:
- kubernetes.io/os: linux
- kubernetes.io/test: linux
-- it: should render Deployment with custom port and image if metrics.enabled = false and metrics.authProxy.enabled = false
- release:
- name: rancher-externalip-webhook
- set:
- webhookPort: 9000
- image.repository: test
- image.tag: dev-test
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[0].image
- value: test:dev-test
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 9000
- name: webhook-server
- protocol: TCP
-- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
- release:
- name: rancher-externalip-webhook
- set:
- metrics.enabled: true
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 9443
- name: webhook-server
- protocol: TCP
- - equal:
- path: spec.template.spec.containers[0].ports[1]
- value:
- containerPort: 8443
- name: webhook-metrics
- protocol: TCP
-- it: should render Deployment with custom metrics port if metrics.enabled = true and metrics.authProxy.enabled = false
- release:
- name: rancher-externalip-webhook
- set:
- metrics.enabled: true
- metrics.port: 8000
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 9443
- name: webhook-server
- protocol: TCP
- - equal:
- path: spec.template.spec.containers[0].ports[1]
- value:
- containerPort: 8000
- name: webhook-metrics
- protocol: TCP
-- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = true
- release:
- name: rancher-externalip-webhook
- set:
- metrics.enabled: true
- metrics.authProxy.enabled: true
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook-auth-proxy
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 8443
- name: webhook-metrics
- protocol: TCP
- - equal:
- path: spec.template.spec.containers[1].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[1].ports[0]
- value:
- containerPort: 9443
- name: webhook-server
- protocol: TCP
-- it: should render Deployment with custom metrics port and image if metrics.enabled = true and metrics.authProxy.enabled = true
- release:
- name: rancher-externalip-webhook
- set:
- metrics.enabled: true
- metrics.authProxy.enabled: true
- metrics.port: 8000
- webhookPort: 9000
- image.repository: test
- image.tag: dev-test
- metrics.authProxy.image.repository: auth
- metrics.authProxy.image.tag: auth-test
- asserts:
- - equal:
- path: spec.template.spec.containers[0].name
- value: rancher-externalip-webhook-auth-proxy
- - equal:
- path: spec.template.spec.containers[0].image
- value: auth:auth-test
- - equal:
- path: spec.template.spec.containers[0].ports[0]
- value:
- containerPort: 8000
- name: webhook-metrics
- protocol: TCP
- - equal:
- path: spec.template.spec.containers[1].name
- value: rancher-externalip-webhook
- - equal:
- path: spec.template.spec.containers[1].image
- value: test:dev-test
- - equal:
- path: spec.template.spec.containers[1].ports[0]
- value:
- containerPort: 9000
- name: webhook-server
- protocol: TCP
\ No newline at end of file
diff --git a/charts/rancher-externalip-webhook/tests/issuer_test.yaml b/charts/rancher-externalip-webhook/tests/issuer_test.yaml
deleted file mode 100644
index eeeb660b2..000000000
--- a/charts/rancher-externalip-webhook/tests/issuer_test.yaml
+++ /dev/null
@@ -1,106 +0,0 @@
-suite: Test Issuers
-templates:
-- issuer.yaml
-tests:
-- it: should not render issuer if certificates.certManager.enabled = false
- set:
- certificates.certManager.enabled: false
- asserts:
- - hasDocuments:
- count: 0
- template: issuer.yaml
-- it: should render issuer if certificates.certManager.enabled = true
- set:
- certificates.certManager.enabled: true
- asserts:
- - hasDocuments:
- count: 2
- template: issuer.yaml
-- it: should set issuer apiVersion with default cert-manager
- set:
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager >= 1.0.0 using capabilities
- capabilities:
- apiversions:
- - cert-manager.io/v1
- set:
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager >= 0.16.0 using capabilities
- capabilities:
- apiversions:
- - cert-manager.io/v1beta1
- set:
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1beta1
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager >= 0.11.0 using capabilities
- capabilities:
- apiversions:
- - cert-manager.io/v1alpha2
- set:
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1alpha2
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager < 0.11.0 using capabilities
- capabilities:
- apiversions:
- - certmanager.k8s.io/v1alpha1
- set:
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: certmanager.k8s.io/v1alpha1
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager >= 1.0.0 using parameter
- set:
- certificates.certManager.version: 1.0.0
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager >= 0.16.0 using parameter
- set:
- certificates.certManager.version: 0.16.0
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1beta1
- template: issuer.yaml
-- it: should set issuer apiVersion with cert-manager >= 0.11.0 using parameter
- set:
- certificates.certManager.version: 0.11.0
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: cert-manager.io/v1alpha2
- template: issuer.yaml
-- it: should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter
- set:
- certificates.certManager.version: 0.9.0
- certificates.certManager.enabled: true
- asserts:
- - equal:
- path: apiVersion
- value: certmanager.k8s.io/v1alpha1
- template: issuer.yaml
diff --git a/charts/rancher-externalip-webhook/tests/service_test.yaml b/charts/rancher-externalip-webhook/tests/service_test.yaml
deleted file mode 100644
index a0ba4d352..000000000
--- a/charts/rancher-externalip-webhook/tests/service_test.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-suite: Test Services
-templates:
-- service.yaml
-tests:
-- it: should render webhook-server service with default webhookPort if metrics.enabled = false
- set:
- metrics.enabled: false
- asserts:
- - equal:
- path: spec.ports[0]
- value:
- name: webhook-server
- port: 443
- protocol: TCP
- targetPort: 9443
-- it: should render webhook-server service with custom webhookPort if metrics.enabled = false
- set:
- metrics.enabled: false
- webhookPort: 9000
- asserts:
- - equal:
- path: spec.ports[0]
- value:
- name: webhook-server
- port: 443
- protocol: TCP
- targetPort: 9000
-- it: should render webhook-server and webhook-metrics services with default webhookPort and metrics.port, if metrics.enabled = true
- set:
- metrics.enabled: true
- asserts:
- - equal:
- path: spec.ports[0]
- value:
- name: webhook-server
- port: 443
- protocol: TCP
- targetPort: 9443
- documentIndex: 0
- - equal:
- path: spec.ports[0]
- value:
- name: webhook-metrics
- port: 8443
- protocol: TCP
- targetPort: 8443
- documentIndex: 1
-- it: should render webhook-server and webhook-metrics services with custom webhookPort and metrics.port, if metrics.enabled = true
- set:
- metrics.enabled: true
- metrics.port: 8000
- webhookPort: 9000
- asserts:
- - equal:
- path: spec.ports[0]
- value:
- name: webhook-server
- port: 443
- protocol: TCP
- targetPort: 9000
- documentIndex: 0
- - equal:
- path: spec.ports[0]
- value:
- name: webhook-metrics
- port: 8443
- protocol: TCP
- targetPort: 8000
- documentIndex: 1
\ No newline at end of file
diff --git a/charts/rancher-externalip-webhook/tests/serviceaccount_test.yaml b/charts/rancher-externalip-webhook/tests/serviceaccount_test.yaml
deleted file mode 100644
index 5aebbc74b..000000000
--- a/charts/rancher-externalip-webhook/tests/serviceaccount_test.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-suite: Test Service Accounts
-templates:
-- serviceaccount.yaml
-tests:
-- it: should render Service Account
- asserts:
- - hasDocuments:
- count: 1
- template: serviceaccount.yaml
diff --git a/charts/rancher-externalip-webhook/tests/servicemonitor_test.yaml b/charts/rancher-externalip-webhook/tests/servicemonitor_test.yaml
deleted file mode 100644
index 21989265e..000000000
--- a/charts/rancher-externalip-webhook/tests/servicemonitor_test.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-suite: Test Service Monitors
-templates:
-- servicemonitor.yaml
-tests:
-- it: should not render Service Monitor if metrics.enabled = false or metrics.prometheusExport = false
- set:
- metrics.enabled: false
- metrics.prometheusExport: false
- asserts:
- - hasDocuments:
- count: 0
- template: servicemonitor.yaml
-- it: should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true
- set:
- metrics.enabled: true
- metrics.prometheusExport: true
- asserts:
- - hasDocuments:
- count: 1
- template: servicemonitor.yaml
diff --git a/charts/rancher-externalip-webhook/values.yaml b/charts/rancher-externalip-webhook/values.yaml
deleted file mode 100644
index dc17e9796..000000000
--- a/charts/rancher-externalip-webhook/values.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-## Allowed external IP cidrs
-allowedExternalIPCidrs: ""
-## Certificates generation for webhook
-certificates:
- certManager:
- # Enable cert manager integration. Cert manager should be already installed at the k8s cluster
- enabled: true
- version: ""
- # If cert-manager integration is disabled, add self signed ca.crt in base64 format
- caBundle: ""
- # If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace
- secretName: webhook-server-cert
-## Details about the image to be pulled.
-image:
- pullPolicy: IfNotPresent
- pullSecrets: []
- repository: rancher/externalip-webhook
- tag: v0.1.4
-## Enabling metrics endpoint
-# Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation
-metrics:
- enabled: false
- port: 8443
- # Enable webhook metrics export to Prometheus
- prometheusExport: false
- # Webhook metrics auth proxy. This option is just available for amd64 arch
- authProxy:
- enabled: false
- port: 8080
- image:
- pullPolicy: IfNotPresent
- pullSecrets: []
- repository: rancher/kube-rbac-proxy
- tag: v0.5.0
- resources:
- limits:
- memory: 30Mi
- cpu: 100m
- requests:
- memory: 20Mi
- cpu: 100m
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-## RBAC
-rbac:
- apiVersion: v1
-## CPU and Memory limit and request for externalip-webhook
-resources:
- limits:
- memory: 30Mi
- cpu: 100m
- requests:
- memory: 20Mi
- cpu: 100m
-service:
- metricsPort: 8443
- webhookPort: 443
-## Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false
-serviceAccountName: default
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
-## Webhook server pod port
-webhookPort: 9443
-global:
- systemDefaultRegistry: ""
diff --git a/index.yaml b/index.yaml
index 9473b0975..f854a516d 100644
--- a/index.yaml
+++ b/index.yaml
@@ -793,88 +793,6 @@ entries: urls: - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz version: 1.0.100 - rancher-externalip-webhook: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: External IP Webhook - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: rancher-externalip-webhook - catalog.cattle.io/ui-component: rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.4 - created: "2020-12-08T22:05:21.819947668Z" - description: | - Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 - digest: abc86966d4a49e37ea0a7e90f38bc267a73cb9fc3a9ce96e407bae760eb9af95 - home: https://github.com/rancher/externalip-webhook - keywords: - - cve - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: rawmind0 - name: rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz - version: 0.1.400 - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: External IP Webhook - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: rancher-externalip-webhook - catalog.cattle.io/ui-component: rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.3 - created: "2020-12-08T14:39:13.286645836Z" - description: | - Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 - digest: d722d79154bb56c1366dafcecc969cb5ef3da714444eff37631b28886d13e027 - home: https://github.com/rancher/externalip-webhook - keywords: - - cve - - embargo - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: rawmind0 - name: rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.300.tgz - version: 0.1.300 - - annotations: - 
catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: Externalip webhook - catalog.cattle.io/hidden: "true" - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.1 - created: "2020-12-08T02:12:59.751279501Z" - description: | - Deploy rancher-externalip-webhook to mitigate k8s CVE-2020-8554 - digest: 4b0ef8f0d9cfeec170e3b1a06984152d4ac4ebc4b8c4326e1613bed314d99ddc - home: https://github.com/rancher/externalip-webhook - keywords: - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: Raul Sanchez - name: rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.100.tgz - version: 0.1.100 rancher-gatekeeper: - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match 
@@ -2272,32 +2190,4 @@ entries: urls: - assets/rio/rio-0.8.000.tgz version: 0.8.000 - vue-rancher-externalip-webhook: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: External IP Webhook - catalog.cattle.io/namespace: cattle-externalip-system - catalog.cattle.io/release-name: vue-rancher-externalip-webhook - catalog.cattle.io/ui-component: vue-rancher-externalip-webhook - apiVersion: v1 - appVersion: v0.1.4 - created: "2020-12-08T23:25:12.849262513Z" - description: | - Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 - digest: 51dff54b84f92ce75fef00baf8da86a635b71f92abdd7bfb01cba7169b4153e8 - home: https://github.com/rancher/externalip-webhook - keywords: - - cve - - externalip - - webhook - - security - maintainers: - - email: raul@rancher.com - name: rawmind0 - name: vue-rancher-externalip-webhook - sources: - - https://github.com/rancher/externalip-webhook - urls: - - assets/rancher-externalip-webhook/vue-rancher-externalip-webhook-0.1.401.tgz - version: 0.1.401 generated: "2020-12-08T23:25:12.847895211Z" diff --git a/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum b/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum deleted file mode 100644 index afde132c5..000000000 --- a/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum +++ /dev/null @@ -1,2 +0,0 @@ -25d99c96f967d3760ad00b656505c9de2341c4fb4f8c3174365c195a90f6c6cf packages/rancher-externalip-webhook/package.yaml -4ca181e62518cb176b861a5f0983b78a2aff389eb95c268fd4cc467887c7564e packages/rancher-externalip-webhook/rancher-externalip-webhook.patch