From a52ea99181895950d2866bd0d60ada113f90123f Mon Sep 17 00:00:00 2001 
From: Kevin Joiner Date: Thu, 22 Sep 2022 08:29:51 -0400 Subject: [PATCH] make charts --- ...er-external-ip-webhook-101.0.0+up1.0.1.tgz | Bin 0 -> 7743 bytes .../101.0.0+up1.0.1/.helmignore | 21 ++ .../101.0.0+up1.0.1/Chart.yaml | 29 +++ .../101.0.0+up1.0.1/README.md | 71 ++++++ .../101.0.0+up1.0.1/app-README.md | 12 ++ .../101.0.0+up1.0.1/questions.yaml | 26 +++ .../101.0.0+up1.0.1/templates/NOTES.txt | 3 + .../101.0.0+up1.0.1/templates/_helpers.tpl | 50 +++++ .../templates/admissionregistration.yaml | 30 +++ .../templates/clusterrole.yaml | 33 +++ .../templates/clusterrolebinding.yaml | 31 +++ .../101.0.0+up1.0.1/templates/deployment.yaml | 107 ++++++++++ .../101.0.0+up1.0.1/templates/issuer.yaml | 52 +++++ .../101.0.0+up1.0.1/templates/service.yaml | 35 +++ .../templates/serviceaccount.yaml | 7 + .../templates/servicemonitor.yaml | 16 ++ .../tests/admissionregistration_test.yaml | 32 +++ .../tests/clusterrole_test.yaml | 37 ++++ .../tests/clusterrolebinding_test.yaml | 42 ++++ .../tests/deployment_test.yaml | 202 ++++++++++++++++++ .../101.0.0+up1.0.1/tests/issuer_test.yaml | 106 +++++++++ .../101.0.0+up1.0.1/tests/service_test.yaml | 69 ++++++ .../tests/serviceaccount_test.yaml | 9 + .../tests/servicemonitor_test.yaml | 20 ++ .../101.0.0+up1.0.1/values.yaml | 68 ++++++ index.yaml | 33 +++ 26 files changed, 1141 insertions(+) create mode 100644 assets/rancher-external-ip-webhook/rancher-external-ip-webhook-101.0.0+up1.0.1.tgz create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/.helmignore create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/Chart.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/README.md create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/app-README.md create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/questions.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/NOTES.txt create mode 100644 
charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/_helpers.tpl create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/admissionregistration.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrole.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/deployment.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/issuer.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/service.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/serviceaccount.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/servicemonitor.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/admissionregistration_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrole_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrolebinding_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/deployment_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/issuer_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/service_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/serviceaccount_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/servicemonitor_test.yaml create mode 100644 charts/rancher-external-ip-webhook/101.0.0+up1.0.1/values.yaml 
diff --git a/assets/rancher-external-ip-webhook/rancher-external-ip-webhook-101.0.0+up1.0.1.tgz b/assets/rancher-external-ip-webhook/rancher-external-ip-webhook-101.0.0+up1.0.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..2bc5224c92477ff4d22d1c4b077238ef20219683 GIT binary patch literal 7743 zcmV-F9>C!riwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBhbKAISXsqRsZjFI`#i|&ri>O>Yko-PdaD4({Ar4 z`Q+mKC+Iw^+to_W1!6yS9^6+Qx$mT)G^GLwLQ@`k01*->p`#!|LL@jKv>jn4$dKST z1S2br)ndZ41l{>5n&1%L7-@pHm+&_&O^sjO^nwe6KreVcAAW`tj5sy~TQCe8zs`vt(Md*AoQe&;&bVM0O-jJKK_}>XC?mhv zCsX+|bAGBCG3F5?nNZKZdH}C+me4y8V+;+wgP<@Wf{c*BaPyqQt6$#uy-u&=KR-J= z^~O}?Ko)6I!dp?wvJRfW|A2^P3M#P;b zg{;8Cij_A(Bo&CHn5m}l1d&8iGEe@8>0LtN0aymzPDmPeyyg7jG-nZ3t*(b!$&HSr zcIRL7OjG?4$NwVzKSfE7`NIvs68(R2-tE@)|3&X&um5*Z4i4aDlF(Zm7vo4O?TEyT zdq}^r+WhV1EBQEtR?9m$fLGcwL`Yx`Bb;KU>! zQZz`gdIJ;v3P>vONH-U#eu_7IO!Fj$0S1&XjN&^WDHkY7a12N&JtXx^l;m6}Qw4xk z2XP33g0mU(JoD6}JQHo=TP!KTzB!vOu`21Aj zK0!h$-9P1NoZ$8Q$g_l^SXJf_BZ1(V?&cUo!c~7Ljn&^b`0fx8R~T~~F)ZGr36|hU zIusVt1LtjMdE;};rkMG%BgxL!SRj&cKm(dbDRqE>RNTkL-_cs2f%PfIT4iI6{@pI0Rjj#Ds0VxkqwfLV1flB5eJ;c z86~Ok4(z-Fur%1vH*I_xB9h?v6T`pfn2S#l%~R1YzP}yg6i+4j1u*;@j)bHfo014a z#IR-uWsqmFG+8t=LhYFbB<6)Y4N<}+aWl$92+vPXPdrDUtqCkZ|19fCa$Yhz!D5Va zIjhKuA8$VEhHSGXina-qi?RIR^IZTR#)JdSto;0za{*|INTNEIV-QW^^HV@98hfBV zy_8>u)iGf^E3oK1@2H;zqt(0l%(kzq440*e=@Y^jWjOZL%#RIF@?hR=Gj$5N3n4zQ>Ca*PsS9nCYkYsJO9&?Vjs4SZQ2|URXX}R0)|MKC@ zbs#>Ajrv$J|LgQFYU}@Ar@LSO@1}g9ayCSUatVh-gZh9m;vi`xOoDcs+~2n#tR<@uu+hrizY(W6`_s3?LJkvPb z-#^)y`H{+M1f5prVgqo+Nkh zdyW$2%LJ5V3W>n`8`iC>`a1Sc^E#IT-F;aJToG~BI67R7LK4m@mHtU}7`|AYT=q*cgcO_atGd(H$QVh*5L*At{eR}I zS|$DAO0-XSQ=6@InlS8}VI};hb}V4I!X}ZOlCMHbU9|=G_a4f!5LUN3-WW3?l5M87{_^H#gTICHaRPS>ZPxiCr;y0dt9YiGH-X}ysHuT^JmBN*JQi8Kt=WmW0ApWBk2Uw<-` z{lv@+yX6iFJ81L_-MYmaXXXu3-EM8vKxK@y77P9^_5W)2AH@^GK`7Nq@tU@FV088J#HA-njH=FVp#@y_I^u;u3ZA zI269Y4`hP5K$9$lG*6OZduYvmrUm(I4L_<7&^*<VNGEKjue%m?49eR-t??usVZF(zQ9|7v`bG)nS#@zg(nuRzim 
zrvgq39VnMiTJbn5sr!4sd}6`*3Jhn7R0XYnZ9(f(OSiF+%2(SQz8pcGQ71KJ;;TIx zoC>LlOLBQNz2JkOH#lW@O0Wt`nPN6DZ>F+tjX7dW40$BzU~>zqbA#kTfRgXdN@K%>UQxb!z(m z@JL8+<=F;R2^VierX3f6)olf1x8&7El#x>JU^mVo!a%7z>ew?RK|!p&IBmHBe$| znrc_tO6W*XE@I5siz2MrzMQ`3c8Ui&jHYm;;B|e0MlLbb z!%HWmwY5SUWeBVaJ+f^{>QtCjh?auw5xNjtN z>EF>LS%5}Sy&QAhjtd9FC?+Z9{F2cD4xRo*lwH&41`GG0jToK}Hc5#fD0z(&ba#y- zn#MeYGZ!z+2#t$Zj?^S%igyZ%*-rQ{W|)s@5?7#^f%K%~s1aw2WK%7$mC@2XHfmub zFN-r>weQv$BMV1FL?;uJ#_pJCmjV8|%xXBxI?2cvPFGG~tqWdlTe10|N?ie(T9vu3 zI_TndxV)(up3i_&GbGi)KBw+%h;t2k>s6H6|HXQ`yVkpkMOf7O8ir*qIcksA(35jm zURRTPuXd@HT+Pr|wo~U@`@<^PcBktbC_1G{KEdzg;=Dpw-GRH4T{b?EwJ-Ias+eT$ zo9EoG(zC7h9Mh5d(uGS}hrguBopX!|mKmYPHaRmQ@K|d8p$2JZfYy$cIJ5A^7%Msd zPG=|JH5KJHs=YOJMptSyP3dRkw{o^(4xE*cG#AwKd62pha*cqx6$&`d7r@zczGNfY zu7_(eQWuR=eOS+xCu79l(HMtt+H)nrJ=r%esKYrMSPw5-&HqC<&oSHdB=8dd&)IpW zS3m!8ak}^a?4+z4pXDooR)NX#wTa341v3a=$TfFD1hj(I@&?TrT&F=Y1j^u9@Cs#U zKoTMd=E2L$w>GXO_%FnvRSyN5c3X$=OqutQfM*F#>yQPXI)~6XglG77ct%pu_`Z7x z&qjF8`>y={5NZ()vygbs{AyEdRFvITQ0go}se8T(PCDvu3y3LCQg1hybyvYm1GE`x zwxJ?8QZ=?cz9nLP?B>AaRVV!iaE*l^=?Ii+7xpkbAYL4tTusWgnKYYGcK{YB=-CDXDYt$?`^~0 zHtcP~cWoPt0{Jn_LZQvpu?QR|!)tY8jJoQfa(d~B4>7N{{xhrK4HtmR;{Q4)4d;LN z=YMumYS)ZZLVtdYA-m>SEgaSUe1CIRclX-y(crqC_2&x2Mp!I&dsia@HrW2Z%Ww!S z6DRievQGS@0`xW|MyN$_V@qnq%2bQHuU$0(D^Is_^0N_uFG2Ee?n6t=-T^0%g%px zdfl1vzrX)yH)XRp$oi#~v&TP;sE~9NM3iC5)#b-^4f9Ud`Y|+&Z*X37HfgUkElz!# zGw;>V5Ivn#*G)b~u<(A;_XjPD^nWnM$%Lqj6&}>bviaXxcP9VC`TqXL-IN2kL_)G& zT`8rRt!_z%K~9pGq$9{sbc05i2i}3cb(rUwS^@(f<0OGmLI+w0k#uwn3@1pCDOP&S zd5+T9JAf3A^d-yBGKPobGmhbwh%x-P!vOx0CU-zn^`!&}GOVt|!hsjOzW#JAD8t?X zyrPo{P2rbU*ANrNy-dJX3eyaqlSL zx0!bo4A6~t6o^UY9sO_b0DeJ?(452D*KfEd&EIc05?(-JjM};$qrZKRlgCBl|LV=l z*YDm0llXysEFS;8-q~#am(IyP{%0rUpy|eFb=$O@CfQ5jJx>jMHLue5*G1(Gi}sip z&>{3^TkER@x5 z@Vuj=_f+8U=m;FB374QU93g>Yb=lr*C%S1l7tT|o7}OgxmUl4s~uQRsa5@yq?W3 zTjTA67^in;3^E zG)X`7yneqwKz!`|6UbSGx*T3zf@nX}ZCeVcUp%mxSO~3rr*G%Ck1T`>0I2rTUR2Y$ z(RglRA@GObBuA0B=`mBe!^`_H#xSHwLT?pWl~^Q%3$BT2E6c|jVrYT|X53z@+He!I 
zCXu;=m9XMyhXKX&ysvO+8-fMpE4(iA_$;dU7)5rj;a=w>?<@FAi)wv&wZ|$Ob*@nB zH=jD`*9dow1)zp(EwA3bzT&{Klp?9I26uq;Ih-wWt>0?(*ZoMM)_A>Kzux*=w1zXxYAM{V@~VEJsbSyiV;0B4>=HMy>+8HKT$;&heU^u3fgow=(3cUu}Jx z8GHWwI{A7uY7J?67GSIJTH!+4{#UrnlLTTK-AJ4!a%BfYMkmd=DK=%!94I$tS^dai zQzKvN={XFN@+-*nNySGi5;Zq9&T=$sc$ow`4WBKXasgTq#Q8YN6`4Y%Uq7j@v8a%8|xQlt)7`{%P2HM z34N9QXCtw6V<_e|@O38jmd*6D1?ZPT3H|4%rza0XuC_tbue5JiSLPuz$;krv54Bu@ zkNP)BM@6X2kTSn)wOp$XD7{hlgD8KYjsqV)!tf*>Komrk&YEzRd)_g9Xt;7WoaQjTRth{7yT>O(OR| z+?@M%W}ErC#RSru;MOu5ubYXca|O}d@4r4MarN3b&0zTP*NsqHB#>q6b8=`u5bD*S zg#OPPNv3z5;fM_H0HbJJ?$$%jZNx<1_c<1DgYRCb{rHc^#h<_S0kKi8=3#mu9!)1@=BjUkb=-j7?N@U=`O}FUh)@axET^+`n?+Jl4++7rYDW|}%}r?JCtIWBNf{2$6Pe;YA?%g%qCU7XCs|91BAzdI?- z@qcc#AL1t1FRldLeXNANl>_GX_BM#7IM#uKYT!gu+^*DaA9~&!Cw|3R1i}G9nHy2< zliQ(xJ0?=|GCal77TVN!dh1%NVTRI}PTa^C9)M@U3{}Wos?%Chqb#{m>WMM7I*!Ih z*a#}MshUY3UWvCE+}TfMxBa>I%Jxg`9KZ)>M?-~B(loi#ot4;VEHM#dwN;q@zyI@p zh04tBbbkz#!L3T}>!PZ%QJYXp6`hCD5iV?p3JQ{sD`W_o`QXM!sAg?!ro!UR8k&(w z%^U+sp$E63Yo)0V!KapXmSGDqG`P|%9F^4K; zAeuTmSdgP3{>)Tx=<`>OtJXqClBp&GFnZOH1%Fnt&&E8VEGr}4j&)G^Y7uk_3PVgs zbL)FEs`3GaBYjU9*62eTztF|ypKNq7oY#;VovV& zPx9TWW?`BBzc{U*|32;Q^S|$=@SF%7!UxO+yetl-Tsf@vifaH=%G$;p@oJ&1#6{L2 zBDAA|;WWlU6gVK_6sa(r=;FmeJ83un(N9PZf%m={uIB z+LtiS_-IO$YUaWR!r$jf4H}!>{$uCYz|C%7>fkk4SMbR)&f(>1tSe0B9J&`t^9_Gi z;frl^8Do}{q9XSOf@ZQdGI`1PU#|b1+`nsS{jx04|Gn--{rCpt z6U?h>-w}fO%3cmWGgd22xf?O{?UypTa{eBT8Jha8i)uUNK!f@1%o&Yi#9z}$x#fA8 zC@xP$2s*(+kw0%1{U-gi0?txfD?POcXQR^Rqg*6lS%7hqU08r{@8Jlm8NBuIumOss z@h(C(zCm)VG2NJ-%Xr#6&1fJ^lygBR-zsGQYOy#W=xNj=QB5}e)Vgn9*0ld7WA(bz zfMxdov~yO^|9{ro+y9-EdG;Sn*7f=G03!@b*M5zyF18k~Qfp94Po>Cf(9comOMri5 zox0MD%pzi*el}eGFR}mK zlk@X>{S6J?^zuP$WFVQDDgss9$9o`H!7n1H?xBWB1ppnpu=(xO?1NiDp&rjV4(A(mf5!PaEK!jLhC)fj>b676I{Ne8CGFF zA++8|C|hd)?26qSa4WZzQ67SVZEX=(l4>T?-F7;|`oVZ-*Ri;7CWIJIee?YL81f4C*}crrL1ZVo#FBYUU9yf%E3b@U;sJ~12g}#I zRrdEGFyESuXo9Xj`JV^f^ZC$KZ~5Ou?2Kaj)}^j|qf;3?*CTN+j5`;``6}??!nkD} 
zxM5J$P8^L}l}vS!v%X|zM?$)>PTB~(?k)yucUJ>-Q?_iP{kv6JHN|L8>RwY?wB{*{70b=3`mu9cu~7*oAQ6sLa4G5wm$z~zWy_J(>!1SxMclz(mSi?|L^wp_kZlB zxa&WYsIayGw6{$zi~OtlE{gjmE9(%)Pq<*~eWif%m3(@Q4w)5wF3LyaI*98YE?op- zBP<+$^18G!j^Ztnrr96+O%hCkwgSOW8rL0<&YfBFB+PZC>sZRUZuhP2n?Hrb$%nD= zBD_sw{8_s`wgcphpLcfmXgQeA=YZLK=4Nf?Hw>XI^M0+Jk8e^?EWqEmpv(dDk9$IEafkqCNP6um^J>Ya-Q^!wD zwjZXfJpLy%C4z3W54dFfcRT0x^WVLT&VKywq%@8Hcbe7B= 1.16.0-0 < 1.22.0-0' + catalog.cattle.io/namespace: cattle-externalip-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-external-ip-webhook + catalog.cattle.io/ui-component: rancher-external-ip-webhook + catalog.cattle.io/upstream-version: 1.0.1 +apiVersion: v1 +appVersion: v1.0.1 +description: | + Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554 +home: https://github.com/rancher/externalip-webhook +keywords: +- cve +- externalip +- webhook +- security +kubeVersion: < 1.22.0 +maintainers: +- email: raul@rancher.com + name: rawmind0 +name: rancher-external-ip-webhook +sources: +- https://github.com/rancher/externalip-webhook +version: 101.0.0+up1.0.1 diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/README.md b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/README.md new file mode 100644 index 000000000..c461b52d0 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/README.md 
@@ -0,0 +1,71 @@
+# externalip-webhook
+
+## Chart Details
+
+This chart will create a deployment of `externalip-webhook` within your Kubernetes Cluster. It is required on kubernetes versions prior to 1.21 to mitigate CVE-2020-8554.
+
+**Note:** This chart is deprecated for kubernetes version 1.21 and unsupported starting with 1.22. To mitigate CVE-2020-8554, enable the [`DenyServiceExternalIPs` admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#denyserviceexternalips) on the cluster.
+
+## Installing the Chart
+
+To install the chart with the release name `rancher-external-ip-webhook`:
+
+```bash
+$ helm repo add rancher-chart https://charts.rancher.io
+$ helm repo update
+$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the externalip-webhook chart and their default values.
+
+
+| Parameter | Description | Default |
+| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
+| `allowedExternalIPCidrs` | Set allowed external IP CIDRs separated by a comma | `""` |
+| `certificates.caBundle` | If cert-manager integration is disabled, add here self signed ca.crt in base64 format | `""` |
+| `certificates.certManager.enabled` | Enable cert manager integration. 
Cert manager should be already installed at the k8s cluster | `true` |
+| `certificates.certManager.version` | Cert manager version to use | `""` |
+| `certificates.secretName` | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | `"webhook-server-cert"` |
+| `global.cattle.systemDefaultRegistry`| Pull docker images from systemDefaultRegistry | `""` |
+| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` |
+| `image.pullSecrets` | Webhook server docker pull secret | `""` |
+| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` |
+| `image.tag` | Webhook server docker image tag Defaults to | `".Chart.appVersion"` |
+| `metrics.enabled` | Enable metrics endpoint | `false` |
+| `metrics.port` | Webhook metrics pod port | `8443` |
+| `metrics.prometheusExport` | Enable Prometheus export. Follow [exporting-metrics-for-prometheus](https://book.kubebuilder.io/reference/metrics.html#exporting-metrics-for-prometheus) to export the webhook metrics | `false` |
+| `metrics.authProxy.enabled` | Enable auth proxy for metrics endpoint | `false` |
+| `metrics.authProxy.port` | Webhook auth proxy pod port | `8080` |
+| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker pull policy | `"IfNotPresent"` |
+| `metrics.authProxy.image.pullSecrets`| Webhook auth proxy docker pull secrets | `""` |
+| `metrics.authProxy.image.repository` | Webhook auth proxy docker image repository | `"gcr.io/kubebuilder/kube-rbac-proxy"` |
+| `metrics.authProxy.image.pullPolicy` | Webhook auth proxy docker image tag | `"v0.5.0"` |
+| `metrics.authProxy.resources.limits.cpu` | Webhook auth proxy resource cpu limit | `"100m"` |
+| `metrics.authProxy.resources.limits.memory` | Webhook auth proxy resource memory limit | `"30Mi"` |
+| `metrics.authProxy.resources.requests.cpu` | Webhook auth proxy wesource cpu reservation | `"100m"` |
+| 
`metrics.authProxy.resources.requests.memory` | Webhook auth proxy resource memory reservation | `"20Mi"` |
+| `nodeSelector` | Node labels for pod assignment | `{}` |
+| `rbac.apiVersion` | Rbac API version to use | `"v1"` |
+| `resources.limits.cpu` | Resource cpu limit | `"100m"` |
+| `resources.limits.memory` | Resource memory limit | `"30Mi"` |
+| `resources.requests.cpu` | Resource cpu reservation | `"100m"` |
+| `resources.requests.memory` | Resource memory reservation | `"20Mi"` |
+| `service.metricsPort` | Webhook metrics service port | `8443` |
+| `service.webhookPort` | Webhook server service port | `443` |
+| `serviceAccountName` | Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false | `"default"` |
+| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | `[]` |
+| `webhookPort` | Webhook server pod port | `9443` |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+$ helm repo add rancher-chart https://charts.rancher.io
+$ helm repo update
+$ helm install rancher-external-ip-webhook rancher-chart/rancher-external-ip-webhook --namespace cattle-externalip-system -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](https://github.com/rancher/externalip-webhook/blob/master/chart/values.yaml)
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/app-README.md b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/app-README.md
new file mode 100644
index 000000000..bd8acd382
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/app-README.md
@@ -0,0 +1,12 @@
+# externalip-webhook
+
+This chart was created to mitigate [CVE-2020-8554](https://www.cvedetails.com/cve/CVE-2020-8554/)
+
+External IP Webhook is a validating k8s webhook which prevents services from using random external IPs.
+Cluster administrators can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter. The webhook will only allow services which either don’t set external IP, or whose external IPs are within the range specified by the administrator.
+
+External IP Webhook certificates are required. They can be generated in 2 ways:
+* cert-manager: This is the default chart configuration. Cert manager should be already installed at the k8s cluster
+* uploading certs: Disable `Cert Manager integration` and set `Secret name` and `CA Bundle` at `Certificates` section.
+
+For more information, review the Helm README of this chart.
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/questions.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/questions.yaml
new file mode 100644
index 000000000..3ea9edd93
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/questions.yaml
@@ -0,0 +1,26 @@
+questions:
+# allowedExternalIPCidrs
+- variable: allowedExternalIPCidrs
+ label: Allowed external IP cidrs
+ description: Set allowed external IP CIDRs separated by a comma
+ type: string
+ group: Configuration
+- variable: certificates.certManager.enabled
+ default: true
+ description: Enable cert manager integration. Cert manager should be already installed
+ label: Enable Cert Manager integration
+ type: boolean
+ group: "Certificates"
+ show_subquestion_if: false
+ subquestions:
+ - variable: certificates.secretName
+ default: webhook-server-cert
+ description: Use certificates from secret. Secret should exists in the app namespace, with certs data (ca.crt, tls.crt & tls.key)
+ label: Secret name
+ type: string
+ required: true
+ - variable: certificates.caBundle
+ description: Use self signed CA Bundle. It should be provided in base64 format
+ label: CA Bundle
+ type: string
+ required: true
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/NOTES.txt b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/NOTES.txt
new file mode 100644
index 000000000..74271bdd5
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that externalip-webhook has started, run:
+
+ kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "externalip-webhook.name" . }},release={{ .Release.Name }}"
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/_helpers.tpl b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/_helpers.tpl
new file mode 100644
index 000000000..2da94893b
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/_helpers.tpl
@@ -0,0 +1,50 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "externalip-webhook.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "externalip-webhook.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if ne $name .Release.Name -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Generate basic labels */}}
+{{- define "externalip-webhook.labels" }}
+app: {{ template "externalip-webhook.name" . }}
+heritage: {{.Release.Service }}
+release: {{.Release.Name }}
+{{- end }}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/admissionregistration.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/admissionregistration.yaml
new file mode 100644
index 000000000..d8152faa5
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/admissionregistration.yaml
@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+{{- if .Values.certificates.certManager.enabled }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "externalip-webhook.fullname" . }}-server-cert
+{{- end }}
+ creationTimestamp: null
+ name: {{ template "externalip-webhook.fullname" . }}-validating-webhook-configuration
+webhooks:
+- clientConfig:
+{{- if not (.Values.certificates.certManager.enabled) }}
+ caBundle: {{ .Values.certificates.caBundle }}
+{{- end }}
+ service:
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ path: /validate-service
+ failurePolicy: Ignore
+ name: {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - services
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrole.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrole.yaml
new file mode 100644
index 000000000..46e18bf00
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrole.yaml
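Review bot: `failurePolicy: Ignore` makes the API server admit a Service whenever this webhook is unreachable, times out or errors, so the CVE-2020-8554 mitigation the chart exists for silently fails open during rollouts, pod restarts or certificate problems. At minimum expose it as a value so operators can choose, `failurePolicy: {{ .Values.failurePolicy | default "Ignore" }}`, and document the trade-off: with `Fail`, no Service can be created or updated anywhere while the webhook is down, and there is no `namespaceSelector` to exempt the webhook's own namespace from that. Separately, `caBundle: {{ .Values.certificates.caBundle }}` renders a null `caBundle` when cert-manager is disabled and the value is left at its empty default; wrapping it in `required` would surface the misconfiguration at install time rather than as a webhook that can never be called.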
@@ -0,0 +1,33 @@
+{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRole
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRole
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-metrics-reader
+rules:
+- nonResourceURLs:
+ - /metrics
+ verbs:
+ - get
+{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrolebinding.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..2fa40817f
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/clusterrolebinding.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRoleBinding
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-cluster-view
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
+---
+apiVersion: rbac.authorization.k8s.io/{{ .Values.rbac.apiVersion }}
+kind: ClusterRoleBinding
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "externalip-webhook.fullname" . }}-proxy-role
+subjects:
+- kind: ServiceAccount
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/deployment.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/deployment.yaml
new file mode 100644
index 000000000..c82754deb
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/deployment.yaml
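Review bot: The unconditional `-cluster-view` binding grants the webhook's ServiceAccount the built-in `view` ClusterRole in every namespace, which covers pods, configmaps, events and most other namespaced resources, not just Services; nothing in this chart shows the server reading any of them, since a validating webhook decides on the AdmissionReview payload it receives. If the binary does need to list or watch Services, a chart-owned ClusterRole restricted to `services` with `get`/`list`/`watch` is the least-privilege form; if it needs nothing, the binding can go. Whichever applies, a comment on the binding naming the code path that requires it would stop the grant from being carried forward unexamined. The second binding to `-proxy-role` is the standard kube-rbac-proxy shape and looks right.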
@@ -0,0 +1,107 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: {{ template "externalip-webhook.name" . }}
+ template:
+ metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/pod: runtime/default
+ labels: {{ include "externalip-webhook.labels" . | indent 8 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ spec:
+ containers:
+ {{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
+ - name: {{ template "externalip-webhook.fullname" . }}-auth-proxy
+ args:
+ - --secure-listen-address=0.0.0.0:{{ .Values.metrics.port }}
+ - --upstream=http://127.0.0.1:{{ .Values.metrics.authProxy.port }}/
+ - --logtostderr=true
+ - --v=10
+ image: {{ template "system_default_registry" . }}{{ .Values.metrics.authProxy.image.repository}}:{{ .Values.metrics.authProxy.image.tag }}
+ imagePullPolicy: "{{ .Values.metrics.authProxy.image.pullPolicy }}"
+ ports:
+ - containerPort: {{ .Values.metrics.port }}
+ name: webhook-metrics
+ protocol: TCP
+ resources:
+{{ toYaml .Values.metrics.authProxy.resources | indent 10 }}
+ readinessProbe:
+ tcpSocket:
+ port: webhook-metrics
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: webhook-metrics
+ initialDelaySeconds: 5
+ failureThreshold: 10
+ periodSeconds: 30
+ {{- end }}
+ - name: {{ template "externalip-webhook.fullname" . }}
+ image: {{ template "system_default_registry" . 
}}{{ .Values.image.repository}}:{{ default .Chart.AppVersion .Values.image.tag }}
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ command:
+ - /webhook
+ args:
+ - --webhook-port={{ .Values.webhookPort }}
+ {{- if .Values.allowedExternalIPCidrs }}
+ - --allowed-external-ip-cidrs={{ .Values.allowedExternalIPCidrs }}
+ {{- end }}
+ {{- if .Values.metrics.enabled }}
+ {{- if .Values.metrics.authProxy.enabled }}
+ - --metrics-addr=127.0.0.1:{{ .Values.metrics.authProxy.port }}
+ {{- else }}
+ - --metrics-addr=0.0.0.0:{{ .Values.metrics.port }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.webhookPort }}
+ name: webhook-server
+ protocol: TCP
+ {{- if and (.Values.metrics.enabled) (not (.Values.metrics.authProxy.enabled)) }}
+ - containerPort: {{ .Values.metrics.port }}
+ name: webhook-metrics
+ protocol: TCP
+ {{- end }}
+ volumeMounts:
+ - name: server-cert
+ mountPath: /tmp/k8s-webhook-server/serving-certs
+ readOnly: true
+ resources:
+{{ toYaml .Values.resources | indent 10 }}
+ readinessProbe:
+ tcpSocket:
+ port: webhook-server
+ initialDelaySeconds: 5
+ failureThreshold: 10
+ periodSeconds: 30
+ livenessProbe:
+ tcpSocket:
+ port: webhook-server
+ initialDelaySeconds: 5
+ failureThreshold: 10
+ periodSeconds: 30
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6}}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- end }}
+ serviceAccountName: {{ template "externalip-webhook.fullname" . }}
+ volumes:
+ - name: server-cert
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.certificates.secretName }}
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/issuer.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/issuer.yaml
new file mode 100644
index 000000000..ff1c2de10
--- /dev/null
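Review bot: Neither container sets a `securityContext`, so apart from the seccomp annotation the pods run with Kubernetes defaults: privilege escalation allowed, a writable root filesystem, the default capability set, and whichever user the image picks. For an admission webhook that sees every Service create and update, the restrictive per-container block below is the usual hardening; `runAsNonRoot` and `readOnlyRootFilesystem` only work if the images tolerate them, which this page cannot confirm, so verify against the images (or surface them as values) before enabling. Two smaller points in the same hunk: the README on this page documents a `serviceAccountName` value ("Just used if metrics.authProxy.enabled = false") but the template always renders `serviceAccountName: {{ template "externalip-webhook.fullname" . }}`, and `replicas: {{ .Values.replicas }}` is absent from the README's parameter table — either wire the value in or drop it from the docs, and document `replicas`. `--v=10` on the auth proxy is also very verbose for a production sidecar and is worth making configurable.
```yaml
      containers:
      {{- if and (.Values.metrics.enabled) (.Values.metrics.authProxy.enabled) }}
      - name: {{ template "externalip-webhook.fullname" . }}-auth-proxy
        # … unchanged: args, image, imagePullPolicy, ports, resources, probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
      {{- end }}
      - name: {{ template "externalip-webhook.fullname" . }}
        # … unchanged: image, command, args, ports, volumeMounts, resources, probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
```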
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/issuer.yaml 
@@ -0,0 +1,52 @@
+{{- if .Values.certificates.certManager.enabled -}}
+ {{- $certmanagerVer := split "." .Values.certificates.certManager.version -}}
+ {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
+apiVersion: cert-manager.io/v1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
+apiVersion: cert-manager.io/v1beta1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+ {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
+apiVersion: certmanager.k8s.io/v1alpha1
+ {{- else }}
+# Setting latest version as default
+apiVersion: cert-manager.io/v1
+ {{- end }}
+kind: Certificate
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-server-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ dnsNames:
+ - {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
+ - {{ template "externalip-webhook.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ template "externalip-webhook.fullname" . 
}}-issuer
+ secretName: {{ .Values.certificates.secretName }}
+---
+ {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
+apiVersion: cert-manager.io/v1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
+apiVersion: cert-manager.io/v1beta1
+ {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+ {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
+apiVersion: certmanager.k8s.io/v1alpha1
+ {{- else }}
+# Setting latest version as default
+apiVersion: cert-manager.io/v1
+ {{- end }}
+kind: Issuer
+metadata:
+ labels: {{ include "externalip-webhook.labels" . | indent 4 }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ name: {{ template "externalip-webhook.fullname" . }}-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+{{- end -}}
+
+
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/service.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/service.yaml
new file mode 100644
index 000000000..256add3e4
--- /dev/null
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/service.yaml
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Service +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: webhook-server + port: {{ .Values.service.webhookPort }} + protocol: TCP + targetPort: {{ .Values.webhookPort }} + selector: + app: {{ template "externalip-webhook.name" . }} + type: "ClusterIP" +{{- if .Values.metrics.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }}-metrics-service + namespace: {{ .Release.Namespace }} +spec: + ports: + - name: webhook-metrics + port: {{ .Values.service.metricsPort }} + protocol: TCP + targetPort: {{ .Values.metrics.port }} + selector: + app: {{ template "externalip-webhook.name" . }} + type: "ClusterIP" +{{- end }} \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/serviceaccount.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/serviceaccount.yaml new file mode 100644 index 000000000..895df4f5b --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/serviceaccount.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/servicemonitor.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/servicemonitor.yaml new file mode 100644 index 000000000..c481ea31d --- /dev/null 
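Review bot: The ServiceAccount in serviceaccount.yaml is rendered unconditionally, yet values.yaml in this same patch ships `serviceAccountName: default` with the comment that it is only used when `metrics.authProxy.enabled = false`, so in the default configuration the webhook pod presumably runs as the namespace `default` account and this object is dead weight. The Deployment is not in this hunk, so I cannot confirm which account it picks, but a dedicated account per workload is the least-privilege baseline and the chart already creates one; defaulting the Deployment to it and keeping `serviceAccountName` as an override would be the fix. Since the webhook only needs API access when kube-rbac-proxy is doing TokenReview/SubjectAccessReview calls, the account could also carry `automountServiceAccountToken: {{ and .Values.metrics.enabled .Values.metrics.authProxy.enabled }}` so that the token is mounted only in that case.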
+++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/templates/servicemonitor.yaml @@ -0,0 +1,16 @@ +{{- if and (.Values.metrics.enabled) (.Values.metrics.prometheusExport) -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: {{ include "externalip-webhook.labels" . | indent 4 }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + name: {{ template "externalip-webhook.fullname" . }}-monitor + namespace: {{ .Release.Namespace }} +spec: + endpoints: + - path: /metrics + port: https + selector: + matchLabels: + app: {{ template "externalip-webhook.name" . }} +{{- end }} \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/admissionregistration_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/admissionregistration_test.yaml new file mode 100644 index 000000000..0660aa6e8 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/admissionregistration_test.yaml @@ -0,0 +1,32 @@ +suite: Test Admission Registration +templates: +- admissionregistration.yaml +tests: +- it: should render Admission Registration + asserts: + - equal: + path: apiVersion + value: admissionregistration.k8s.io/v1beta1 +- it: should render Admission Registration annotation and not caBundle if certificates.certManager.enabled = true + release: + name: rancher-externalip-webhook + namespace: test + set: + certificates.certManager.enabled: true + asserts: + - equal: + path: metadata.annotations + value: + cert-manager.io/inject-ca-from: test/rancher-externalip-webhook-server-cert + - isNull: + path: webhooks[0].clientConfig.caBundle +- it: should render Admission Registration caBundle and not annotation if certificates.certManager.enabled = false + set: + certificates.caBundle: test + certificates.certManager.enabled: false + asserts: + - equal: + path: webhooks[0].clientConfig.caBundle + value: test + - isNull: + path: metadata.annotations 
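Review bot: The ServiceMonitor endpoint uses `port: https`, but no Service in this chart names a port `https` — the metrics Service in service.yaml calls it `webhook-metrics` — so Prometheus Operator will match the Services by the `app` label and then find no endpoint to scrape; it should be `port: webhook-metrics`. The named port is also what keeps the monitor away from the webhook-server Service, which the `app` selector matches as well, so getting it right matters beyond the missing metrics. When `metrics.authProxy.enabled` is set the metrics are presumably served by kube-rbac-proxy over TLS and require a bearer token (the Deployment is not visible here, so confirm), in which case the endpoint additionally needs `scheme: https`, a `bearerTokenFile` and a `tlsConfig` — `insecureSkipVerify: true` if the proxy runs on its self-signed certificate, or the CA the Deployment hands it.
```yaml
spec:
  endpoints:
    - path: /metrics
      port: webhook-metrics
{{- if .Values.metrics.authProxy.enabled }}
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        insecureSkipVerify: true
{{- end }}
  # … unchanged: selector …
```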
diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrole_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrole_test.yaml new file mode 100644 index 000000000..9e563807b --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrole_test.yaml @@ -0,0 +1,37 @@ +suite: Test Cluster Roles +templates: +- clusterrole.yaml +tests: +- it: should not render Cluster Roles if metrics.enabled = false or metrics.authProxy.enabled = false + set: + metrics.enabled: false + metrics.authProxy.enabled: false + asserts: + - hasDocuments: + count: 0 + template: clusterrole.yaml +- it: should render Cluster Roles if metrics.enabled = true and metrics.authProxy.enabled = true + set: + metrics.enabled: true + metrics.authProxy.enabled: true + asserts: + - hasDocuments: + count: 2 + template: clusterrole.yaml +- it: should render Cluster Roles with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true + set: + metrics.enabled: true + metrics.authProxy.enabled: true + asserts: + - equal: + path: apiVersion + value: rbac.authorization.k8s.io/v1 +- it: should render Cluster Roles with custom rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true + set: + metrics.enabled: true + metrics.authProxy.enabled: true + rbac.apiVersion: v1beta + asserts: + - equal: + path: apiVersion + value: rbac.authorization.k8s.io/v1beta \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrolebinding_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrolebinding_test.yaml new file mode 100644 index 000000000..2129573a3 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/clusterrolebinding_test.yaml 
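Review bot: The first case is titled "if metrics.enabled = false or metrics.authProxy.enabled = false" but sets both flags to false, so it never proves that either flag alone suppresses the ClusterRoles; a template guarded only on `metrics.enabled` would pass this suite while still handing out cluster-scoped RBAC whenever metrics are on. Split it into two cases, e.g. `set: metrics.enabled: false` with `metrics.authProxy.enabled: true`, and the mirror image. Nothing asserts the `rules` of the two rendered roles either; an `equal` on `rules` would pin the proxy role to the `tokenreviews`/`subjectaccessreviews` `create` verbs kube-rbac-proxy presumably needs (clusterrole.yaml is not in this hunk, so confirm) and catch any later widening.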
@@ -0,0 +1,42 @@ +suite: Test Cluster Role Bindings +templates: +- clusterrolebinding.yaml +tests: +- it: should render Cluster Role Bindings with default rbac api version + set: + rbac.apiVersion: v1 + asserts: + - equal: + path: apiVersion + value: rbac.authorization.k8s.io/v1 +- it: should render Cluster Role Bindings with custom rbac api version + set: + rbac.apiVersion: v1beta + asserts: + - equal: + path: apiVersion + value: rbac.authorization.k8s.io/v1beta +- it: should not render Cluster Role Binding proxy if metrics.enabled = false or metrics.authProxy.enabled = false + set: + metrics.enabled: false + metrics.authProxy.enabled: false + asserts: + - hasDocuments: + count: 1 + template: clusterrolebinding.yaml +- it: should render Cluster Role Bindings proxy if metrics.enabled = true and metrics.authProxy.enabled = true + set: + metrics.enabled: true + metrics.authProxy.enabled: true + asserts: + - hasDocuments: + count: 2 + template: clusterrolebinding.yaml +- it: should render Cluster Role Bindings with default rbac api version if metrics.enabled = true and metrics.authProxy.enabled = true + set: + metrics.enabled: true + metrics.authProxy.enabled: true + asserts: + - equal: + path: apiVersion + value: rbac.authorization.k8s.io/v1 \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/deployment_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/deployment_test.yaml new file mode 100644 index 000000000..50e3f9ec1 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/deployment_test.yaml 
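Review bot: One ClusterRoleBinding is rendered even with `metrics.enabled` and `metrics.authProxy.enabled` both false (the `count: 1` case), yet no test asserts its `roleRef` or `subjects`, so the suite cannot tell what that binding grants or to whom. Given that values.yaml in this patch defaults `serviceAccountName` to `default`, a binding whose subject is the namespace `default` ServiceAccount would extend cluster-scoped permissions to every pod in `cattle-externalip-system` that uses it; clusterrolebinding.yaml is not visible here, so this is a question rather than a finding. Add an `equal` on `subjects[0].name` pinning the chart's own ServiceAccount and one on `roleRef.name`, so the binding's target is locked down by the tests.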
@@ -0,0 +1,202 @@ +suite: Test Deployments +templates: +- deployment.yaml +tests: +- it: should render Deployment with allowed-external-ip-cidrs arg if allowedExternalIPCidrs is set + release: + name: rancher-externalip-webhook + set: + allowedExternalIPCidrs: "1,2" + asserts: + - equal: + path: spec.template.spec.containers[0].args[1] + value: --allowed-external-ip-cidrs=1,2 +- it: should render Deployment with default port, nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false + release: + name: rancher-externalip-webhook + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 9443 + name: webhook-server + protocol: TCP + - equal: + path: spec.template.spec.tolerations[0] + value: + key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux +- it: should render Deployment with default port and custom nodeSelector and tolerations if metrics.enabled = false and metrics.authProxy.enabled = false + release: + name: rancher-externalip-webhook + set: + tolerations: + - key: "cattle.io/test" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + nodeSelector: + kubernetes.io/test: linux + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 9443 + name: webhook-server + protocol: TCP + - equal: + path: spec.template.spec.tolerations[0] + value: + key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + - equal: + path: spec.template.spec.tolerations[1] + value: + key: "cattle.io/test" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux 
+ kubernetes.io/test: linux +- it: should render Deployment with custom port and image if metrics.enabled = false and metrics.authProxy.enabled = false + release: + name: rancher-externalip-webhook + set: + webhookPort: 9000 + image.repository: test + image.tag: dev-test + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[0].image + value: test:dev-test + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 9000 + name: webhook-server + protocol: TCP +- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = false + release: + name: rancher-externalip-webhook + set: + metrics.enabled: true + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 9443 + name: webhook-server + protocol: TCP + - equal: + path: spec.template.spec.containers[0].ports[1] + value: + containerPort: 8443 + name: webhook-metrics + protocol: TCP +- it: should render Deployment with custom metrics port if metrics.enabled = true and metrics.authProxy.enabled = false + release: + name: rancher-externalip-webhook + set: + metrics.enabled: true + metrics.port: 8000 + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 9443 + name: webhook-server + protocol: TCP + - equal: + path: spec.template.spec.containers[0].ports[1] + value: + containerPort: 8000 + name: webhook-metrics + protocol: TCP +- it: should render Deployment with default metrics port if metrics.enabled = true and metrics.authProxy.enabled = true + release: + name: rancher-externalip-webhook + set: + metrics.enabled: true + metrics.authProxy.enabled: true + asserts: + - equal: + 
path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook-auth-proxy + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 8443 + name: webhook-metrics + protocol: TCP + - equal: + path: spec.template.spec.containers[1].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[1].ports[0] + value: + containerPort: 9443 + name: webhook-server + protocol: TCP +- it: should render Deployment with custom metrics port and image if metrics.enabled = true and metrics.authProxy.enabled = true + release: + name: rancher-externalip-webhook + set: + metrics.enabled: true + metrics.authProxy.enabled: true + metrics.port: 8000 + webhookPort: 9000 + image.repository: test + image.tag: dev-test + metrics.authProxy.image.repository: auth + metrics.authProxy.image.tag: auth-test + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: rancher-externalip-webhook-auth-proxy + - equal: + path: spec.template.spec.containers[0].image + value: auth:auth-test + - equal: + path: spec.template.spec.containers[0].ports[0] + value: + containerPort: 8000 + name: webhook-metrics + protocol: TCP + - equal: + path: spec.template.spec.containers[1].name + value: rancher-externalip-webhook + - equal: + path: spec.template.spec.containers[1].image + value: test:dev-test + - equal: + path: spec.template.spec.containers[1].ports[0] + value: + containerPort: 9000 + name: webhook-server + protocol: TCP \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/issuer_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/issuer_test.yaml new file mode 100644 index 000000000..eeeb660b2 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/issuer_test.yaml 
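Review bot: Every image assertion here (`test:dev-test`, `auth:auth-test`) leaves `global.cattle.systemDefaultRegistry` empty even though values.yaml in this patch declares it, so the code path that prefixes the registry — the one an air-gapped or mirror-only install relies on to keep images from a trusted registry — is untested. Add a case with `global.cattle.systemDefaultRegistry: registry.example.com` asserting the rendered `image` carries that prefix (exact form depends on the helper in `_helpers.tpl`, which is not in this hunk). The suite also never looks at `securityContext` or `automountServiceAccountToken`; if deployment.yaml sets them, pin them here so a regression is caught, and if it does not, that is a hardening gap worth closing alongside.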
@@ -0,0 +1,106 @@ +suite: Test Issuers +templates: +- issuer.yaml +tests: +- it: should not render issuer if certificates.certManager.enabled = false + set: + certificates.certManager.enabled: false + asserts: + - hasDocuments: + count: 0 + template: issuer.yaml +- it: should render issuer if certificates.certManager.enabled = true + set: + certificates.certManager.enabled: true + asserts: + - hasDocuments: + count: 2 + template: issuer.yaml +- it: should set issuer apiVersion with default cert-manager + set: + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: cert-manager.io/v1 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager >= 1.0.0 using capabilities + capabilities: + apiversions: + - cert-manager.io/v1 + set: + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: cert-manager.io/v1 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager >= 0.16.0 using capabilities + capabilities: + apiversions: + - cert-manager.io/v1beta1 + set: + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: cert-manager.io/v1beta1 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager >= 0.11.0 using capabilities + capabilities: + apiversions: + - cert-manager.io/v1alpha2 + set: + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: cert-manager.io/v1alpha2 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager < 0.11.0 using capabilities + capabilities: + apiversions: + - certmanager.k8s.io/v1alpha1 + set: + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: certmanager.k8s.io/v1alpha1 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager >= 1.0.0 using parameter + set: + certificates.certManager.version: 1.0.0 + certificates.certManager.enabled: true + asserts: + - equal: + path: 
apiVersion + value: cert-manager.io/v1 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager >= 0.16.0 using parameter + set: + certificates.certManager.version: 0.16.0 + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: cert-manager.io/v1beta1 + template: issuer.yaml +- it: should set issuer apiVersion with cert-manager >= 0.11.0 using parameter + set: + certificates.certManager.version: 0.11.0 + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: cert-manager.io/v1alpha2 + template: issuer.yaml +- it: should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter + set: + certificates.certManager.version: 0.9.0 + certificates.certManager.enabled: true + asserts: + - equal: + path: apiVersion + value: certmanager.k8s.io/v1alpha1 + template: issuer.yaml diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/service_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/service_test.yaml new file mode 100644 index 000000000..a0ba4d352 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/service_test.yaml 
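Review bot: The last case is named `should set letsEncrypt apiVersion with cert-manager < 0.11.0 using parameter`, but issuer.yaml only renders a `selfSigned` Issuer, so the name is a copy-paste leftover and misleads a reader into expecting an ACME path; rename it to `should set issuer apiVersion with cert-manager < 0.11.0 using parameter`. The suite checks only `apiVersion`; none of the cases assert `spec.selfSigned`, the Certificate's `dnsNames` or that `secretName` follows `certificates.secretName`, so the parts that actually decide which names the webhook certificate is valid for are unguarded.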
@@ -0,0 +1,69 @@ +suite: Test Services +templates: +- service.yaml +tests: +- it: should render webhook-server service with default webhookPort if metrics.enabled = false + set: + metrics.enabled: false + asserts: + - equal: + path: spec.ports[0] + value: + name: webhook-server + port: 443 + protocol: TCP + targetPort: 9443 +- it: should render webhook-server service with custom webhookPort if metrics.enabled = false + set: + metrics.enabled: false + webhookPort: 9000 + asserts: + - equal: + path: spec.ports[0] + value: + name: webhook-server + port: 443 + protocol: TCP + targetPort: 9000 +- it: should render webhook-server and webhook-metrics services with default webhookPort and metrics.port, if metrics.enabled = true + set: + metrics.enabled: true + asserts: + - equal: + path: spec.ports[0] + value: + name: webhook-server + port: 443 + protocol: TCP + targetPort: 9443 + documentIndex: 0 + - equal: + path: spec.ports[0] + value: + name: webhook-metrics + port: 8443 + protocol: TCP + targetPort: 8443 + documentIndex: 1 +- it: should render webhook-server and webhook-metrics services with custom webhookPort and metrics.port, if metrics.enabled = true + set: + metrics.enabled: true + metrics.port: 8000 + webhookPort: 9000 + asserts: + - equal: + path: spec.ports[0] + value: + name: webhook-server + port: 443 + protocol: TCP + targetPort: 9000 + documentIndex: 0 + - equal: + path: spec.ports[0] + value: + name: webhook-metrics + port: 8443 + protocol: TCP + targetPort: 8000 + documentIndex: 1 \ No newline at end of file diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/serviceaccount_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/serviceaccount_test.yaml new file mode 100644 index 000000000..5aebbc74b --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/serviceaccount_test.yaml 
@@ -0,0 +1,9 @@ +suite: Test Service Accounts +templates: +- serviceaccount.yaml +tests: +- it: should render Service Account + asserts: + - hasDocuments: + count: 1 + template: serviceaccount.yaml diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/servicemonitor_test.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/servicemonitor_test.yaml new file mode 100644 index 000000000..21989265e --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/tests/servicemonitor_test.yaml @@ -0,0 +1,20 @@ +suite: Test Service Monitors +templates: +- servicemonitor.yaml +tests: +- it: should not render Service Monitor if metrics.enabled = false or metrics.prometheusExport = false + set: + metrics.enabled: false + metrics.prometheusExport: false + asserts: + - hasDocuments: + count: 0 + template: servicemonitor.yaml +- it: should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true + set: + metrics.enabled: true + metrics.prometheusExport: true + asserts: + - hasDocuments: + count: 1 + template: servicemonitor.yaml diff --git a/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/values.yaml b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/values.yaml new file mode 100644 index 000000000..a56e423b7 --- /dev/null +++ b/charts/rancher-external-ip-webhook/101.0.0+up1.0.1/values.yaml 
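Review bot: The second servicemonitor case is titled "should render Service Account if metrics.enabled = true and metrics.authProxy.enabled = true" but it sets `metrics.prometheusExport` and renders a ServiceMonitor, so the name describes neither the input nor the output; rename it to `should render Service Monitor if metrics.enabled = true and metrics.prometheusExport = true`. It also only counts documents; an assertion such as `path: spec.endpoints[0].port` / `value: webhook-metrics` would have flagged that servicemonitor.yaml in this patch scrapes a port named `https`, which no Service in the chart defines. The first case sets both flags false and so, like the ClusterRole suite, never proves that each flag alone disables the object.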
@@ -0,0 +1,68 @@ +## Allowed external IP cidrs +allowedExternalIPCidrs: "" +## Certificates generation for webhook +certificates: + certManager: + # Enable cert manager integration. Cert manager should be already installed at the k8s cluster + enabled: true + version: "" + # If cert-manager integration is disabled, add self signed ca.crt in base64 format + caBundle: "" + # If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt and tls.key) as k8s secretName in the namespace + secretName: webhook-server-cert +## Details about the image to be pulled. +image: + pullPolicy: IfNotPresent + pullSecrets: [] + repository: rancher/externalip-webhook + tag: v1.0.1 +## Enabling metrics endpoint +# Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation +metrics: + enabled: false + port: 8443 + # Enable webhook metrics export to Prometheus + prometheusExport: false + # Webhook metrics auth proxy. This option is just available for amd64 arch + authProxy: + enabled: false + port: 8080 + image: + pullPolicy: IfNotPresent + pullSecrets: [] + repository: rancher/mirrored-kube-rbac-proxy + tag: v0.5.0 + resources: + limits: + memory: 30Mi + cpu: 100m + requests: + memory: 20Mi + cpu: 100m +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## RBAC +rbac: + apiVersion: v1 +## CPU and Memory limit and request for externalip-webhook +resources: + limits: + memory: 30Mi + cpu: 100m + requests: + memory: 20Mi + cpu: 100m +service: + metricsPort: 8443 + webhookPort: 443 +## Webhook serviceAccountName. Just used if metrics.authProxy.enabled = false +serviceAccountName: default +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] +## Webhook server pod port +webhookPort: 9443 +global: + cattle: + systemDefaultRegistry: "" diff --git a/index.yaml b/index.yaml index 47626747a..6a87cd48f 100755 --- a/index.yaml 
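Review bot: `serviceAccountName: default` means the out-of-the-box install runs the admission webhook under the namespace's shared `default` ServiceAccount, even though the chart creates its own account in serviceaccount.yaml; a dedicated account per workload is the least-privilege baseline and avoids any ClusterRoleBinding or future grant to `default` leaking into this pod, so the default should be the chart account with this value kept as an override. Enabling `metrics.enabled` without `metrics.authProxy.enabled` creates a ClusterIP metrics Service with no authentication in front of it (service.yaml), which the comment on `metrics` should say; the `amd64`-only caveat on the auth proxy makes that the likely configuration on other architectures. `image.tag: v1.0.1` and `metrics.authProxy.image.tag: v0.5.0` pin by mutable tag; if the catalog tooling allows it, a digest pin on the kube-rbac-proxy image in particular would make the supply chain of the sidecar reproducible.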
+++ b/index.yaml @@ -3966,6 +3966,39 @@ entries: - assets/rancher-eks-operator-crd/rancher-eks-operator-crd-100.0.0+up1.1.1.tgz version: 100.0.0+up1.1.1 rancher-external-ip-webhook: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: External IP Webhook + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.22.0-0' + catalog.cattle.io/namespace: cattle-externalip-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-external-ip-webhook + catalog.cattle.io/ui-component: rancher-external-ip-webhook + catalog.cattle.io/upstream-version: 1.0.1 + apiVersion: v1 + appVersion: v1.0.1 + created: "2022-09-22T08:28:58.214603-04:00" + description: | + Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554 + digest: 3c239ed2e9eb65c9e65fd4c4e915669469b1fdd08265e3ff7a4f92a22efab718 + home: https://github.com/rancher/externalip-webhook + keywords: + - cve + - externalip + - webhook + - security + kubeVersion: < 1.22.0 + maintainers: + - email: raul@rancher.com + name: rawmind0 + name: rancher-external-ip-webhook + sources: + - https://github.com/rancher/externalip-webhook + urls: + - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-101.0.0+up1.0.1.tgz + version: 101.0.0+up1.0.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: External IP Webhook