rancher-partner-charts/charts/kongmesh/kuma/0.8.101/templates/cp-webhooks-and-secrets.yaml

{{- $caBundle := .Values.controlPlane.tls.general.caBundle }}
{{/*
Generate certificates
see: https://masterminds.github.io/sprig/crypto.html
see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca
see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl

We only autogenerate certs if user did not chose their own secret.
We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades.
*/}}

{{- if eq .Values.controlPlane.tls.general.secretName "" -}}
{{- $cert := "" }}
{{- $key := "" }}
{{- $secretName := print (include "kuma.name" .) "-tls-cert" }}

{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{- if $secret -}}
  {{- $cert = index $secret.data "tls.crt" -}}
  {{- $key = index $secret.data "tls.key" -}}
  {{- $caBundle = index $secret.data "ca.crt" -}}
{{- else -}}
  {{- $commonName := (include "kuma.controlPlane.serviceName" .) -}}
  {{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}}
  {{- $certTTL := 3650 -}}
  {{- $ca := genCA "kuma-ca" $certTTL -}}

  {{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}}
  {{- $cert = $genCert.Cert | b64enc -}}
  {{- $key = $genCert.Key | b64enc -}}
  {{ $caBundle = $ca.Cert | b64enc }}
{{- end -}}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: {{ $secretName }}
  namespace: {{ .Release.Namespace }}
  labels:
  {{- include "kuma.labels" . | nindent 4 }}
data:
  tls.crt: {{ $cert }}
  tls.key: {{ $key }}
  ca.crt: {{ $caBundle }}
{{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration
  namespace: {{ .Release.Namespace }}
  labels:
  {{ include "kuma.labels" . | nindent 4 }}
webhooks:
  - name: mesh.defaulter.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Fail
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /default-kuma-io-v1alpha1-mesh
    rules:
      - apiGroups:
          - kuma.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
        resources:
          - meshes
    sideEffects: None
  - name: owner-reference.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Fail
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /owner-reference-kuma-io-v1alpha1
    rules:
      - apiGroups:
          - kuma.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
        resources:
          - circuitbreakers
          - externalservices
          - faultinjections
          - healthchecks
          - retries
          - proxytemplates
          - ratelimits
          - trafficlogs
          - trafficpermissions
          - trafficroutes
          - traffictraces
          - virtualoutbounds
    {{ .Values.controlPlane.webhooks.ownerReference.additionalRules | nindent 6 }}
    sideEffects: None
  - name: namespace-kuma-injector.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
    namespaceSelector:
      matchLabels:
        kuma.io/sidecar-injection: enabled
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /inject-sidecar
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
        resources:
          - pods
    sideEffects: None
  - name: pods-kuma-injector.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
    objectSelector:
      matchLabels:
        kuma.io/sidecar-injection: enabled
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /inject-sidecar
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
        resources:
          - pods
    sideEffects: None
  - name: kuma-injector.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Ignore {{/* Failure policy is hardcoded as Ignore because any other mode will cause CP to be unable to start after all instances are down */}}
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /inject-sidecar
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
        resources:
          - pods
    sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ include "kuma.name" . }}-validating-webhook-configuration
  namespace: {{ .Release.Namespace }}
  labels:
  {{ include "kuma.labels" . | nindent 4 }}
webhooks:
  - name: validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Fail
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /validate-kuma-io-v1alpha1
    rules:
      - apiGroups:
          - kuma.io
        apiVersions:
          - v1alpha1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - circuitbreakers
          - dataplanes
          - externalservices
          - faultinjections
          - healthchecks
          - retries
          - meshes
          - proxytemplates
          - ratelimits
          - trafficlogs
          - trafficpermissions
          - trafficroutes
          - traffictraces
          - virtualoutbounds
          - zones
    {{ .Values.controlPlane.webhooks.validator.additionalRules | nindent 6 }}
    sideEffects: None
  - name: service.validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    failurePolicy: Ignore
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" . }}
        path: /validate-v1-service
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - services
    sideEffects: None
  - name: secret.validator.kuma-admission.kuma.io
    admissionReviewVersions: ["v1"]
    namespaceSelector:
      matchLabels:
        kuma.io/system-namespace: "true"
    failurePolicy: Ignore
    clientConfig:
      caBundle: {{ $caBundle }}
      service:
        namespace: {{ .Release.Namespace }}
        name: {{ include "kuma.controlPlane.serviceName" .  }}
        path: /validate-v1-secret
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
          - DELETE
        resources:
          - secrets
    sideEffects: None
kongmesh 2022-01-31 13:35:57 +00:00			`{{- $caBundle := .Values.controlPlane.tls.general.caBundle }}`
			`{{/*`
			`Generate certificates`
			`see: https://masterminds.github.io/sprig/crypto.html`
			`see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca`
			`see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl`

			`We only autogenerate certs if user did not chose their own secret.`
			`We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades.`
			`*/}}`

			`{{- if eq .Values.controlPlane.tls.general.secretName "" -}}`
			`{{- $cert := "" }}`
			`{{- $key := "" }}`
			`{{- $secretName := print (include "kuma.name" .) "-tls-cert" }}`

			`{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}`
			`{{- if $secret -}}`
			`{{- $cert = index $secret.data "tls.crt" -}}`
			`{{- $key = index $secret.data "tls.key" -}}`
			`{{- $caBundle = index $secret.data "ca.crt" -}}`
			`{{- else -}}`
			`{{- $commonName := (include "kuma.controlPlane.serviceName" .) -}}`
			`{{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}}`
			`{{- $certTTL := 3650 -}}`
			`{{- $ca := genCA "kuma-ca" $certTTL -}}`

			`{{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}}`
			`{{- $cert = $genCert.Cert \| b64enc -}}`
			`{{- $key = $genCert.Key \| b64enc -}}`
			`{{ $caBundle = $ca.Cert \| b64enc }}`
			`{{- end -}}`
			`---`
			`apiVersion: v1`
			`kind: Secret`
			`type: kubernetes.io/tls`
			`metadata:`
			`name: {{ $secretName }}`
			`namespace: {{ .Release.Namespace }}`
			`labels:`
			`{{- include "kuma.labels" . \| nindent 4 }}`
			`data:`
			`tls.crt: {{ $cert }}`
			`tls.key: {{ $key }}`
			`ca.crt: {{ $caBundle }}`
			`{{- end }}`
			`---`
			`apiVersion: admissionregistration.k8s.io/v1`
			`kind: MutatingWebhookConfiguration`
			`metadata:`
			`name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration`
			`namespace: {{ .Release.Namespace }}`
			`labels:`
			`{{ include "kuma.labels" . \| nindent 4 }}`
			`webhooks:`
			`- name: mesh.defaulter.kuma-admission.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: Fail`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /default-kuma-io-v1alpha1-mesh`
			`rules:`
			`- apiGroups:`
			`- kuma.io`
			`apiVersions:`
			`- v1alpha1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`resources:`
			`- meshes`
			`sideEffects: None`
			`- name: owner-reference.kuma-admission.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: Fail`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /owner-reference-kuma-io-v1alpha1`
			`rules:`
			`- apiGroups:`
			`- kuma.io`
			`apiVersions:`
			`- v1alpha1`
			`operations:`
			`- CREATE`
			`resources:`
			`- circuitbreakers`
			`- externalservices`
			`- faultinjections`
			`- healthchecks`
			`- retries`
			`- proxytemplates`
			`- ratelimits`
			`- trafficlogs`
			`- trafficpermissions`
			`- trafficroutes`
			`- traffictraces`
			`- virtualoutbounds`
			`{{ .Values.controlPlane.webhooks.ownerReference.additionalRules \| nindent 6 }}`
			`sideEffects: None`
			`- name: namespace-kuma-injector.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}`
			`namespaceSelector:`
			`matchLabels:`
			`kuma.io/sidecar-injection: enabled`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /inject-sidecar`
			`rules:`
			`- apiGroups:`
			`- ""`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`resources:`
			`- pods`
			`sideEffects: None`
			`- name: pods-kuma-injector.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}`
			`objectSelector:`
			`matchLabels:`
			`kuma.io/sidecar-injection: enabled`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /inject-sidecar`
			`rules:`
			`- apiGroups:`
			`- ""`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`resources:`
			`- pods`
			`sideEffects: None`
			`- name: kuma-injector.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: Ignore {{/* Failure policy is hardcoded as Ignore because any other mode will cause CP to be unable to start after all instances are down */}}`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /inject-sidecar`
			`rules:`
			`- apiGroups:`
			`- ""`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`resources:`
			`- pods`
			`sideEffects: None`
			`---`
			`apiVersion: admissionregistration.k8s.io/v1`
			`kind: ValidatingWebhookConfiguration`
			`metadata:`
			`name: {{ include "kuma.name" . }}-validating-webhook-configuration`
			`namespace: {{ .Release.Namespace }}`
			`labels:`
			`{{ include "kuma.labels" . \| nindent 4 }}`
			`webhooks:`
			`- name: validator.kuma-admission.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: Fail`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /validate-kuma-io-v1alpha1`
			`rules:`
			`- apiGroups:`
			`- kuma.io`
			`apiVersions:`
			`- v1alpha1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`- DELETE`
			`resources:`
			`- circuitbreakers`
			`- dataplanes`
			`- externalservices`
			`- faultinjections`
			`- healthchecks`
			`- retries`
			`- meshes`
			`- proxytemplates`
			`- ratelimits`
			`- trafficlogs`
			`- trafficpermissions`
			`- trafficroutes`
			`- traffictraces`
			`- virtualoutbounds`
			`- zones`
			`{{ .Values.controlPlane.webhooks.validator.additionalRules \| nindent 6 }}`
			`sideEffects: None`
			`- name: service.validator.kuma-admission.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`failurePolicy: Ignore`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /validate-v1-service`
			`rules:`
			`- apiGroups:`
			`- ""`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`resources:`
			`- services`
			`sideEffects: None`
			`- name: secret.validator.kuma-admission.kuma.io`
			`admissionReviewVersions: ["v1"]`
			`namespaceSelector:`
			`matchLabels:`
			`kuma.io/system-namespace: "true"`
			`failurePolicy: Ignore`
			`clientConfig:`
			`caBundle: {{ $caBundle }}`
			`service:`
			`namespace: {{ .Release.Namespace }}`
			`name: {{ include "kuma.controlPlane.serviceName" . }}`
			`path: /validate-v1-secret`
			`rules:`
			`- apiGroups:`
			`- ""`
			`apiVersions:`
			`- v1`
			`operations:`
			`- CREATE`
			`- UPDATE`
			`- DELETE`
			`resources:`
			`- secrets`
			`sideEffects: None`