259 lines
7.5 KiB
YAML
259 lines
7.5 KiB
YAML
{{- $caBundle := .Values.controlPlane.tls.general.caBundle }}
|
|
{{/*
|
|
Generate certificates
|
|
see: https://masterminds.github.io/sprig/crypto.html
|
|
see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca
|
|
see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl
|
|
|
|
We only autogenerate certs if user did not chose their own secret.
|
|
We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades.
|
|
*/}}
|
|
|
|
{{- if eq .Values.controlPlane.tls.general.secretName "" -}}
|
|
{{- $cert := "" }}
|
|
{{- $key := "" }}
|
|
{{- $secretName := print (include "kuma.name" .) "-tls-cert" }}
|
|
|
|
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
|
|
{{- if $secret -}}
|
|
{{- $cert = index $secret.data "tls.crt" -}}
|
|
{{- $key = index $secret.data "tls.key" -}}
|
|
{{- $caBundle = index $secret.data "ca.crt" -}}
|
|
{{- else -}}
|
|
{{- $commonName := (include "kuma.controlPlane.serviceName" .) -}}
|
|
{{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}}
|
|
{{- $certTTL := 3650 -}}
|
|
{{- $ca := genCA "kuma-ca" $certTTL -}}
|
|
|
|
{{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}}
|
|
{{- $cert = $genCert.Cert | b64enc -}}
|
|
{{- $key = $genCert.Key | b64enc -}}
|
|
{{ $caBundle = $ca.Cert | b64enc }}
|
|
{{- end -}}
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: kubernetes.io/tls
|
|
metadata:
|
|
name: {{ $secretName }}
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{- include "kuma.labels" . | nindent 4 }}
|
|
data:
|
|
tls.crt: {{ $cert }}
|
|
tls.key: {{ $key }}
|
|
ca.crt: {{ $caBundle }}
|
|
{{- end }}
|
|
---
|
|
apiVersion: admissionregistration.k8s.io/v1
|
|
kind: MutatingWebhookConfiguration
|
|
metadata:
|
|
name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "kuma.labels" . | nindent 4 }}
|
|
webhooks:
|
|
- name: mesh.defaulter.kuma-admission.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: Fail
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /default-kuma-io-v1alpha1-mesh
|
|
rules:
|
|
- apiGroups:
|
|
- kuma.io
|
|
apiVersions:
|
|
- v1alpha1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- meshes
|
|
sideEffects: None
|
|
- name: owner-reference.kuma-admission.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: Fail
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /owner-reference-kuma-io-v1alpha1
|
|
rules:
|
|
- apiGroups:
|
|
- kuma.io
|
|
apiVersions:
|
|
- v1alpha1
|
|
operations:
|
|
- CREATE
|
|
resources:
|
|
- circuitbreakers
|
|
- externalservices
|
|
- faultinjections
|
|
- healthchecks
|
|
- retries
|
|
- proxytemplates
|
|
- ratelimits
|
|
- trafficlogs
|
|
- trafficpermissions
|
|
- trafficroutes
|
|
- traffictraces
|
|
- virtualoutbounds
|
|
{{ .Values.controlPlane.webhooks.ownerReference.additionalRules | nindent 6 }}
|
|
sideEffects: None
|
|
- name: namespace-kuma-injector.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
|
|
namespaceSelector:
|
|
matchLabels:
|
|
kuma.io/sidecar-injection: enabled
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /inject-sidecar
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
resources:
|
|
- pods
|
|
sideEffects: None
|
|
- name: pods-kuma-injector.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
|
|
objectSelector:
|
|
matchLabels:
|
|
kuma.io/sidecar-injection: enabled
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /inject-sidecar
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
resources:
|
|
- pods
|
|
sideEffects: None
|
|
- name: kuma-injector.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: Ignore {{/* Failure policy is hardcoded as Ignore because any other mode will cause CP to be unable to start after all instances are down */}}
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /inject-sidecar
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
resources:
|
|
- pods
|
|
sideEffects: None
|
|
---
|
|
apiVersion: admissionregistration.k8s.io/v1
|
|
kind: ValidatingWebhookConfiguration
|
|
metadata:
|
|
name: {{ include "kuma.name" . }}-validating-webhook-configuration
|
|
namespace: {{ .Release.Namespace }}
|
|
labels:
|
|
{{ include "kuma.labels" . | nindent 4 }}
|
|
webhooks:
|
|
- name: validator.kuma-admission.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: Fail
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /validate-kuma-io-v1alpha1
|
|
rules:
|
|
- apiGroups:
|
|
- kuma.io
|
|
apiVersions:
|
|
- v1alpha1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
- DELETE
|
|
resources:
|
|
- circuitbreakers
|
|
- dataplanes
|
|
- externalservices
|
|
- faultinjections
|
|
- healthchecks
|
|
- retries
|
|
- meshes
|
|
- proxytemplates
|
|
- ratelimits
|
|
- trafficlogs
|
|
- trafficpermissions
|
|
- trafficroutes
|
|
- traffictraces
|
|
- virtualoutbounds
|
|
- zones
|
|
{{ .Values.controlPlane.webhooks.validator.additionalRules | nindent 6 }}
|
|
sideEffects: None
|
|
- name: service.validator.kuma-admission.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
failurePolicy: Ignore
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /validate-v1-service
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
resources:
|
|
- services
|
|
sideEffects: None
|
|
- name: secret.validator.kuma-admission.kuma.io
|
|
admissionReviewVersions: ["v1"]
|
|
namespaceSelector:
|
|
matchLabels:
|
|
kuma.io/system-namespace: "true"
|
|
failurePolicy: Ignore
|
|
clientConfig:
|
|
caBundle: {{ $caBundle }}
|
|
service:
|
|
namespace: {{ .Release.Namespace }}
|
|
name: {{ include "kuma.controlPlane.serviceName" . }}
|
|
path: /validate-v1-secret
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
apiVersions:
|
|
- v1
|
|
operations:
|
|
- CREATE
|
|
- UPDATE
|
|
- DELETE
|
|
resources:
|
|
- secrets
|
|
sideEffects: None
|