[stable/field-exporter] add validating webhook configuration

deliveryhero · Dec 18, 2023 · 3ad85e6 · 3ad85e6
1 parent ee9c471
commit 3ad85e6
Show file tree

Hide file tree

Showing 15 changed files with 334 additions and 25 deletions.
diff --git a/stable/field-exporter/Chart.yaml b/stable/field-exporter/Chart.yaml
@@ -4,8 +4,8 @@ description: |
   A chart to install [field-exporter](https://github.com/deliveryhero/field-exporter). This controller is used to fill the gap in [k8s-config-connector](https://github.com/GoogleCloudPlatform/k8s-config-connector) for exporting value from Config Connector managed resources into Secrets and ConfigMaps.
 
 type: application
-version: 1.1.0
-appVersion: "v1.1.0"
+version: 1.3.0
+appVersion: "v1.3.0"
 home: https://github.com/deliveryhero/field-exporter
 sources:
   - https://github.com/deliveryhero/field-exporter

diff --git a/stable/field-exporter/README.md b/stable/field-exporter/README.md
@@ -46,18 +46,15 @@ helm install my-release deliveryhero/field-exporter -f values.yaml
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| controllerManager.manager.args[0] | string | `"--health-probe-bind-address=:8081"` |  |
-| controllerManager.manager.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` |  |
-| controllerManager.manager.args[2] | string | `"--leader-elect"` |  |
+| controllerManager.manager.args[0] | string | `"--leader-elect"` |  |
 | controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controllerManager.manager.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | controllerManager.manager.image.repository | string | `"europe-docker.pkg.dev/dp-common-infra-5780/developer-platform-public/deliveryhero/field-exporter"` |  |
-| controllerManager.manager.image.tag | string | `"v1.1.0"` |  |
+| controllerManager.manager.image.tag | string | `"v1.3.0"` |  |
 | controllerManager.manager.resources.limits.cpu | string | `"500m"` |  |
 | controllerManager.manager.resources.limits.memory | string | `"128Mi"` |  |
 | controllerManager.manager.resources.requests.cpu | string | `"10m"` |  |
 | controllerManager.manager.resources.requests.memory | string | `"128Mi"` |  |
-| controllerManager.podLabels | object | `{}` |  |
 | controllerManager.replicas | int | `1` |  |
 | controllerManager.serviceAccount.annotations | object | `{}` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` |  |
@@ -66,6 +63,10 @@ helm install my-release deliveryhero/field-exporter -f values.yaml
 | metricsService.ports[0].protocol | string | `"TCP"` |  |
 | metricsService.ports[0].targetPort | string | `"https"` |  |
 | metricsService.type | string | `"ClusterIP"` |  |
+| webhookService.ports[0].port | int | `443` |  |
+| webhookService.ports[0].protocol | string | `"TCP"` |  |
+| webhookService.ports[0].targetPort | int | `9443` |  |
+| webhookService.type | string | `"ClusterIP"` |  |
 
 ## Maintainers
 

diff --git a/stable/field-exporter/templates/deployment.yaml b/stable/field-exporter/templates/deployment.yaml
@@ -15,9 +15,6 @@ spec:
       labels:
         control-plane: controller-manager
       {{- include "field-exporter.selectorLabels" . | nindent 8 }}
-      {{- if .Values.controllerManager.podLabels }}
-{{ toYaml .Values.controllerManager.podLabels | indent 8 }}
-      {{- end }}
       annotations:
         kubectl.kubernetes.io/default-container: manager
     spec:
@@ -28,14 +25,21 @@ spec:
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
+        - name: ENABLE_WEBHOOKS
+          value: "true"
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
+          | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
             path: /healthz
             port: 8081
           initialDelaySeconds: 15
           periodSeconds: 20
         name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
         readinessProbe:
           httpGet:
             path: /readyz
@@ -46,7 +50,16 @@ spec:
           }}
         securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
           | nindent 10 }}
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: {{ include "field-exporter.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert
diff --git a/stable/field-exporter/templates/leader-election-rbac.yaml b/stable/field-exporter/templates/leader-election-rbac.yaml
@@ -53,4 +53,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "field-exporter.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/stable/field-exporter/templates/manager-rbac.yaml b/stable/field-exporter/templates/manager-rbac.yaml
@@ -6,23 +6,23 @@ metadata:
   {{- include "field-exporter.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - ""
+  - alloydb.cnrm.cloud.google.com
   resources:
-  - configmaps
-  - secrets
+  - '*'
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
-  - alloydb.cnrm.cloud.google.com
+  - ""
   resources:
-  - '*'
+  - configmaps
+  - secrets
   verbs:
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - gdp.deliveryhero.io
@@ -99,4 +99,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "field-exporter.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/stable/field-exporter/templates/metrics-reader-rbac.yaml b/stable/field-exporter/templates/metrics-reader-rbac.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-metrics-reader
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
diff --git a/stable/field-exporter/templates/metrics-service.yaml b/stable/field-exporter/templates/metrics-service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-controller-manager-metrics-service
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+    control-plane: controller-manager
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.metricsService.type }}
+  selector:
+    control-plane: controller-manager
+  {{- include "field-exporter.selectorLabels" . | nindent 4 }}
+  ports:
+	{{- .Values.metricsService.ports | toYaml | nindent 2 -}}
diff --git a/stable/field-exporter/templates/proxy-rbac.yaml b/stable/field-exporter/templates/proxy-rbac.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-proxy-role
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-proxy-rolebinding
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "field-exporter.fullname" . }}-proxy-role'
+subjects:
+- kind: ServiceAccount
+  name: '{{ include "field-exporter.fullname" . }}-controller-manager'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/stable/field-exporter/templates/resourcefieldexport-crd.yaml b/stable/field-exporter/templates/resourcefieldexport-crd.yaml
@@ -0,0 +1,152 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: resourcefieldexports.gdp.deliveryhero.io
+  annotations:
+    cert-manager.io/inject-ca-from: '{{ .Release.Namespace }}/{{ include "field-exporter.fullname"
+      . }}-serving-cert'
+    controller-gen.kubebuilder.io/version: v0.13.0
+  labels:
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          name: '{{ include "field-exporter.fullname" . }}-webhook-service'
+          namespace: '{{ .Release.Namespace }}'
+          path: /convert
+      conversionReviewVersions:
+      - v1
+  group: gdp.deliveryhero.io
+  names:
+    kind: ResourceFieldExport
+    listKind: ResourceFieldExportList
+    plural: resourcefieldexports
+    singular: resourcefieldexport
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ResourceFieldExport is the Schema for the resourcefieldexports
+          API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ResourceFieldExportSpec defines the desired state of ResourceFieldExport
+            properties:
+              from:
+                properties:
+                  apiVersion:
+                    description: APIVersion is the group version of the resource
+                    pattern: ^([a-zA-Z0-9.-]+[a-zA-Z0-9-]\/[a-zA-Z0-9]+|[a-zA-Z0-9]+)$
+                    type: string
+                  kind:
+                    type: string
+                  name:
+                    type: string
+                required:
+                - apiVersion
+                - kind
+                - name
+                type: object
+              outputs:
+                items:
+                  properties:
+                    key:
+                      type: string
+                    path:
+                      type: string
+                  required:
+                  - key
+                  - path
+                  type: object
+                type: array
+              requiredFields:
+                properties:
+                  statusConditions:
+                    items:
+                      properties:
+                        status:
+                          type: string
+                        type:
+                          type: string
+                      required:
+                      - status
+                      - type
+                      type: object
+                    type: array
+                type: object
+              to:
+                description: DestinationRef is where the fields should be written.
+                properties:
+                  name:
+                    type: string
+                  type:
+                    description: DestinationType is a ConfigMap or a Secret
+                    enum:
+                    - ConfigMap
+                    - Secret
+                    type: string
+                required:
+                - name
+                - type
+                type: object
+            required:
+            - from
+            - outputs
+            - to
+            type: object
+          status:
+            description: ResourceFieldExportStatus defines the observed state of ResourceFieldExport
+            properties:
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      description: The last time the condition transitioned from one
+                        status to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human-readable message indicating details about
+                        the transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type is the type of the Condition
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            required:
+            - conditions
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/stable/field-exporter/templates/selfsigned-issuer.yaml b/stable/field-exporter/templates/selfsigned-issuer.yaml
@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-selfsigned-issuer
+  labels:
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
diff --git a/stable/field-exporter/templates/serviceaccount.yaml b/stable/field-exporter/templates/serviceaccount.yaml
@@ -5,4 +5,4 @@ metadata:
   labels:
   {{- include "field-exporter.labels" . | nindent 4 }}
   annotations:
-    {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
+    {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}