-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
- Loading branch information
1 parent
5a72331
commit 50998d9
Showing
18 changed files
with
258 additions
and
358 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -19,7 +19,6 @@ | |
"program": "${workspaceFolder}", | ||
"args": [ | ||
"sidecar-injector", | ||
"--local" | ||
], | ||
} | ||
] | ||
|
10 changes: 10 additions & 0 deletions
10
charts/kyverno-envoy-plugin/templates/_helpers/_deployment.tpl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
|
||
{{- define "kyverno.deployment.replicas" -}} | ||
{{- if and (not (kindIs "invalid" .)) (not (kindIs "string" .)) -}} | ||
{{- if eq (int .) 0 -}} | ||
{{- fail "Kyverno does not support running with 0 replicas. Please provide a non-zero integer value." -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- . -}} | ||
{{- end -}} |
56 changes: 40 additions & 16 deletions
56
charts/kyverno-envoy-plugin/templates/sidecar-injector/certificates.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,32 +1,56 @@ | ||
{{- if .Values.sidecarInjector.enabled -}} | ||
{{- if .Values.sidecarInjector.certificates.selfSigned -}} | ||
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} | ||
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.sidecar-injector.name" .) (include "kyverno.namespace" .)) -}} | ||
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} | ||
{{- $tls := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} | ||
{{- if .Values.sidecarInjector.certificates.selfSigned -}} | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca | ||
name: {{ template "kyverno.sidecar-injector.name" . }} | ||
namespace: {{ template "kyverno.namespace" . }} | ||
labels: | ||
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} | ||
annotations: | ||
self-signed-cert: "true" | ||
type: kubernetes.io/tls | ||
data: | ||
tls.key: {{ $ca.Key | b64enc }} | ||
tls.crt: {{ $ca.Cert | b64enc }} | ||
tls.key: {{ $tls.Key | b64enc }} | ||
tls.crt: {{ $tls.Cert | b64enc }} | ||
ca.crt: {{ $ca.Cert | b64enc }} | ||
{{- end }} | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
apiVersion: admissionregistration.k8s.io/v1 | ||
kind: MutatingWebhookConfiguration | ||
metadata: | ||
name: {{ template "kyverno.sidecar-injector.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair | ||
namespace: {{ template "kyverno.namespace" . }} | ||
name: {{ template "kyverno.sidecar-injector.name" . }} | ||
labels: | ||
{{- include "kyverno.sidecar-injector.labels" . | nindent 4 }} | ||
annotations: | ||
self-signed-cert: "true" | ||
type: kubernetes.io/tls | ||
data: | ||
tls.key: {{ $cert.Key | b64enc }} | ||
tls.crt: {{ $cert.Cert | b64enc }} | ||
{{- end -}} | ||
webhooks: | ||
- name: kyverno-envoy-sidecar.kyverno-envoy-sidecar-injector.svc | ||
clientConfig: | ||
service: | ||
name: {{ template "kyverno.sidecar-injector.name" . }} | ||
namespace: {{ template "kyverno.namespace" . }} | ||
path: "/mutate" | ||
caBundle: {{ $ca.Cert | b64enc }} | ||
failurePolicy: Fail | ||
sideEffects: None | ||
admissionReviewVersions: | ||
- v1 | ||
rules: | ||
- apiGroups: | ||
- '' | ||
apiVersions: | ||
- v1 | ||
resources: | ||
- pods | ||
operations: | ||
- CREATE | ||
scope: '*' | ||
objectSelector: | ||
matchExpressions: | ||
- key: kyverno-envoy-sidecar/injection | ||
operator: In | ||
values: | ||
- enabled | ||
{{- end -}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
35 changes: 0 additions & 35 deletions
35
charts/kyverno-envoy-plugin/templates/sidecar-injector/mutating-webhook-configuration.yaml
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,112 @@ | ||
package inject | ||
|
||
import ( | ||
"context" | ||
"crypto/tls" | ||
"errors" | ||
"fmt" | ||
"net/http" | ||
"time" | ||
|
||
"github.com/kyverno/kyverno-envoy-plugin/pkg/httpd" | ||
"github.com/kyverno/kyverno-envoy-plugin/pkg/server/handlers" | ||
"github.com/kyverno/kyverno-envoy-plugin/pkg/signals" | ||
"github.com/spf13/cobra" | ||
"go.uber.org/multierr" | ||
admissionv1 "k8s.io/api/admission/v1" | ||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
"k8s.io/apimachinery/pkg/util/wait" | ||
) | ||
|
||
func Command() *cobra.Command { | ||
var httpdConf httpd.SimpleServer | ||
var address string | ||
var certFile string | ||
var keyFile string | ||
command := &cobra.Command{ | ||
Use: "sidecar-injector", | ||
Short: "Responsible for injecting sidecars into pod containers", | ||
RunE: func(cmd *cobra.Command, args []string) error { | ||
fmt.Printf("SimpleServer starting to listen in port %v", httpdConf.Port) | ||
return httpdConf.Start() | ||
return runServer(context.Background(), address, certFile, keyFile) | ||
}, | ||
} | ||
command.Flags().IntVar(&httpdConf.Port, "port", 443, "server port.") | ||
command.Flags().StringVar(&httpdConf.CertFile, "certFile", "/etc/mutator/certs/tls.crt", "File containing tls certificate") | ||
command.Flags().StringVar(&httpdConf.KeyFile, "keyFile", "/etc/mutator/certs/tls.key", "File containing tls private key") | ||
command.Flags().BoolVar(&httpdConf.Local, "local", false, "Local run mode") | ||
command.Flags().StringVar(&(&httpdConf.Patcher).SidecarDataKey, "sidecarDataKey", "sidecars.yaml", "ConfigMap Sidecar Data Key") | ||
command.Flags().StringVar(&address, "address", ":9443", "Address to listen on") | ||
command.Flags().StringVar(&certFile, "cert-file", "", "File containing tls certificate") | ||
command.Flags().StringVar(&keyFile, "key-file", "", "File containing tls private key") | ||
return command | ||
} | ||
|
||
func setupMux() http.Handler { | ||
mux := http.NewServeMux() | ||
mux.Handle("/livez", handlers.Health()) | ||
mux.Handle("/readyz", handlers.Health()) | ||
mux.Handle("/mutate", handlers.AdmissionReview(func(ctx context.Context, r *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse { | ||
var err error | ||
var warnings []string | ||
response := admissionv1.AdmissionResponse{ | ||
Allowed: err == nil, | ||
UID: r.UID, | ||
} | ||
if err != nil { | ||
response.Result = &metav1.Status{ | ||
Status: metav1.StatusFailure, | ||
Message: err.Error(), | ||
} | ||
} | ||
response.Warnings = warnings | ||
return &response | ||
})) | ||
return mux | ||
} | ||
|
||
func setupServer(addr string) *http.Server { | ||
return &http.Server{ | ||
Addr: addr, | ||
Handler: setupMux(), | ||
TLSConfig: &tls.Config{ | ||
MinVersion: tls.VersionTLS12, | ||
CipherSuites: []uint16{ | ||
// AEADs w/ ECDHE | ||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | ||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | ||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | ||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | ||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, | ||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, | ||
}, | ||
}, | ||
ReadTimeout: 30 * time.Second, | ||
WriteTimeout: 30 * time.Second, | ||
ReadHeaderTimeout: 30 * time.Second, | ||
IdleTimeout: 5 * time.Minute, | ||
} | ||
} | ||
|
||
func runServer(ctx context.Context, addr, certFile, keyFile string) error { | ||
var group wait.Group | ||
server := setupServer(addr) | ||
err := func() error { | ||
signalsCtx, signalsCancel := signals.Context(ctx) | ||
defer signalsCancel() | ||
var shutdownErr error | ||
group.StartWithContext(signalsCtx, func(ctx context.Context) { | ||
<-ctx.Done() | ||
fmt.Println("Shutting down server...") | ||
shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 10*time.Second) | ||
defer shutdownCancel() | ||
shutdownErr = server.Shutdown(shutdownCtx) | ||
}) | ||
fmt.Printf("Starting server at %s...\n", addr) | ||
var serveErr error | ||
if certFile != "" && keyFile != "" { | ||
serveErr = server.ListenAndServeTLS(certFile, keyFile) | ||
} else { | ||
serveErr = server.ListenAndServe() | ||
} | ||
if errors.Is(serveErr, http.ErrServerClosed) { | ||
serveErr = nil | ||
} | ||
return multierr.Combine(serveErr, shutdownErr) | ||
}() | ||
group.Wait() | ||
fmt.Println("Server stopped") | ||
return err | ||
} |
Oops, something went wrong.