ci/openshift-ci: Move openshift-ci from the tests repo

Move the f15be37d9bef58a0128bcba006f8abb3ea13e8da version of scripts required for openshift-ci from "kata-containers/tests/.ci/openshift-ci" into "kata-containers/kata-containers/ci/openshift-ci" and required webhook+libs into "kata-containers/kata-containers/tools/testing" as is to simplify verification, the different location handling will be added in following commit. Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-09-17 14:58:16 +00:00 · 2023-12-13 12:49:17 +01:00
parent bf54a02e16
commit 4c58478536
25 changed files with 1188 additions and 0 deletions
--- a/tools/testing/kata-webhook/deploy/webhook-registration.yaml.tpl
+++ b/tools/testing/kata-webhook/deploy/webhook-registration.yaml.tpl
@@ -0,0 +1,27 @@
+# Copyright (c) 2019 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pod-annotate-webhook
+  labels:
+    app: pod-annotate-webhook
+    kind: mutator
+webhooks:
+  - name: pod-annotate-webhook.kata.xyz
+    sideEffects: None
+    failurePolicy: Ignore
+    admissionReviewVersions: ["v1", "v1beta1"]
+    clientConfig:
+      service:
+        name: pod-annotate-webhook
+        namespace: default
+        path: "/mutate"
+      caBundle: CA_BUNDLE
+    rules:
+      - operations: [ "CREATE" ]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
--- a/tools/testing/kata-webhook/deploy/webhook.yaml
+++ b/tools/testing/kata-webhook/deploy/webhook.yaml
@@ -0,0 +1,69 @@
+# Copyright (c) 2019 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pod-annotate-webhook
+  labels:
+    app: pod-annotate-webhook
+spec:
+  selector:
+    matchLabels:
+      app: pod-annotate-webhook
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: pod-annotate-webhook
+    spec:
+      containers:
+        - name: pod-annotate-webhook
+          image: quay.io/kata-containers/kata-webhook-example:latest
+          imagePullPolicy: Always
+          env:
+            - name: RUNTIME_CLASS
+              valueFrom:
+                configMapKeyRef:
+                  name: kata-webhook
+                  key: runtime_class
+                  optional: true
+          args:
+            - -tls-cert-file=/etc/webhook/certs/cert.pem
+            - -tls-key-file=/etc/webhook/certs/key.pem
+            - -exclude-namespaces=rook-ceph-system,rook-ceph
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/webhook/certs
+              readOnly: true
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "250Mi"
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+                drop:
+                    - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+                type: RuntimeDefault
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: pod-annotate-webhook-certs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pod-annotate-webhook
+  labels:
+    app: pod-annotate-webhook
+spec:
+  ports:
+  - port: 443
+    targetPort: 8080
+  selector:
+    app: pod-annotate-webhook