Add deployment files for validating admission webhook

* Add script for automated certtificates and secret generation * Add pod, service and webhook configuration specification files Signed-off-by: Przemyslaw Lal <przemyslawx.lal@intel.com>
2025-08-30 15:01:24 +00:00 · 2018-08-22 15:00:58 +01:00 · 2018-08-22 15:00:58 +01:00 · 8b18175fc9
commit 8b18175fc9
parent 5892b36b7a
4 changed files with 202 additions and 0 deletions
--- a/deployment/webhook/certs.sh
+++ b/deployment/webhook/certs.sh
@ -0,0 +1,95 @@
+#!/bin/bash
+
+# Copyright (c) 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# create temp dir to store intermediate files
+tmp=$(mktemp -d)
+
+# generate private key
+echo "Generating private RSA key..."
+openssl genrsa -out ${tmp}/webhook-key.pem 2048 >/dev/null 2>&1
+
+# generate CSR
+echo "Generating CSR configuration file..."
+cat <<EOF >> ${tmp}/webhook.conf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = multus-webhook-service
+DNS.2 = multus-webhook-service.default
+DNS.3 = multus-webhook-service.default.svc
+EOF
+openssl req -new -key ${tmp}/webhook-key.pem -subj "/CN=multus-webhook-service.default.svc" -out ${tmp}/server.csr -config ${tmp}/webhook.conf
+
+# push CSR to Kubernetes API server
+echo "Sending CSR to Kubernetes..."
+csr_name="multus-webhook-service.default"
+kubectl delete csr ${csr_name} >/dev/null 2>&1
+cat <<EOF | kubectl create -f -
+apiVersion: certificates.k8s.io/v1beta1
+kind: CertificateSigningRequest
+metadata:
+  name: ${csr_name}
+spec:
+  request: $(cat ${tmp}/server.csr | base64 -w0)
+  groups:
+  - system:authenticated
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
+EOF
+
+# approve certificate
+echo "Approving CSR..."
+kubectl certificate approve ${csr_name}
+
+# wait for the cert to be issued
+echo -n "Waiting for the certificate to be issued..."
+cert=""
+for sec in $(seq 15); do
+  cert=$(kubectl get csr ${csr_name} -o jsonpath='{.status.certificate}')
+  if [[ $cert != "" ]]; then
+    echo -e "\nCertificate issued succesfully."
+    echo $cert | base64 --decode > ${tmp}/webhook-cert.pem
+    break
+  fi
+  echo -n "."; sleep 1
+done
+if [[ $cert == "" ]]; then
+  echo -e "\nError: certificate not issued. Verify that the API for signing certificates is enabled."
+  exit
+fi
+
+# create secret
+echo "Creating secret..."
+kubectl delete secret "multus-webhook-secret"
+kubectl create secret generic --from-file=key.pem=${tmp}/webhook-key.pem --from-file=cert.pem=${tmp}/webhook-cert.pem "multus-webhook-secret"
+
+# set cert in webhook configuration
+echo "Patching configuration file with certificate..."
+if [[ -f configuration-template.yaml ]]; then
+  sed "s/__CERT__/${cert}/" configuration-template.yaml > configuration.yaml
+  echo "File configuration.yaml patched."
+else
+  echo -e "Error: validating configuration template file 'configuration-template.yaml' is missing. Please update it with cert.pem value from the secret manually."
+fi
--- a/deployment/webhook/configuration-template.yaml
+++ b/deployment/webhook/configuration-template.yaml
@ -0,0 +1,38 @@
+# Copyright (c) 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app: multus-webhook
+  name: multus-webhook-config
+webhooks:
+- clientConfig:
+    caBundle: __CERT__
+    service:
+      name: multus-webhook-service
+      namespace: default
+      path: /validate
+  failurePolicy: Fail
+  name: multus-webhook.k8s.cni.cncf.io
+  rules:
+  - apiGroups:
+    - k8s.cni.cncf.io
+    apiVersions:
+    - v1
+    resources:
+    - network-attachment-definitions
+    operations:
+    - CREATE
--- a/deployment/webhook/pod.yaml
+++ b/deployment/webhook/pod.yaml
@ -0,0 +1,42 @@
+# Copyright (c) 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: multus-webhook
+  name: multus-webhook-pod
+  namespace: default
+spec:
+  containers:
+  - name: multus-webhook
+    image: multus-webhook
+    command:
+    - /webhook/webhook
+    args:
+    - --bind-address=0.0.0.0
+    - --port=443
+    - --tls-private-key-file=/webhook/tls/key.pem
+    - --tls-cert-file=/webhook/tls/cert.pem
+    volumeMounts:
+    - mountPath: /webhook/tls
+      name: multus-webhook-secret
+      readOnly: True
+    imagePullPolicy: IfNotPresent
+  restartPolicy: Never
+  volumes:
+  - name: multus-webhook-secret
+    secret:
+      secretName: multus-webhook-secret
--- a/deployment/webhook/service.yaml
+++ b/deployment/webhook/service.yaml
@ -0,0 +1,27 @@
+# Copyright (c) 2018 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: multus-webhook-service
+  labels:
+    app: multus-webhook
+  namespace: default
+spec:
+  ports:
+  - port: 443
+    targetPort: 443
+  selector:
+    app: multus-webhook