Helm(tls cert for webhooks): option to create via certmanager or exis…

…tingSecretRef (#384)

* support generating webhooks tls cert via certmanager
  Avoids having to create ClusterRole.
* replace admission daemonset by deployment + PDB
* support "existingSecretRef" for webhooks tls cert

charts/trow/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## unreleased
+
+* Templates:
+  * webhooks: switch from daemonset to deployment (+ PDB to ensure at least 1 pod is always running)
+  * rename `enable` to `enabled`
+* `Values.yaml`:
+  * `.webhookPatch` renamed `.webhooks.tls.patch`
+  * add in `.webhooks.tls`: `certmanager` & `existingSecretRef`
+  * add `namespaceSelector` to `.webhooks`
+
 ## v0.7.0
 
 * Renamings in `Values.yaml`:

charts/trow/templates/_helpers.tpl

@@ -79,4 +79,26 @@ Webhook selector labels
 */}}
 {{- define "webhook.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "trow.name" . }}-webhook
+app.kubernetes.io/component: webhooks
+{{- end -}}
+
+{{- define "webhook.enabled" -}}
+{{- $trowWebhooksEnabled := or (default false .Values.trow.validationWebhook.enabled) (default false .Values.trow.proxyRegistries.webhook.enabled) -}}
+{{ ternary "true" "" $trowWebhooksEnabled }}
+{{- end }}
+
+{{/*
+Webhook certificate generation is done either via patch or certmanager
+*/}}
+{{- define "webhook.validateTlsGenValues" -}}
+
+{{- $count := 0 -}}
+{{- if .Values.webhooks.tls.existingSecretRef -}}{{- $count = add $count 1 -}}{{- end -}}
+{{- if .Values.webhooks.tls.certmanager.enabled -}}{{- $count = add $count 1 -}}{{- end -}}
+{{- if .Values.webhooks.tls.patch.enabled -}}{{- $count = add $count 1 -}}{{- end -}}
+
+{{- if ne $count 1 -}}
+{{- fail "Strictly one of existingCertSecret, certmanager.enabled, or patch.enabled must be set" -}}
+{{- end -}}
+
 {{- end -}}

charts/trow/templates/webhooks/daemonset.yaml → charts/trow/templates/webhooks/deployment.yaml

@@ -1,12 +1,13 @@
-{{- if or .Values.trow.validationWebhook.enable .Values.trow.proxyRegistries.webhook.enable }}
+{{- if (include "webhook.enabled" .) }}
 apiVersion: apps/v1
-kind: DaemonSet
+kind: Deployment
 metadata:
   labels:
     {{- include "webhook.labels" . | nindent 4 }}
   name: {{ include "trow.fullname" . }}-webhook
   namespace: {{ .Release.Namespace }}
 spec:
+  replicas: {{ .Values.webhooks.replicas }}
   selector:
     matchLabels:
       {{- include "webhook.selectorLabels" . | nindent 6 }}
@@ -27,8 +28,8 @@ spec:
           - sh
           - -c
           - |
-            cp /etc/trow/webhook-cert-ecc/cert /etc/trow/webhook-cert && \
-            openssl pkcs8 -topk8 -nocrypt -in /etc/trow/webhook-cert-ecc/key -out /etc/trow/webhook-cert/key
+            cp /etc/trow/webhook-cert-ecc/tls.crt /etc/trow/webhook-cert/cert && \
+            openssl pkcs8 -topk8 -nocrypt -in /etc/trow/webhook-cert-ecc/tls.key -out /etc/trow/webhook-cert/key
         volumeMounts:
         - name: webhook-cert-translated
           mountPath: /etc/trow/webhook-cert
@@ -74,7 +75,13 @@ spec:
       volumes:
         - name: webhook-cert-ecc
           secret:
-            secretName: {{ include "trow.fullname" . }}-admission
+          {{- if (not (empty .Values.webhooks.tls.existingSecretRef)) }}
+            secretName: {{ .Values.webhooks.tls.existingSecretRef }}
+          {{- else if .Values.webhooks.tls.certmanager.enabled }}
+            secretName: {{ include "trow.fullname" . }}-cm-admission
+          {{- else if .Values.webhooks.tls.patch.enabled }}
+            secretName: {{ include "trow.fullname" . }}-patch-admission
+          {{- end }}
         - name: webhook-cert-translated
           emptyDir: {}
       {{- if (not (empty .Values.trow.proxyRegistries.config)) }}
@@ -104,3 +111,14 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
 {{- end }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "trow.fullname" . }}-webhook-pdb
+  namespace: {{ .Release.Namespace }}
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      {{- include "webhook.selectorLabels" . | nindent 6 }}

charts/trow/templates/webhooks/mutatingwebhook.yaml

@@ -1,23 +1,33 @@
-{{ if .Values.trow.proxyRegistries.webhook.enable }}
+{{ if .Values.trow.proxyRegistries.webhook.enabled }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: {{ include "trow.fullname" . }}-mutation
   labels:
     {{- include "trow.labels" . | nindent 4 }}
     app.kubernetes.io/component: admission-webhook
+  annotations:
+  {{- if .Values.webhooks.tls.certmanager.enabled }}
+    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-webhooks" (.Release.Namespace) (include "trow.fullname" .) | quote }}
+    cert-manager.io/inject-ca-from: {{ printf "%s/%s-webhooks" (.Release.Namespace) (include "trow.fullname" .) | quote }}
+  {{- end }}
 webhooks:
   - name: mutate.trow.io
     admissionReviewVersions: ["v1"]
     sideEffects: None
+    {{- if .Values.webhooks.namespaceSelector }}
+    namespaceSelector:
+      {{- toYaml .Values.webhooks.namespaceSelector | nindent 6 }}
+    {{- end }}
     rules:
       - apiGroups: [""]
         apiVersions: ["v1"]
         operations: ["CREATE"]
         resources: ["pods"]
+        scope: "Namespaced"
     # Patched by job-patchWebhook.yaml
     # At first deploy we have to set to "Ignore" otherwise Trow fails to deploy
-    # because the Trow webhook doesn;t exist yet :/
+    # because the Trow webhook doesn't exist yet :/
     failurePolicy: Ignore
     clientConfig:
       service:

charts/trow/templates/webhooks/service.yaml

@@ -1,4 +1,4 @@
-{{ if .Values.trow.validationWebhook.enable }}
+{{ if .Values.trow.validationWebhook.enabled }}
 apiVersion: v1
 kind: Service
 metadata: