From e8b1b3122c6707ce65556a6ba7b908f039dd7923 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?=
Date: Wed, 15 Nov 2023 19:30:58 +0100
Subject: [PATCH] chore: add webhook configuration to dev kustomizations (#5168)
---
.../manager_dev_webhook/kustomization.yaml | 12 ++++
.../manager_webhook_listen_patch.yaml | 22 +++++++
.../manager_webhook_secret.yaml | 10 +++
.../validating_webhook_configuration.yaml | 65 +++++++++++++++++++
.../multi-gw-postgres/dev/kustomization.yaml | 3 +
.../variants/multi-gw/dev/kustomization.yaml | 7 +-
6 files changed, 117 insertions(+), 2 deletions(-)
create mode 100644 config/components/manager_dev_webhook/kustomization.yaml
create mode 100644 config/components/manager_dev_webhook/manager_webhook_listen_patch.yaml
create mode 100644 config/components/manager_dev_webhook/manager_webhook_secret.yaml
create mode 100644 config/components/manager_dev_webhook/validating_webhook_configuration.yaml
diff --git a/config/components/manager_dev_webhook/kustomization.yaml b/config/components/manager_dev_webhook/kustomization.yaml
new file mode 100644
index 0000000000..f56a64bd03
--- /dev/null
+++ b/config/components/manager_dev_webhook/kustomization.yaml
@@ -0,0 +1,12 @@
+# This is a kustomize Component which deploys KIC's admission webhook configuration
+# with a static certificate and key for ease of use.
+# This is not meant to be used in production!
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ./validating_webhook_configuration.yaml
+- ./manager_webhook_secret.yaml
+
+patches:
+- path: manager_webhook_listen_patch.yaml
diff --git a/config/components/manager_dev_webhook/manager_webhook_listen_patch.yaml b/config/components/manager_dev_webhook/manager_webhook_listen_patch.yaml
new file mode 100644
index 0000000000..370f3245c8
--- /dev/null
+++ b/config/components/manager_dev_webhook/manager_webhook_listen_patch.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: ingress-kong
+ name: ingress-kong
+ namespace: kong
+spec:
+ template:
+ spec:
+ containers:
+ - name: ingress-controller
+ env:
+ - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN
+ value: :8080
+ volumeMounts:
+ - mountPath: /admission-webhook
+ name: validation-webhook
+ volumes:
+ - name: validation-webhook
+ secret:
+ secretName: kong-validation-webhook
diff --git a/config/components/manager_dev_webhook/manager_webhook_secret.yaml b/config/components/manager_dev_webhook/manager_webhook_secret.yaml
new file mode 100644
index 0000000000..9ee4b4018c
--- /dev/null
+++ b/config/components/manager_dev_webhook/manager_webhook_secret.yaml
@@ -0,0 +1,10 @@
+# This file contains static certificate and key for KIC's admission webhook.
+# This is provided for ease of use and is not meant to be used in production.
+apiVersion: v1
+data:
+ tls.crt: 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
+ tls.key: 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
+kind: Secret
+metadata:
+ name: kong-validation-webhook
+type: kubernetes.io/tls
diff --git a/config/components/manager_dev_webhook/validating_webhook_configuration.yaml b/config/components/manager_dev_webhook/validating_webhook_configuration.yaml
new file mode 100644
index 0000000000..5124fce767
--- /dev/null
+++ b/config/components/manager_dev_webhook/validating_webhook_configuration.yaml
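Review bot: In manager_webhook_listen_patch.yaml the listener is set to `:8080`, but none of the four files this component adds defines the Service `kong-controller-validation-webhook` that validating_webhook_configuration.yaml dials on port 443. If the base manifests do not already provide that Service with a target port of 8080, the API server's calls will fail, and with `failurePolicy: Ignore` nothing will surface the failure. I would add a comment above the env entry, `# Must match the targetPort of the kong-controller-validation-webhook Service, which is defined outside this component.` As a smaller style point, quoting the value as `value: ":8080"` keeps the leading colon from depending on plain-scalar parsing.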
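Review bot: manager_webhook_secret.yaml commits the webhook's TLS private key (`tls.key`) to the repository, so every cluster that applies this component terminates admission traffic with a key that any reader of the repo holds, and the only guard against wider use is the two-line header comment. The certificate and key values are elided on this page, so the subject names and expiry cannot be checked here; the header comment should record both, for example `# Self-signed, SAN: <service DNS name>, expires: <date>`, so a silently expired certificate is easy to spot. It would also help to mark the object itself with an annotation such as `<project-prefix>/dev-only: "true"` (placeholder key) so admission policy or an audit query can detect it in a cluster, and to add a CI check that no non-dev variant lists `components/manager_dev_webhook`.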
@@ -0,0 +1,65 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: kong-controller-validations +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: kong-controller-validation-webhook + namespace: kong + port: 443 + failurePolicy: Ignore + matchPolicy: Equivalent + name: validations.kong.konghq.com + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + scope: '*' + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + - services + scope: '*' + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + scope: '*' + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + scope: '*' + sideEffects: None + timeoutSeconds: 10 diff --git a/config/variants/multi-gw-postgres/dev/kustomization.yaml b/config/variants/multi-gw-postgres/dev/kustomization.yaml index d3bdc130da..dd572f040f 100644 --- a/config/variants/multi-gw-postgres/dev/kustomization.yaml +++ b/config/variants/multi-gw-postgres/dev/kustomization.yaml @@ -6,6 +6,9 @@ namespace: kong resources: - ../base/ +components: +- ../../../components/manager_dev_webhook + patches: - patch: |- apiVersion: apps/v1 diff --git a/config/variants/multi-gw/dev/kustomization.yaml b/config/variants/multi-gw/dev/kustomization.yaml index ef8e2d5028..67cd7c3ce3 100644 --- a/config/variants/multi-gw/dev/kustomization.yaml +++ b/config/variants/multi-gw/dev/kustomization.yaml @@ -6,5 +6,8 @@ namespace: kong resources: - ../base/ -patchesStrategicMerge: -- manager.yaml +components: +- ../../../components/manager_dev_webhook + +patches: +- path: manager.yaml
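Review bot: `clientConfig` in validating_webhook_configuration.yaml carries no `caBundle`, so the API server will verify the webhook's serving certificate against its system trust roots only, and the static certificate shipped in the sibling Secret is presumably self-signed and would fail that check. Because `failurePolicy: Ignore` is set, a failed TLS handshake is treated as an allow, and the webhook would look installed while validating nothing. Unless something outside this commit injects the bundle, add `caBundle: <base64 PEM of the CA that signed tls.crt>` under `clientConfig`. Separately, the core-group rule for `secrets` and `services` has no `namespaceSelector`, so every Secret and Service write in the cluster, including those in system namespaces, is sent to this dev webhook and can wait up to `timeoutSeconds: 10` when it is unreachable.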