From 5c92a11b8a04152f90c8ac1db6d792f3029a9aff Mon Sep 17 00:00:00 2001
From: "Crank, Daniel (dc6350)" <dc6350@att.com>
Date: Mon, 17 Jun 2019 15:46:45 -0500
Subject: [PATCH] Fixes/updates for webhook-apiserver

a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.

b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.

c. Adding an apt-get clean to Dockerfile as this seems to be
needed to get image building working properly.

This patchset has passed the Promenade resiliency gate.

Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
---
 Dockerfile                                            | 1 +
 charts/apiserver-webhook/templates/configmap-etc.yaml | 2 ++
 charts/apiserver-webhook/templates/deployment.yaml    | 5 +++++
 charts/apiserver-webhook/values.yaml                  | 9 +++++++++
 4 files changed, 17 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 279ef5b2..c04c7c22 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,6 +39,7 @@ ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
 RUN set -ex \
     && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
     && chmod 555 /usr/local/bin/cfssl \
+    && apt-get clean \
     && apt-get update -q \
     && apt-get install --no-install-recommends -y \
         libyaml-dev \
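Review bot: The `apt-get clean` on the added line runs before `apt-get update`, so it only discards archives left by an earlier layer and does nothing about the package lists that the following `apt-get update` writes into this same layer. If the goal is a lean, reproducible image, the usual form is a trailing `&& apt-get clean && rm -rf /var/lib/apt/lists/*` at the end of the RUN; the RUN statement continues outside the hunk, so I cannot see whether that is already there. Since the commit message only says this "seems to be needed" to get builds working, a comment on the line such as `# apt-get clean before update: works around a stale package cache that broke image builds` would record the reason for whoever later tries to remove it.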
diff --git a/charts/apiserver-webhook/templates/configmap-etc.yaml b/charts/apiserver-webhook/templates/configmap-etc.yaml
index cb2b4422..ee891f70 100644
--- a/charts/apiserver-webhook/templates/configmap-etc.yaml
+++ b/charts/apiserver-webhook/templates/configmap-etc.yaml
@@ -28,4 +28,6 @@ data:
 {{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   policy.json: |
 {{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
+  encryption_provider.json: |
+{{ toPrettyJson $envAll.Values.conf.encryption_provider.content | indent 4 }}
 {{- end }}
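Review bot: The new `encryption_provider.json` entry places the apiserver's encryption provider configuration in a ConfigMap, and once operators fill `conf.encryption_provider.content` (the chart default in values.yaml is only the `kind`/`apiVersion` skeleton) that file carries the at-rest encryption keys themselves. A ConfigMap is readable by any principal with ConfigMap read access in the namespace, so the key material would be exposed more widely than the Secrets it protects; a Secret rendered from the same value, with the `configmap-etc` volume mount added in deployment.yaml (the second hunk there) pointed at it, is the safer home. The commit says this mirrors kubernetes-apiserver, so if that chart has the same ConfigMap layout the concern presumably applies there too. At minimum, a comment above the entry, `# contains encryption keys — consider moving to a Secret`, would flag it for the next maintainer.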
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index d500c706..8b921b07 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -163,6 +163,7 @@ spec:
             - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
             - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
             - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
+            - --experimental-encryption-provider-config={{ $envAll.Values.conf.paths.encryption_provider }}
           readinessProbe:
             tcpSocket:
               port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
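Review bot: The added flag uses the `--experimental-encryption-provider-config` name, which to my knowledge was deprecated in favor of `--encryption-provider-config` in Kubernetes 1.13 and later removed, so this line will stop working on an apiserver image newer than that window. The apiserver image tag is pinned outside this hunk, so I cannot confirm which name it accepts; if it is 1.13 or newer, `- --encryption-provider-config={{ $envAll.Values.conf.paths.encryption_provider }}` is the forward-compatible form. Either way a short comment naming the minimum apiserver version the chosen flag requires would help whoever bumps the image.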
@@ -184,6 +185,10 @@ spec:
               mountPath: {{ $envAll.Values.conf.paths.conf }}
               subPath: webhook.kubeconfig
               readOnly: true
+            - name: configmap-etc
+              mountPath: {{ $envAll.Values.conf.paths.encryption_provider }}
+              subPath: encryption_provider.json
+              readOnly: true
 {{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }}
 {{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
 {{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 3d3dbfce..f9b6324e 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -48,6 +48,9 @@ apiserver_webhook:
     # Default 5(Trace level verbosity).
     log_level: 5
 
+service:
+  name: clcp-ucp-apiserver-webhook
+
 network:
   pod_cidr: '10.97.0.0/16'
   service_cidr: '10.96.0.0/16'
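Review bot: Nothing in this patch reads `.Values.service.name`, and the default `clcp-ucp-apiserver-webhook` reads like a deployment-specific name baked into a chart default rather than a generic one. If a template outside the diff consumes it, a comment above the key saying what it names (for example `# Service name used by ingress/endpoint templates`) would make that visible; if nothing does, the key is dead weight in the values file.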
@@ -62,6 +65,7 @@ network:
         nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
         nginx.ingress.kubernetes.io/ssl-redirect: "true"
         nginx.ingress.kubernetes.io/secure-backends: "true"
+        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
     name: webhook_apiserver
 #
 # Insert TLS certificates, keys and CAs
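Review bot: The added `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` sits next to `nginx.ingress.kubernetes.io/secure-backends: "true"`, and the former is the annotation that superseded the latter in the nginx ingress controller; keeping both is harmless for controllers on either side of that change, but a reader may assume one is redundant. A comment above the pair, `# backend-protocol supersedes secure-backends; both kept for older ingress controllers`, would record why they coexist. Double quotes on the value are correct here since the annotation must be a string.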
@@ -270,6 +274,11 @@ conf:
     conf: '/etc/webhook_apiserver/webhook.kubeconfig'
     policy: '/etc/webhook_apiserver/conf/policy.json'
     sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
+    encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
+  encryption_provider:
+    content:
+      kind: EncryptionConfig
+      apiVersion: v1
   policy:
     - resource:
         verbs:
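Review bot: The default `conf.encryption_provider.content` declares only `kind` and `apiVersion` with no `resources` or `providers`, so a deployment rendered with chart defaults hands the apiserver an encryption config that names no provider; I would expect the apiserver to reject that file at startup, though I cannot confirm it from here. Since the point of the change is to read secrets written by kubernetes-apiserver, the override must carry the same providers and the same key order as that apiserver's config or decryption will fail. A comment above `encryption_provider:` stating both of those constraints, and that the keys placed here are secret material that must come from the site's secret store rather than being committed, would save the next operator a failed rollout. The enclosing `conf:` mapping and the `policy:` list continue outside the hunk.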