From ecfd773506059ba525ab67f93b4f90f06f775c28 Mon Sep 17 00:00:00 2001 From: Scott Hussey Date: Fri, 16 Aug 2019 16:43:14 -0500 Subject: [PATCH] (charts) Webhook dynamic config - support a similar dynamic config patter in the apiserver-webhook chart as the base apiserver chart - Update the example values.yaml in apiserver to fully reflect configuration of the aggregation API Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
---
 .../templates/config-dynamic-config.yaml | 32 ++++++++++++++++ .../templates/configmap-etc.yaml | 2 - .../templates/deployment.yaml | 15 +++++++- charts/apiserver-webhook/values.yaml | 38 +++++++++++++++++-- charts/apiserver/values.yaml | 26 ++++++++++--- 5 files changed, 100 insertions(+), 13 deletions(-) create mode 100644 charts/apiserver-webhook/templates/config-dynamic-config.yaml
diff --git a/charts/apiserver-webhook/templates/config-dynamic-config.yaml b/charts/apiserver-webhook/templates/config-dynamic-config.yaml
new file mode 100644
index 00000000..da16a437
--- /dev/null
+++ b/charts/apiserver-webhook/templates/config-dynamic-config.yaml
@@ -0,0 +1,32 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_dynamic_config }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-dynamic-config
+data:
+{{- range $key, $val := .Values.conf.apiserver }}
+ {{ $val.file }}: |
+{{- if kindIs "string" $val.content }}
+{{ indent 4 $val.content }}
+{{- else }}
+{{ toYaml $val.content | indent 4 }}
+{{- end }}
+{{- end -}}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/configmap-etc.yaml b/charts/apiserver-webhook/templates/configmap-etc.yaml
index ee891f70..cb2b4422 100644
--- a/charts/apiserver-webhook/templates/configmap-etc.yaml
+++ b/charts/apiserver-webhook/templates/configmap-etc.yaml
@@ -28,6 +28,4 @@ data:
 {{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 policy.json: |
 {{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
- encryption_provider.json: |
-{{ toPrettyJson $envAll.Values.conf.encryption_provider.content | indent 4 }}
 {{- end }}
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 8b921b07..6a9466eb 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
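Review bot: Everything under `conf.apiserver` is rendered into a single ConfigMap, and the defaults this patch adds to charts/apiserver-webhook/values.yaml place a private key (`apiserver_proxy_key`) and the `EncryptionConfig` that carries the secrets-at-rest key material under that tree; a ConfigMap is not a Secret, so that material gets neither Secret-scoped RBAC nor Secret-level at-rest protection and is readable by anyone who can read ConfigMaps in the namespace. Consider rendering this resource as `kind: Secret` with `stringData:` in place of `data:` (the matching volume in deployment.yaml would then reference it via `secret:`/`secretName:`), or splitting key-bearing entries into a Secret and leaving only CA material here. Separately, an entry that lacks `file` does not fail the render but produces an unusable data key; a guard such as `{{- if not (hasKey $val "file") }}{{ fail (printf "conf.apiserver.%s needs 'file'" $key) }}{{- end }}` at the top of the range body turns that into a render-time error.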
@@ -163,7 +163,13 @@ spec:
 - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
 - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
 - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
- - --experimental-encryption-provider-config={{ $envAll.Values.conf.paths.encryption_provider }}
+ {{- range $key, $val := .Values.conf.apiserver }}
+ {{- if hasKey $val "command_options" }}
+ {{- range $val.command_options }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 readinessProbe:
 tcpSocket:
 port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@@ -175,6 +181,9 @@ spec:
 volumeMounts:
 - name: etc-apiserver
 mountPath: {{ $envAll.Values.conf.paths.base }}
+ - name: apiserver-dynamic-config
+ mountPath: {{ $envAll.Values.conf.paths.base }}dynamic
+ readOnly: true
 - name: etc-apiserver-pki
 mountPath: {{ $envAll.Values.conf.paths.pki }}
 - name: configmap-etc
@@ -239,6 +248,10 @@ spec:
 emptyDir: {}
 - name: etc-apiserver-pki
 emptyDir: {}
+ - name: apiserver-dynamic-config
+ configMap:
+ name: {{ .Release.Name }}-dynamic-config
+ defaultMode: 0444
 - name: etc-webhook
 emptyDir: {}
 - name: etc-webhook-pki
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index f9b6324e..44430760 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
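Review bot: The new range reads `.Values.conf.apiserver` through the dot context while every neighbouring argument line reads from `$envAll`; the container block starts outside this hunk, and if `.` has been rebound by an enclosing `with`/`range` there, `.Values` is nil and the render fails, so `{{- range $key, $val := $envAll.Values.conf.apiserver }}` both matches the file's convention and removes that risk. Each option is emitted as an unquoted plain scalar with `- {{ . }}`, so a value containing `: `, ` #` or a leading YAML indicator would corrupt the args list; `- {{ . | quote }}` keeps every option a string and escapes embedded quotes. The volumes hunk below has the same `.Release.Name` versus `$envAll` inconsistency.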
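Review bot: `mountPath: {{ $envAll.Values.conf.paths.base }}dynamic` only yields the `/etc/webhook_apiserver/dynamic` directory that the command options in values.yaml hard-code if `conf.paths.base` ends in a slash; the value of `conf.paths.base` is not visible in this patch, so confirm it, or build the path as `{{ $envAll.Values.conf.paths.base | trimSuffix "/" }}/dynamic` so the mount cannot silently drift from the paths the apiserver is told to open.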
@@ -275,10 +275,39 @@ conf:
 policy: '/etc/webhook_apiserver/conf/policy.json'
 sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
 encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
- encryption_provider:
- content:
- kind: EncryptionConfig
- apiVersion: v1
+ # Every key below 'apiserver' yields a dynamic configuration file
+ # and can mutate the apiserver command-line args.
+ # The files are available under /dynamic in conf.paths.base
+ apiserver:
+ agg_api_ca:
+ file: agg-api-ca.pem
+ command_options:
+ - '--requestheader-client-ca-file=/etc/webhook_apiserver/dynamic/agg-api-ca.pem'
+ - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
+ - '--requestheader-group-headers=X-Remote-Group'
+ - '--requestheader-username-headers=X-Remote-User'
+ - '--requestheader-allowed-names="aggregator"'
+ content: |
+ -----SOME CA-----
+ apiserver_proxy_cert:
+ file: 'apiserver-proxy-cert.pem'
+ command_options:
+ - '--proxy-client-cert-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-cert.pem'
+ content: |
+ ------SOME CERT-----
+ apiserver_proxy_key:
+ file: 'apiserver-proxy-key.pem'
+ command_options:
+ - '--proxy-client-key-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-key.pem'
+ content: |
+ -----SOME KEY-----
+ encryption_provider:
+ file: 'encryption_provider.yaml'
+ command_options:
+ - '--experimental-encryption-provider-config=/etc/webhook_apiserver/dynamic/encryption_provider.yaml'
+ content:
+ kind: EncryptionConfig
+ apiVersion: v1
 policy:
 - resource:
 verbs:
@@ -345,6 +374,7 @@ manifests:
 configmap_bin: true
 configmap_certs: true
 configmap_etc: true
+ configmap_dynamic_config: true
 job_ks_user: true
 deployment: true
 ingress_api: true
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index de34de42..8d0a5670 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
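Review bot: `'--requestheader-allowed-names="aggregator"'` is a single-quoted YAML scalar, so the inner double quotes are part of the value; the deployment template passes each option to the container verbatim with no shell in between, and the apiserver will then compare front-proxy client-certificate CNs against the literal string `"aggregator"` including the quote characters, rejecting a certificate whose CN is `aggregator`. Drop the inner quotes: `- '--requestheader-allowed-names=aggregator'`; the commented example added to charts/apiserver/values.yaml in this patch repeats the same quoting. The context line `encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'` under `conf.paths` is now stale, because this hunk moves the file to `/etc/webhook_apiserver/dynamic/encryption_provider.yaml` and nothing else in this patch reads that path any more; removing it, or pointing it at the new location, avoids an operator overriding a dead key. For consistency with the other entries, `file: agg-api-ca.pem` should be quoted like its siblings.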
@@ -108,14 +108,28 @@ conf:
 - type: Server
 qps: 1000
 burst: 10000
-# aggapi:
-# file: kube-agg-api-ca.pem
+# agg_api_ca:
+# file: agg-api-ca.pem
 # command_options:
-# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/kube-agg-api-ca.pem'
-# - '--requestheader-allowed-names=agg-client'
+# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
+# - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
+# - '--requestheader-group-headers=X-Remote-Group'
+# - '--requestheader-username-headers=X-Remote-User'
+# - '--requestheader-allowed-names="aggregator"'
 # content: |
-# -----SOME CA----
-#
+# -----SOME CA-----
+# apiserver_proxy_cert:
+# file: 'apiserver-proxy-cert.pem'
+# command_options:
+# - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
+# content: |
+# ------SOME CERT-----
+# apiserver_proxy_key:
+# file: 'apiserver-proxy-key.pem'
+# command_options:
+# - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
+# content: |
+# -----SOME KEY-----
 # Uncomment any of the below to enable enhanced Audit Logging command line options.
 #
 # auditpolicy: