Skip to content

Commit

Permalink
feat(admission-controller,sysdig-deploy): add initial support for cer…
Browse files Browse the repository at this point in the history 
…t-manager
  • Loading branch information
@yurrriq
yurrriq committed Jun 26, 2024
1 parent a4e2b8d commit 9dd2e86
Show file tree
Hide file tree
Showing 7 changed files with 66 additions and 7 deletions.
2 changes: 1 addition & 1 deletion charts/admission-controller/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
version: 0.16.3
version: 0.17.0
appVersion: 3.9.46
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
Expand Down
6 changes: 5 additions & 1 deletion charts/admission-controller/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ See the default [`values.yaml`](./values.yaml) file for more information.

The following table lists the configurable parameters of the `admission-controller` chart and their default values.

| Parameter | Description | Default |
| Parameter | Description | Default |
|----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| global.clusterConfig | The global cluster configuration options. | <code>{}</code> |
| global.sysdig.secureAPIToken | The global API token to access Sysdig Secure. | <code>""</code> |
Expand Down Expand Up @@ -176,6 +176,10 @@ The following table lists the configurable parameters of the `admission-controll
| webhook.denyOnError | Deny request when an error happened evaluating request. | <code>false</code> |
| webhook.dryRun | Dry Run request | <code>false</code> |
| webhook.logLevel | Specifies the log level. The valid values are error, info, debug, trace. | <code>info</code> |
| webhook.ssl.certManager.enabled | Whether to use cert-manager for certificate management | <code>false</code> |
| webhook.ssl.certManager.issuer.group | The group of the existing issuer to use. | <code>cert-manager.io</code> |
| webhook.ssl.certManager.issuer.kind | The kind of the existing issuer to use. | <code>ClusterIssuer</code> |
| webhook.ssl.certManager.issuer.name | The name of the existing (Cluster)Issuer to use. Required if using cert-manager. | <code>""</code> |
| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade. | <code>false</code> |
| webhook.ssl.ca.cert | Used for outbound connections, such as Secure backend and proxy. <br/>Used also for inbound connections to serve HttpRequests as Kubernetes Webhook. <br/>A PEM-encoded x509 certificate authority. | <code>""</code> |
| webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | <code>[]</code> |
Expand Down
12 changes: 9 additions & 3 deletions charts/admission-controller/templates/_helpers.tpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -411,7 +411,9 @@ webhooks:
name: {{ include "admissionController.webhook.fullname" . }}
path: /validate
port: {{ .Values.webhook.v2.service.port }}
caBundle: {{ .Cert }}
{{- with .Cert }}
caBundle: {{ . }}
{{- end }}

admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
Expand Down Expand Up @@ -453,7 +455,9 @@ webhooks:
name: {{ include "admissionController.webhook.fullname" . }}
path: /allow-pod
port: {{ .Values.webhook.service.port }}
caBundle: {{ .Cert }}
{{- with .Cert }}
caBundle: {{ . }}
{{- end }}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
Expand All @@ -476,7 +480,9 @@ webhooks:
name: {{ include "admissionController.webhook.fullname" . }}
path: /k8s-audit
port: {{ .Values.webhook.service.port }}
caBundle: {{ .Cert }}
{{- with .Cert }}
caBundle: {{ . }}
{{- end }}
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
Expand Down
17 changes: 17 additions & 0 deletions charts/admission-controller/templates/webhook/admissionregistration.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,19 @@
{{- if .Values.webhook.ssl.certManager.enabled }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "admissionController.webhook.fullname" . }}
helm.sh/hook: "post-install, post-upgrade"
meta.helm.sh/release-name: {{ .Release.Name }}
meta.helm.sh/release-namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: Helm
name: {{ include "admissionController.webhook.fullname" . }}
namespace: {{ include "admissionController.namespace" . }}
{{- include "admissionController.webhookTemplate" . }}
{{- else }}
{{/*
We need to put all resources that need certificate or CA Bundle together,
so the template is executed just once
Expand Down Expand Up @@ -38,3 +54,4 @@ data:
tls.crt: {{ $certList._0 }}
tls.key: {{ $certList._1 }}
ca.crt: {{ $certList._2 }}
{{- end }}
24 changes: 24 additions & 0 deletions charts/admission-controller/templates/webhook/certificate.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{{- if .Values.webhook.ssl.certManager.enabled }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
labels:
{{- include "admissionController.webhook.labels" . | nindent 4 }}
name: {{ include "admissionController.webhook.fullname" . }}
namespace: {{ include "admissionController.namespace" . }}
spec:
dnsNames:
- {{ include "admissionController.webhook.fullname" . }}
- {{ include "admissionController.webhook.fullname" . }}.{{ include "admissionController.namespace" . }}.svc
issuerRef:
{{- with .Values.webhook.ssl.certManager.issuer.group }}
group: {{ . }}
{{- end }}
{{- with .Values.webhook.ssl.certManager.issuer.kind }}
kind: {{ . }}
{{- end }}
{{- with .Values.webhook.ssl.certManager.issuer.name }}
name: {{ . }}
{{- end }}
secretName: {{ include "admissionController.webhook.fullname" . }}-tls
{{- end }}
8 changes: 8 additions & 0 deletions charts/admission-controller/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -300,6 +300,14 @@ webhook:
logLevel: info

ssl:
certManager:
# Use cert-manager for certificate management
enabled: false
issuer:
group: cert-manager.io
kind: ClusterIssuer
# Required if webhook.ssl.certManager.enabled is true
name: ""
# Reuse existing TLS Secret during chart upgrade.
reuseTLSSecret: false
ca:
Expand Down
4 changes: 2 additions & 2 deletions charts/sysdig-deploy/Chart.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: sysdig-deploy
description: A chart with various Sysdig components for Kubernetes
type: application
version: 1.56.11
version: 1.57.0
maintainers:
- name: AlbertoBarba
email: [email protected]
Expand All @@ -20,7 +20,7 @@ dependencies:
- name: admission-controller
# repository: https://charts.sysdig.com
repository: file://../admission-controller
version: ~0.16.3
version: ~0.17.0
alias: admissionController
condition: admissionController.enabled
- name: agent
Expand Down

0 comments on commit 9dd2e86

Please sign in to comment.