Use-case: deploying an admission webhook #976
Comments
|
/assign @Liujingfang1 @monopole |
|
@sttts I got (2) and (3) to work with the sample below (tested with kustomize v3.0.1). DEMO_HOME=$(mktemp -d)
cat > $DEMO_HOME/kustomizeconfig.yaml << EOF
varReference:
- path: webhooks/clientConfig/caBundle
kind: ValidatingWebhookConfiguration
- path: webhooks/clientConfig/caBundle
kind: MutatingWebhookConfiguration
EOF
mkdir $DEMO_HOME/secret
cat > $DEMO_HOME/secret/tls.cert << EOF
-----BEGIN CERTIFICATE-----
Li4u
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Li4u
-----END CERTIFICATE-----
EOF
cat > $DEMO_HOME/secret/tls.key << EOF
-----BEGIN RSA PRIVATE KEY-----
Li4u
-----END RSA PRIVATE KEY-----
EOF
cat > $DEMO_HOME/admission_configurations.yaml << EOF
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
name: mutating-webhook-configuration
webhooks:
- name: mutating-create-update
clientConfig:
url: https://example.com
caBundle: \$(TLSCERT)
failurePolicy: Fail
rules:
- apiGroups:
- mygroup
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- myresource
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
webhooks:
- name: validating-create-update
clientConfig:
url: https://example.com
caBundle: \$(TLSCERT)
failurePolicy: Fail
rules:
- apiGroups:
- mygroup
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- myresource
sideEffects: None
EOF
cat > $DEMO_HOME/kustomization.yaml << EOF
resources:
- admission_configurations.yaml
namePrefix: test-
commonLabels:
foo: bar
configurations:
- kustomizeconfig.yaml
secretGenerator:
- name: webhook-server-cert
files:
- tls.crt=secret/tls.cert
- tls.key=secret/tls.key
type: "kubernetes.io/tls"
vars:
- name: TLSCERT
objref:
kind: Secret
version: v1
name: webhook-server-cert
fieldref:
fieldpath: data[tls.crt]
EOF
kustomize build $DEMO_HOME |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
@sttts for your step (1), don't you also need to create a |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
My first journey with kustomize (embedded in kubectl 1.14) was an attempt to deploy a webhook with TLS certificates, and I either miss something in the feature set or this is out of scope.
Setup:
ValidatingWebhookConfigurationas a base64 encoded field, compare https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#configure-admission-webhooks-on-the-flyI understand the secret generator can do (1) if the command feature is enabled (it is not. Will it?) and obviously (2). (3) is a kind of templating. I thought the kustomize
varfeature can help, but it doesn't as the field paths are limited and cannot go into arrays or maps (secret's data field is a map, the key istls.crtwhich cannot be part of a field part to my understanding).Will this use-case be supported eventually? Is it in-scope for kustomize embedded in kubectl?
The text was updated successfully, but these errors were encountered: