From 2a82273902de0ba52e2c084a86bc1a95a3a34328 Mon Sep 17 00:00:00 2001 From: Timofei Larkin Date: Mon, 13 Oct 2025 19:03:40 +0300 Subject: [PATCH] [lineage] Separate webhook from cozy controller The lineage-controller-webhook makes a lot of outgoing API calls for every event it handles, contributing to a high API server latency, increasing the number of in-flight requests and generally degrading performance. This patch remedies this by separating the lineage component from the cozystack-controller and deploying it as a separate component on all control-plane nodes. Additionally, a new internal label is introduced to track if a resource has already been handled by the webhook. This label is used to exclude such resources from consideration. Addresses #1513. ```release-note [lineage] Break webhook out into a separate daemonset. Reduce unnecessary webhook calls by marking handled resources and excluding them from consideration by the webhook's object selector. ``` Signed-off-by: Timofei Larkin --- Makefile | 1 + cmd/cozystack-controller/main.go | 15 -- cmd/lineage-controller-webhook/main.go | 179 ++++++++++++++++++ docs/changelogs/unreleased.md | 3 + internal/lineagecontrollerwebhook/webhook.go | 18 +- .../core/platform/bundles/distro-full.yaml | 6 + .../core/platform/bundles/distro-hosted.yaml | 6 + packages/core/platform/bundles/paas-full.yaml | 6 + .../core/platform/bundles/paas-hosted.yaml | 6 + .../templates/certmanager.yaml | 45 ----- .../templates/deployment.yaml | 12 -- .../lineage-controller-webhook/.gitignore | 27 +++ .../lineage-controller-webhook/Chart.yaml | 3 + .../lineage-controller-webhook/Makefile | 18 ++ .../lineage-controller-webhook/Dockerfile | 23 +++ .../templates/certmanager.yaml | 45 +++++ .../templates/daemonset.yaml | 46 +++++ .../mutatingwebhookconfiguration.yaml | 8 +- .../templates/rbac-bind.yaml | 12 ++ .../templates/rbac.yaml | 8 + .../templates/sa.yaml | 4 + .../templates/service.yaml | 7 +- .../lineage-controller-webhook/values.yaml | 3 + 23 files changed, 419 insertions(+), 82 deletions(-) create mode 100644 cmd/lineage-controller-webhook/main.go create mode 100644 docs/changelogs/unreleased.md delete mode 100644 packages/system/cozystack-controller/templates/certmanager.yaml create mode 100644 packages/system/lineage-controller-webhook/.gitignore create mode 100644 packages/system/lineage-controller-webhook/Chart.yaml create mode 100644 packages/system/lineage-controller-webhook/Makefile create mode 100644 packages/system/lineage-controller-webhook/images/lineage-controller-webhook/Dockerfile create mode 100644 packages/system/lineage-controller-webhook/templates/certmanager.yaml create mode 100644 packages/system/lineage-controller-webhook/templates/daemonset.yaml rename packages/system/{cozystack-controller => lineage-controller-webhook}/templates/mutatingwebhookconfiguration.yaml (81%) create mode 100644 packages/system/lineage-controller-webhook/templates/rbac-bind.yaml create mode 100644 packages/system/lineage-controller-webhook/templates/rbac.yaml create mode 100644 packages/system/lineage-controller-webhook/templates/sa.yaml rename packages/system/{cozystack-controller => lineage-controller-webhook}/templates/service.yaml (55%) create mode 100644 packages/system/lineage-controller-webhook/values.yaml diff --git a/Makefile b/Makefile index c941a9ff..bb5eb40e 100644 --- a/Makefile +++ b/Makefile @@ -15,6 +15,7 @@ build: build-deps make -C packages/extra/monitoring image make -C packages/system/cozystack-api image make -C packages/system/cozystack-controller image + make -C packages/system/lineage-controller-webhook image make -C packages/system/cilium image make -C packages/system/kubeovn image make -C packages/system/kubeovn-webhook image diff --git a/cmd/cozystack-controller/main.go b/cmd/cozystack-controller/main.go index f774284a..c2ceb451 100644 --- a/cmd/cozystack-controller/main.go +++ b/cmd/cozystack-controller/main.go @@ -39,7 +39,6 @@ import ( cozystackiov1alpha1 "github.com/cozystack/cozystack/api/v1alpha1" "github.com/cozystack/cozystack/internal/controller" "github.com/cozystack/cozystack/internal/controller/dashboard" - lcw "github.com/cozystack/cozystack/internal/lineagecontrollerwebhook" "github.com/cozystack/cozystack/internal/telemetry" helmv2 "github.com/fluxcd/helm-controller/api/v2" @@ -222,20 +221,6 @@ func main() { os.Exit(1) } - // special one that's both a webhook and a reconciler - lineageControllerWebhook := &lcw.LineageControllerWebhook{ - Client: mgr.GetClient(), - Scheme: mgr.GetScheme(), - } - if err := lineageControllerWebhook.SetupWithManagerAsController(mgr); err != nil { - setupLog.Error(err, "unable to setup controller", "controller", "LineageController") - os.Exit(1) - } - if err := lineageControllerWebhook.SetupWithManagerAsWebhook(mgr); err != nil { - setupLog.Error(err, "unable to setup webhook", "webhook", "LineageWebhook") - os.Exit(1) - } - // +kubebuilder:scaffold:builder if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { diff --git a/cmd/lineage-controller-webhook/main.go b/cmd/lineage-controller-webhook/main.go new file mode 100644 index 00000000..ffe0942b --- /dev/null +++ b/cmd/lineage-controller-webhook/main.go @@ -0,0 +1,179 @@ +/* +Copyright 2025. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "crypto/tls" + "flag" + "os" + + // Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.) + // to ensure that exec-entrypoint and run can make use of them. + _ "k8s.io/client-go/plugin/pkg/client/auth" + + "k8s.io/apimachinery/pkg/runtime" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/healthz" + "sigs.k8s.io/controller-runtime/pkg/log/zap" + "sigs.k8s.io/controller-runtime/pkg/metrics/filters" + metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" + "sigs.k8s.io/controller-runtime/pkg/webhook" + + cozystackiov1alpha1 "github.com/cozystack/cozystack/api/v1alpha1" + lcw "github.com/cozystack/cozystack/internal/lineagecontrollerwebhook" + // +kubebuilder:scaffold:imports +) + +var ( + scheme = runtime.NewScheme() + setupLog = ctrl.Log.WithName("setup") +) + +func init() { + utilruntime.Must(clientgoscheme.AddToScheme(scheme)) + + utilruntime.Must(cozystackiov1alpha1.AddToScheme(scheme)) + // +kubebuilder:scaffold:scheme +} + +func main() { + var metricsAddr string + var enableLeaderElection bool + var probeAddr string + var secureMetrics bool + var enableHTTP2 bool + var tlsOpts []func(*tls.Config) + flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+ + "Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") + flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") + flag.BoolVar(&enableLeaderElection, "leader-elect", false, + "Enable leader election for controller manager. "+ + "Enabling this will ensure there is only one active controller manager.") + flag.BoolVar(&secureMetrics, "metrics-secure", true, + "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") + flag.BoolVar(&enableHTTP2, "enable-http2", false, + "If set, HTTP/2 will be enabled for the metrics and webhook servers") + opts := zap.Options{ + Development: false, + } + opts.BindFlags(flag.CommandLine) + flag.Parse() + + ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) + + // if the enable-http2 flag is false (the default), http/2 should be disabled + // due to its vulnerabilities. More specifically, disabling http/2 will + // prevent from being vulnerable to the HTTP/2 Stream Cancellation and + // Rapid Reset CVEs. For more information see: + // - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + // - https://github.com/advisories/GHSA-4374-p667-p6c8 + disableHTTP2 := func(c *tls.Config) { + setupLog.Info("disabling http/2") + c.NextProtos = []string{"http/1.1"} + } + + if !enableHTTP2 { + tlsOpts = append(tlsOpts, disableHTTP2) + } + + webhookServer := webhook.NewServer(webhook.Options{ + TLSOpts: tlsOpts, + }) + + // Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. + // More info: + // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/server + // - https://book.kubebuilder.io/reference/metrics.html + metricsServerOptions := metricsserver.Options{ + BindAddress: metricsAddr, + SecureServing: secureMetrics, + TLSOpts: tlsOpts, + } + + if secureMetrics { + // FilterProvider is used to protect the metrics endpoint with authn/authz. + // These configurations ensure that only authorized users and service accounts + // can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: + // https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.1/pkg/metrics/filters#WithAuthenticationAndAuthorization + metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization + + // TODO(user): If CertDir, CertName, and KeyName are not specified, controller-runtime will automatically + // generate self-signed certificates for the metrics server. While convenient for development and testing, + // this setup is not recommended for production. + } + + // Configure rate limiting for the Kubernetes client + config := ctrl.GetConfigOrDie() + config.QPS = 50.0 // Increased from default 5.0 + config.Burst = 100 // Increased from default 10 + + mgr, err := ctrl.NewManager(config, ctrl.Options{ + Scheme: scheme, + Metrics: metricsServerOptions, + WebhookServer: webhookServer, + HealthProbeBindAddress: probeAddr, + LeaderElection: enableLeaderElection, + LeaderElectionID: "8796f12d.cozystack.io", + // LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily + // when the Manager ends. This requires the binary to immediately end when the + // Manager is stopped, otherwise, this setting is unsafe. Setting this significantly + // speeds up voluntary leader transitions as the new leader don't have to wait + // LeaseDuration time first. + // + // In the default scaffold provided, the program ends immediately after + // the manager stops, so would be fine to enable this option. However, + // if you are doing or is intended to do any operation such as perform cleanups + // after the manager stops then its usage might be unsafe. + // LeaderElectionReleaseOnCancel: true, + }) + if err != nil { + setupLog.Error(err, "unable to start manager") + os.Exit(1) + } + + lineageControllerWebhook := &lcw.LineageControllerWebhook{ + Client: mgr.GetClient(), + Scheme: mgr.GetScheme(), + } + if err := lineageControllerWebhook.SetupWithManagerAsController(mgr); err != nil { + setupLog.Error(err, "unable to setup controller", "controller", "LineageController") + os.Exit(1) + } + if err := lineageControllerWebhook.SetupWithManagerAsWebhook(mgr); err != nil { + setupLog.Error(err, "unable to setup webhook", "webhook", "LineageWebhook") + os.Exit(1) + } + + // +kubebuilder:scaffold:builder + + if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up health check") + os.Exit(1) + } + if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil { + setupLog.Error(err, "unable to set up ready check") + os.Exit(1) + } + + setupLog.Info("starting manager") + if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { + setupLog.Error(err, "problem running manager") + os.Exit(1) + } +} diff --git a/docs/changelogs/unreleased.md b/docs/changelogs/unreleased.md new file mode 100644 index 00000000..1ea38313 --- /dev/null +++ b/docs/changelogs/unreleased.md @@ -0,0 +1,3 @@ +# Changes after v0.37.0 + +* [lineage] Break webhook out into a separate daemonset. Reduce unnecessary webhook calls by marking handled resources and excluding them from consideration by the webhook's object selector (@lllamnyp in #1515). diff --git a/internal/lineagecontrollerwebhook/webhook.go b/internal/lineagecontrollerwebhook/webhook.go index 1e7739b7..0841c891 100644 --- a/internal/lineagecontrollerwebhook/webhook.go +++ b/internal/lineagecontrollerwebhook/webhook.go @@ -26,6 +26,13 @@ var ( AncestryAmbiguous = fmt.Errorf("object ancestry is ambiguous") ) +const ( + ManagedObjectKey = "internal.cozystack.io/managed-by-cozystack" + ManagerGroupKey = "apps.cozystack.io/application.group" + ManagerKindKey = "apps.cozystack.io/application.kind" + ManagerNameKey = "apps.cozystack.io/application.name" +) + // getResourceSelectors returns the appropriate CozystackResourceDefinitionResources for a given GroupKind func (h *LineageControllerWebhook) getResourceSelectors(gk schema.GroupKind, crd *cozyv1alpha1.CozystackResourceDefinition) *cozyv1alpha1.CozystackResourceDefinitionResources { switch { @@ -91,7 +98,7 @@ func (h *LineageControllerWebhook) Handle(ctx context.Context, req admission.Req labels, err := h.computeLabels(ctx, obj) for { if err != nil && errors.Is(err, NoAncestors) { - return admission.Allowed("object not managed by app") + break // not a problem, mark object as unmanaged } if err != nil && errors.Is(err, AncestryAmbiguous) { warn = append(warn, "object ancestry ambiguous, using first ancestor found") @@ -119,7 +126,7 @@ func (h *LineageControllerWebhook) Handle(ctx context.Context, req admission.Req func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstructured.Unstructured) (map[string]string, error) { owners := lineage.WalkOwnershipGraph(ctx, h.dynClient, h.mapper, h, o) if len(owners) == 0 { - return nil, NoAncestors + return map[string]string{ManagedObjectKey: "false"}, NoAncestors } obj, err := owners[0].GetUnstructured(ctx, h.dynClient, h.mapper) if err != nil { @@ -135,7 +142,8 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc } labels := map[string]string{ // truncate apigroup to first 63 chars - "apps.cozystack.io/application.group": func(s string) string { + ManagedObjectKey: "true", + ManagerGroupKey: func(s string) string { if len(s) < 63 { return s } @@ -145,8 +153,8 @@ func (h *LineageControllerWebhook) computeLabels(ctx context.Context, o *unstruc } return s }(gv.Group), - "apps.cozystack.io/application.kind": obj.GetKind(), - "apps.cozystack.io/application.name": obj.GetName(), + ManagerKindKey: obj.GetKind(), + ManagerNameKey: obj.GetName(), } templateLabels := map[string]string{ "kind": strings.ToLower(obj.GetKind()), diff --git a/packages/core/platform/bundles/distro-full.yaml b/packages/core/platform/bundles/distro-full.yaml index 1b7366be..ed52a83a 100644 --- a/packages/core/platform/bundles/distro-full.yaml +++ b/packages/core/platform/bundles/distro-full.yaml @@ -68,6 +68,12 @@ releases: disableTelemetry: true {{- end }} +- name: lineage-controller-webhook + releaseName: lineage-controller-webhook + chart: cozy-lineage-controller-webhook + namespace: cozy-system + dependsOn: [cozystack-controller,cilium,cert-manager] + - name: cert-manager releaseName: cert-manager chart: cozy-cert-manager diff --git a/packages/core/platform/bundles/distro-hosted.yaml b/packages/core/platform/bundles/distro-hosted.yaml index 55a8688e..83aa81d9 100644 --- a/packages/core/platform/bundles/distro-hosted.yaml +++ b/packages/core/platform/bundles/distro-hosted.yaml @@ -36,6 +36,12 @@ releases: disableTelemetry: true {{- end }} +- name: lineage-controller-webhook + releaseName: lineage-controller-webhook + chart: cozy-lineage-controller-webhook + namespace: cozy-system + dependsOn: [cozystack-controller,cert-manager] + - name: cert-manager releaseName: cert-manager chart: cozy-cert-manager diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index 556847ff..2322aee2 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -105,6 +105,12 @@ releases: disableTelemetry: true {{- end }} +- name: lineage-controller-webhook + releaseName: lineage-controller-webhook + chart: cozy-lineage-controller-webhook + namespace: cozy-system + dependsOn: [cozystack-controller,cilium,kubeovn,cert-manager] + - name: cozystack-resource-definition-crd releaseName: cozystack-resource-definition-crd chart: cozystack-resource-definition-crd diff --git a/packages/core/platform/bundles/paas-hosted.yaml b/packages/core/platform/bundles/paas-hosted.yaml index 055c29cf..93593673 100644 --- a/packages/core/platform/bundles/paas-hosted.yaml +++ b/packages/core/platform/bundles/paas-hosted.yaml @@ -52,6 +52,12 @@ releases: disableTelemetry: true {{- end }} +- name: lineage-controller-webhook + releaseName: lineage-controller-webhook + chart: cozy-lineage-controller-webhook + namespace: cozy-system + dependsOn: [cozystack-controller,cert-manager] + - name: cozystack-resource-definition-crd releaseName: cozystack-resource-definition-crd chart: cozystack-resource-definition-crd diff --git a/packages/system/cozystack-controller/templates/certmanager.yaml b/packages/system/cozystack-controller/templates/certmanager.yaml deleted file mode 100644 index 6d9bce7d..00000000 --- a/packages/system/cozystack-controller/templates/certmanager.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: cozystack-controller-webhook-selfsigned - namespace: {{ .Release.Namespace }} -spec: - selfSigned: {} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: cozystack-controller-webhook-ca - namespace: {{ .Release.Namespace }} -spec: - secretName: cozystack-controller-webhook-ca - duration: 43800h # 5 years - commonName: cozystack-controller-webhook-ca - issuerRef: - name: cozystack-controller-webhook-selfsigned - isCA: true ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: cozystack-controller-webhook-ca - namespace: {{ .Release.Namespace }} -spec: - ca: - secretName: cozystack-controller-webhook-ca ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: cozystack-controller-webhook - namespace: {{ .Release.Namespace }} -spec: - secretName: cozystack-controller-webhook-cert - duration: 8760h - renewBefore: 720h - issuerRef: - name: cozystack-controller-webhook-ca - commonName: cozystack-controller - dnsNames: - - cozystack-controller - - cozystack-controller.{{ .Release.Namespace }}.svc diff --git a/packages/system/cozystack-controller/templates/deployment.yaml b/packages/system/cozystack-controller/templates/deployment.yaml index 318ec3b2..bac865ef 100644 --- a/packages/system/cozystack-controller/templates/deployment.yaml +++ b/packages/system/cozystack-controller/templates/deployment.yaml @@ -28,15 +28,3 @@ spec: {{- if .Values.cozystackController.disableTelemetry }} - --disable-telemetry {{- end }} - ports: - - name: webhook - containerPort: 9443 - volumeMounts: - - name: webhook-certs - mountPath: /tmp/k8s-webhook-server/serving-certs - readOnly: true - volumes: - - name: webhook-certs - secret: - secretName: cozystack-controller-webhook-cert - defaultMode: 0400 diff --git a/packages/system/lineage-controller-webhook/.gitignore b/packages/system/lineage-controller-webhook/.gitignore new file mode 100644 index 00000000..ada68ff0 --- /dev/null +++ b/packages/system/lineage-controller-webhook/.gitignore @@ -0,0 +1,27 @@ +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib +bin/* +Dockerfile.cross + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Go workspace file +go.work + +# Kubernetes Generated files - skip generated files, except for vendored files +!vendor/**/zz_generated.* + +# editor and IDE paraphernalia +.idea +.vscode +*.swp +*.swo +*~ diff --git a/packages/system/lineage-controller-webhook/Chart.yaml b/packages/system/lineage-controller-webhook/Chart.yaml new file mode 100644 index 00000000..5b262f05 --- /dev/null +++ b/packages/system/lineage-controller-webhook/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: cozy-lineage-controller-webhook +version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process diff --git a/packages/system/lineage-controller-webhook/Makefile b/packages/system/lineage-controller-webhook/Makefile new file mode 100644 index 00000000..04d81a12 --- /dev/null +++ b/packages/system/lineage-controller-webhook/Makefile @@ -0,0 +1,18 @@ +NAME=lineage-controller-webhook +NAMESPACE=cozy-system + +include ../../../scripts/common-envs.mk +include ../../../scripts/package.mk + +image: image-lineage-controller-webhook + +image-lineage-controller-webhook: + docker buildx build -f images/lineage-controller-webhook/Dockerfile ../../.. \ + --tag $(REGISTRY)/lineage-controller-webhook:$(call settag,$(TAG)) \ + --cache-from type=registry,ref=$(REGISTRY)/lineage-controller-webhook:latest \ + --cache-to type=inline \ + --metadata-file images/lineage-controller-webhook.json \ + $(BUILDX_ARGS) + IMAGE="$(REGISTRY)/lineage-controller-webhook:$(call settag,$(TAG))@$$(yq e '."containerimage.digest"' images/lineage-controller-webhook.json -o json -r)" \ + yq -i '.lineageControllerWebhook.image = strenv(IMAGE)' values.yaml + rm -f images/lineage-controller-webhook.json diff --git a/packages/system/lineage-controller-webhook/images/lineage-controller-webhook/Dockerfile b/packages/system/lineage-controller-webhook/images/lineage-controller-webhook/Dockerfile new file mode 100644 index 00000000..e043e472 --- /dev/null +++ b/packages/system/lineage-controller-webhook/images/lineage-controller-webhook/Dockerfile @@ -0,0 +1,23 @@ +FROM golang:1.24-alpine AS builder + +ARG TARGETOS +ARG TARGETARCH + +WORKDIR /workspace + +COPY go.mod go.sum ./ +RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go mod download + +COPY api api/ +COPY pkg pkg/ +COPY cmd cmd/ +COPY internal internal/ + +RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-extldflags=-static" -o /lineage-controller-webhook cmd/lineage-controller-webhook/main.go + +FROM scratch + +COPY --from=builder /lineage-controller-webhook /lineage-controller-webhook +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt + +ENTRYPOINT ["/lineage-controller-webhook"] diff --git a/packages/system/lineage-controller-webhook/templates/certmanager.yaml b/packages/system/lineage-controller-webhook/templates/certmanager.yaml new file mode 100644 index 00000000..c2dc18d2 --- /dev/null +++ b/packages/system/lineage-controller-webhook/templates/certmanager.yaml @@ -0,0 +1,45 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: lineage-controller-webhook-selfsigned + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lineage-controller-webhook-ca + namespace: {{ .Release.Namespace }} +spec: + secretName: lineage-controller-webhook-ca + duration: 43800h # 5 years + commonName: lineage-controller-webhook-ca + issuerRef: + name: lineage-controller-webhook-selfsigned + isCA: true +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: lineage-controller-webhook-ca + namespace: {{ .Release.Namespace }} +spec: + ca: + secretName: lineage-controller-webhook-ca +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: lineage-controller-webhook + namespace: {{ .Release.Namespace }} +spec: + secretName: lineage-controller-webhook-cert + duration: 8760h + renewBefore: 720h + issuerRef: + name: lineage-controller-webhook-ca + commonName: lineage-controller-webhook + dnsNames: + - lineage-controller-webhook + - lineage-controller-webhook.{{ .Release.Namespace }}.svc diff --git a/packages/system/lineage-controller-webhook/templates/daemonset.yaml b/packages/system/lineage-controller-webhook/templates/daemonset.yaml new file mode 100644 index 00000000..177bcd8b --- /dev/null +++ b/packages/system/lineage-controller-webhook/templates/daemonset.yaml @@ -0,0 +1,46 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: lineage-controller-webhook + labels: + app: lineage-controller-webhook +spec: + selector: + matchLabels: + app: lineage-controller-webhook + template: + metadata: + labels: + app: lineage-controller-webhook + spec: + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + serviceAccountName: lineage-controller-webhook + containers: + - name: lineage-controller-webhook + image: "{{ .Values.lineageControllerWebhook.image }}" + args: + {{- if .Values.lineageControllerWebhook.debug }} + - --zap-log-level=debug + {{- else }} + - --zap-log-level=info + {{- end }} + ports: + - name: webhook + containerPort: 9443 + volumeMounts: + - name: webhook-certs + mountPath: /tmp/k8s-webhook-server/serving-certs + readOnly: true + volumes: + - name: webhook-certs + secret: + secretName: lineage-controller-webhook-cert + defaultMode: 0400 diff --git a/packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml b/packages/system/lineage-controller-webhook/templates/mutatingwebhookconfiguration.yaml similarity index 81% rename from packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml rename to packages/system/lineage-controller-webhook/templates/mutatingwebhookconfiguration.yaml index f246865c..88b62a21 100644 --- a/packages/system/cozystack-controller/templates/mutatingwebhookconfiguration.yaml +++ b/packages/system/lineage-controller-webhook/templates/mutatingwebhookconfiguration.yaml @@ -3,7 +3,7 @@ kind: MutatingWebhookConfiguration metadata: name: lineage annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/cozystack-controller-webhook + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/lineage-controller-webhook labels: app: cozystack-controller webhooks: @@ -12,7 +12,7 @@ webhooks: sideEffects: None clientConfig: service: - name: cozystack-controller + name: lineage-controller-webhook namespace: {{ .Release.Namespace }} path: /mutate-lineage rules: @@ -40,3 +40,7 @@ webhooks: values: - kube-system - default + objectSelector: + matchExpressions: + - key: internal.cozystack.io/managed-by-cozystack + operator: DoesNotExist diff --git a/packages/system/lineage-controller-webhook/templates/rbac-bind.yaml b/packages/system/lineage-controller-webhook/templates/rbac-bind.yaml new file mode 100644 index 00000000..9a509d08 --- /dev/null +++ b/packages/system/lineage-controller-webhook/templates/rbac-bind.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: lineage-controller-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: lineage-controller-webhook +subjects: +- kind: ServiceAccount + name: lineage-controller-webhook + namespace: {{ .Release.Namespace }} diff --git a/packages/system/lineage-controller-webhook/templates/rbac.yaml b/packages/system/lineage-controller-webhook/templates/rbac.yaml new file mode 100644 index 00000000..d8b3f871 --- /dev/null +++ b/packages/system/lineage-controller-webhook/templates/rbac.yaml @@ -0,0 +1,8 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: lineage-controller-webhook +rules: +- apiGroups: ['*'] + resources: ['*'] + verbs: ["get", "list", "watch"] diff --git a/packages/system/lineage-controller-webhook/templates/sa.yaml b/packages/system/lineage-controller-webhook/templates/sa.yaml new file mode 100644 index 00000000..a17761f0 --- /dev/null +++ b/packages/system/lineage-controller-webhook/templates/sa.yaml @@ -0,0 +1,4 @@ +kind: ServiceAccount +apiVersion: v1 +metadata: + name: lineage-controller-webhook diff --git a/packages/system/cozystack-controller/templates/service.yaml b/packages/system/lineage-controller-webhook/templates/service.yaml similarity index 55% rename from packages/system/cozystack-controller/templates/service.yaml rename to packages/system/lineage-controller-webhook/templates/service.yaml index 8cc0eb61..c5df90fb 100644 --- a/packages/system/cozystack-controller/templates/service.yaml +++ b/packages/system/lineage-controller-webhook/templates/service.yaml @@ -1,10 +1,11 @@ apiVersion: v1 kind: Service metadata: - name: cozystack-controller + name: lineage-controller-webhook labels: - app: cozystack-controller + app: lineage-controller-webhook spec: + internalTrafficPolicy: Local type: ClusterIP ports: - port: 443 @@ -12,4 +13,4 @@ spec: protocol: TCP name: webhook selector: - app: cozystack-controller + app: lineage-controller-webhook diff --git a/packages/system/lineage-controller-webhook/values.yaml b/packages/system/lineage-controller-webhook/values.yaml new file mode 100644 index 00000000..068de2d6 --- /dev/null +++ b/packages/system/lineage-controller-webhook/values.yaml @@ -0,0 +1,3 @@ +lineageControllerWebhook: + image: ghcr.io/cozystack/cozystack/lineage-controller-webhook:v0.37.0@sha256:845b8e68cbc277c2303080bcd55597e4334610d396dad258ad56fd906530acc3 + debug: false