certificate overhaul

k8s/admission.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: deployment-validation
+webhooks:
+  - name: deployment-validation.default.svc
+    clientConfig:
+      service:
+        name: admission-server
+        namespace: default
+        path: "/validate/deployments"
+      caBundle: "${CA_BUNDLE}"
+    rules:
+      - operations: ["CREATE","DELETE"]
+        apiGroups: ["apps"]
+        apiVersions: ["v1"]
+        resources: ["deployments"]
+    failurePolicy: Ignore

k8s/configmap.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: webhook-config
+data:
+  config.yaml: |-
+    mutate-ignored-images:
+    - goharbor/chartmuseum-photon
+    - goharbor/harbor-core
+    - goharbor/harbor-db
+    - goharbor/harbor-jobservice
+    - goharbor/notary-server-photon
+    - goharbor/notary-signer-photon
+    - goharbor/harbor-portal
+    - goharbor/redis-photon
+    - goharbor/registry-photon
+    - goharbor/trivy-adapter-photon

k8s/daemonset.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: mutating-webhool
+  labels:
+    app: mutating-webhook
+spec:
+  selector:
+    matchLabels:
+      app: mutating-webhook
+  template:
+    metadata:
+      labels:
+        app: mutating-webhook
+    spec:
+      volumes:
+      - name: config
+        configMap:
+          name: webhook-config
+          defaultMode: 493
+          optional: false
+      containers:
+      - name: mutating-webhook
+        imagePullPolicy: Always
+        env:
+        - name: DOCKERHUB_REGISTRY
+          value: registry.c.test-chamber-13.lan/dockerhub
+        - name: ALLOW_ADMIN_NOMUTATE
+          value: "true"
+        - name: CONFIG_FILE
+          value: /tmp/config/config.yaml
+        image: registry.c.test-chamber-13.lan/library/webhook:latest
+        volumeMounts:
+        - name: config
+          mountPath: /tmp/config
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 8443
+            scheme: HTTPS
+          periodSeconds: 15
+          initialDelaySeconds: 10
+          timeoutSeconds: 2
+          failureThreshold: 1
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 8443
+            scheme: HTTPS
+          initialDelaySeconds: 10
+          timeoutSeconds: 2
+          failureThreshold: 1
+      terminationGracePeriodSeconds: 30
+

k8s/service.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webhook
+spec:
+  ports:
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 8443
+  selector:
+    app: mutating-webhook
+  type: ClusterIP

k8s/webhook.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: pod-mutation
+webhooks:
+  - name: pod-mutation.default.svc
+    clientConfig:
+      service:
+        name: webhook
+        namespace: default
+        path: "/api/v1/mutate/pod"
+    rules:
+      - operations: ["CREATE", ]
+        apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+    failurePolicy: Ignore