feat: add support to validating webhooks (#352)

* feat: add support to validating webhooks Signed-off-by: Jorge Turrado <[email protected]> * use static name for ValidatingWebhookConfiguration Signed-off-by: Jorge Turrado <[email protected]> * update values and readme Signed-off-by: Jorge Turrado <[email protected]> * apply feedback Signed-off-by: Jorge Turrado <[email protected]> Signed-off-by: Jorge Turrado <[email protected]> Signed-off-by: Jorge Turrado <[email protected]>
kedacore · Jan 13, 2023 · 32caf60 · 32caf60
1 parent 4fd2c4c
commit 32caf60
Show file tree

Hide file tree

Showing 18 changed files with 629 additions and 60 deletions.
diff --git a/.github/workflows/ci-core.yml b/.github/workflows/ci-core.yml
@@ -37,7 +37,7 @@ jobs:
       fail-fast: false
       matrix:
         enableAzureWorkloadIdentity: [false, true]
-        kubernetesVersion: [v1.25, v1.24, v1.23]
+        kubernetesVersion: [v1.26, v1.25, v1.24, v1.23]
         include:
           # Azure Workload Identity
         - enableAzureWorkloadIdentity: true
@@ -48,6 +48,8 @@ jobs:
           clientId: ""
           # Images are defined on every Kind release
           # See https://github.com/kubernetes-sigs/kind/releases
+        - kubernetesVersion: v1.26
+          kindImage: kindest/node:v1.26.0@sha256:691e24bd2417609db7e589e1a479b902d2e209892a10ce375fab60a8407c7352
         - kubernetesVersion: v1.25
           kindImage: kindest/node:v1.25.0@sha256:428aaa17ec82ccde0131cb2d1ca6547d13cf5fdabcc0bbecf749baa935387cbf
         - kubernetesVersion: v1.24
@@ -87,6 +89,8 @@ jobs:
             tag: main
           metricsApiServer:   
             tag: main
+          webhooks:   
+            tag: main
         podIdentity:
           azureWorkload:
             enabled: ${{ matrix.enableAzureWorkloadIdentity }}
@@ -97,11 +101,19 @@ jobs:
             maxUnavailable: 1 
           metricServer:
             maxUnavailable: 1
+          webhooks:
+            maxUnavailable: 1
         prometheus:
           operator:
             enabled: true
             podMonitor:
               enabled: true
+          webhooks:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+        webhooks:
+          failurePolicy: Fail
         EOF
 
     - name: Install deps

diff --git a/keda/README.md b/keda/README.md
diff --git a/keda/templates/10-keda-clusterrole.yaml b/keda/templates/10-keda-clusterrole.yaml
@@ -50,6 +50,18 @@ rules:
   - '*/scale'
   verbs:
   - '*'
+  {{- if .Values.certificates.autoGenerated }}
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+  {{- end }}
 - apiGroups:
   - apps
   resources:

diff --git a/keda/templates/12-keda-role.yaml b/keda/templates/12-keda-role.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.certificates.autoGenerated }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.operator.name }}
+    {{- include "keda.labels" . | indent 4 }}
+  creationTimestamp: null
+  name: {{ .Values.operator.name }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end -}}
diff --git a/keda/templates/13-keda-rolebinding.yaml b/keda/templates/13-keda-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.certificates.autoGenerated }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.operator.name }}
+    {{- include "keda.labels" . | indent 4 }}
+  name: {{ .Values.operator.name }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.operator.name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/keda/templates/12-keda-deployment.yaml → keda/templates/14-keda-deployment.yaml b/keda/templates/12-keda-deployment.yaml → keda/templates/14-keda-deployment.yaml
@@ -74,6 +74,12 @@ spec:
           - "--zap-log-level={{ .Values.logging.operator.level }}"
           - "--zap-encoder={{ .Values.logging.operator.format }}"
           - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}"
+          - "--cert-dir={{ .Values.certificates.mountPath }}"
+          - "--enable-cert-rotation={{ .Values.certificates.autoGenerated }}"          
+          - "--cert-secret-name={{ .Values.certificates.secretName }}"
+          - "--operator-service-name={{ .Values.operator.name }}"
+          - "--metrics-server-service-name={{ .Values.operator.name }}-metrics-apiserver"
+          - "--webhooks-service-name={{ .Values.webhooks.name }}"
           {{- if .Values.prometheus.operator.enabled }}
           - --metrics-bind-address=:{{ .Values.prometheus.operator.port }}
           {{- end }}
@@ -119,7 +125,10 @@ spec:
             {{- if .Values.env }}
             {{- toYaml .Values.env | nindent 12 -}}
             {{- end }}
-          volumeMounts:
+          volumeMounts:         
+          - mountPath: {{ .Values.certificates.mountPath }}
+            name: certificates
+            readOnly: true
           {{- if .Values.grpcTLSCertsSecret }}
           - name: grpc-certs
             mountPath: /grpccerts
@@ -130,14 +139,19 @@ spec:
           {{- end }}
           {{- if .Values.volumes.keda.extraVolumeMounts }}
           {{- toYaml .Values.volumes.keda.extraVolumeMounts | nindent 12 }}
-          {{- end }}
+          {{- end }}          
           resources:
             {{- if .Values.resources.operator }}
             {{- toYaml .Values.resources.operator | nindent 12 }}
             {{- else }}
             {{- toYaml .Values.resources | nindent 12 }}
             {{- end }}
       volumes:
+      - name: certificates
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.certificates.secretName }}
+          optional: {{ .Values.certificates.autoGenerated }}
       {{- if .Values.grpcTLSCertsSecret }}
       - name: grpc-certs
         secret:

diff --git a/keda/templates/13-keda-service.yaml → keda/templates/15-keda-service.yaml b/keda/templates/13-keda-service.yaml → keda/templates/15-keda-service.yaml
diff --git a/...emplates/14-keda-poddisruptionbudget.yaml → ...emplates/16-keda-poddisruptionbudget.yaml b/...emplates/14-keda-poddisruptionbudget.yaml → ...emplates/16-keda-poddisruptionbudget.yaml
diff --git a/keda/templates/15-keda-podmonitor.yaml → keda/templates/17-keda-podmonitor.yaml b/keda/templates/15-keda-podmonitor.yaml → keda/templates/17-keda-podmonitor.yaml
diff --git a/keda/templates/16-keda-prometheusrules.yaml → keda/templates/18-keda-prometheusrules.yaml b/keda/templates/16-keda-prometheusrules.yaml → keda/templates/18-keda-prometheusrules.yaml
diff --git a/keda/templates/22-metrics-deployment.yaml b/keda/templates/22-metrics-deployment.yaml
@@ -128,6 +128,9 @@ spec:
               protocol: TCP
             {{- end }}
           volumeMounts:
+          - mountPath: {{ .Values.certificates.mountPath }}
+            name: certificates
+            readOnly: true
           {{- if .Values.grpcTLSCertsSecret }}
           - name: grpc-certs
             mountPath: /grpccerts
@@ -146,6 +149,10 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
             {{- end }}
       volumes:
+      - name: certificates
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.certificates.secretName }}
       {{- if .Values.grpcTLSCertsSecret }}
       - name: grpc-certs
         secret:

diff --git a/keda/templates/30-webhooks-deployment.yaml b/keda/templates/30-webhooks-deployment.yaml
@@ -0,0 +1,144 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.webhooks.name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+  labels:
+    app: {{ .Values.webhooks.name }}
+    name: {{ .Values.webhooks.name }}
+    app.kubernetes.io/name: {{ .Values.webhooks.name }}
+    {{- include "keda.labels" . | indent 4 }}
+spec:
+  replicas: {{ .Values.webhooks.replicaCount}}
+  {{- with .Values.upgradeStrategy.webhooks }}
+  strategy:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ .Values.webhooks.name }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.webhooks.name }}
+        name: {{ .Values.webhooks.name }}
+        app.kubernetes.io/name: {{ .Values.webhooks.name }}
+        {{- include "keda.labels" . | indent 8 }}       
+      annotations:
+        {{- if .Values.podAnnotations.webhooks }}
+        {{- toYaml .Values.podAnnotations.webhooks | nindent 8 }}
+        {{- end }}
+        {{- if .Values.additionalAnnotations }}
+        {{- toYaml .Values.additionalAnnotations | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      {{- end }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      automountServiceAccountToken: true
+      securityContext:
+        {{- if .Values.podSecurityContext.webhooks }}
+        {{- toYaml .Values.podSecurityContext.webhooks | nindent 8 }}
+        {{- else }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ .Values.webhooks.name }}
+          securityContext:
+            {{- if .Values.securityContext.webhooks }}
+            {{- toYaml .Values.securityContext.webhooks | nindent 12 }}
+            {{- else }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- end }}
+          image: "{{ .Values.image.webhooks.repository }}:{{ .Values.image.webhooks.tag | default .Chart.AppVersion }}"
+          command:
+          - /keda-admission-webhooks
+          args:
+          - "--zap-log-level={{ .Values.logging.webhooks.level }}"
+          - "--zap-encoder={{ .Values.logging.webhooks.format }}"
+          - "--zap-time-encoding={{ .Values.logging.webhooks.timeEncoding }}"
+          - "--cert-dir={{ .Values.certificates.mountPath }}"
+          {{- if .Values.prometheus.webhooks.enabled }}
+          - --metrics-bind-address=:{{ .Values.prometheus.webhooks.port }}
+          {{- end }}
+          {{- range $key, $value := .Values.extraArgs.webhooks }}
+          - --{{ $key }}={{ $value }}
+          {{- end }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 25
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 20
+          ports:
+          - containerPort: 9443
+            name: http
+            protocol: TCP
+          {{- if .Values.prometheus.webhooks.enabled }}
+          - containerPort: {{ .Values.prometheus.webhooks.port }}
+            name: metrics
+            protocol: TCP
+          {{- end }}
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{ .Values.watchNamespace | quote }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name            
+            {{- if .Values.env }}
+            {{- toYaml .Values.env | nindent 12 -}}
+            {{- end }}
+          volumeMounts:
+          - mountPath: {{ .Values.certificates.mountPath }}
+            name: certificates
+            readOnly: true
+          {{- if .Values.volumes.webhooks.extraVolumeMounts }}
+          {{- toYaml .Values.volumes.webhooks.extraVolumeMounts | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- if .Values.resources.webhooks }}
+            {{- toYaml .Values.resources.webhooks | nindent 12 }}
+            {{- else }}
+            {{- toYaml .Values.resources | nindent 12 }}
+            {{- end }}
+      volumes:
+      - name: certificates
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.certificates.secretName }}
+      {{- if .Values.volumes.webhooks.extraVolumes }}
+      {{- toYaml .Values.volumes.webhooks.extraVolumes | nindent 8 }}
+      {{- end }}
+      nodeSelector:
+        kubernetes.io/os: linux
+      {{- with .Values.nodeSelector }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.webhooks.affinity }}
+      affinity:
+        {{- toYaml .Values.webhooks.affinity | nindent 8 }}
+      {{- else if .Values.affinity }}
+      affinity:
+        {{- toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints.webhooks }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/keda/templates/31-webhooks-service.yaml b/keda/templates/31-webhooks-service.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{- if and .Values.prometheus.webhooks.enabled ( not .Values.prometheus.webhooks.serviceMonitor.enabled ) }}
+    prometheus.io/scrape: "true"
+    prometheus.io/port: {{ .Values.prometheus.webhooks.port | quote }}
+    prometheus.io/path: "/metrics"
+    {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.webhooks.name }}
+    {{- include "keda.labels" . | indent 4 }}
+  name: {{ .Values.webhooks.name }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: http
+    port: 443
+    protocol: TCP
+    targetPort: 9443
+  {{- if .Values.prometheus.webhooks.enabled }}
+  - name: {{ .Values.prometheus.webhooks.serviceMonitor.port }}
+    port: {{ .Values.prometheus.webhooks.port }}
+    targetPort: {{ .Values.prometheus.webhooks.port }}
+  {{- end }}
+  selector:
+    app: {{ .Values.webhooks.name }}
diff --git a/keda/templates/32-webhooks-poddisruptionbudget.yaml b/keda/templates/32-webhooks-poddisruptionbudget.yaml
@@ -0,0 +1,30 @@
+{{- if or (or .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable)  .Values.podDisruptionBudget.webhooks }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ .Values.webhooks.name }}
+  annotations:
+    {{- toYaml .Values.additionalAnnotations | nindent 4 }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.serviceAccount.name }}
+    {{- include "keda.labels" . | indent 4 }}
+spec:
+  {{- if .Values.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{-  if .Values.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+  {{- if .Values.podDisruptionBudget.webhooks }}
+  {{- if .Values.podDisruptionBudget.webhooks.minAvailable }}
+  minAvailable: {{ .Values.podDisruptionBudget.webhooks.minAvailable }}
+  {{- end }}
+  {{- if  .Values.podDisruptionBudget.webhooks.maxUnavailable }}
+  maxUnavailable: {{ .Values.podDisruptionBudget.webhooks.maxUnavailable }}
+  {{- end }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ .Values.webhooks.name }}
+{{- end }}