From 4d3547ba31596e631e6d2ec187c0f131d73e2f16 Mon Sep 17 00:00:00 2001
From: Eric Bailey
Date: Wed, 26 Jun 2024 18:00:31 -0500
Subject: [PATCH] feat(admission-controller,sysdig-deploy): add initial support for cert-manager

---
 charts/admission-controller/Chart.yaml | 2 +-
 charts/admission-controller/README.md | 4 ++++
 .../templates/_helpers.tpl | 12 +++++++---
 .../webhook/admissionregistration.yaml | 17 +++++++++++++
 .../templates/webhook/certificate.yaml | 24 +++++++++++++++++++
 charts/admission-controller/values.yaml | 8 +++++++
 charts/sysdig-deploy/Chart.yaml | 4 ++--
 7 files changed, 65 insertions(+), 6 deletions(-)
 create mode 100644 charts/admission-controller/templates/webhook/certificate.yaml

diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index 02e916961..87dd59c50 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: admission-controller
 description: Sysdig Admission Controller using Sysdig Secure inline image scanner
 type: application
-version: 0.16.3
+version: 0.17.0
 appVersion: 3.9.46
 home: https://sysdiglabs.github.io/admission-controller/
 icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index 0870ecec4..7ea746c58 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -176,6 +176,10 @@ The following table lists the configurable parameters of the `admission-controll | webhook.denyOnError | Deny request when an error happened evaluating request. | false | | webhook.dryRun | Dry Run request | false | | webhook.logLevel | Specifies the log level. The valid values are error, info, debug, trace. | info | +| webhook.ssl.certManager.enabled | Whether to use cert-manager for certificate management | false | +| webhook.ssl.certManager.issuer.group | The group of the existing issuer to use. | cert-manager.io | +| webhook.ssl.certManager.issuer.kind | The kind of the existing issuer to use. | ClusterIssuer | +| webhook.ssl.certManager.issuer.name | The name of the existing (Cluster)Issuer to use. Required if using cert-manager. | "" | | webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade. | false | | webhook.ssl.ca.cert | Used for outbound connections, such as Secure backend and proxy.
Used also for inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority. | "" | | webhook.ssl.ca.certs | For outbound connections (secure backend, proxy,...) A PEM-encoded x509 certificate. This can also be a bundle with multiple certificates. | [] | diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl index 0bf82ddb3..159f51a35 100644 --- a/charts/admission-controller/templates/_helpers.tpl +++ b/charts/admission-controller/templates/_helpers.tpl @@ -411,7 +411,9 @@ webhooks: name: {{ include "admissionController.webhook.fullname" . }} path: /validate port: {{ .Values.webhook.v2.service.port }} - caBundle: {{ .Cert }} + {{- with .Cert }} + caBundle: {{ . }} + {{- end }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None @@ -453,7 +455,9 @@ webhooks: name: {{ include "admissionController.webhook.fullname" . }} path: /allow-pod port: {{ .Values.webhook.service.port }} - caBundle: {{ .Cert }} + {{- with .Cert }} + caBundle: {{ . }} + {{- end }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} @@ -476,7 +480,9 @@ webhooks: name: {{ include "admissionController.webhook.fullname" . }} path: /k8s-audit port: {{ .Values.webhook.service.port }} - caBundle: {{ .Cert }} + {{- with .Cert }} + caBundle: {{ . }} + {{- end }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} diff --git a/charts/admission-controller/templates/webhook/admissionregistration.yaml b/charts/admission-controller/templates/webhook/admissionregistration.yaml index 13e68f2a2..367d1faac 100644 --- a/charts/admission-controller/templates/webhook/admissionregistration.yaml +++ b/charts/admission-controller/templates/webhook/admissionregistration.yaml 
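Review bot: The `{{- with .Cert }}` guard in all three webhook entries drops `caBundle` whenever `.Cert` is empty, not only when cert-manager is in use, so a chart-generated certificate that failed to render now produces a webhook with no pinned CA instead of a render error; the API server would then validate the self-signed serving cert against system roots and the outcome depends on `failurePolicy`, which is outside this hunk (if it is `Ignore`, admission is silently bypassed). Gate on the feature flag rather than on emptiness, and keep the hard failure for the self-signed path: `{{- if not .Values.webhook.ssl.certManager.enabled }}` / `caBundle: {{ required "webhook caBundle is empty; certificate generation failed" .Cert }}` / `{{- end }}`. `.Values` is already reachable in this context (see `port: {{ .Values.webhook.service.port }}` two lines above). The enclosing `webhooks:` list and the `webhookTemplate` definition start before these hunks.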
@@ -1,3 +1,19 @@ +{{- if .Values.webhook.ssl.certManager.enabled }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "admissionController.webhook.fullname" . }} + helm.sh/hook: "post-install, post-upgrade" + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/managed-by: Helm + name: {{ include "admissionController.webhook.fullname" . }} + namespace: {{ include "admissionController.namespace" . }} +{{- include "admissionController.webhookTemplate" . }} +{{- else }} {{/* We need to put all resources that need certificate or CA Bundle together, so the template is executed just once @@ -38,3 +54,4 @@ data: tls.crt: {{ $certList._0 }} tls.key: {{ $certList._1 }} ca.crt: {{ $certList._2 }} +{{- end }} diff --git a/charts/admission-controller/templates/webhook/certificate.yaml b/charts/admission-controller/templates/webhook/certificate.yaml new file mode 100644 index 000000000..e891a1f5a --- /dev/null +++ b/charts/admission-controller/templates/webhook/certificate.yaml 
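Review bot: The `cert-manager.io/inject-ca-from` annotation points at `{{ .Release.Namespace }}/...` while the Certificate this commit adds in `certificate.yaml` lives in `{{ include "admissionController.namespace" . }}`; if that helper can resolve to a different namespace (which is presumably why it exists), cainjector will look up a Certificate that does not exist and `caBundle` stays empty, so use `cert-manager.io/inject-ca-from: {{ include "admissionController.namespace" . }}/{{ include "admissionController.webhook.fullname" . }}` to keep both sides consistent. Separately, rendering the ValidatingWebhookConfiguration as a `helm.sh/hook: "post-install, post-upgrade"` resource means Helm does not track it in the release, so `helm uninstall` leaves a cluster-scoped webhook behind pointing at a deleted Service; whether that blocks all matching admissions or silently passes them depends on `failurePolicy`, which is not visible here. Since cainjector patches `caBundle` asynchronously anyway, I would drop the hook annotation (and the hand-written `meta.helm.sh/*` / `managed-by` metadata that seem to exist only to let Helm adopt the hook resource) and let this render as an ordinary release-managed resource. The `namespace:` field on a cluster-scoped ValidatingWebhookConfiguration is ignored by the API server and can be removed. The `{{- else }}` branch closed by the second hunk also stops rendering the `ca.crt`-bearing Secret in cert-manager mode; confirm the Deployment mounts the `-tls` Secret named in `certificate.yaml` rather than the old one.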
@@ -0,0 +1,24 @@ +{{- if .Values.webhook.ssl.certManager.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: + {{- include "admissionController.webhook.labels" . | nindent 4 }} + name: {{ include "admissionController.webhook.fullname" . }} + namespace: {{ include "admissionController.namespace" . }} +spec: + dnsNames: + - {{ include "admissionController.webhook.fullname" . }} + - {{ include "admissionController.webhook.fullname" . }}.{{ include "admissionController.namespace" . }}.svc + issuerRef: + {{- with .Values.webhook.ssl.certManager.issuer.group }} + group: {{ . }} + {{- end }} + {{- with .Values.webhook.ssl.certManager.issuer.kind }} + kind: {{ . }} + {{- end }} + {{- with .Values.webhook.ssl.certManager.issuer.name }} + name: {{ . }} + {{- end }} + secretName: {{ include "admissionController.webhook.fullname" . }}-tls +{{- end }} diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index b099ce2d9..ede2fc2b3 100644 --- a/charts/admission-controller/values.yaml +++ b/charts/admission-controller/values.yaml @@ -300,6 +300,14 @@ webhook: logLevel: info ssl: + certManager: + # Use cert-manager for certificate management + enabled: false + issuer: + group: cert-manager.io + kind: ClusterIssuer + # Required if webhook.ssl.certManager.enabled is true + name: "" # Reuse existing TLS Secret during chart upgrade. reuseTLSSecret: false ca: diff --git a/charts/sysdig-deploy/Chart.yaml b/charts/sysdig-deploy/Chart.yaml index dbfb0037c..019960d56 100644 --- a/charts/sysdig-deploy/Chart.yaml +++ b/charts/sysdig-deploy/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: sysdig-deploy description: A chart with various Sysdig components for Kubernetes type: application -version: 1.56.11 +version: 1.57.0 maintainers: - name: AlbertoBarba email: alberto.barba@sysdig.com 
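Review bot: `issuerRef.name` is wrapped in `{{- with ... }}`, so with the shipped default `name: ""` the Certificate renders without an issuer and cert-manager rejects or never issues it, even though the README and values comment call the field required; enforce it at render time with `name: {{ required "webhook.ssl.certManager.issuer.name is required when webhook.ssl.certManager.enabled is true" .Values.webhook.ssl.certManager.issuer.name }}`. The spec also relies on cert-manager's default private-key policy, which (as I understand the defaults) reuses the same key on every renewal; for a webhook serving key I would add `privateKey:` / `  rotationPolicy: Always` and consider an explicit `duration`/`renewBefore` so rotation is visible in the chart rather than implicit. `dnsNames` covers `<name>` and `<name>.<ns>.svc`, which is what the API server uses for a Service-backed webhook; add `<name>.<ns>.svc.cluster.local` only if something else dials the Service by FQDN.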
@@ -20,7 +20,7 @@ dependencies: - name: admission-controller # repository: https://charts.sysdig.com repository: file://../admission-controller - version: ~0.16.3 + version: ~0.17.0 alias: admissionController condition: admissionController.enabled - name: agent