{{- if .Values.webhook.enabled -}}
{{- /*
Everything in this file is rendered only when .Values.webhook.enabled is set.

$altNames lists the DNS names under which cmk-webhook-service is reachable
inside the cluster. $cert is a self-signed certificate whose common name is
the service's <name>.<namespace>.svc form, with no IP SANs (nil), the
$altNames as DNS SANs, and a validity of 36500 days (about 100 years).

genSelfSignedCert produces a fresh key pair each time the chart is rendered,
so the Secret below and the caBundle of the MutatingWebhookConfiguration at
the end of this file change together on every install or upgrade.
NOTE(review): nothing in this file restarts the webhook pods when the pair
changes - confirm the server reloads the mounted files, otherwise the API
server stops trusting it and failurePolicy: Ignore hides the failure.
NOTE(review): with a 100-year lifetime and no CA above it, this certificate
is only replaced by re-rendering the chart; there is no revocation path.
*/ -}}
{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}}
{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "cpu-manager.fullname" . }}-webhook-certs
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
# cert.pem is the webhook's serving certificate and key.pem its private key,
# both base64-encoded. The key is part of the rendered manifest, so anyone
# who can read the release's manifest or this Secret can impersonate the
# webhook endpoint.
data:
  cert.pem: {{ $cert.Cert | b64enc }}
  key.pem: {{ $cert.Key | b64enc }}
type: Opaque
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
# Two files consumed by the webhook server (mounted at /etc/webhook by the
# Deployment in this file):
#
# server.yaml    - listen address and port, plus the paths of the TLS pair
#                  and of the mutations file. The server binds to 0.0.0.0 on
#                  .Values.webhook.service.port.
# mutations.yaml - what the webhook patches into a pod it mutates:
#   perPod:       marks the pod with cmk.intel.com/resources-injected, sets
#                 the chart's service account, adds a toleration for every
#                 taint (operator: Exists), and adds three hostPath volumes:
#                 the node's /proc, .Values.configDir and .Values.installDir.
#   perContainer: sets CMK_PROC_FS and mounts the three volumes. Only
#                 /host/proc is mounted readOnly; /etc/cmk and /opt/bin have
#                 no readOnly flag and are therefore writable host
#                 directories inside the mutated container.
#
# NOTE(review): which pods actually receive these mutations is decided by the
# webhook server, which is not visible here. The webhook registration in this
# file matches every pod CREATE, so confirm the server limits injection to
# pods that request CMK resources before relying on that.
# NOTE(review): hostPath mounts and an injected service account are commonly
# rejected by restrictive pod security policies - verify against the
# cluster's admission settings.
#
# The text under each "|" is file content, not template commentary: do not
# add YAML comments inside those blocks unless they are meant to be shipped.
data:
  server.yaml: |
    server:
      binding-address: "0.0.0.0"
      port: {{ .Values.webhook.service.port }}
      cert: "/etc/ssl/cert.pem"
      key: "/etc/ssl/key.pem"
      mutations: "/etc/webhook/mutations.yaml"
  mutations.yaml: |
    mutations:
      perPod:
        metadata:
          annotations:
            cmk.intel.com/resources-injected: "true"
        spec:
          serviceAccount: {{ include "cpu-manager.serviceAccountName" . }}
          tolerations:
          - operator: Exists
          volumes:
          - name: cmk-host-proc
            hostPath:
              path: "/proc"
          - name: cmk-config-dir
            hostPath:
              path: {{ .Values.configDir | quote }}
          - name: cmk-install-dir
            hostPath:
              path: {{ .Values.installDir | quote }}
      perContainer:
        env:
        - name: CMK_PROC_FS
          value: "/host/proc"
        volumeMounts:
        - name: cmk-host-proc
          mountPath: /host/proc
          readOnly: true
        - name: cmk-config-dir
          mountPath: /etc/cmk
        - name: cmk-install-dir
          mountPath: /opt/bin
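---
# Service the API server calls to reach the webhook. The name is fixed
# (not derived from the release name) because the certificate SANs and the
# MutatingWebhookConfiguration in this file both hard-code
# "cmk-webhook-service".
apiVersion: v1
kind: Service
metadata:
  name: cmk-webhook-service
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
    app: cmk-webhook-app
spec:
  ports:
  - port: {{ .Values.webhook.service.port }}
    # The webhook server listens on the port written into server.yaml, which
    # is this same value. A hard-coded 443 here only worked while the value
    # happened to be 443; any other setting left the Service pointing at a
    # closed port, and failurePolicy: Ignore would hide that.
    targetPort: {{ .Values.webhook.service.port }}
  # Select on exactly the labels the Deployment's pod template carries
  # (selectorLabels plus app). Selecting on the full "cpu-manager.labels"
  # set only matches if every one of those labels is also on the pods,
  # which the pod template in this file does not guarantee.
  selector:
    {{- include "cpu-manager.selectorLabels" . | nindent 4 }}
    app: cmk-webhook-app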
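---
# Runs the CMK webhook server. The container starts
# "/cmk/cmk.py webhook" through bash and reads its configuration from the
# ConfigMap mounted at /etc/webhook; the TLS pair comes from the Secret
# mounted read-only at /etc/ssl.
# NOTE(review): mounting a volume at /etc/ssl hides whatever the image ships
# in that directory (typically the system CA bundle) - confirm the webhook
# process does not need it.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
    app: cmk-webhook-app
  name: {{ include "cpu-manager.fullname" . }}-webhook-deployment
spec:
  replicas: {{ .Values.webhook.replicaCount }}
  selector:
    matchLabels:
      {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
      app: cmk-webhook-app
  template:
    metadata:
      labels:
        {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
        app: cmk-webhook-app
      annotations:
        {{- toYaml .Values.webhook.annotations | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      # A toleration with operator Exists and no key tolerates every taint,
      # so the webhook pod may be scheduled onto any node, including tainted
      # control-plane nodes.
      tolerations:
      - operator: "Exists"
      containers:
      - args:
        - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml"
        command:
        - "/bin/bash"
        - "-c"
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        name: cmk-webhook
        # Container privileges come entirely from .Values.securityContext;
        # nothing is enforced by this template itself.
        securityContext:
          {{- toYaml .Values.securityContext | nindent 10 }}
        volumeMounts:
        - mountPath: /etc/webhook
          name: cmk-webhook-configmap
        - mountPath: /etc/ssl
          name: cmk-webhook-certs
          # Canonical lowercase boolean; "True" is only accepted by parsers
          # that apply YAML 1.1 boolean rules.
          readOnly: true
      volumes:
      - name: cmk-webhook-configmap
        configMap:
          name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
      - name: cmk-webhook-certs
        secret:
          secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs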
---
# Registers the CMK webhook with the API server.
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22. Moving to v1 also requires setting sideEffects and
# admissionReviewVersions on each webhook, and the server must answer with a
# review version listed there - confirm what the CMK webhook supports.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
    app: cmk-webhook-app
  name: {{ include "cpu-manager.fullname" . }}-webhook-config
webhooks:
- clientConfig:
    # The self-signed serving certificate doubles as the trust anchor: the
    # API server accepts exactly the certificate stored in the
    # <fullname>-webhook-certs Secret of this chart.
    caBundle: {{ $cert.Cert | b64enc }}
    service:
      name: cmk-webhook-service
      namespace: {{ $.Release.Namespace }}
      path: /mutate
  # Fail-open: if the webhook cannot be reached or returns an error, the pod
  # is admitted without the CMK mutations. This keeps pod creation working
  # during webhook outages but also hides TLS, Service and selector faults.
  failurePolicy: Ignore
  name: cmk.intel.com
  # Matches CREATE of core/v1 pods. No namespaceSelector or objectSelector is
  # set, so every pod creation in every namespace is sent to the webhook,
  # including system namespaces and the webhook's own pods.
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
{{- end }}