Knative webhook

src/Makefile

@@ -74,7 +74,8 @@ run: manifests generate fmt vet ## Run a controller from your host.
 apply:  ## Deploy the controller into the current kubernetes cluster.
 	helm upgrade --install dev charts/aws-node-termination-handler-2 --namespace nthv2 --create-namespace \
 		$(HELM_OPTS) \
-		--set controller.image=$(shell $(KO) publish -B github.com/aws/aws-node-termination-handler) \
+		--set controller.image=$(shell $(KO) publish -B github.com/aws/aws-node-termination-handler/cmd/controller) \
+		--set webhook.image=$(shell $(KO) publish -B github.com/aws/aws-node-termination-handler/cmd/webhook) \
 		--set fullnameOverride=nthv2
 
 .PHONY: delete

src/api/v1alpha1/terminator_types.go

@@ -17,7 +17,10 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"context"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"knative.dev/pkg/apis"
 )
 
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
@@ -38,10 +41,10 @@ type TerminatorStatus struct {
 	// Important: Run "make" to regenerate code after modifying this file
 }
 
+// Terminator is the Schema for the terminators API
 //+kubebuilder:object:root=true
+//+kubebuilder:resource:path=terminators,scope=Cluster
 //+kubebuilder:subresource:status
-
-// Terminator is the Schema for the terminators API
 type Terminator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
@@ -50,9 +53,19 @@ type Terminator struct {
 	Status TerminatorStatus `json:"status,omitempty"`
 }
 
-//+kubebuilder:object:root=true
+func (t *Terminator) SetDefaults(_ context.Context) {
+	// Stubbed to satisfy interface requirements.
+	// TODO: actually set defaults
+}
+
+func (t *Terminator) Validate(_ context.Context) *apis.FieldError {
+	// Stubbed to satisfy interface requirements.
+	// TODO: actually validate
+	return nil
+}
 
 // TerminatorList contains a list of Terminator
+//+kubebuilder:object:root=true
 type TerminatorList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`

src/charts/aws-node-termination-handler-2/templates/configmap_logging.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: config-logging
+    namespace: {{ .Release.Namespace }}
+    labels:
+        {{- include "aws-node-termination-handler.labels" . | nindent 8 }}
+    {{- with .Values.annotations }}
+    annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+data:
+    # https://github.com/uber-go/zap/blob/aa3e73ec0896f8b066ddf668597a02f89628ee50/config.go
+    zap-logger-config: |
+        {
+            "level": "{{ .Values.logLevel }}",
+            "development": false,
+            "disableStacktrace": true,
+            "disableCaller": true,
+            "sampling": {
+                "initial": 100,
+                "thereafter": 100
+            },
+            "outputPaths": ["stdout"],
+            "errorOutputPaths": ["stderr"],
+            "encoding": "console",
+            "encoderConfig": {
+                "timeKey": "time",
+                "levelKey": "level",
+                "nameKey": "logger",
+                "callerKey": "caller",
+                "messageKey": "message",
+                "stacktraceKey": "stacktrace",
+                "levelEncoder": "capital",
+                "timeEncoder": "iso8601"
+            }
+        }
+{{- with .Values.controller.logLevel }}
+    loglevel.controller: {{ . | quote }}
+{{- end }}
+{{- with .Values.webhook.logLevel }}
+    loglevel.webhook: {{ . | quote }}
+{{- end }}

src/charts/aws-node-termination-handler-2/templates/deployment.yaml

@@ -66,11 +66,15 @@ spec:
                   imagePullPolicy: {{ .Values.imagePullPolicy }}
                   {{- with .Values.controller.securityContext }}
                   securityContext:
-                      {{- toYaml . | nindent 20 }}
+                      {{- toYaml . | nindent 22 }}
                   {{- end }}
-                  {{- with .Values.controller.env }}
                   env:
-                      {{- toYaml . | nindent 20 }}
+                      - name: SYSTEM_NAMESPACE
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: metadata.namespace
+                  {{- with .Values.controller.env }}
+                      {{- toYaml . | nindent 22 }}
                   {{- end }}
                   ports:
                       - name: http-metrics
@@ -82,12 +86,49 @@ spec:
                   livenessProbe:
                       httpGet:
                           path: /healthz
-                          port: http
+                          port: http-probes
                   readinessProbe:
                       httpGet:
                           path: /readyz
-                          port: http
+                          port: http-probes
                   {{- with .Values.controller.resources }}
                   resources:
-                      {{- toYaml . | nindent 20 }}
+                      {{- toYaml . | nindent 22 }}
+                  {{- end }}
+                - name: webhook
+                  image: {{ .Values.webhook.image }}
+                  imagePullPolicy: {{ .Values.imagePullPolicy }}
+                  {{- with .Values.webhook.securityContext }}
+                  securityContext:
+                      {{- toYaml . | nindent 22 }}
+                  {{- end }}
+                  env:
+                      - name: SERVICE_PORT
+                        value: {{ .Values.webhook.port | quote }}
+                      - name: SERVICE_NAME
+                        value: {{ include "aws-node-termination-handler.fullname" . }}
+                      - name: SYSTEM_NAMESPACE
+                        valueFrom:
+                            fieldRef:
+                                fieldPath: metadata.namespace
+                      {{- with .Values.webhook.env }}
+                          {{- toYaml . | nindent 26 }}
+                      {{- end }}
+                  ports:
+                      - name: https-webhook
+                        containerPort: {{ .Values.webhook.port }}
+                        protocol: TCP
+                  livenessProbe:
+                      httpGet:
+                          port: https-webhook
+                          scheme: HTTPS
+                          path: /healthz
+                  readinessProbe:
+                      httpGet:
+                          port: https-webhook
+                          scheme: HTTPS
+                          path: /readyz
+                  {{- with .Values.webhook.resources }}
+                  resources:
+                      {{- toYaml . | nindent 22 }}
                   {{- end }}

src/charts/aws-node-termination-handler-2/templates/role_leaderelection.yaml → src/charts/aws-node-termination-handler-2/templates/role.yaml

@@ -16,11 +16,25 @@ rules:
       resources: ["configmaps"]
       verbs: ["create", "delete", "get", "list", "patch", "watch", "update"]
 
+    - apiGroups: [""]
+      resources: ["events"]
+      verbs: ["get", "list", "watch"]
+
+    - apiGroups: [""]
+      resources: ["namespaces"]
+      verbs: ["get", "list", "watch"]
+
+    - apiGroups: [""]
+      resources: ["secrets"]
+      verbs: ["get", "list", "watch"]
+
+    - apiGroups: [""]
+      resources: ["secrets"]
+      resourceNames: ["{{ include "aws-node-termination-handler.fullname" . }}-cert"]
+      verbs: ["get", "list", "watch", "update"]
+
     - apiGroups: ["coordination.k8s.io"]
       resources: ["leases"]
       verbs: ["create", "get", "patch", "update", "watch"]
 
-    - apiGroups: [""]
-      resources: ["events"]
-      verbs: ["get", "list", "watch"]
 {{- end }}

src/charts/aws-node-termination-handler-2/templates/role_binding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: {{ include "aws-node-termination-handler.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+    labels:
+        {{- include "aws-node-termination-handler.labels" . | nindent 8 }}
+    {{- with .Values.annotations }}
+    annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: {{ include "aws-node-termination-handler.fullname" . }}
+subjects:
+    - kind: ServiceAccount
+      name: {{ template "aws-node-termination-handler.serviceAccountName" . }}
+      namespace: {{ .Release.Namespace }}

src/charts/aws-node-termination-handler-2/templates/secret_webhook_cert.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: {{ include "aws-node-termination-handler.fullname" . }}-cert
+    namespace: {{ .Release.Namespace }}
+    labels:
+        {{- include "aws-node-termination-handler.labels" . | nindent 8 }}
+    {{- with .Values.annotations }}
+    annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+data: {} # Injected by webhook

src/charts/aws-node-termination-handler-2/templates/webhooks.yaml

@@ -0,0 +1,49 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+    name: defaulting.webhook.terminators.k8s.aws
+    namespace: {{ .Release.Namespace }}
+    labels:
+        {{- include "aws-node-termination-handler.labels" . | nindent 8 }}
+    {{- with .Values.annotations }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+webhooks:
+    - name: defaulting.webhook.terminators.k8s.aws
+      admissionReviewVersions: ["v1"]
+      clientConfig:
+          service:
+              name: {{ include "aws-node-termination-handler.fullname" . }}
+              namespace: {{ .Release.Namespace }}
+      failurePolicy: Fail
+      sideEffects: None
+      rules:
+          - apiGroups: ["k8s.aws"]
+            apiVersions: ["v1alpha1"]
+            resources: ["terminators", "terminators/status"]
+            operations: ["CREATE", "UPDATE"]
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+    name: validation.webhook.terminators.k8s.aws
+    namespace: {{ .Release.Namespace }}
+    labels:
+        {{- include "aws-node-termination-handler.labels" . | nindent 8 }}
+    {{- with .Values.annotations }}
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+webhooks:
+    - name: validation.webhook.terminators.k8s.aws
+      admissionReviewVersions: ["v1"]
+      clientConfig:
+          service:
+              name: {{ include "aws-node-termination-handler.fullname" . }}
+              namespace: {{ .Release.Namespace }}
+      failurePolicy: Fail
+      sideEffects: None
+      rules:
+          - apiGroups: ["k8s.aws"]
+            apiVersions: ["v1alpha1"]
+            resources: ["terminators", "terminators/status"]
+            operations: ["CREATE", "DELETE", "UPDATE"]