admission: add deployment files for validating webhook

Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>

Dockerfile

@@ -0,0 +1,13 @@
+# build stage
+FROM golang:1.15 AS build-env
+RUN mkdir -p /go/src/sig.k8s.io/service-apis
+WORKDIR /go/src/sig.k8s.io/service-apis
+COPY  . .
+RUN useradd -u 10001 webhook
+RUN cd cmd/controller/ && CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o serviceapiwebhook && chmod +x serviceapiwebhook
+
+FROM scratch
+COPY --from=build-env /go/src/sig.k8s.io/service-apis/cmd/controller/serviceapiwebhook .
+COPY --from=build-env /etc/passwd /etc/passwd
+USER webhook
+ENTRYPOINT ["/serviceapiwebhook"]

cmd/controller/main.go

@@ -0,0 +1,53 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"github.com/golang/glog"
+	"k8s.io/klog"
+	"net/http"
+	"os"
+	"os/signal"
+	"sigs.k8s.io/service-apis/pkg/admission"
+	"syscall"
+)
+
+var (
+	tlsCert, tlsKey string
+)
+
+func main() {
+	flag.StringVar(&tlsCert, "tlsCertFile", "/etc/certs/cert", "File with x509 certificate")
+	flag.StringVar(&tlsKey, "tlsKeyFile", "/etc/certs/key", "File with private key to tlsCertFile")
+
+	flag.Parse()
+
+	certs, err := tls.LoadX509KeyPair(tlsCert, tlsKey)
+	if err != nil {
+		klog.Fatalf("failed to load admission webhook keypair with err: %v", err)
+	}
+
+	server := &http.Server{
+		Addr:      ":8443",
+		TLSConfig: &tls.Config{Certificates: []tls.Certificate{certs}},
+	}
+	mux := http.NewServeMux()
+	mux.HandleFunc("/validate", admission.ServeHTTP)
+	server.Handler = mux
+
+	go func() {
+		err := server.ListenAndServeTLS("", "")
+		klog.Fatalf("admission webhook server stopped with err: %v", err)
+	}()
+
+	glog.Info("admission webhook server started and listening on :8443")
+
+	// gracefully shutdown
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
+	<-signalChan
+
+	glog.Info("admission webhook received kill signal, shutdown handled gracefully")
+	server.Shutdown(context.Background())
+}

deploy/duplicate_filter.yaml

@@ -0,0 +1,27 @@
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-filter-1
+  labels:
+    app: filter
+spec:
+  hostnames:
+    - my.filter.com
+  rules:
+    - matches:
+        - path:
+            type: Prefix
+            value: /
+      filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            add:
+              my-header: foo
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            add:
+              my-header: bar
+      forwardTo:
+        - serviceName: my-filter-svc1
+          weight: 1
+          port: 80

deploy/single_filter.yaml

@@ -0,0 +1,23 @@
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-filter-1
+  labels:
+    app: filter
+spec:
+  hostnames:
+    - my.filter.com
+  rules:
+    - matches:
+        - path:
+            type: Prefix
+            value: /
+      filters:
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            add:
+              my-header: foo
+      forwardTo:
+        - serviceName: my-filter-svc1
+          weight: 1
+          port: 80

deploy/webhook.yaml

@@ -0,0 +1,258 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: service-api
+  labels:
+    name: service-api
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: service-api-admission
+webhooks:
+  - name: validate.networking.x-k8s.io
+    matchPolicy: Equivalent
+    rules:
+      - operations: [ "CREATE" ]
+        apiGroups: [ "networking.x-k8s.io" ]
+        apiVersions: [ "v1alpha1" ]
+        resources: [ "httproutes" ]
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        name: service-api-admission
+        namespace: service-api
+        path: "/validate"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: service-api-admission
+  annotations:
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  namespace: service-api
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: service-api-admission
+  labels:
+    name: service-api
+    version: 0.0.1
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: service-api-admission
+  annotations:
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  namespace: service-api
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: service-api-admission
+subjects:
+  - kind: ServiceAccount
+    name: service-api-admission
+    namespace: service-api
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: service-api-admission
+  annotations:
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  namespace: service-api
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: service-api-admission
+  annotations:
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  namespace: service-api
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: service-api-admission
+subjects:
+  - kind: ServiceAccount
+    name: service-api-admission
+    namespace: service-api
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  name: service-api-admission
+  namespace: service-api
+spec:
+  type: ClusterIP
+  clusterIP: 10.96.0.2
+  ports:
+    - name: https-webhook
+      port: 443
+      targetPort: 8443
+  selector:
+    name: service-api-admission
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: service-api-admission
+  namespace: service-api
+  labels:
+    name: service-api-admission
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: service-api-admission
+  template:
+    metadata:
+      name: service-api-admission
+      labels:
+        name: service-api-admission
+    spec:
+      containers:
+        - name: webhook
+          image: cmluciano/service-api-admission:latest
+          imagePullPolicy: Always
+          args:
+            - -alsologtostderr
+            - --log_dir=/
+            - --tlsCertFile=/etc/certs/cert
+            - --tlsKeyFile=/etc/certs/key
+            - -v=10
+            - 2>&1
+          ports:
+            - containerPort: 8443
+              name: webhook
+          resources:
+            limits:
+              memory: 50Mi
+              cpu: 300m
+            requests:
+              memory: 50Mi
+              cpu: 300m
+          volumeMounts:
+            - name: webhook-certs
+              mountPath: /etc/certs
+              readOnly: true
+            - name: logs
+              mountPath: /tmp
+          securityContext:
+            readOnlyRootFilesystem: true
+      volumes:
+        - name: webhook-certs
+          secret:
+            secretName: service-api-admission
+        - name: logs
+          emptyDir: {}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: service-api-admission
+  annotations:
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  namespace: service-api
+spec:
+  template:
+    metadata:
+      name: service-api-admission-create
+      labels:
+        name: service-api-webhook
+        version: 0.0.1
+    spec:
+      containers:
+        - name: create
+          image: docker.io/jettech/kube-webhook-certgen:v1.5.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - create
+            - --host=service-api-admission,service-api-admission.service-api.svc
+            - --namespace=service-api
+            - --secret-name=service-api-admission
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      serviceAccountName: service-api-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: service-api-admission-patch
+  labels:
+    name: service-api-webhook
+    version: 0.0.1
+  namespace: service-api
+spec:
+  template:
+    metadata:
+      name: service-api-admission-patch
+      labels:
+        name: service-api-webhook
+        version: 0.0.1
+    spec:
+      containers:
+        - name: patch
+          image: docker.io/jettech/kube-webhook-certgen:v1.5.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - patch
+            - --webhook-name=service-api-admission
+            - --namespace=service-api
+            - --patch-mutating=false
+            - --patch-validating=true
+            - --secret-name=service-api-admission
+            - --patch-failure-policy=Fail
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      serviceAccountName: service-api-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000