author | Todd Malsbary <todd.malsbary@intel.com> | 2021-02-23 09:28:48 -0800 |
---|---|---|
committer | Todd Malsbary <todd.malsbary@intel.com> | 2021-04-29 08:45:07 -0700 |
commit | 7d5f991538b2cf784645e7f1de71ff72800f8160 (patch) | |
tree | 4c72762d46d4f4a54a871db2577462206ec462e1 /kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml | |
parent | a53172e77dc15728a11d888dc2be718b25529fc0 (diff) |
Add cmk addon helm chart

The chart follows the instructions laid out in the CMK operator
manual, with the following notes:

- The nodes are prepared by running each CMK subcommand as a Pod
  instead of running cmk cluster-init. The first reason for this is
  that the existing addon only deploys CMK to the worker nodes in the
  cluster. This is not possible using cluster-init without explicitly
  providing the list of worker nodes to cluster-init, and this list is
  unknown by helm. Instead it is sufficient to rely on the
  node-role.kubernetes.io/master:NoSchedule taint. The second reason
  is that cluster-init creates resources which are unknown to helm,
  thus uninstall does not behave as expected.
- The v1.4.1 version of CMK is chosen. In v1.5.2, the description key
  of the cmk-nodereport resource is not correct.
- All values listed as possibly requiring modification are exposed in
  values.yaml

Issue-ID: MULTICLOUD-1324
Signed-off-by: Todd Malsbary <todd.malsbary@intel.com>
Change-Id: Ibc75462de3729cd88edeb4b15602d57fe12791ca

Diffstat (limited to 'kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml')
-rw-r--r-- | kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml new file mode 100644 index 00000000..62e9fdbf --- /dev/null +++ b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml 
@@ -0,0 +1,156 @@ +{{- if .Values.webhook.enabled -}} +{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}} +{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cpu-manager.fullname" . }}-webhook-certs + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +data: + cert.pem: {{ $cert.Cert | b64enc }} + key.pem: {{ $cert.Key | b64enc }} +type: Opaque +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cpu-manager.fullname" . }}-webhook-configmap + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} +data: + server.yaml: | + server: + binding-address: "0.0.0.0" + port: {{ .Values.webhook.service.port }} + cert: "/etc/ssl/cert.pem" + key: "/etc/ssl/key.pem" + mutations: "/etc/webhook/mutations.yaml" + mutations.yaml: | + mutations: + perPod: + metadata: + annotations: + cmk.intel.com/resources-injected: "true" + spec: + serviceAccount: {{ include "cpu-manager.serviceAccountName" . }} + tolerations: + - operator: Exists + volumes: + - name: cmk-host-proc + hostPath: + path: "/proc" + - name: cmk-config-dir + hostPath: + path: {{ .Values.configDir | quote }} + - name: cmk-install-dir + hostPath: + path: {{ .Values.installDir | quote }} + perContainer: + env: + - name: CMK_PROC_FS + value: "/host/proc" + volumeMounts: + - name: cmk-host-proc + mountPath: /host/proc + readOnly: true + - name: cmk-config-dir + mountPath: /etc/cmk + - name: cmk-install-dir + mountPath: /opt/bin +--- +apiVersion: v1 +kind: Service +metadata: + name: cmk-webhook-service + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app +spec: + ports: + - port: {{ .Values.webhook.service.port }} + targetPort: 443 + selector: + {{- include "cpu-manager.labels" . 
| nindent 4 }} + app: cmk-webhook-app +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app + name: {{ include "cpu-manager.fullname" . }}-webhook-deployment +spec: + replicas: {{ .Values.webhook.replicaCount }} + selector: + matchLabels: + {{- include "cpu-manager.selectorLabels" . | nindent 6 }} + app: cmk-webhook-app + template: + metadata: + labels: + {{- include "cpu-manager.selectorLabels" . | nindent 8 }} + app: cmk-webhook-app + annotations: + {{- toYaml .Values.webhook.annotations | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + tolerations: + - operator: "Exists" + containers: + - args: + - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml" + command: + - "/bin/bash" + - "-c" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cmk-webhook + securityContext: + {{- toYaml .Values.securityContext | nindent 10 }} + volumeMounts: + - mountPath: /etc/webhook + name: cmk-webhook-configmap + - mountPath: /etc/ssl + name: cmk-webhook-certs + readOnly: True + volumes: + - name: cmk-webhook-configmap + configMap: + name: {{ include "cpu-manager.fullname" . }}-webhook-configmap + - name: cmk-webhook-certs + secret: + secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs +--- +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + labels: + {{- include "cpu-manager.labels" . | nindent 4 }} + app: cmk-webhook-app + name: {{ include "cpu-manager.fullname" . 
}}-webhook-config +webhooks: +- clientConfig: + caBundle: {{ $cert.Cert | b64enc }} + service: + name: cmk-webhook-service + namespace: {{ $.Release.Namespace }} + path: /mutate + failurePolicy: Ignore + name: cmk.intel.com + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods +{{- end }} |
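
Review bot: the MutatingWebhookConfiguration at the end of the file registers for CREATE on all `pods` with no `namespaceSelector` or `objectSelector`, so every pod creation in the cluster is sent to a webhook whose `mutations.yaml` sets `serviceAccount`, a blanket `operator: Exists` toleration and three `hostPath` volumes (`/proc`, `.Values.configDir`, `.Values.installDir`). Please scope the registration to the namespaces or labels that are meant to use CMK, and note in values.yaml that mutated pods receive host mounts and the chart's service account. Further points in the same file: the Service hard-codes `targetPort: 443` while `server.yaml` binds the server to `{{ .Values.webhook.service.port }}`, so any value other than 443 leaves the Service pointing at a port the server is not configured to listen on; give the container port its own value and reference it from `targetPort`. The Service `selector` is rendered from `cpu-manager.labels`, but the pod template carries only `cpu-manager.selectorLabels` plus `app`, so unless both helpers emit the same set the Service matches no pods; use `cpu-manager.selectorLabels` in the selector. `genSelfSignedCert ... 36500` issues a certificate valid for roughly 100 years that also serves as the `caBundle`, and a new one is generated each time the template is rendered; a shorter lifetime with a documented rotation path, or an externally supplied certificate, would be safer. `failurePolicy: Ignore` admits pods unmutated whenever the webhook is unreachable, which deserves a comment stating that this is intended. Finally, `admissionregistration.k8s.io/v1beta1` is deprecated in favour of `v1`, which additionally requires `sideEffects` and `admissionReviewVersions`.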