Diffstat (limited to 'kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml')
-rw-r--r-- | kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml
new file mode 100644
index 00000000..62e9fdbf
--- /dev/null
+++ b/kud/deployment_infra/helm/cpu-manager/templates/webhook.yaml
@@ -0,0 +1,156 @@
+{{- if .Values.webhook.enabled -}}
+{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}}
+{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-certs
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+data:
+ cert.pem: {{ $cert.Cert | b64enc }}
+ key.pem: {{ $cert.Key | b64enc }}
+type: Opaque
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+data:
+ server.yaml: |
+ server:
+ binding-address: "0.0.0.0"
+ port: {{ .Values.webhook.service.port }}
+ cert: "/etc/ssl/cert.pem"
+ key: "/etc/ssl/key.pem"
+ mutations: "/etc/webhook/mutations.yaml"
+ mutations.yaml: |
+ mutations:
+ perPod:
+ metadata:
+ annotations:
+ cmk.intel.com/resources-injected: "true"
+ spec:
+ serviceAccount: {{ include "cpu-manager.serviceAccountName" . }}
+ tolerations:
+ - operator: Exists
+ volumes:
+ - name: cmk-host-proc
+ hostPath:
+ path: "/proc"
+ - name: cmk-config-dir
+ hostPath:
+ path: {{ .Values.configDir | quote }}
+ - name: cmk-install-dir
+ hostPath:
+ path: {{ .Values.installDir | quote }}
+ perContainer:
+ env:
+ - name: CMK_PROC_FS
+ value: "/host/proc"
+ volumeMounts:
+ - name: cmk-host-proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: cmk-config-dir
+ mountPath: /etc/cmk
+ - name: cmk-install-dir
+ mountPath: /opt/bin
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: cmk-webhook-service
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+spec:
+ ports:
+ - port: {{ .Values.webhook.service.port }}
+ targetPort: 443
+ selector:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+ name: {{ include "cpu-manager.fullname" . }}-webhook-deployment
+spec:
+ replicas: {{ .Values.webhook.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
+ app: cmk-webhook-app
+ template:
+ metadata:
+ labels:
+ {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
+ app: cmk-webhook-app
+ annotations:
+ {{- toYaml .Values.webhook.annotations | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ tolerations:
+ - operator: "Exists"
+ containers:
+ - args:
+ - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml"
+ command:
+ - "/bin/bash"
+ - "-c"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ name: cmk-webhook
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 10 }}
+ volumeMounts:
+ - mountPath: /etc/webhook
+ name: cmk-webhook-configmap
+ - mountPath: /etc/ssl
+ name: cmk-webhook-certs
+ readOnly: True
+ volumes:
+ - name: cmk-webhook-configmap
+ configMap:
+ name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
+ - name: cmk-webhook-certs
+ secret:
+ secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ {{- include "cpu-manager.labels" . | nindent 4 }}
+ app: cmk-webhook-app
+ name: {{ include "cpu-manager.fullname" . }}-webhook-config
+webhooks:
+- clientConfig:
+ caBundle: {{ $cert.Cert | b64enc }}
+ service:
+ name: cmk-webhook-service
+ namespace: {{ $.Release.Namespace }}
+ path: /mutate
+ failurePolicy: Ignore
+ name: cmk.intel.com
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+{{- end }} |
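Review bot: The `MutatingWebhookConfiguration` at the end of the file matches every Pod `CREATE` in every namespace (there is no `namespaceSelector` or `objectSelector`), while `mutations.yaml` injects the chart's `serviceAccount`, an `operator: Exists` toleration and three hostPath volumes, of which only `cmk-host-proc` is mounted `readOnly: true`. Unless the webhook server filters pods itself, which is not visible here, any workload admitted through it could receive writable mounts of the host's config and install directories. I would scope the webhook with a `namespaceSelector` and add `readOnly: true` to the `cmk-install-dir` mount if pods only need to execute from it. Separately, `genSelfSignedCert` runs on every render, so each upgrade rewrites both the Secret and `caBundle` but nothing restarts the Deployment; with `failurePolicy: Ignore` a resulting TLS mismatch would silently skip mutation, so a checksum annotation on the pod template, or reusing the existing Secret via `lookup`, would help.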