{{- if .Values.webhook.enabled -}} {{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}} {{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}} apiVersion: v1 kind: Secret metadata: name: {{ include "cpu-manager.fullname" . }}-webhook-certs labels: {{- include "cpu-manager.labels" . | nindent 4 }} data: cert.pem: {{ $cert.Cert | b64enc }} key.pem: {{ $cert.Key | b64enc }} type: Opaque --- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "cpu-manager.fullname" . }}-webhook-configmap labels: {{- include "cpu-manager.labels" . | nindent 4 }} data: server.yaml: | server: binding-address: "0.0.0.0" port: {{ .Values.webhook.service.port }} cert: "/etc/ssl/cert.pem" key: "/etc/ssl/key.pem" mutations: "/etc/webhook/mutations.yaml" mutations.yaml: | mutations: perPod: metadata: annotations: cmk.intel.com/resources-injected: "true" spec: serviceAccount: {{ include "cpu-manager.serviceAccountName" . }} tolerations: - operator: Exists volumes: - name: cmk-host-proc hostPath: path: "/proc" - name: cmk-config-dir hostPath: path: {{ .Values.configDir | quote }} - name: cmk-install-dir hostPath: path: {{ .Values.installDir | quote }} perContainer: env: - name: CMK_PROC_FS value: "/host/proc" volumeMounts: - name: cmk-host-proc mountPath: /host/proc readOnly: true - name: cmk-config-dir mountPath: /etc/cmk - name: cmk-install-dir mountPath: /opt/bin --- apiVersion: v1 kind: Service metadata: name: cmk-webhook-service labels: {{- include "cpu-manager.labels" . | nindent 4 }} app: cmk-webhook-app spec: ports: - port: {{ .Values.webhook.service.port }} targetPort: 443 selector: {{- include "cpu-manager.labels" . | nindent 4 }} app: cmk-webhook-app --- apiVersion: apps/v1 kind: Deployment metadata: labels: {{- include "cpu-manager.labels" . | nindent 4 }} app: cmk-webhook-app name: {{ include "cpu-manager.fullname" . }}-webhook-deployment spec: replicas: {{ .Values.webhook.replicaCount }} selector: matchLabels: {{- include "cpu-manager.selectorLabels" . | nindent 6 }} app: cmk-webhook-app template: metadata: labels: {{- include "cpu-manager.selectorLabels" . | nindent 8 }} app: cmk-webhook-app annotations: {{- toYaml .Values.webhook.annotations | nindent 8 }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} tolerations: - operator: "Exists" containers: - args: - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml" command: - "/bin/bash" - "-c" image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} name: cmk-webhook resources: {{- toYaml .Values.resources | nindent 10 }} securityContext: {{- toYaml .Values.securityContext | nindent 10 }} volumeMounts: - mountPath: /etc/webhook name: cmk-webhook-configmap - mountPath: /etc/ssl name: cmk-webhook-certs readOnly: True volumes: - name: cmk-webhook-configmap configMap: name: {{ include "cpu-manager.fullname" . }}-webhook-configmap - name: cmk-webhook-certs secret: secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: MutatingWebhookConfiguration metadata: labels: {{- include "cpu-manager.labels" . | nindent 4 }} app: cmk-webhook-app name: {{ include "cpu-manager.fullname" . }}-webhook-config webhooks: - clientConfig: caBundle: {{ $cert.Cert | b64enc }} service: name: cmk-webhook-service namespace: {{ $.Release.Namespace }} path: /mutate failurePolicy: Ignore name: cmk.intel.com rules: - apiGroups: - "" apiVersions: - v1 operations: - CREATE resources: - pods {{- end }}