{{- /*
Admission-webhook resources for CMK. Nothing in this file is rendered unless
.Values.webhook.enabled is set.

$altNames holds the three DNS names of cmk-webhook-service (short name,
name.namespace and name.namespace.svc).

$cert is a self-signed certificate whose CN is the name.namespace.svc form,
with no IP SANs (nil), $altNames as DNS SANs and a validity of 36500 days.
The same $cert feeds both the Secret mounted by the webhook pod and the
caBundle of the MutatingWebhookConfiguration further down.

NOTE(review): genSelfSignedCert creates a fresh key pair every time the chart
is rendered, so each `helm upgrade` replaces the Secret and the caBundle
together. A webhook pod that keeps serving the previous certificate would then
fail TLS verification, and with failurePolicy: Ignore that failure is silent.
NOTE(review): 36500 days is roughly 100 years; rotation only happens as a side
effect of re-rendering the chart - confirm that is acceptable.
*/ -}}
{{- if .Values.webhook.enabled -}}
{{- $altNames := list "cmk-webhook-service" ( printf "cmk-webhook-service.%s" .Release.Namespace ) ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) -}}
{{- $cert := genSelfSignedCert ( printf "cmk-webhook-service.%s.svc" .Release.Namespace ) nil $altNames 36500 -}}
# TLS certificate and private key for the webhook server, taken from the
# self-signed $cert generated at the top of this template.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: {{ include "cpu-manager.fullname" . }}-webhook-certs
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
data:
  # The same certificate is published as caBundle in the
  # MutatingWebhookConfiguration of this file.
  cert.pem: {{ $cert.Cert | b64enc }}
  # NOTE(review): the private key is rendered into the manifest, so it is
  # presumably also kept in Helm's stored release record; read access to
  # both this Secret and the release storage should be restricted.
  key.pem: {{ $cert.Key | b64enc }}
---
# Configuration files for the webhook server; the Deployment in this file
# mounts this ConfigMap at /etc/webhook.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
data:
  # Listener settings passed to `cmk.py webhook --conf-file`. The cert and key
  # paths point into /etc/ssl, where the Deployment mounts the -webhook-certs
  # Secret. The port comes from .Values.webhook.service.port.
  server.yaml: |
    server:
      binding-address: "0.0.0.0"
      port: {{ .Values.webhook.service.port }}
      cert: "/etc/ssl/cert.pem"
      key: "/etc/ssl/key.pem"
      mutations: "/etc/webhook/mutations.yaml"
  # Patch data for the webhook: perPod is presumably merged into the pod and
  # perContainer into each of its containers - confirm against the webhook code.
  # NOTE(review): the patch sets the pod's serviceAccount, adds a toleration
  # with `operator: Exists` (matches every taint) and injects three hostPath
  # volumes. Only the /proc mount is readOnly; the node's config and install
  # directories are mounted writable into mutated containers. Confirm that
  # the webhook code restricts which pods receive this patch, because the
  # MutatingWebhookConfiguration in this file has no namespaceSelector.
  mutations.yaml: |
    mutations:
      perPod:
        metadata:
          annotations:
            cmk.intel.com/resources-injected: "true"
        spec:
          serviceAccount: {{ include "cpu-manager.serviceAccountName" . }}
          tolerations:
          - operator: Exists
          volumes:
          - name: cmk-host-proc
            hostPath:
              path: "/proc"
          - name: cmk-config-dir
            hostPath:
              path: {{ .Values.configDir | quote }}
          - name: cmk-install-dir
            hostPath:
              path: {{ .Values.installDir | quote }}
      perContainer:
        env:
        - name: CMK_PROC_FS
          value: "/host/proc"
        volumeMounts:
        - name: cmk-host-proc
          mountPath: /host/proc
          readOnly: true
        - name: cmk-config-dir
          mountPath: /etc/cmk
        - name: cmk-install-dir
          mountPath: /opt/bin
---
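# Service through which the API server reaches the webhook pods. The name is
# fixed because it is baked into the certificate SANs and into the
# clientConfig of the MutatingWebhookConfiguration in this file.
apiVersion: v1
kind: Service
metadata:
  name: cmk-webhook-service
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
    app: cmk-webhook-app
spec:
  ports:
  - port: {{ .Values.webhook.service.port }}
    # The server in server.yaml listens on .Values.webhook.service.port, so the
    # target must follow that value; a hard-coded 443 only worked when the
    # value happened to be 443.
    # NOTE(review): the MutatingWebhookConfiguration in this file sets no
    # clientConfig.service.port, so the API server uses the default (443);
    # any other value here also needs that field set.
    targetPort: {{ .Values.webhook.service.port }}
  # Select on selectorLabels, not the full label set: the pod template of the
  # webhook Deployment carries only selectorLabels plus `app`, so any extra
  # key in cpu-manager.labels would leave this Service without endpoints.
  selector:
    {{- include "cpu-manager.selectorLabels" . | nindent 4 }}
    app: cmk-webhook-app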
---
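# Runs the CMK webhook server (`cmk.py webhook`) behind cmk-webhook-service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "cpu-manager.fullname" . }}-webhook-deployment
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
    app: cmk-webhook-app
spec:
  replicas: {{ .Values.webhook.replicaCount }}
  selector:
    matchLabels:
      {{- include "cpu-manager.selectorLabels" . | nindent 6 }}
      app: cmk-webhook-app
  template:
    metadata:
      labels:
        {{- include "cpu-manager.selectorLabels" . | nindent 8 }}
        app: cmk-webhook-app
      annotations:
        # $cert is regenerated on every render, which replaces the Secret and
        # the caBundle. Hashing it into the pod template rolls the pods on
        # each upgrade so they never keep serving a certificate the API
        # server no longer trusts.
        checksum/webhook-cert: {{ $cert.Cert | sha256sum | quote }}
        {{- with .Values.webhook.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # Pod- and container-level security contexts come from chart values;
      # nothing is enforced here.
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      # `operator: Exists` without a key tolerates every taint, so the pod can
      # be scheduled onto any node, including tainted ones.
      tolerations:
      - operator: "Exists"
      containers:
      - name: cmk-webhook
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        command:
        - "/bin/bash"
        - "-c"
        args:
        - "/cmk/cmk.py webhook --conf-file /etc/webhook/server.yaml"
        securityContext:
          {{- toYaml .Values.securityContext | nindent 10 }}
        volumeMounts:
        - mountPath: /etc/webhook
          name: cmk-webhook-configmap
        # Key and certificate from the -webhook-certs Secret; server.yaml
        # reads /etc/ssl/cert.pem and /etc/ssl/key.pem.
        - mountPath: /etc/ssl
          name: cmk-webhook-certs
          readOnly: true
      volumes:
      - name: cmk-webhook-configmap
        configMap:
          name: {{ include "cpu-manager.fullname" . }}-webhook-configmap
      - name: cmk-webhook-certs
        secret:
          secretName: {{ include "cpu-manager.fullname" . }}-webhook-certs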
---
# Registers the CMK webhook with the API server for pod creation.
# NOTE(review): admissionregistration.k8s.io/v1beta1 is no longer served as of
# Kubernetes 1.22. The v1 API additionally requires `sideEffects` and
# `admissionReviewVersions` on every webhook entry, so this needs more than
# a version bump.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ include "cpu-manager.fullname" . }}-webhook-config
  labels:
    {{- include "cpu-manager.labels" . | nindent 4 }}
    app: cmk-webhook-app
webhooks:
- name: cmk.intel.com
  # Fail-open: when the webhook is unreachable or its certificate does not
  # verify against caBundle, pods are admitted without the mutation and
  # nothing in this manifest surfaces the failure.
  failurePolicy: Ignore
  clientConfig:
    # Trust anchor is the self-signed serving certificate itself ($cert).
    caBundle: {{ $cert.Cert | b64enc }}
    service:
      name: cmk-webhook-service
      namespace: {{ $.Release.Namespace }}
      path: /mutate
  # No namespaceSelector is set, so every pod CREATE in every namespace is
  # sent to the webhook.
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - pods
{{- end }}