| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 |
- apiVersion: v1
- kind: Namespace
- metadata:
- name: kilo
- ---
- apiVersion: admissionregistration.k8s.io/v1
- kind: ValidatingWebhookConfiguration
- metadata:
- name: "peers.kilo.squat.ai"
- webhooks:
- - name: "peers.kilo.squat.ai"
- rules:
- - apiGroups: ["kilo.squat.ai"]
- apiVersions: ["v1alpha1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["peers"]
- scope: "Cluster"
- clientConfig:
- service:
- namespace: "kilo"
- name: "peer-validation"
- path: "/validate"
- admissionReviewVersions: ["v1"]
- sideEffects: None
- timeoutSeconds: 5
- ---
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: peer-validation-server
- namespace: kilo
- labels:
- app.kubernetes.io/name: peer-validation-server
- spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: peer-validation-server
- template:
- metadata:
- labels:
- app.kubernetes.io/name: peer-validation-server
- spec:
- securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- containers:
- - name: server
- image: squat/kilo:0.7.0
- args:
- - webhook
- - --cert-file=/run/secrets/tls/tls.crt
- - --key-file=/run/secrets/tls/tls.key
- - --listen-metrics=:1107
- - --listen=:8443
- ports:
- - containerPort: 8443
- name: webhook
- - containerPort: 1107
- name: metrics
- volumeMounts:
- - name: tls
- mountPath: /run/secrets/tls
- readOnly: true
- volumes:
- - name: tls
- secret:
- secretName: peer-validation-webhook-tls
- ---
- apiVersion: v1
- kind: Service
- metadata:
- name: peer-validation
- namespace: kilo
- spec:
- selector:
- app.kubernetes.io/name: peer-validation-server
- ports:
- - port: 443
- targetPort: webhook
- ---
- apiVersion: v1
- kind: ServiceAccount
- metadata:
- name: kilo-peer-validation
- namespace: kilo
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: kilo-peer-validation
- rules:
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- resourceNames:
- - peers.kilo.squat.ai
- verbs:
- - get
- - update
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: kilo-peer-validation
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kilo-peer-validation
- subjects:
- - kind: ServiceAccount
- namespace: kilo
- name: kilo-peer-validation
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: Role
- metadata:
- name: kilo-peer-validation
- namespace: kilo
- rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - create
- ---
- apiVersion: rbac.authorization.k8s.io/v1
- kind: RoleBinding
- metadata:
- name: kilo-peer-validation
- namespace: kilo
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kilo-peer-validation
- subjects:
- - kind: ServiceAccount
- namespace: kilo
- name: kilo-peer-validation
- ---
- apiVersion: batch/v1
- kind: Job
- metadata:
- name: cert-gen
- namespace: kilo
- spec:
- template:
- spec:
- serviceAccountName: kilo-peer-validation
- initContainers:
- - name: create
- image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0
- args:
- - create
- - --namespace=kilo
- - --secret-name=peer-validation-webhook-tls
- - --host=peer-validation,peer-validation.kilo.svc
- - --key-name=tls.key
- - --cert-name=tls.crt
- containers:
- - name: patch
- image: k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0
- args:
- - patch
- - --webhook-name=peers.kilo.squat.ai
- - --secret-name=peer-validation-webhook-tls
- - --namespace=kilo
- - --patch-mutating=false
- restartPolicy: OnFailure
- backoffLimit: 4
|
