Merge branch 'master' into jd/ui-refresh

FairwindsOps · Dec 11, 2020 · 2bf5a19 · 2bf5a19
2 parents 2d32641 + 86b856a
commit 2bf5a19
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 188 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -45,6 +45,19 @@ references:
 
         kubectl version
 
+        echo "Installing Helm"
+        curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+
+        echo "Installing cert-manager"
+        kubectl create namespace cert-manager
+        helm repo add jetstack https://charts.jetstack.io
+        helm repo update
+        echo "Helm install"
+        helm install cert-manager jetstack/cert-manager --namespace cert-manager --version 0.16.1 --set "installCRDs=true" --wait
+        echo "Install cert-manager successful"
+
   # Test scripts
   update_coverage: &update_coverage
     run:

diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml
@@ -5,7 +5,7 @@ kind: Namespace
 metadata:
   name: polaris
 ---
-# Source: polaris/templates/rbac.yaml
+# Source: polaris/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -15,7 +15,7 @@ metadata:
     app: polaris
 ---
 # Source: polaris/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: polaris
@@ -33,7 +33,7 @@ rules:
       - 'list'
 ---
 # Source: polaris/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: polaris-view
@@ -109,7 +109,7 @@ spec:
       - command:
         - polaris
         - dashboard
-        image: 'quay.io/fairwinds/polaris:1.2'
+        image: 'quay.io/fairwinds/polaris:2.0'
         imagePullPolicy: 'Always'
         name: dashboard
         ports:

diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml
@@ -5,7 +5,7 @@ kind: Namespace
 metadata:
   name: polaris
 ---
-# Source: polaris/templates/rbac.yaml
+# Source: polaris/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -14,31 +14,8 @@ metadata:
   labels:
     app: polaris
 ---
-# Source: polaris/templates/webhook.rbac.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: polaris-certificates
-  namespace: polaris
-  labels:
-    app: polaris
----
-# Source: polaris/templates/webhook.secret.yaml
-# The name of this secret is static as it is populated by the webhook pod.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: polaris-webhook
-  namespace: polaris
-  labels:
-    app: polaris
-type: kubernetes.io/tls
-data:
-  tls.crt: ''
-  tls.key: ''
----
 # Source: polaris/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: polaris
@@ -55,50 +32,8 @@ rules:
       - 'get'
       - 'list'
 ---
-# Source: polaris/templates/webhook.rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
-  name: polaris-webhook
-  labels:
-    app: polaris
-rules:
-  - apiGroups:
-      - ''
-    resources:
-      - 'secrets'
-      - 'services'
-    verbs:
-      - 'get'
-      - 'list'
-      - 'watch'
-  - apiGroups:
-    - 'certificates.k8s.io'
-    resources:
-    - 'certificatesigningrequests'
-    - 'certificatesigningrequests/approval'
-    verbs:
-    - 'get'
-    - 'update'
-    - 'create'
-    - 'delete'
-  - apiGroups:
-    - 'certificates.k8s.io'
-    resources:
-    - 'signers'
-    resourceNames:
-    - 'kubernetes.io/legacy-unknown'
-    verbs:
-    - 'approve'
-  - apiGroups:
-      - 'admissionregistration.k8s.io'
-    resources:
-      - 'validatingwebhookconfigurations'
-    verbs:
-      - '*'
----
 # Source: polaris/templates/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: polaris-view
@@ -129,57 +64,6 @@ subjects:
     name: polaris
     namespace: polaris
 ---
-# Source: polaris/templates/webhook.rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: polaris-webhook
-  labels:
-    app: polaris
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: polaris-webhook
-subjects:
-  - kind: ServiceAccount
-    name: polaris-certificates
-    namespace: polaris
----
-# Source: polaris/templates/webhook.rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
-  name: polaris-webhook
-  namespace: polaris
-  labels:
-    app: polaris
-rules:
-  # required for current controller-runtime bootstrap method
-  - apiGroups:
-      - ''
-    resources:
-      - 'secrets'
-      - 'services'
-    verbs:
-      - '*'
----
-# Source: polaris/templates/webhook.rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
-  name: polaris-webhook
-  namespace: polaris
-  labels:
-    app: polaris
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: polaris-webhook
-subjects:
-  - kind: ServiceAccount
-    name: polaris-certificates
-    namespace: polaris
----
 # Source: polaris/templates/webhook.service.yaml
 apiVersion: v1
 kind: Service
@@ -225,7 +109,7 @@ spec:
           command:
             - polaris
             - webhook
-          image: 'quay.io/fairwinds/polaris:1.2'
+          image: 'quay.io/fairwinds/polaris:2.0'
           imagePullPolicy: 'Always'
           ports:
             - containerPort: 9876
@@ -276,93 +160,66 @@ spec:
       volumes:
         - name: secret
           secret:
-            secretName: polaris-webhook
+            secretName: polaris
         - name: cr-logs
           emptyDir: {}
 ---
-# Source: polaris/templates/webhook.job.yaml
-apiVersion: batch/v1
-kind: Job
+# Source: polaris/templates/webhook.cert.yaml
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
 metadata:
-  name: polaris-certificate-updater
+  name: polaris-cert
   namespace: polaris
   labels:
-
     app: polaris
-    component: certificate-updater
 spec:
-  template:
-    metadata:
-      labels:
-
-        app: polaris
-        component: certificate-updater
-    spec:
-      containers:
-      - name: webhook-certificate-generator
-        image: 'newrelic/k8s-webhook-cert-manager:1.3.0'
-        imagePullPolicy: Always
-        command:
-          - ./generate_certificate.sh
-          - --service
-          - polaris-webhook
-          - --namespace
-          - polaris
-          - --secret
-          - polaris-webhook
-          - --webhook
-          - polaris-webhook
-          - --webhook-kind
-          - ValidatingWebhookConfiguration
-        resources:
-          limits:
-            cpu: 150m
-            memory: 512Mi
-          requests:
-            cpu: 100m
-            memory: 128Mi
-        volumeMounts:
-        - name: tmp
-          mountPath: /tmp/
-          readOnly: false
-        securityContext:
-          allowPrivilegeEscalation: false
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 1000
-          capabilities:
-            drop:
-            - ALL
-      serviceAccountName:  polaris-certificates
-      restartPolicy: Never
-      volumes:
-        - name: tmp
-          emptyDir: {}
+  commonName: polaris-webhook.polaris.svc
+  dnsNames:
+  - polaris-webhook.polaris.svc
+  - polaris-webhook.polaris
+  - polaris-webhook
+  - polaris-webhook.polaris.svc.
+  issuerRef:
+    kind: Issuer
+    name: polaris-selfsigned
+  secretName: polaris
+---
+# Source: polaris/templates/webhook.cert.yaml
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: polaris-selfsigned
+  namespace: polaris
+spec:
+  selfSigned: {}
 ---
 # Source: polaris/templates/webhook.configuration.yaml
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: polaris-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: polaris/polaris-cert
 webhooks:
 - admissionReviewVersions:
   - v1beta1
   clientConfig:
-    caBundle: "" 
     service:
       name: polaris-webhook
       namespace: polaris
       path: /validate
       port: 443
-  failurePolicy: Ignore
+  failurePolicy: Fail
   matchPolicy: Exact
   name: polaris.fairwinds.com
   namespaceSelector:
+
     matchExpressions:
     - key: control-plane
       operator: DoesNotExist
-  objectSelector: {}
+  objectSelector:
+
+    {}
   rules:
   - apiGroups:
     - apps
@@ -402,4 +259,4 @@ webhooks:
     - replicationcontrollers
     scope: Namespaced
   sideEffects: None
-  timeoutSeconds: 30
+  timeoutSeconds: 10
diff --git a/test/webhook_test.sh b/test/webhook_test.sh
@@ -13,11 +13,6 @@ function check_webhook_is_ready() {
     # Reset another 4 minutes to wait for webhook
     timeout_epoch=$(date -d "+4 minutes" +%s)
 
-    while ! kubectl get csr | grep -E "polaris-webhook.polaris"; do
-        check_timeout "${timeout_epoch}"
-        echo -n "."
-    done
-
     # loop until this fails (desired condition is we cannot apply this yaml doc, which means the webhook is working
     echo "Waiting for webhook to be ready"
     while ! kubectl get pods -n polaris | grep -E "webhook.*1/1.*Running"; do