Jazz 🙌 support for Istio (#22)

* makes manager webhook port configurable this was hard-coded here and in the chart. making this configurable since there's no need to lock in a value. default remains 9443 * changes changes for istio adds "--webhook-server-port" flag for manager uses new default value to set previously hard-coded 9443 port renames root container "manager" enables psps/netpols by default (security-first measure) * adds ns suffix to cluster-scope resources gk! (gross kid) this ensures dco can be deployed multiple times. strictly speaking, if you use a unique release name for each instance, then is is not required. ugh...this hurts so much. * fixes helm chart incorrect ref clusterrole name needs to change to match clusterrolebinding ref
dominodatalab · Apr 2, 2021 · 22e657e · 22e657e
1 parent ecc90eb
commit 22e657e
Show file tree

Hide file tree

Showing 12 changed files with 43 additions and 17 deletions.
diff --git a/cmd/start.go b/cmd/start.go
@@ -13,6 +13,7 @@ var (
 	namespace            string
 	probeAddr            string
 	metricsAddr          string
+	webhookPort          int
 	enableLeaderElection bool
 
 	zapOpts = zap.Options{}
@@ -26,6 +27,7 @@ var startCmd = &cobra.Command{
 			Namespace:            namespace,
 			MetricsAddr:          metricsAddr,
 			HealthProbeAddr:      probeAddr,
+			WebhookServerPort:    webhookPort,
 			EnableLeaderElection: enableLeaderElection,
 			ZapOptions:           zapOpts,
 		}
@@ -39,9 +41,10 @@ func init() {
 
 	fs := new(flag.FlagSet)
 	zapOpts.BindFlags(fs)
-	startCmd.Flags().AddGoFlagSet(fs)
 
+	startCmd.Flags().AddGoFlagSet(fs)
 	startCmd.Flags().StringVar(&namespace, "namespace", "default", "Reconcile clusters resources in this namespace")
+	startCmd.Flags().IntVar(&webhookPort, "webhook-server-port", 9443, "Webhook server will bind to this port")
 	startCmd.Flags().StringVar(&metricsAddr, "metrics-bind-address", ":8080",
 		"Metrics endpoint will bind to this address")
 	startCmd.Flags().StringVar(&probeAddr, "health-probe-bind-address", ":8081",

diff --git a/deploy/helm/distributed-compute-operator/templates/deployment.yaml b/deploy/helm/distributed-compute-operator/templates/deployment.yaml
@@ -26,7 +26,7 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
-        - name: {{ .Chart.Name }}
+        - name: manager
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: {{ include "dco.image" . }}
@@ -35,6 +35,7 @@ spec:
             - start
             - --namespace={{ .Release.Namespace }}
             {{- with .Values.config }}
+            - --webhook-server-port={{ .webhookPort }}
             - --metrics-bind-address=:{{ .metricsPort }}
             - --health-probe-bind-address=:{{ .healthProbePort }}
             {{- if .enableLeaderElection }}
@@ -55,7 +56,7 @@ spec:
             {{- end }}
           ports:
             - name: webhooks
-              containerPort: 9443
+              containerPort: {{ .Values.config.webhookPort }}
               protocol: TCP
             - name: metrics
               containerPort: {{ .Values.config.metricsPort }}

diff --git a/deploy/helm/distributed-compute-operator/templates/hooks.yaml b/deploy/helm/distributed-compute-operator/templates/hooks.yaml
@@ -14,7 +14,7 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "dco.rbac.hookName" . }}
+  name: {{ include "dco.rbac.hookName" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
   annotations:
@@ -42,7 +42,7 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "dco.rbac.hookName" . }}
+  name: {{ include "dco.rbac.hookName" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
   annotations:
@@ -52,7 +52,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "dco.rbac.hookName" . }}
+  name: {{ include "dco.rbac.hookName" . }}.{{ .Release.Namespace }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "dco.serviceAccountName" . }}-hook

diff --git a/deploy/helm/distributed-compute-operator/templates/istio.yaml b/deploy/helm/distributed-compute-operator/templates/istio.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.istio.enabled }}
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: {{ include "dco.webhook.service" .}}
+  labels:
+    {{- include "common.labels.standard" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "common.labels.matchLabels" . | nindent 6 }}
+  mtls:
+    mode: UNSET
+  portLevelMtls:
+    {{ .Values.config.webhookPort }}:
+      mode: PERMISSIVE
+{{- end }}
diff --git a/deploy/helm/distributed-compute-operator/templates/networkpolicy.yaml b/deploy/helm/distributed-compute-operator/templates/networkpolicy.yaml
@@ -13,7 +13,7 @@ spec:
   - Ingress
   ingress:
   - ports:
-    - port: 9443
+    - port: {{ .Values.config.webhookPort }}
       protocol: TCP
     - port: {{ .Values.config.healthProbePort }}
       protocol: TCP

diff --git a/deploy/helm/distributed-compute-operator/templates/podsecuritypolicy.yaml b/deploy/helm/distributed-compute-operator/templates/podsecuritypolicy.yaml
@@ -3,7 +3,7 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
   annotations:

diff --git a/deploy/helm/distributed-compute-operator/templates/rbac.yaml b/deploy/helm/distributed-compute-operator/templates/rbac.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "dco.rbac.managerName" . }}
+  name: {{ include "dco.rbac.managerName" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
 rules:
@@ -18,13 +18,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "dco.rbac.managerName" . }}
+  name: {{ include "dco.rbac.managerName" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "dco.rbac.managerName" . }}
+  name: {{ include "dco.rbac.managerName" . }}.{{ .Release.Namespace }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "dco.serviceAccountName" . }}

diff --git a/deploy/helm/distributed-compute-operator/templates/webhook-configuration-mutating.yaml b/deploy/helm/distributed-compute-operator/templates/webhook-configuration-mutating.yaml
@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
   annotations:

diff --git a/deploy/helm/distributed-compute-operator/templates/webhook-configuration-validating.yaml b/deploy/helm/distributed-compute-operator/templates/webhook-configuration-validating.yaml
@@ -1,7 +1,7 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: {{ include "common.names.fullname" . }}
+  name: {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}
   labels:
     {{- include "common.labels.standard" . | nindent 4 }}
   annotations:

diff --git a/deploy/helm/distributed-compute-operator/values.yaml b/deploy/helm/distributed-compute-operator/values.yaml
@@ -11,6 +11,8 @@ installCRDs: true
 
 # Controller manager configuration
 config:
+  # Webhook server port
+  webhookPort: 9443
   # Prometheus metrics port
   metricsPort: 8080
   # Health probe port
@@ -36,11 +38,11 @@ istio:
 
 podSecurityPolicy:
   # Create custom PSP for operator
-  enabled: false
+  enabled: true
 
 networkPolicy:
   # Restrict network ingress to operator pods
-  enabled: false
+  enabled: true
 
 image:
   registry: ghcr.io

diff --git a/pkg/manager/config.go b/pkg/manager/config.go
@@ -7,6 +7,7 @@ type Config struct {
 	Namespace            string
 	MetricsAddr          string
 	HealthProbeAddr      string
+	WebhookServerPort    int
 	EnableLeaderElection bool
 	ZapOptions           zap.Options
 }
diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go
@@ -20,6 +20,8 @@ import (
 	//+kubebuilder:scaffold:imports
 )
 
+const leaderElectionID = "a846cbf2.dominodatalab.com"
+
 var (
 	scheme   = runtime.NewScheme()
 	setupLog = ctrl.Log.WithName("setup")
@@ -33,10 +35,10 @@ func Start(cfg *Config) error {
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     cfg.MetricsAddr,
-		Port:                   9443,
+		Port:                   cfg.WebhookServerPort,
 		HealthProbeBindAddress: cfg.HealthProbeAddr,
 		LeaderElection:         cfg.EnableLeaderElection,
-		LeaderElectionID:       "a846cbf2.dominodatalab.com",
+		LeaderElectionID:       leaderElectionID,
 		Namespace:              cfg.Namespace,
 	})
 	if err != nil {