kubevela · FogDong · Dec 9, 2022 · Dec 9, 2022
@@ -171,7 +171,7 @@ type WorkflowStepMeta struct {
 // WorkflowStepBase defines the workflow step base
 type WorkflowStepBase struct {
 	// Name is the unique name of the workflow step.
-	Name string `json:"name"`
+	Name string `json:"name,omitempty"`
 	// Type is the type of the workflow step.
 	Type string `json:"type"`
 	// Meta is the meta data of the workflow step.
@@ -260,7 +260,7 @@ type StepOutputs []outputItem
 type StepInputs []inputItem
 
 type inputItem struct {
-	ParameterKey string `json:"parameterKey"`
+	ParameterKey string `json:"parameterKey,omitempty"`
 	From         string `json:"from"`
 }
 

@@ -87,7 +87,6 @@ spec:
                                 type: string
                             required:
                             - from
-                            - parameterKey
                             type: object
                           type: array
                         meta:
@@ -139,7 +138,6 @@ spec:
                                       type: string
                                   required:
                                   - from
-                                  - parameterKey
                                   type: object
                                 type: array
                               meta:
@@ -177,7 +175,6 @@ spec:
                                 description: Type is the type of the workflow step.
                                 type: string
                             required:
-                            - name
                             - type
                             type: object
                           type: array
@@ -188,7 +185,6 @@ spec:
                           description: Type is the type of the workflow step.
                           type: string
                       required:
-                      - name
                       - type
                       type: object
                     type: array

@@ -66,7 +66,6 @@ spec:
                         type: string
                     required:
                     - from
-                    - parameterKey
                     type: object
                   type: array
                 meta:
@@ -117,7 +116,6 @@ spec:
                               type: string
                           required:
                           - from
-                          - parameterKey
                           type: object
                         type: array
                       meta:
@@ -153,7 +151,6 @@ spec:
                         description: Type is the type of the workflow step.
                         type: string
                     required:
-                    - name
                     - type
                     type: object
                   type: array
@@ -164,7 +161,6 @@ spec:
                   description: Type is the type of the workflow step.
                   type: string
               required:
-              - name
               - type
               type: object
             type: array

@@ -0,0 +1,55 @@
+{{- if and .Values.admissionWebhooks.certManager.enabled -}}
+
+# The following manifests contain a self-signed issuer CR and a certificate CR.
+# More document can be found at https://docs.cert-manager.io
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kubevela.fullname" . }}-self-signed-issuer
+spec:
+  selfSigned: {}
+
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kubevela.fullname" . }}-root-cert
+spec:
+  secretName: {{ template "kubevela.fullname" . }}-root-cert
+  duration: 43800h # 5y
+  revisionHistoryLimit: {{ .Values.admissionWebhooks.certManager.revisionHistoryLimit }}
+  issuerRef:
+    name: {{ template "kubevela.fullname" . }}-self-signed-issuer
+  commonName: "ca.webhook.kubevela"
+  isCA: true
+
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ template "kubevela.fullname" . }}-root-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: {{ template "kubevela.fullname" . }}-root-cert
+
+---
+# generate a serving certificate for the apiservices to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "kubevela.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ template "kubevela.fullname" . }}-admission
+  duration: 8760h # 1y
+  revisionHistoryLimit: {{ .Values.admissionWebhooks.certManager.revisionHistoryLimit }}
+  issuerRef:
+    name: {{ template "kubevela.fullname" . }}-root-issuer
+  dnsNames:
+    - {{ template "kubevela.name" . }}-webhook.{{ .Release.Namespace }}.svc
+    - {{ template "kubevela.name" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local
+
+{{- end }}
@@ -0,0 +1,28 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - get
+      - update
+{{- end }}
@@ -0,0 +1,20 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kubevela.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kubevela.fullname" . }}-admission
+    namespace: {{ .Release.Namespace }}
+{{- end }}
@@ -0,0 +1,58 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission-create
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission-create
+    {{- include "kubevela.labels" . | nindent 4 }}
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name:  {{ template "kubevela.fullname" . }}-admission-create
+      labels:
+        app: {{ template "kubevela.name" . }}-admission-create
+        {{- include "kubevela.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: create
+          image: {{ .Values.imageRegistry }}{{ .Values.admissionWebhooks.patch.image.repository }}:{{ .Values.admissionWebhooks.patch.image.tag }}
+          imagePullPolicy: {{ .Values.admissionWebhooks.patch.image.pullPolicy }}
+          args:
+            - create
+            - --host={{ template "kubevela.name" . }}-webhook,{{ template "kubevela.name" . }}-webhook.{{ .Release.Namespace }}.svc
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ template "kubevela.fullname" . }}-admission
+            - --key-name=tls.key
+            - --cert-name=tls.crt
+      restartPolicy: OnFailure
+      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
+      {{- with .Values.admissionWebhooks.patch.nodeSelector }}
+      nodeSelector:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.admissionWebhooks.patch.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      securityContext:
+        runAsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+{{- end }}
@@ -0,0 +1,53 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission-patch
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission-patch
+    {{- include "kubevela.labels" . | nindent 4 }}
+spec:
+  {{- if .Capabilities.APIVersions.Has "batch/v1alpha1" }}
+  # Alpha feature since k8s 1.12
+  ttlSecondsAfterFinished: 0
+  {{- end }}
+  template:
+    metadata:
+      name:  {{ template "kubevela.fullname" . }}-admission-patch
+      labels:
+        app: {{ template "kubevela.name" . }}-admission-patch
+        {{- include "kubevela.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: patch
+          image: {{ .Values.imageRegistry }}{{ .Values.admissionWebhooks.patch.image.repository }}:{{ .Values.admissionWebhooks.patch.image.tag }}
+          imagePullPolicy: {{ .Values.admissionWebhooks.patch.image.pullPolicy }}
+          args:
+            - patch
+            - --webhook-name={{ template "kubevela.fullname" . }}-admission
+            - --namespace={{ .Release.Namespace }}
+            - --secret-name={{ template "kubevela.fullname" . }}-admission
+            - --patch-failure-policy={{ .Values.admissionWebhooks.failurePolicy }}
+      restartPolicy: OnFailure
+      serviceAccountName: {{ template "kubevela.fullname" . }}-admission
+      {{- with .Values.admissionWebhooks.patch.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      {{- with .Values.admissionWebhooks.patch.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+      {{- end }}
+      securityContext:
+        runAsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 2000
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kubevela.fullname" . }}-admission
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kubevela.fullname" . }}-admission
+    namespace: {{ .Release.Namespace }}
+{{- end }}
@@ -0,0 +1,13 @@
+{{- if and .Values.admissionWebhooks.enabled .Values.admissionWebhooks.patch.enabled .Values.rbac.create (not .Values.admissionWebhooks.certManager.enabled) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name:  {{ template "kubevela.fullname" . }}-admission
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    app: {{ template "kubevela.name" . }}-admission
+    {{- include "kubevela.labels" . | nindent 4 }}
+{{- end }}