Network identity: node-specific certificate in ovnkube-node, admissio…

…n webhook

Signed-off-by: Patryk Diak <pdiak@redhat.com>

bindata/network-identity/common/network-identity-namespace.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-network-identity
+  labels:
+    openshift.io/cluster-monitoring: "true"
+    openshift.io/run-level: "0"
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    openshift.io/node-selector: ""
+    openshift.io/description: "OpenShift network identity namespace - a controller used to manage network-identity components"
+    workload.openshift.io/allowed: "management"

bindata/network-identity/common/network-identity-rbac.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: network-identity
+  namespace: openshift-network-identity
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: network-identity
+roleRef:
+  name: network-identity
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: network-identity
+    namespace: openshift-network-identity
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: network-identity
+rules:
+  - apiGroups: [""]
+    resources:
+      - nodes
+      - pods
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - certificatesigningrequests
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - certificatesigningrequests/approval
+    verbs: ["update"]
+  - apiGroups: [""]
+    resources:
+      - events
+    verbs: ["create", "patch", "update"]
+  - apiGroups: ["certificates.k8s.io"]
+    resources:
+      - signers
+    resourceNames:
+      - kubernetes.io/kube-apiserver-client
+    verbs: ["approve"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: network-identity-leases
+  namespace: openshift-network-identity
+roleRef:
+  name: network-identity-leases
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: network-identity
+    namespace: openshift-network-identity
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: openshift-network-identity
+  name: network-identity-leases
+rules:
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - get
+      - list
+      - update

bindata/network-identity/managed/network-identity-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: network-identity
+  namespace: {{.HostedClusterNamespace}}
+  labels:
+    app: network-identity
+    hypershift.openshift.io/allow-guest-webhooks: "true"
+  annotations:
+    network.operator.openshift.io/cluster-name: {{.ManagementClusterName}}
+    service.alpha.openshift.io/serving-cert-secret-name: network-identity-secret
+spec:
+  ports:
+    - name: webhook
+      port: {{.NetworkIdentityPort}}
+      targetPort: {{.NetworkIdentityPort}}
+  selector:
+    app: network-identity

bindata/network-identity/managed/network-identity-webhook.yaml

@@ -0,0 +1,29 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: network-identity.openshift.io
+webhooks:
+  - name: node.network-identity.openshift.io
+    clientConfig:
+      url: https://network-identity.{{.HostedClusterNamespace}}.svc:{{.NetworkIdentityPort}}/node
+      caBundle: {{.NetworkIdentityCABundle}}
+    admissionReviewVersions: ['v1']
+    sideEffects: None
+    rules:
+      - operations: [ "UPDATE" ]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["nodes/status"]
+        scope: "*"
+  - name: pod.network-identity.openshift.io
+    clientConfig:
+      url: https://network-identity.{{.HostedClusterNamespace}}.svc:{{.NetworkIdentityPort}}/pod
+      caBundle: {{.NetworkIdentityCABundle}}
+    admissionReviewVersions: ['v1']
+    sideEffects: None
+    rules:
+      - operations: [ "UPDATE" ]
+        apiGroups: ["*"]
+        apiVersions: ["*"]
+        resources: ["pods/status"]
+        scope: "*"

bindata/network-identity/managed/network-identity.yaml

@@ -0,0 +1,245 @@
+# The network-identity components
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: network-identity
+  namespace: {{.HostedClusterNamespace}}
+  annotations:
+    network.operator.openshift.io/cluster-name:  {{.ManagementClusterName}}
+    kubernetes.io/description: |
+      This deployment launches the network-identity control plane components.
+    release.openshift.io/version: "{{.ReleaseVersion}}"
+  labels:
+    # used by PodAffinity to prefer co-locating pods that belong to the same hosted cluster.
+    hypershift.openshift.io/hosted-control-plane: {{.HostedClusterNamespace}}
+spec:
+  replicas: {{.NetworkIdentityReplicas}}
+{{ if (gt .NetworkIdentityReplicas 1)}}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+{{ end }}
+  selector:
+    matchLabels:
+      app: network-identity
+  template:
+    metadata:
+      annotations:
+        hypershift.openshift.io/release-image: {{.ReleaseImage}}
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+      labels:
+        app: network-identity
+        component: network
+        type: infra
+        openshift.io/component: network
+        hypershift.openshift.io/control-plane-component: network-identity
+        kubernetes.io/os: "linux"
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: hypershift.openshift.io/control-plane
+                    operator: In
+                    values:
+                      - "true"
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: hypershift.openshift.io/cluster
+                    operator: In
+                    values:
+                      - {{.HostedClusterNamespace}}
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: network-identity
+              topologyKey: topology.kubernetes.io/zone
+        podAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    hypershift.openshift.io/hosted-control-plane: {{.HostedClusterNamespace}}
+                topologyKey: kubernetes.io/hostname
+      priorityClassName: hypershift-api-critical
+      initContainers:
+        - name: hosted-cluster-kubecfg-setup
+          image: "{{.CLIImage}}"
+          command:
+            - /bin/bash
+            - -c
+            - |
+              kc=/var/run/secrets/hosted_cluster/kubeconfig
+              kubectl --kubeconfig $kc config set clusters.default.server {{ .K8S_LOCAL_APISERVER }}
+              kubectl --kubeconfig $kc config set clusters.default.certificate-authority /hosted-ca/ca.crt
+              kubectl --kubeconfig $kc config set users.admin.tokenFile /var/run/secrets/hosted_cluster/token
+              kubectl --kubeconfig $kc config set contexts.default.cluster default
+              kubectl --kubeconfig $kc config set contexts.default.user admin
+              kubectl --kubeconfig $kc config set contexts.default.namespace openshift-network-identity
+              kubectl --kubeconfig $kc config use-context default
+          volumeMounts:
+            - mountPath: /var/run/secrets/hosted_cluster
+              name: hosted-cluster-api-access
+      containers:
+      - name: network-identity-webhook
+        image: "{{.NetworkIdentityImage}}"
+        command:
+          - /bin/bash
+          - -c
+          - |
+            set -xe
+            if [[ -f "/env/_master" ]]; then
+              set -o allexport
+              source "/env/_master"
+              set +o allexport
+            fi
+            
+            retries=0
+            while [ ! -f /var/run/secrets/hosted_cluster/token ]; do
+              (( retries += 1 ))
+              sleep 1
+              if [[ "${retries}" -gt 30 ]]; then
+                echo "$(date -Iseconds) - Hosted cluster token not found"
+                exit 1
+              fi
+            done
+            ho_enable=
+{{- if .OVNHybridOverlayEnable }}
+            ho_enable="--enable-hybrid-overlay"
+{{ end }}
+            echo "I$(date "+%m%d %H:%M:%S.%N") - start network-identity-webhook"
+            exec /usr/bin/ovnkube-identity \
+                --kubeconfig=/var/run/secrets/hosted_cluster/kubeconfig \
+                --webhook-cert-dir=/etc/webhook-cert \
+                --webhook-host="" \
+                --webhook-port={{.NetworkIdentityPort}} \
+                ${ho_enable} \
+                --enable-interconnect \
+                --disable-approver \
+                --loglevel="${LOGLEVEL}"
+        env:
+          - name: LOGLEVEL
+            value: "5"
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        ports:
+          - name: webhook
+            containerPort: {{.NetworkIdentityPort}}
+            protocol: TCP
+        volumeMounts:
+          - mountPath: /etc/webhook-cert/
+            name: webhook-cert
+          - mountPath: /env
+            name: env-overrides
+          - mountPath: /var/run/secrets/hosted_cluster
+            name: hosted-cluster-api-access
+          - mountPath: /hosted-ca
+            name: hosted-ca-cert
+      - name: network-identity-approver
+        image: "{{.NetworkIdentityImage}}"
+        command:
+          - /bin/bash
+          - -c
+          - |
+            set -xe
+            if [[ -f "/env/_master" ]]; then
+              set -o allexport
+              source "/env/_master"
+              set +o allexport
+            fi
+            
+            retries=0
+            while [ ! -f /var/run/secrets/hosted_cluster/token ]; do
+              (( retries += 1 ))
+              sleep 1
+              if [[ "${retries}" -gt 30 ]]; then
+                echo "$(date -Iseconds) - Hosted cluster token not found"
+                exit 1
+              fi
+            done
+            echo "I$(date "+%m%d %H:%M:%S.%N") - start network-identity-approver"
+            exec /usr/bin/ovnkube-identity \
+                --kubeconfig=/var/run/secrets/hosted_cluster/kubeconfig \
+                --lease-namespace=openshift-network-identity \
+                --disable-webhook \
+                --loglevel="${LOGLEVEL}"
+        env:
+          - name: LOGLEVEL
+            value: "5"
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+          - mountPath: /env
+            name: env-overrides
+          - mountPath: /var/run/secrets/hosted_cluster
+            name: hosted-cluster-api-access
+          - mountPath: /hosted-ca
+            name: hosted-ca-cert
+      # token-minter creates a token with the default service account path
+      # The token is read by the containers to authenticate against the hosted cluster api server
+      - name: token-minter
+        image: "{{.TokenMinterImage}}"
+        command: ["/usr/bin/control-plane-operator", "token-minter"]
+        args:
+          - --service-account-namespace=openshift-network-identity
+          - --service-account-name=network-identity
+          - --token-audience={{.TokenAudience}}
+          - --token-file=/var/run/secrets/hosted_cluster/token
+          - --kubeconfig=/etc/kubernetes/kubeconfig
+        resources:
+          requests:
+            cpu: 10m
+            memory: 30Mi
+        volumeMounts:
+          - mountPath: /etc/kubernetes
+            name: admin-kubeconfig
+          - mountPath: /var/run/secrets/hosted_cluster
+            name: hosted-cluster-api-access
+      {{ if .HCPNodeSelector }}
+      nodeSelector:
+        {{ range $key, $value := .HCPNodeSelector }}
+        "{{$key}}": "{{$value}}"
+        {{ end }}
+      {{ end }}
+      volumes:
+        - name: env-overrides
+          configMap:
+            name: env-overrides
+            optional: true
+        - name: admin-kubeconfig
+          secret:
+            secretName: service-network-admin-kubeconfig
+        - name: hosted-cluster-api-access
+          emptyDir: {}
+        - name: hosted-ca-cert
+          secret:
+            secretName: root-ca
+            items:
+              - key: ca.crt
+                path: ca.crt
+        - name: webhook-cert
+          secret:
+            defaultMode: 0640
+            secretName: network-identity-secret
+      tolerations:
+        - key: "hypershift.openshift.io/control-plane"
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+        - key: "hypershift.openshift.io/cluster"
+          operator: "Equal"
+          value: {{.HostedClusterNamespace}}
+          effect: "NoSchedule"