Network identity: node-specific certificate in ovnkube-node, admission webhook
Signed-off-by: Patryk Diak <pdiak@redhat.com>
Showing
22 changed files
with
1,178 additions
and
13 deletions.
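--- a/bindata/network-identity/common/network-identity-namespace.yaml
+++ b/bindata/network-identity/common/network-identity-namespace.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: openshift-network-identity
+labels:
+openshift.io/cluster-monitoring: "true"
+openshift.io/run-level: "0"
+pod-security.kubernetes.io/enforce: privileged
+pod-security.kubernetes.io/audit: privileged
+pod-security.kubernetes.io/warn: privileged
+annotations:
+include.release.openshift.io/self-managed-high-availability: "true"
+include.release.openshift.io/ibm-cloud-managed: "true"
+include.release.openshift.io/single-node-developer: "true"
+openshift.io/node-selector: ""
+openshift.io/description: "OpenShift network identity namespace - a controller used to manage network-identity components"
+workload.openshift.io/allowed: "management"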
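Review bot: `openshift.io/run-level: "0"` together with the three `pod-security.kubernetes.io/*: privileged` labels takes both SCC admission and pod-security enforcement off this namespace, yet the workloads this commit places in it appear to be an admission webhook and a CSR approver, neither of which obviously needs host-level access. If the self-managed deployment (not visible in this section) does not require privileged or host settings, a `baseline` or `restricted` enforce level and no `run-level` label would narrow what a compromised pod in this namespace can do. If it does require them, a comment naming the pod setting that forces it, e.g. `# run-level 0 and privileged PSA are required because: <reason>`, would save the next reviewer the same question.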
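--- a/bindata/network-identity/common/network-identity-rbac.yaml
+++ b/bindata/network-identity/common/network-identity-rbac.yaml
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: network-identity
+namespace: openshift-network-identity
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: network-identity
+roleRef:
+name: network-identity
+kind: ClusterRole
+apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+name: network-identity
+namespace: openshift-network-identity
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: network-identity
+rules:
+- apiGroups: [""]
+resources:
+- nodes
+- pods
+verbs: ["get", "list", "watch"]
+- apiGroups: ["certificates.k8s.io"]
+resources:
+- certificatesigningrequests
+verbs: ["get", "list", "watch"]
+- apiGroups: ["certificates.k8s.io"]
+resources:
+- certificatesigningrequests/approval
+verbs: ["update"]
+- apiGroups: [""]
+resources:
+- events
+verbs: ["create", "patch", "update"]
+- apiGroups: ["certificates.k8s.io"]
+resources:
+- signers
+resourceNames:
+- kubernetes.io/kube-apiserver-client
+verbs: ["approve"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: network-identity-leases
+namespace: openshift-network-identity
+roleRef:
+name: network-identity-leases
+kind: Role
+apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+name: network-identity
+namespace: openshift-network-identity
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+namespace: openshift-network-identity
+name: network-identity-leases
+rules:
+- apiGroups:
+- coordination.k8s.io
+resources:
+- leases
+verbs:
+- create
+- get
+- list
+- update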
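Review bot: The single `network-identity` ServiceAccount bound by the ClusterRoleBinding carries `certificatesigningrequests/approval` update plus `signers` approve for `kubernetes.io/kube-apiserver-client`, which is the permission that turns a pending CSR into a usable client certificate, and the managed deployment in this commit appears to hand that same minted token to both the approver and the network-facing webhook container. Binding the two certificate rules to a separate ServiceAccount used only by the approver, with the webhook's account keeping just get/list/watch on nodes and pods, would keep the most sensitive credential off the process that accepts inbound requests. The certificate rules also deserve a comment on intent, e.g. `# approval for the kube-apiserver-client signer is what lets the approver turn a per-node CSR into a node-scoped client certificate; do not bind this to any other subject`. Style: the ClusterRole uses flow lists (`verbs: ["get", "list", "watch"]`) while the leases Role uses block lists; pick one form for the file.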
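--- a/bindata/network-identity/managed/network-identity-service.yaml
+++ b/bindata/network-identity/managed/network-identity-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: network-identity
+namespace: {{.HostedClusterNamespace}}
+labels:
+app: network-identity
+hypershift.openshift.io/allow-guest-webhooks: "true"
+annotations:
+network.operator.openshift.io/cluster-name: {{.ManagementClusterName}}
+service.alpha.openshift.io/serving-cert-secret-name: network-identity-secret
+spec:
+ports:
+- name: webhook
+port: {{.NetworkIdentityPort}}
+targetPort: {{.NetworkIdentityPort}}
+selector:
+app: network-identity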
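Review bot: `namespace: {{.HostedClusterNamespace}}` and the `cluster-name` annotation are unquoted template expansions, while the deployment in this commit quotes `"{{.ReleaseVersion}}"`; quoting them (`namespace: "{{.HostedClusterNamespace}}"`) protects the rendered manifest against an empty or special-character expansion and keeps the templates consistent. `service.alpha.openshift.io/serving-cert-secret-name` is the older annotation name; `service.beta.openshift.io/serving-cert-secret-name` is the form current service-ca documentation uses, with the alpha form kept, as far as I know, only for compatibility. The `hypershift.openshift.io/allow-guest-webhooks` label would benefit from a comment stating why this management-side service must be reachable from the hosted cluster's API server (presumably what the label enables), e.g. `# the hosted cluster's API server calls this webhook across the management boundary`.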
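--- a/bindata/network-identity/managed/network-identity-webhook.yaml
+++ b/bindata/network-identity/managed/network-identity-webhook.yaml
@@ -0,0 +1,29 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+name: network-identity.openshift.io
+webhooks:
+- name: node.network-identity.openshift.io
+clientConfig:
+url: https://network-identity.{{.HostedClusterNamespace}}.svc:{{.NetworkIdentityPort}}/node
+caBundle: {{.NetworkIdentityCABundle}}
+admissionReviewVersions: ['v1']
+sideEffects: None
+rules:
+- operations: [ "UPDATE" ]
+apiGroups: ["*"]
+apiVersions: ["*"]
+resources: ["nodes/status"]
+scope: "*"
+- name: pod.network-identity.openshift.io
+clientConfig:
+url: https://network-identity.{{.HostedClusterNamespace}}.svc:{{.NetworkIdentityPort}}/pod
+caBundle: {{.NetworkIdentityCABundle}}
+admissionReviewVersions: ['v1']
+sideEffects: None
+rules:
+- operations: [ "UPDATE" ]
+apiGroups: ["*"]
+apiVersions: ["*"]
+resources: ["pods/status"]
+scope: "*"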
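Review bot: Neither webhook sets `failurePolicy`, so the v1 default `Fail` applies, and because the rules match every UPDATE on `nodes/status` and `pods/status` across all API groups and versions, an outage of the webhook blocks every kubelet status update in the hosted cluster, while `Ignore` would let the check be bypassed whenever the endpoint is unreachable. Make that trade-off explicit and documented on both webhooks, e.g. `failurePolicy: Fail  # status updates must not bypass identity validation; outage risk accepted`, and set `timeoutSeconds` deliberately instead of relying on the 10s default. `apiGroups: ["*"]` is broader than needed for resources that exist only in the core group; `apiGroups: [""]` narrows the match without changing behaviour. Style: `operations: [ "UPDATE" ]` and `admissionReviewVersions: ['v1']` differ in spacing and quote style from the other flow lists in the file.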
@@ -0,0 +1,245 @@ | ||
# The network-identity components | ||
kind: Deployment | ||
apiVersion: apps/v1 | ||
metadata: | ||
name: network-identity | ||
namespace: {{.HostedClusterNamespace}} | ||
annotations: | ||
network.operator.openshift.io/cluster-name: {{.ManagementClusterName}} | ||
kubernetes.io/description: | | ||
This deployment launches the network-identity control plane components. | ||
release.openshift.io/version: "{{.ReleaseVersion}}" | ||
labels: | ||
# used by PodAffinity to prefer co-locating pods that belong to the same hosted cluster. | ||
hypershift.openshift.io/hosted-control-plane: {{.HostedClusterNamespace}} | ||
spec: | ||
replicas: {{.NetworkIdentityReplicas}} | ||
{{ if (gt .NetworkIdentityReplicas 1)}} | ||
strategy: | ||
type: RollingUpdate | ||
rollingUpdate: | ||
maxSurge: 0 | ||
maxUnavailable: 1 | ||
{{ end }} | ||
selector: | ||
matchLabels: | ||
app: network-identity | ||
template: | ||
metadata: | ||
annotations: | ||
hypershift.openshift.io/release-image: {{.ReleaseImage}} | ||
target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' | ||
labels: | ||
app: network-identity | ||
component: network | ||
type: infra | ||
openshift.io/component: network | ||
hypershift.openshift.io/control-plane-component: network-identity | ||
kubernetes.io/os: "linux" | ||
spec: | ||
affinity: | ||
nodeAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 50 | ||
preference: | ||
matchExpressions: | ||
- key: hypershift.openshift.io/control-plane | ||
operator: In | ||
values: | ||
- "true" | ||
- weight: 100 | ||
preference: | ||
matchExpressions: | ||
- key: hypershift.openshift.io/cluster | ||
operator: In | ||
values: | ||
- {{.HostedClusterNamespace}} | ||
podAntiAffinity: | ||
requiredDuringSchedulingIgnoredDuringExecution: | ||
- labelSelector: | ||
matchLabels: | ||
app: network-identity | ||
topologyKey: topology.kubernetes.io/zone | ||
podAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 100 | ||
podAffinityTerm: | ||
labelSelector: | ||
matchLabels: | ||
hypershift.openshift.io/hosted-control-plane: {{.HostedClusterNamespace}} | ||
topologyKey: kubernetes.io/hostname | ||
priorityClassName: hypershift-api-critical | ||
initContainers: | ||
- name: hosted-cluster-kubecfg-setup | ||
image: "{{.CLIImage}}" | ||
command: | ||
- /bin/bash | ||
- -c | ||
- | | ||
kc=/var/run/secrets/hosted_cluster/kubeconfig | ||
kubectl --kubeconfig $kc config set clusters.default.server {{ .K8S_LOCAL_APISERVER }} | ||
kubectl --kubeconfig $kc config set clusters.default.certificate-authority /hosted-ca/ca.crt | ||
kubectl --kubeconfig $kc config set users.admin.tokenFile /var/run/secrets/hosted_cluster/token | ||
kubectl --kubeconfig $kc config set contexts.default.cluster default | ||
kubectl --kubeconfig $kc config set contexts.default.user admin | ||
kubectl --kubeconfig $kc config set contexts.default.namespace openshift-network-identity | ||
kubectl --kubeconfig $kc config use-context default | ||
volumeMounts: | ||
- mountPath: /var/run/secrets/hosted_cluster | ||
name: hosted-cluster-api-access | ||
containers: | ||
- name: network-identity-webhook | ||
image: "{{.NetworkIdentityImage}}" | ||
command: | ||
- /bin/bash | ||
- -c | ||
- | | ||
set -xe | ||
if [[ -f "/env/_master" ]]; then | ||
set -o allexport | ||
source "/env/_master" | ||
set +o allexport | ||
fi | ||
retries=0 | ||
while [ ! -f /var/run/secrets/hosted_cluster/token ]; do | ||
(( retries += 1 )) | ||
sleep 1 | ||
if [[ "${retries}" -gt 30 ]]; then | ||
echo "$(date -Iseconds) - Hosted cluster token not found" | ||
exit 1 | ||
fi | ||
done | ||
ho_enable= | ||
{{- if .OVNHybridOverlayEnable }} | ||
ho_enable="--enable-hybrid-overlay" | ||
{{ end }} | ||
echo "I$(date "+%m%d %H:%M:%S.%N") - start network-identity-webhook" | ||
exec /usr/bin/ovnkube-identity \ | ||
--kubeconfig=/var/run/secrets/hosted_cluster/kubeconfig \ | ||
--webhook-cert-dir=/etc/webhook-cert \ | ||
--webhook-host="" \ | ||
--webhook-port={{.NetworkIdentityPort}} \ | ||
${ho_enable} \ | ||
--enable-interconnect \ | ||
--disable-approver \ | ||
--loglevel="${LOGLEVEL}" | ||
env: | ||
- name: LOGLEVEL | ||
value: "5" | ||
resources: | ||
requests: | ||
cpu: 10m | ||
memory: 50Mi | ||
terminationMessagePolicy: FallbackToLogsOnError | ||
ports: | ||
- name: webhook | ||
containerPort: {{.NetworkIdentityPort}} | ||
protocol: TCP | ||
volumeMounts: | ||
- mountPath: /etc/webhook-cert/ | ||
name: webhook-cert | ||
- mountPath: /env | ||
name: env-overrides | ||
- mountPath: /var/run/secrets/hosted_cluster | ||
name: hosted-cluster-api-access | ||
- mountPath: /hosted-ca | ||
name: hosted-ca-cert | ||
- name: network-identity-approver | ||
image: "{{.NetworkIdentityImage}}" | ||
command: | ||
- /bin/bash | ||
- -c | ||
- | | ||
set -xe | ||
if [[ -f "/env/_master" ]]; then | ||
set -o allexport | ||
source "/env/_master" | ||
set +o allexport | ||
fi | ||
retries=0 | ||
while [ ! -f /var/run/secrets/hosted_cluster/token ]; do | ||
(( retries += 1 )) | ||
sleep 1 | ||
if [[ "${retries}" -gt 30 ]]; then | ||
echo "$(date -Iseconds) - Hosted cluster token not found" | ||
exit 1 | ||
fi | ||
done | ||
echo "I$(date "+%m%d %H:%M:%S.%N") - start network-identity-approver" | ||
exec /usr/bin/ovnkube-identity \ | ||
--kubeconfig=/var/run/secrets/hosted_cluster/kubeconfig \ | ||
--lease-namespace=openshift-network-identity \ | ||
--disable-webhook \ | ||
--loglevel="${LOGLEVEL}" | ||
env: | ||
- name: LOGLEVEL | ||
value: "5" | ||
resources: | ||
requests: | ||
cpu: 10m | ||
memory: 50Mi | ||
terminationMessagePolicy: FallbackToLogsOnError | ||
volumeMounts: | ||
- mountPath: /env | ||
name: env-overrides | ||
- mountPath: /var/run/secrets/hosted_cluster | ||
name: hosted-cluster-api-access | ||
- mountPath: /hosted-ca | ||
name: hosted-ca-cert | ||
# token-minter creates a token with the default service account path | ||
# The token is read by the containers to authenticate against the hosted cluster api server | ||
- name: token-minter | ||
image: "{{.TokenMinterImage}}" | ||
command: ["/usr/bin/control-plane-operator", "token-minter"] | ||
args: | ||
- --service-account-namespace=openshift-network-identity | ||
- --service-account-name=network-identity | ||
- --token-audience={{.TokenAudience}} | ||
- --token-file=/var/run/secrets/hosted_cluster/token | ||
- --kubeconfig=/etc/kubernetes/kubeconfig | ||
resources: | ||
requests: | ||
cpu: 10m | ||
memory: 30Mi | ||
volumeMounts: | ||
- mountPath: /etc/kubernetes | ||
name: admin-kubeconfig | ||
- mountPath: /var/run/secrets/hosted_cluster | ||
name: hosted-cluster-api-access | ||
{{ if .HCPNodeSelector }} | ||
nodeSelector: | ||
{{ range $key, $value := .HCPNodeSelector }} | ||
"{{$key}}": "{{$value}}" | ||
{{ end }} | ||
{{ end }} | ||
volumes: | ||
- name: env-overrides | ||
configMap: | ||
name: env-overrides | ||
optional: true | ||
- name: admin-kubeconfig | ||
secret: | ||
secretName: service-network-admin-kubeconfig | ||
- name: hosted-cluster-api-access | ||
emptyDir: {} | ||
- name: hosted-ca-cert | ||
secret: | ||
secretName: root-ca | ||
items: | ||
- key: ca.crt | ||
path: ca.crt | ||
- name: webhook-cert | ||
secret: | ||
defaultMode: 0640 | ||
secretName: network-identity-secret | ||
tolerations: | ||
- key: "hypershift.openshift.io/control-plane" | ||
operator: "Equal" | ||
value: "true" | ||
effect: "NoSchedule" | ||
- key: "hypershift.openshift.io/cluster" | ||
operator: "Equal" | ||
value: {{.HostedClusterNamespace}} | ||
effect: "NoSchedule" |