Add webhook skeleton, remove api-server from chart, add webhoook serv…

…er in chart, move PrepareForCreate login into webhook handler (kubernetes-retired#2) * Add webhook skeleton, remove api-server from chart, add webhoook server in chart, move PrepareForCreate login into webhook handler * Add logger and GVK matcher
piotrmiskiewicz · May 16, 2019 · a272caa · a272caa
1 parent 2e5cfdd
commit a272caa
Show file tree

Hide file tree

Showing 81 changed files with 7,734 additions and 1,335 deletions.
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -30,6 +30,10 @@ required = [
   name = "github.com/pmorie/go-open-service-broker-client"
   branch = "master" # latest commit
 
+[[constraint]]
+  name="sigs.k8s.io/controller-runtime"
+  revision="89c373a86c19b6e5fc8f7b0c49a671039b8188c9"
+
 # All dependencies of Kubernetes from branch release-1.13 converted to override clauses. This include dependencies that
 # are not used in this project. See
 # https://github.com/kubernetes/kubernetes/blob/release-1.13/Godeps/Godeps.json

diff --git a/charts/catalog/README.md b/charts/catalog/README.md
@@ -11,7 +11,7 @@ For more information,
 
 ## Prerequisites
 
-- Kubernetes 1.7+ with Beta APIs enabled
+- Kubernetes 1.9+ with Beta APIs enabled
 - `charts/catalog` already exists in your local machine
 
 ## Installing the Chart
@@ -40,38 +40,18 @@ chart and their default values.
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `image` | apiserver image to use | `quay.io/kubernetes-service-catalog/service-catalog:v0.2.0` |
+| `image` | Service catalog image to use | `quay.io/kubernetes-service-catalog/service-catalog:v0.1.41` |
 | `imagePullPolicy` | `imagePullPolicy` for the service catalog | `Always` |
-| `apiserver.replicas` | `replicas` for the service catalog apiserver pod count | `1` |
-| `apiserver.updateStrategy` | `updateStrategy` for the service catalog apiserver deployments | `RollingUpdate` |
-| `apiserver.minReadySeconds` | how many seconds an apiServer pod needs to be ready before killing the next, during update | `1` |
-| `apiserver.annotations` | Annotations for apiserver pods | `{}` |
-| `apiserver.nodeSelector` | A nodeSelector value to apply to the apiserver pods. If not specified, no nodeSelector will be applied | |
-| `apiserver.aggregator.priority` | Priority of the APIService. | `100` |
-| `apiserver.aggregator.groupPriorityMinimum` | The minimum priority the group should have. | `10000` |
-| `apiserver.aggregator.versionPriority` | The ordering of this API inside of the group | `20` |
-| `apiserver.tls.requestHeaderCA` | Base64-encoded CA used to validate request-header authentication, when receiving delegated authentication from an aggregator. If not set, the service catalog API server will inherit this CA from the `extension-apiserver-authentication` ConfigMap if available. | `nil` |
-| `apiserver.service.type` | Type of service; valid values are `LoadBalancer` , `NodePort` and `ClusterIP` | `NodePort` |
-| `apiserver.service.nodePort.securePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The TLS-enabled endpoint will be exposed here | `30443` |
-| `apiserver.service.clusterIP` | If service type is ClusterIP, specify clusterIP as `None` for `headless services` OR specify your own specific IP OR leave blank to let Kubernetes assign a cluster IP |  |
-| `apiserver.storage.type` | The storage backend to use; the only valid value is `etcd`, left for other storages support in future, e.g. `crd` | `etcd` |
-| `apiserver.storage.etcd.useEmbedded` | If storage type is `etcd`: Whether to embed an etcd container in the apiserver pod; THIS IS INADEQUATE FOR PRODUCTION USE! | `true` |
-| `apiserver.storage.etcd.servers` | If storage type is `etcd`: etcd URL(s); override this if NOT using embedded etcd. Only etcd v3 is supported. | `http://localhost:2379` |
-| `apiserver.storage.etcd.image` | etcd image to use | `quay.io/coreos/etcd:latest` |
-| `apiserver.storage.etcd.imagePullPolicy` | `imagePullPolicy` for etcd | `Always` |
-| `apiserver.storage.etcd.persistence.enabled` | Enable persistence using PVC | `false` |
-| `apiserver.storage.etcd.persistence.storageClass` | PVC Storage Class | `nil` (uses alpha storage class annotation) |
-| `apiserver.storage.etcd.persistence.accessMode` | PVC Access Mode | `ReadWriteOnce` |
-| `apiserver.storage.etcd.persistence.size` | PVC Storage Request | `4Gi` |
-| `apiserver.storage.etcd.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 100m, memory: 30Mi}, limits: {cpu: 100m, memory: 40Mi}}` |
-| `apiserver.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
-| `apiserver.auth.enabled` | Enable authentication and authorization | `true` |
-| `apiserver.audit.activated` | If true, enables the use of audit features via this chart. | `false` |
-| `apiserver.audit.logPath` | If specified, audit log goes to specified path. | `"/tmp/service-catalog-apiserver-audit.log"` |
-| `apiserver.healthcheck.enabled` | Enable readiness and liveliness probes | `true` |
-| `apiserver.serviceAccount` | Service account. | `service-catalog-apiserver` |
-| `apiserver.serveOpenAPISpec` | If true, makes the API server serve the OpenAPI schema | `false` |
-| `apiserver.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 100m, memory: 20Mi}, limits: {cpu: 100m, memory: 30Mi}}` |
+| `webhook.updateStrategy` | `updateStrategy` for the service catalog webhook deployment | `RollingUpdate` |
+| `webhook.minReadySeconds` | how many seconds an webhook server pod needs to be ready before killing the next, during update | `1` |
+| `webhook.annotations` | Annotations for webhook pods | `{}` |
+| `webhook.nodeSelector` | A nodeSelector value to apply to the webhook pods. If not specified, no nodeSelector will be applied | |
+| `webhook.service.type` | Type of service; valid values are `LoadBalancer` , `NodePort` and `ClusterIP` | `NodePort` |
+| `webhook.service.nodePort.securePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The TLS-enabled endpoint will be exposed here | `30443` |
+| `webhook.service.clusterIP` | If service type is ClusterIP, specify clusterIP as `None` for `headless services` OR specify your own specific IP OR leave blank to let Kubernetes assign a cluster IP |  |
+| `webhook.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
+| `webhook.healthcheck.enabled` | Enable readiness and liveliness probes | `true` |
+| `webhook.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 100m, memory: 20Mi}, limits: {cpu: 100m, memory: 30Mi}}` |
 | `controllerManager.replicas` | `replicas` for the service catalog controllerManager pod count | `1` |
 | `controllerManager.updateStrategy` | `updateStrategy` for the service catalog controllerManager deployments | `RollingUpdate` |
 | `controllerManager.minReadySeconds` | how many seconds a controllerManager pod needs to be ready before killing the next, during update | `1` |
@@ -86,13 +66,8 @@ chart and their default values.
 | `controllerManager.profiling.contentionProfiling` | Enables lock contention profiling, if profiling is enabled | `false` |
 | `controllerManager.leaderElection.activated` | Whether the controller has leader election enabled | `false` |
 | `controllerManager.serviceAccount` | Service account | `service-catalog-controller-manager` |
-| `controllerManager.apiserverSkipVerify` | Controls whether the API server's TLS verification should be skipped | `true` |
 | `controllerManager.enablePrometheusScrape` | Whether the controller will expose metrics on /metrics | `false` |
-| `controllerManager.service.type` | Type of service; valid values are `LoadBalancer` , `NodePort` and `ClusterIP` | `ClusterIP` |
-| `controllerManager.service.nodePort.securePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The TLS-enabled endpoint will be exposed here | `30444` |
-| `controllerManager.service.clusterIP` | If service type is ClusterIP, specify clusterIP as `None` for `headless services` OR specify your own specific IP OR leave blank to let Kubernetes assign a cluster IP |  |
 | `controllerManager.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 100m, memory: 20Mi}, limits: {cpu: 100m, memory: 30Mi}}` |
-| `useAggregator` | whether or not to set up the controller-manager to go through the main Kubernetes API server's API aggregator | `true` |
 | `rbacEnable` | If true, create & use RBAC resources | `true` |
 | `originatingIdentityEnabled` | Whether the OriginatingIdentity feature should be enabled | `true` |
 | `asyncBindingOperationsEnabled` | Whether or not alpha support for async binding operations is enabled | `false` |

diff --git a/charts/catalog/templates/apiregistration.yaml b/charts/catalog/templates/apiregistration.yaml
diff --git a/charts/catalog/templates/apiserver-deployment.yaml b/charts/catalog/templates/apiserver-deployment.yaml
diff --git a/charts/catalog/templates/apiserver-service.yaml b/charts/catalog/templates/apiserver-service.yaml
diff --git a/charts/catalog/templates/controller-manager-deployment.yaml b/charts/catalog/templates/controller-manager-deployment.yaml
@@ -11,7 +11,7 @@ spec:
   replicas: {{ .Values.controllerManager.replicas }}
   strategy:
     type: {{ .Values.controllerManager.updateStrategy }}
-  minReadySeconds: {{ .Values.apiserver.minReadySeconds }}
+  minReadySeconds: {{ .Values.controllerManager.minReadySeconds }}
   selector:
     matchLabels:
       app: {{ template "fullname" . }}-controller-manager
@@ -61,13 +61,6 @@ spec:
         {{ if .Values.controllerManager.profiling.contentionProfiling -}}
         - "--contention-profiling=true"
         {{- end}}
-        {{- if not .Values.useAggregator }}
-        - --service-catalog-api-server-url
-        - https://{{ template "fullname" . }}-apiserver
-        {{- end }}
-        {{ if and (.Values.controllerManager.apiserverSkipVerify) (not .Values.useAggregator) -}}
-        - "--service-catalog-insecure-skip-verify=true"
-        {{- end }}
         - -v
         - "{{ .Values.controllerManager.verbosity }}"
         - --resync-interval
@@ -98,10 +91,6 @@ spec:
         {{- end }}
         ports:
         - containerPort: 8444
-        volumeMounts:
-        - name: service-catalog-cert
-          mountPath: /var/run/kubernetes-service-catalog
-          readOnly: true
         {{- if .Values.controllerManager.healthcheck.enabled }}
         readinessProbe:
           httpGet:
@@ -128,16 +117,3 @@ spec:
       nodeSelector:
          {{ .Values.controllerManager.nodeSelector }}
       {{ end }}
-      volumes:
-      - name: service-catalog-cert
-        secret:
-          secretName: {{ template "fullname" . }}-apiserver-cert
-          items:
-          - key: tls.crt
-            path: apiserver.crt
-          - key: tls.key
-            path: apiserver.key
-          {{- if .Values.apiserver.tls.requestHeaderCA }}
-          - key: requestheader-ca.crt
-            path: requestheader-ca.crt
-          {{- end }}