Merge pull request #6341 from zalando-incubator/validation-webhook-fo…

…r-ingress

Validation webhook for ingress

cluster/manifests/01-admission-control/routegroups-webhook.yaml

@@ -1,11 +1,12 @@
-{{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: "routegroup-admitter.teapot.zalan.do"
+  name: "skipper-admitter.teapot.zalan.do"
   labels:
-    application: routegroups-admission-webhook
+    application: skipper-ingress
+    component: webhook
 webhooks:
+{{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }}
   - name: "routegroup-admitter.teapot.zalan.do"
     rules:
       - operations: ["CREATE", "UPDATE"]
@@ -19,3 +20,15 @@ webhooks:
     sideEffects: None
     timeoutSeconds: 5
 {{ end }}
+  - name: "ingress-admitter.teapot.zalan.do"
+    rules:
+      - operations: ["CREATE", "UPDATE"]
+        apiGroups: ["networking.k8s.io"]
+        apiVersions: ["v1"]
+        resources: ["ingresses"]
+    clientConfig:
+      url: "https://localhost:9085/ingresses"
+      caBundle: "{{ .ConfigItems.ca_cert_decompressed }}"
+    admissionReviewVersions: ["v1"]
+    sideEffects: None
+    timeoutSeconds: 5 

cluster/manifests/deletions.yaml

@@ -1,15 +1,14 @@
 # everything defined under here will be deleted before applying the manifests
 pre_apply:
-{{ if ne .Cluster.ConfigItems.routegroups_validation "enabled" }}
-- name: "routegroup-admitter.teapot.zalan.do"
-  kind: ValidatingWebhookConfiguration
-{{ end }}
 - name: cronjob-monitor
   namespace: kube-system
   kind: Deployment
 
 # everything defined under here will be deleted after applying the manifests
 post_apply:
+# TODO: remove later
+- name: "routegroup-admitter.teapot.zalan.do"
+  kind: ValidatingWebhookConfiguration
 - name: cronjob-monitor
   namespace: kube-system
   kind: VerticalPodAutoscaler

cluster/manifests/prometheus/configmap.yaml

@@ -139,8 +139,8 @@ data:
       job_name: "auth-webhook"
       metrics_path: "/auth-webhook"
     - <<: *apiserver_container_metric
-      job_name: "routegroups-admission-webhook"
-      metrics_path: "/routegroups-admission-webhook"
+      job_name: "skipper-admission-webhook"
+      metrics_path: "/skipper-admission-webhook"
     - <<: *apiserver_container_metric
       job_name: "aws-encryption-provider"
       metrics_path: "/aws-encryption-provider"

cluster/node-pools/master-default/userdata.yaml

@@ -242,9 +242,8 @@ write_files:
             - mountPath: /etc/kubernetes/admission-controller-kubeconfig
               name: admission-controller-kubeconfig
               readOnly: true
-{{- if or (eq .Cluster.ConfigItems.routegroups_validation "provisioned") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }}
-        - name: routegroups-admission-webhook
-          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.16.167
+        - name: skipper-admission-webhook
+          image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.17.1
           args:
             - webhook
             - --address=:9085
@@ -271,7 +270,6 @@ write_files:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
-{{- end}}
         - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-127
           name: webhook
           ports:
@@ -492,7 +490,7 @@ write_files:
               -> disableAccessLog()
               -> setPath("/metrics")
               -> "http://127.0.0.1:8081";
-            routegroups_admission_webhook: Path("/routegroups-admission-webhook")
+            skipper_admission_webhook: Path("/skipper-admission-webhook")
               -> disableAccessLog()
               -> setPath("/metrics")
               -> "https://127.0.0.1:9085";