From 800901e23a258a99606581f93fc8457db0763c7f Mon Sep 17 00:00:00 2001 From: Mustafa Abdelrahman Date: Mon, 7 Aug 2023 11:14:02 +0200 Subject: [PATCH 1/6] Validate `Ingress` annotations Signed-off-by: Mustafa Abdelrahman --- .../01-admission-control/routegroups-webhook.yaml | 12 ++++++++++++ cluster/node-pools/master-default/userdata.yaml | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/cluster/manifests/01-admission-control/routegroups-webhook.yaml b/cluster/manifests/01-admission-control/routegroups-webhook.yaml index 14c6aad93e..cc94f1a883 100644 --- a/cluster/manifests/01-admission-control/routegroups-webhook.yaml +++ b/cluster/manifests/01-admission-control/routegroups-webhook.yaml @@ -18,4 +18,16 @@ webhooks: admissionReviewVersions: ["v1"] sideEffects: None timeoutSeconds: 5 + - name: "ingress-admitter.teapot.zalan.do" + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["networking.k8s.io"] + apiVersions: ["v1"] + resources: ["ingresses"] + clientConfig: + url: "https://localhost:9085/ingresses" + caBundle: "{{ .ConfigItems.ca_cert_decompressed }}" + admissionReviewVersions: ["v1"] + sideEffects: None + timeoutSeconds: 5 {{ end }} diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml index 63060c5b81..7c1bae0e74 100644 --- a/cluster/node-pools/master-default/userdata.yaml +++ b/cluster/node-pools/master-default/userdata.yaml @@ -243,7 +243,7 @@ write_files: readOnly: true {{- if or (eq .Cluster.ConfigItems.routegroups_validation "provisioned") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }} - name: routegroups-admission-webhook - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.16.167 + image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/skipper-test:pr-2493-1 args: - webhook - --address=:9085 From 192701f3b363dbfe75abad1e004f13fd737883e7 Mon Sep 17 00:00:00 2001 
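Review bot: The new `ingress-admitter.teapot.zalan.do` entry sets no `failurePolicy`, `namespaceSelector` or `objectSelector`, so the admissionregistration v1 default of `failurePolicy: Fail` applies: with the endpoint fixed at `https://localhost:9085/ingresses` and `timeoutSeconds: 5`, a master whose webhook container is down or slow rejects every Ingress CREATE and UPDATE in every namespace, whereas `Ignore` would let unvalidated annotations through for the duration of an outage. Either trade-off can be the right one for this cluster, but it should be written down rather than inherited from the default: add `failurePolicy: Fail` (or `Ignore`) under the entry with a one-line comment naming the trade-off. Whether the existing routegroup entry sets a `failurePolicy` is outside the hunk, so I cannot tell if the two entries currently agree.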
From: Mustafa Abdelrahman Date: Tue, 8 Aug 2023 14:41:03 +0200 Subject: [PATCH 2/6] Rename validation webhook and narrow the condition Signed-off-by: Mustafa Abdelrahman --- .../01-admission-control/routegroups-webhook.yaml | 8 ++++---- cluster/manifests/deletions.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cluster/manifests/01-admission-control/routegroups-webhook.yaml b/cluster/manifests/01-admission-control/routegroups-webhook.yaml index cc94f1a883..28251e0444 100644 --- a/cluster/manifests/01-admission-control/routegroups-webhook.yaml +++ b/cluster/manifests/01-admission-control/routegroups-webhook.yaml @@ -1,11 +1,11 @@ -{{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }} apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: - name: "routegroup-admitter.teapot.zalan.do" + name: "skipper-admitter.teapot.zalan.do" labels: - application: routegroups-admission-webhook + application: skipper-admission-webhook webhooks: +{{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }} - name: "routegroup-admitter.teapot.zalan.do" rules: - operations: ["CREATE", "UPDATE"] @@ -18,6 +18,7 @@ webhooks: admissionReviewVersions: ["v1"] sideEffects: None timeoutSeconds: 5 +{{ end }} - name: "ingress-admitter.teapot.zalan.do" rules: - operations: ["CREATE", "UPDATE"] @@ -30,4 +31,3 @@ webhooks: admissionReviewVersions: ["v1"] sideEffects: None timeoutSeconds: 5 -{{ end }} diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml index d75d4c010c..7c6fe81f20 100644 --- a/cluster/manifests/deletions.yaml +++ b/cluster/manifests/deletions.yaml @@ -1,7 +1,7 @@ # everything defined under here will be deleted before applying the manifests pre_apply: {{ if ne .Cluster.ConfigItems.routegroups_validation "enabled" }} -- name: "routegroup-admitter.teapot.zalan.do" +- name: "skipper-admitter.teapot.zalan.do" kind: ValidatingWebhookConfiguration {{ end }} - name: cronjob-monitor 
From af668457ae2bcec27380823a88bb8e1e983e82ce Mon Sep 17 00:00:00 2001 From: Mustafa Abdelrahman Date: Tue, 15 Aug 2023 12:00:01 +0200 Subject: [PATCH 3/6] Update skipper version for webhook binary Signed-off-by: Mustafa Abdelrahman --- cluster/node-pools/master-default/userdata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml index 7c1bae0e74..0f9fce5910 100644 --- a/cluster/node-pools/master-default/userdata.yaml +++ b/cluster/node-pools/master-default/userdata.yaml @@ -243,7 +243,7 @@ write_files: readOnly: true {{- if or (eq .Cluster.ConfigItems.routegroups_validation "provisioned") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }} - name: routegroups-admission-webhook - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/skipper-test:pr-2493-1 + image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.17.1 args: - webhook - --address=:9085 From ac7b3a8936675fcdb4a68dbdb456e8930c1789f6 Mon Sep 17 00:00:00 2001 From: Mustafa Abdelrahman Date: Wed, 16 Aug 2023 16:57:45 +0200 Subject: [PATCH 4/6] Use same application for skipper add initial deletion remove condition for webhook to work always with ingress at least Signed-off-by: Mustafa Abdelrahman --- .../manifests/01-admission-control/routegroups-webhook.yaml | 3 ++- cluster/manifests/deletions.yaml | 4 +++- cluster/node-pools/master-default/userdata.yaml | 6 ++---- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/cluster/manifests/01-admission-control/routegroups-webhook.yaml b/cluster/manifests/01-admission-control/routegroups-webhook.yaml index 28251e0444..78d7f04aba 100644 --- a/cluster/manifests/01-admission-control/routegroups-webhook.yaml +++ b/cluster/manifests/01-admission-control/routegroups-webhook.yaml 
@@ -3,7 +3,8 @@ kind: ValidatingWebhookConfiguration metadata: name: "skipper-admitter.teapot.zalan.do" labels: - application: skipper-admission-webhook + application: skipper-ingress + component: webhook webhooks: {{ if eq .Cluster.ConfigItems.routegroups_validation "enabled" }} - name: "routegroup-admitter.teapot.zalan.do" diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml index 7c6fe81f20..075dbaaea8 100644 --- a/cluster/manifests/deletions.yaml +++ b/cluster/manifests/deletions.yaml @@ -1,8 +1,10 @@ # everything defined under here will be deleted before applying the manifests pre_apply: -{{ if ne .Cluster.ConfigItems.routegroups_validation "enabled" }} - name: "skipper-admitter.teapot.zalan.do" kind: ValidatingWebhookConfiguration +{{ if ne .Cluster.ConfigItems.routegroups_validation "enabled" }} +- name: "routegroup-admitter.teapot.zalan.do" + kind: ValidatingWebhookConfiguration {{ end }} - name: cronjob-monitor namespace: kube-system diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml index 0f9fce5910..13f78e761e 100644 --- a/cluster/node-pools/master-default/userdata.yaml +++ b/cluster/node-pools/master-default/userdata.yaml @@ -241,8 +241,7 @@ write_files: - mountPath: /etc/kubernetes/admission-controller-kubeconfig name: admission-controller-kubeconfig readOnly: true -{{- if or (eq .Cluster.ConfigItems.routegroups_validation "provisioned") (eq .Cluster.ConfigItems.routegroups_validation "enabled") }} - - name: routegroups-admission-webhook + - name: skipper-admission-webhook image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/skipper:v0.17.1 args: - webhook @@ -270,7 +269,6 @@ write_files: - mountPath: /etc/kubernetes/ssl name: ssl-certs-kubernetes readOnly: true -{{- end}} - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-127 name: webhook ports: 
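Review bot: Dropping the `{{- if or (eq … "provisioned") (eq … "enabled") }}` guard in the `@@ -241,8 +241,7 @@` hunk of userdata.yaml (and its `{{- end}}` in the following hunk) makes the `skipper-admission-webhook` static-pod container run on every master regardless of `routegroups_validation`, so the `provisioned` value of that config item no longer has any effect in this file; only `enabled` is still consulted, by the `{{ if eq … "enabled" }}` around the routegroup entry in routegroups-webhook.yaml. If nothing else reads `provisioned`, the config item's documented values should be reduced to the two that still matter, or a comment on the container should say why it is unconditional, e.g. `# always runs: the Ingress webhook in routegroups-webhook.yaml is registered unconditionally and targets localhost:9085`. The container's remaining args and the config item's definition are outside the hunk, so I cannot confirm whether any other consumer of `provisioned` exists.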
@@ -491,7 +489,7 @@ write_files: -> disableAccessLog() -> setPath("/metrics") -> "http://127.0.0.1:8081"; - routegroups_admission_webhook: Path("/routegroups-admission-webhook") + skipper_admission_webhook: Path("/skipper-admission-webhook") -> disableAccessLog() -> setPath("/metrics") -> "https://127.0.0.1:9085"; From b2e9c67c63a9221910a9e55e70523ad0e0d6195c Mon Sep 17 00:00:00 2001 From: Mustafa Abdelrahman Date: Wed, 16 Aug 2023 17:07:44 +0200 Subject: [PATCH 5/6] fix deletion order Signed-off-by: Mustafa Abdelrahman --- cluster/manifests/deletions.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml index 075dbaaea8..b264886c0d 100644 --- a/cluster/manifests/deletions.yaml +++ b/cluster/manifests/deletions.yaml @@ -1,17 +1,14 @@ # everything defined under here will be deleted before applying the manifests pre_apply: -- name: "skipper-admitter.teapot.zalan.do" - kind: ValidatingWebhookConfiguration -{{ if ne .Cluster.ConfigItems.routegroups_validation "enabled" }} -- name: "routegroup-admitter.teapot.zalan.do" - kind: ValidatingWebhookConfiguration -{{ end }} - name: cronjob-monitor namespace: kube-system kind: Deployment # everything defined under here will be deleted after applying the manifests post_apply: +# TODO: remove later +- name: "routegroup-admitter.teapot.zalan.do" + kind: ValidatingWebhookConfiguration - name: cronjob-monitor namespace: kube-system kind: VerticalPodAutoscaler From 7993869bf3ab29751306e95225f8144815feb344 Mon Sep 17 00:00:00 2001 From: Mustafa Abdelrahman Date: Wed, 16 Aug 2023 17:10:25 +0200 Subject: [PATCH 6/6] fix metrics job naming and path Signed-off-by: Mustafa Abdelrahman --- cluster/manifests/prometheus/configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cluster/manifests/prometheus/configmap.yaml b/cluster/manifests/prometheus/configmap.yaml index d3298023ac..239ba964ca 100644 
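Review bot: The `# TODO: remove later` above the new `post_apply` entry for `routegroup-admitter.teapot.zalan.do` does not say what "later" means; since the object was renamed to `skipper-admitter.teapot.zalan.do` earlier in this series, this is a one-time cleanup of the legacy name, so make the comment actionable, e.g. `# TODO: remove once every cluster has been applied with the renamed skipper-admitter.teapot.zalan.do webhook`. One thing to confirm: with the unconditional `pre_apply` deletion of `skipper-admitter.teapot.zalan.do` gone, removing the routegroup webhook entry when `routegroups_validation` is later switched away from `enabled` relies on the apply step dropping `webhooks` list entries that are absent from the rendered manifest — if the apply path patches that list rather than replacing it, the stale entry would stay registered, which a rollout test of that transition would show. The apply tooling is not visible in this patch, so I am inferring this from the rendered manifests alone.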
--- a/cluster/manifests/prometheus/configmap.yaml +++ b/cluster/manifests/prometheus/configmap.yaml @@ -139,8 +139,8 @@ data: job_name: "auth-webhook" metrics_path: "/auth-webhook" - <<: *apiserver_container_metric - job_name: "routegroups-admission-webhook" - metrics_path: "/routegroups-admission-webhook" + job_name: "skipper-admission-webhook" + metrics_path: "/skipper-admission-webhook" - <<: *apiserver_container_metric job_name: "aws-encryption-provider" metrics_path: "/aws-encryption-provider"