refactor admission controller chart (#12)

* refactor resource-templates
fix invalid cluter-rolebinding
fix rolebinding

Signed-off-by: David J. M. Karlsen <[email protected]>

* add labels

Signed-off-by: David J. M. Karlsen <[email protected]>

* refactor labels into a helper function

Signed-off-by: David J. M. Karlsen <[email protected]>

* fix labels and selector

Signed-off-by: David J. M. Karlsen <[email protected]>

* bump chart-version

Signed-off-by: David J. M. Karlsen <[email protected]>

* bump version

Signed-off-by: David J. M. Karlsen <[email protected]>

* fix indenting

Signed-off-by: David J. M. Karlsen <[email protected]>

* handle secrets

Signed-off-by: David J. M. Karlsen <[email protected]>

* base64 encode

Signed-off-by: David J. M. Karlsen <[email protected]>

stable/anchore-admission-controller/Chart.yaml

@@ -2,7 +2,7 @@ name: anchore-admission-controller
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 apiVersion: v1
 appVersion: 0.2.2
-version: 0.2.6
+version: 0.2.7
 home: https://github.com/anchore/kubernetes-admission-controller
 maintainers:
   - name: zhill

stable/anchore-admission-controller/ci/fake-values.yaml

@@ -0,0 +1,6 @@
+credentials:
+  users:
+  - username: user1
+    password: password1
+  - username: user2
+    password: password2

stable/anchore-admission-controller/templates/_helpers.tpl

@@ -14,3 +14,23 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "anchore-admission-controller.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "anchore-admission-controller.labels" -}}
+app.kubernetes.io/name: {{ include "anchore-admission-controller.name" . }}
+helm.sh/chart: {{ include "anchore-admission-controller.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}

stable/anchore-admission-controller/templates/clusterrole.yaml

@@ -0,0 +1,16 @@
+# to let the admission server read the namespace reservations
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+  name: {{ template "anchore-admission-controller.fullname" . }}
+rules:
+- apiGroups:
+  - {{ .Values.apiService.group }}
+  resources:
+  - {{ template "anchore-admission-controller.fullname" . }}
+  verbs:
+  - get
+  - list
+  - watch
+  - create

stable/anchore-admission-controller/templates/clusterrolebinding.yaml

@@ -0,0 +1,43 @@
+# Allow delegate authentication and authorization to the service account
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: auth-delegator-{{ template "anchore-admission-controller.fullname" . }}-default
+  labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "anchore-admission-controller.fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: auth-delegator-{{ template "anchore-admission-controller.fullname" . }}-admin
+  labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "anchore-admission-controller.fullname" . }}
+---
+# to let the admission server read the namespace reservations
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "anchore-admission-controller.fullname" . }}-default
+  labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: {{ template "anchore-admission-controller.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace }}
+  name: {{ template "anchore-admission-controller.fullname" . }}

stable/anchore-admission-controller/templates/configmap.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-controller-config
+  labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+data:
+  config.json: |-
+    {
+      "validator": {
+        "requestanalysis": {{ .Values.requestAnalysis }}
+      },
+      "AnchoreEndpoint": "{{ .Values.anchoreEndpoint }}",
+      "PolicySelectors": {{ toJson .Values.policySelectors }}
+    }

stable/anchore-admission-controller/templates/deployment.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "anchore-admission-controller.fullname" . }}
+  labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "anchore-admission-controller.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels: {{- include "anchore-admission-controller.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ template "anchore-admission-controller.fullname" . }}
+      volumes:
+      - name: serving-cert
+        secret:
+          defaultMode: 420
+          secretName: {{ template "anchore-admission-controller.name" . }}-certs
+      - name: controller-config
+        configMap:
+          name: {{.Release.Name}}-controller-config
+      - name: anchore-auth
+        secret:
+          secretName: {{ if .Values.existingCredentialsSecret }}{{ .Values.existingCredentialsSecret }}{{ else }}{{ template "anchore-admission-controller.fullname" . }}{{ end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ .Values.image }}"
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
+        command:
+        - "/anchore-kubernetes-admission-controller"
+        - "--audit-log-path=-"
+        - "--tls-cert-file=/var/serving-cert/tls.crt"
+        - "--tls-private-key-file=/var/serving-cert/tls.key"
+        - "--v={{ .Values.logVerbosity }}"
+        - "--secure-port={{ .Values.service.internalPort }}"
+        ports:
+        - containerPort: {{ .Values.service.internalPort }}
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: {{ .Values.service.internalPort }}
+            scheme: HTTPS
+        volumeMounts:
+        - mountPath: /var/serving-cert
+          name: serving-cert
+          readOnly: true
+        - mountPath: /config
+          name: controller-config
+        - mountPath: /credentials
+          name: anchore-auth
+        env:
+        - name: CONFIG_FILE_PATH
+          value: /config/config.json
+        - name: CREDENTIALS_FILE_PATH
+          value: /credentials/credentials.json
+        resources: {{- toYaml .Values.resources | nindent 12 }}
+    {{- if .Values.nodeSelector }}
+    nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+    {{- end }}
+    {{- if .Values.tolerations }}
+    tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
+    {{- end }}
+    {{- if .Values.affinity }}
+    affinity: {{- toYaml .Values.affinity | nindent 8 }}
+    {{- end }}

stable/anchore-admission-controller/templates/init-ca/rbac.yaml

@@ -65,4 +65,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   namespace: {{ .Release.Namespace }}
-  name: {{ template "anchore-admission-controller.fullname" . }}-init-ca
+  name: {{ template "anchore-admission-controller.fullname" . }}-init-ca