[stable/field-exporter] add validating webhook configuration

Author: arjunrn

stable/field-exporter/Chart.yaml

@@ -4,8 +4,8 @@ description: |
   A chart to install [field-exporter](https://github.com/deliveryhero/field-exporter). This controller is used to fill the gap in [k8s-config-connector](https://github.com/GoogleCloudPlatform/k8s-config-connector) for exporting value from Config Connector managed resources into Secrets and ConfigMaps.
 
 type: application
-version: 1.1.0
-appVersion: "v1.1.0"
+version: 1.3.0
+appVersion: "v1.3.0"
 home: https://github.com/deliveryhero/field-exporter
 sources:
   - https://github.com/deliveryhero/field-exporter

stable/field-exporter/README.md

@@ -1,6 +1,6 @@
 # field-exporter
 
-![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square)
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.3.0](https://img.shields.io/badge/AppVersion-v1.3.0-informational?style=flat-square)
 
 A chart to install [field-exporter](https://github.com/deliveryhero/field-exporter). This controller is used to fill the gap in [k8s-config-connector](https://github.com/GoogleCloudPlatform/k8s-config-connector) for exporting value from Config Connector managed resources into Secrets and ConfigMaps.
 
@@ -46,18 +46,15 @@ helm install my-release deliveryhero/field-exporter -f values.yaml
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| controllerManager.manager.args[0] | string | `"--health-probe-bind-address=:8081"` |  |
-| controllerManager.manager.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` |  |
-| controllerManager.manager.args[2] | string | `"--leader-elect"` |  |
+| controllerManager.manager.args[0] | string | `"--leader-elect"` |  |
 | controllerManager.manager.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
 | controllerManager.manager.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` |  |
 | controllerManager.manager.image.repository | string | `"europe-docker.pkg.dev/dp-common-infra-5780/developer-platform-public/deliveryhero/field-exporter"` |  |
-| controllerManager.manager.image.tag | string | `"v1.1.0"` |  |
+| controllerManager.manager.image.tag | string | `"v1.3.0"` |  |
 | controllerManager.manager.resources.limits.cpu | string | `"500m"` |  |
 | controllerManager.manager.resources.limits.memory | string | `"128Mi"` |  |
 | controllerManager.manager.resources.requests.cpu | string | `"10m"` |  |
 | controllerManager.manager.resources.requests.memory | string | `"128Mi"` |  |
-| controllerManager.podLabels | object | `{}` |  |
 | controllerManager.replicas | int | `1` |  |
 | controllerManager.serviceAccount.annotations | object | `{}` |  |
 | kubernetesClusterDomain | string | `"cluster.local"` |  |
@@ -66,6 +63,10 @@ helm install my-release deliveryhero/field-exporter -f values.yaml
 | metricsService.ports[0].protocol | string | `"TCP"` |  |
 | metricsService.ports[0].targetPort | string | `"https"` |  |
 | metricsService.type | string | `"ClusterIP"` |  |
+| webhookService.ports[0].port | int | `443` |  |
+| webhookService.ports[0].protocol | string | `"TCP"` |  |
+| webhookService.ports[0].targetPort | int | `9443` |  |
+| webhookService.type | string | `"ClusterIP"` |  |
 
 ## Maintainers
 

stable/field-exporter/templates/_helpers.tpl

@@ -60,3 +60,42 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the webhook service
+*/}}
+{{- define "field-exporter.webhookService" -}}
+{{- printf "%s-webhook-service" (include "field-exporter.name" .) -}}
+{{- end -}}
+
+{{/*
+Create the name of the webhook cert secret
+*/}}
+{{- define "field-exporter.webhookCertSecret" -}}
+{{- printf "%s-tls" (include "field-exporter.name" .) -}}
+{{- end -}}
+
+{{/*
+Generate certificates for webhook
+*/}}
+{{- define "field-exporter.webhookCerts" -}}
+{{- $serviceName := (include "field-exporter.webhookService" .) -}}
+{{- $secretName := (include "field-exporter.webhookCertSecret" .) -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- if (and .Values.webhookTLS.caCert .Values.webhookTLS.cert .Values.webhookTLS.key) -}}
+caCert: {{ .Values.webhookTLS.caCert | b64enc }}
+clientCert: {{ .Values.webhookTLS.cert | b64enc }}
+clientKey: {{ .Values.webhookTLS.key | b64enc }}
+{{- else if and .Values.keepTLSSecret $secret -}}
+caCert: {{ index $secret.data "ca.crt" }}
+clientCert: {{ index $secret.data "tls.crt" }}
+clientKey: {{ index $secret.data "tls.key" }}
+{{- else -}}
+{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}}
+{{- $ca := genCA "field-exporter-ca" 3650 -}}
+{{- $cert := genSignedCert (include "field-exporter.fullname" .) nil $altNames 3650 $ca -}}
+caCert: {{ $ca.Cert | b64enc }}
+clientCert: {{ $cert.Cert | b64enc }}
+clientKey: {{ $cert.Key | b64enc }}
+{{- end -}}
+{{- end -}}

stable/field-exporter/templates/deployment.yaml

@@ -15,9 +15,6 @@ spec:
       labels:
         control-plane: controller-manager
       {{- include "field-exporter.selectorLabels" . | nindent 8 }}
-      {{- if .Values.controllerManager.podLabels }}
-{{ toYaml .Values.controllerManager.podLabels | indent 8 }}
-      {{- end }}
       annotations:
         kubectl.kubernetes.io/default-container: manager
     spec:
@@ -28,14 +25,21 @@ spec:
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
-        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
+        - name: ENABLE_WEBHOOKS
+          value: "true"
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag
+          | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
             path: /healthz
             port: 8081
           initialDelaySeconds: 15
           periodSeconds: 20
         name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
         readinessProbe:
           httpGet:
             path: /readyz
@@ -46,7 +50,16 @@ spec:
           }}
         securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
           | nindent 10 }}
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
       securityContext:
         runAsNonRoot: true
       serviceAccountName: {{ include "field-exporter.fullname" . }}-controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert

stable/field-exporter/templates/leader-election-rbac.yaml

@@ -53,4 +53,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "field-exporter.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'

stable/field-exporter/templates/manager-rbac.yaml

@@ -6,23 +6,23 @@ metadata:
   {{- include "field-exporter.labels" . | nindent 4 }}
 rules:
 - apiGroups:
-  - ""
+  - alloydb.cnrm.cloud.google.com
   resources:
-  - configmaps
-  - secrets
+  - '*'
   verbs:
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
-  - alloydb.cnrm.cloud.google.com
+  - ""
   resources:
-  - '*'
+  - configmaps
+  - secrets
   verbs:
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
   - gdp.deliveryhero.io
@@ -99,4 +99,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: '{{ include "field-exporter.fullname" . }}-controller-manager'
-  namespace: '{{ .Release.Namespace }}'
+  namespace: '{{ .Release.Namespace }}'

stable/field-exporter/templates/metrics-reader-rbac.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-metrics-reader
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

stable/field-exporter/templates/metrics-service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-controller-manager-metrics-service
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+    control-plane: controller-manager
+  {{- include "field-exporter.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.metricsService.type }}
+  selector:
+    control-plane: controller-manager
+  {{- include "field-exporter.selectorLabels" . | nindent 4 }}
+  ports:
+	{{- .Values.metricsService.ports | toYaml | nindent 2 -}}

stable/field-exporter/templates/proxy-rbac.yaml

@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-proxy-role
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "field-exporter.fullname" . }}-proxy-rolebinding
+  labels:
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: field-exporter
+    app.kubernetes.io/part-of: field-exporter
+  {{- include "field-exporter.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ include "field-exporter.fullname" . }}-proxy-role'
+subjects:
+- kind: ServiceAccount
+  name: '{{ include "field-exporter.fullname" . }}-controller-manager'
+  namespace: '{{ .Release.Namespace }}'