feat(k8s-ycl)!: Archive

2025-07-04 08:57:04 +02:00 · 2025-02-07 20:05:37 +01:00 · 2025-02-07 20:05:37 +01:00 · 1cbcf20cfe
commit 1cbcf20cfe
parent 8b33237e27
10 changed files with 0 additions and 0 deletions
--- a/.archive/k8s-ycl/templates/_hardcodedValues.tpl
+++ b/.archive/k8s-ycl/templates/_hardcodedValues.tpl
@ -0,0 +1,2 @@
+{{- define "k8s-ycl.hardcodedValues" -}}
+{{- end -}}
--- a/.archive/k8s-ycl/templates/_helpers.tpl
+++ b/.archive/k8s-ycl/templates/_helpers.tpl
@ -0,0 +1,44 @@
+{{- define "k8s-ycl.init" -}}
+  {{/* Make sure all variables are set properly */}}
+  {{- include "bjw-s.common.loader.init" . }}
+
+  {{- $_ := include "k8s-ycl.hardcodedValues" . | fromYaml | merge .Values -}}
+{{- end -}}
+
+{{- define "k8s-ycl.webhookPort" -}}
+9443
+{{- end -}}
+
+{{- define "k8s-ycl.webhookPath" -}}
+/mutate--v1-pod
+{{- end -}}
+
+{{- define "k8s-ycl.ignoredNamespaces" -}}
+  {{- $ownNamespace := $.Release.Namespace -}}
+  {{- $ignoredNamespaces := list -}}
+  {{- if $.Values.webhook.ignoreOwnNamespace -}}
+    {{- $ignoredNamespaces = append $ignoredNamespaces $ownNamespace -}}
+  {{- end -}}
+  {{- with $.Values.webhook.ignoredNamespaces -}}
+    {{- range . -}}
+      {{- $ignoredNamespaces = append $ignoredNamespaces . -}}
+    {{- end -}}
+  {{- end -}}
+  {{- $ignoredNamespaces | uniq | toYaml -}}
+{{- end -}}
+
+{{- define "k8s-ycl.selfSignedIssuer" -}}
+{{ printf "%s-webhook-selfsign" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
+
+{{- define "k8s-ycl.rootCAIssuer" -}}
+{{ printf "%s-webhook-ca" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
+
+{{- define "k8s-ycl.rootCACertificate" -}}
+{{ printf "%s-webhook-ca" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
+
+{{- define "k8s-ycl.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "bjw-s.common.lib.chart.names.fullname" .) }}
+{{- end -}}
--- a/.archive/k8s-ycl/templates/admissionregistration.yaml
+++ b/.archive/k8s-ycl/templates/admissionregistration.yaml
@ -0,0 +1,39 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "k8s-ycl.init" . -}}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "bjw-s.common.lib.chart.names.fullname" . | quote }}
+  {{- with (include "bjw-s.common.lib.metadata.allLabels" $ | fromYaml) }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  annotations:
+    cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "k8s-ycl.servingCertificate" . }}"
+webhooks:
+  - name: "{{ include "bjw-s.common.lib.chart.names.fullname" . }}.svc.cluster.local"
+    namespaceSelector:
+      matchExpressions:
+      - key: kubernetes.io/metadata.name
+        operator: NotIn
+        values: {{ include "k8s-ycl.ignoredNamespaces" . | nindent  10 }}
+    clientConfig:
+      service:
+        namespace: {{ .Release.Namespace | quote }}
+        name: {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook
+        path: {{ include "k8s-ycl.webhookPath" . }}
+        port: {{ include "k8s-ycl.webhookPort" . }}
+    failurePolicy: Fail
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    timeoutSeconds: 5
+    rules:
+      - apiGroups:
+        - ""
+        apiVersions:
+        - v1
+        operations:
+        - CREATE
+        - UPDATE
+        resources:
+        - pods
--- a/.archive/k8s-ycl/templates/common.yaml
+++ b/.archive/k8s-ycl/templates/common.yaml
@ -0,0 +1,6 @@
+---
+{{/* Make sure all variables are set properly */}}
+{{- include "k8s-ycl.init" . }}
+
+{{/* Render the templates */}}
+{{- include "bjw-s.common.loader.all" . }}
--- a/.archive/k8s-ycl/templates/pki.yaml
+++ b/.archive/k8s-ycl/templates/pki.yaml
@ -0,0 +1,62 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "k8s-ycl.init" . -}}
+---
+# Create a selfsigned Issuer, in order to create a root CA certificate for
+# signing webhook serving certificates
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "k8s-ycl.selfSignedIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the webhook
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "k8s-ycl.rootCACertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+  secretName: {{ include "k8s-ycl.rootCACertificate" . }}
+  duration: 43800h # 5y
+  issuerRef:
+    name: {{ include "k8s-ycl.selfSignedIssuer" . }}
+    kind: Issuer
+  commonName: "ca.k8s-ycl.cert-manager"
+  isCA: true
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "k8s-ycl.rootCAIssuer" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: {{ include "k8s-ycl.rootCACertificate" . }}
+---
+# Finally, generate a serving certificate for the webhook to use
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "k8s-ycl.servingCertificate" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }}
+spec:
+  secretName: {{ include "k8s-ycl.servingCertificate" . }}
+  duration: 8760h # 1y
+  issuerRef:
+    name: {{ include "k8s-ycl.rootCAIssuer" . }}
+    kind: Issuer
+  dnsNames:
+  - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook
+  - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook.{{ .Release.Namespace }}
+  - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook.{{ .Release.Namespace }}.svc