To enable the REDB admission controller you have to deploy several Kubernetes resources.
You can either install them via the provided YAML bundle, or individually.
- Install via the bundle after editing it to use the correct namespace.
NOTE: replace REPLACE_WITH_NAMESPACE in the following command with the proper namespace
sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' admission.bundle.yaml | kubectl create -f -
If this is the first time you are deploying the admission controller, you also have to approve the CSR and set up the webhook to enable resource validation. If these are already set up and you are only updating the admission controller, skip the next two steps (steps 2 and 3: waiting for the secret and patching the webhook), as they are already configured correctly.
- Wait for the secret to be created:
kubectl get secret admission-tls
NAME            TYPE     DATA   AGE
admission-tls   Opaque   2      2m43s
- Modify the webhook to use the generated certificate:
# save cert
CERT=$(kubectl get secret admission-tls -o jsonpath='{.data.cert}')
# create patch file (entries under "webhooks" are merged by name, so only redb.admission.redislabs is touched)
cat > modified-webhook.yaml <<EOF
webhooks:
- name: redb.admission.redislabs
  clientConfig:
    caBundle: $CERT
  admissionReviewVersions: ["v1beta1"]
EOF
# patch webhook with caBundle
kubectl patch ValidatingWebhookConfiguration redb-admission --patch "$(cat modified-webhook.yaml)"
To install the resources individually, apply each of the following:
- ClusterRole that allows creation and watching of CertificateSigningRequest resources
kubectl apply -f cluster_role.yaml
- namespaced Role that allows creation and reading of Secrets
kubectl apply -f role.yaml
- ServiceAccount for admission controller to run as
kubectl apply -f service_account.yaml
- Binding ClusterRole and namespaced Role to the service account
NOTE: change the namespace for the ClusterRoleBinding to the namespace you are loading these resources into (replace REPLACE_WITH_NAMESPACE in the following command)
sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' cluster_role_binding.yaml | kubectl apply -f -
kubectl apply -f role_binding.yaml
- Kubernetes Service that is used to access the Admission Control HTTP Server
kubectl apply -f service.yaml
- TLS Key generator and Signing Requester + Admission Controller HTTP Server
kubectl apply -f deployment.yaml
Note: as with the bundle installation, the first time you deploy the admission controller you have to approve the CertificateSigningRequest and deploy the admission webhook resource.
- Approve the CSR:
kubectl certificate approve admission-tls
or on OpenShift:
oc adm certificate approve admission-tls
- Deploy the webhook and modify it to use the generated certificate:
# replace REPLACE_WITH_NAMESPACE with the correct namespace
sed 's/NAMESPACE_OF_SERVICE_ACCOUNT/REPLACE_WITH_NAMESPACE/g' webhook.yaml | kubectl apply -f -
# save cert (the signed certificate is taken from the approved CSR)
CERT=$(kubectl get csr admission-tls -o jsonpath='{.status.certificate}')
# create patch file (entries under "webhooks" are merged by name, so only redb.admission.redislabs is touched)
cat > modified-webhook.yaml <<EOF
webhooks:
- name: redb.admission.redislabs
  clientConfig:
    caBundle: $CERT
  admissionReviewVersions: ["v1beta1"]
EOF
# patch webhook with caBundle
kubectl patch ValidatingWebhookConfiguration redb-admission --patch "$(cat modified-webhook.yaml)"
To verify that all the components of the webhook are installed correctly, try to apply an invalid resource that the admission controller should reject. If it applies successfully, the admission controller has not been hooked up correctly.
$ kubectl apply -f - << EOF
apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseDatabase
metadata:
  name: test-database-custom-resource
EOF
This must fail with an error from the admission webhook redb.admission.redislabs, which denies the request because it cannot get the login credentials for the Redis Enterprise Cluster, as none were specified:
Error from server: error when creating "STDIN": admission webhook "redb.admission.redislabs" denied the request: createRECClient: GetLoginInfo: resource name may not be empty
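The following script is an added example and is not part of the operator's documentation or bundle. It ties together the approve-CSR, patch-webhook and negative-test steps above and checks each one: it waits for the signed certificate to appear on the CSR, builds the caBundle patch from it, confirms the API server actually holds that caBundle afterwards, and then applies the invalid REDB and checks that the failure really comes from the webhook rather than from some unrelated error. It assumes the names used on this page (CSR admission-tls, ValidatingWebhookConfiguration redb-admission, webhook redb.admission.redislabs); the RUN_AGAINST_CLUSTER switch is the script's own, and when it is unset only the helper functions are defined, so no cluster or kubectl is needed to load it.

```shell
#!/bin/sh
# Added example (not the operator's own code): approve the CSR, install the CA bundle
# into the webhook, verify it landed, then run the page's negative test.
# Assumed names (from the page): CSR "admission-tls", ValidatingWebhookConfiguration
# "redb-admission", webhook "redb.admission.redislabs".
# RUN_AGAINST_CLUSTER=1 is this script's own switch; without it nothing touches a cluster.
set -eu

CSR_NAME=admission-tls
WEBHOOK_CFG=redb-admission
WEBHOOK_NAME=redb.admission.redislabs

# Render the strategic-merge patch that installs the CA bundle. Entries under
# "webhooks" are merged by "name", so only our webhook is touched.
make_webhook_patch() {
  printf 'webhooks:\n- name: %s\n  clientConfig:\n    caBundle: %s\n  admissionReviewVersions: ["v1beta1"]\n' \
    "$WEBHOOK_NAME" "$1"
}

# Succeed only if the output of a failed "kubectl apply" shows the request was
# denied by our webhook, not rejected for some unrelated reason.
is_denied_by_webhook() {
  case "$1" in
    *"admission webhook \"$WEBHOOK_NAME\" denied the request"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only if a non-empty certificate (base64, as jsonpath prints it) equals
# the caBundle the API server currently holds for the webhook. If they differ,
# the API server cannot verify the webhook's TLS certificate and admission calls
# to it fail.
cabundle_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Poll until the approved CSR carries its signed certificate (about 60 s max).
wait_for_cert() {
  i=0
  while [ "$i" -lt 30 ]; do
    cert=$(kubectl get csr "$CSR_NAME" -o jsonpath='{.status.certificate}')
    if [ -n "$cert" ]; then
      printf '%s' "$cert"
      return 0
    fi
    sleep 2
    i=$((i + 1))
  done
  echo "timed out waiting for the certificate on CSR $CSR_NAME" >&2
  return 1
}

run_against_cluster() {
  # 1. approve the CSR created by the admission controller deployment
  kubectl certificate approve "$CSR_NAME"
  cert=$(wait_for_cert)

  # 2. install the CA bundle and confirm the API server now holds it
  make_webhook_patch "$cert" > modified-webhook.yaml
  kubectl patch ValidatingWebhookConfiguration "$WEBHOOK_CFG" --patch "$(cat modified-webhook.yaml)"
  installed=$(kubectl get ValidatingWebhookConfiguration "$WEBHOOK_CFG" \
    -o jsonpath='{.webhooks[?(@.name=="redb.admission.redislabs")].clientConfig.caBundle}')
  cabundle_matches "$cert" "$installed" || { echo "caBundle was not installed" >&2; exit 1; }

  # 3. negative test: an REDB without cluster login info must be denied
  manifest='apiVersion: app.redislabs.com/v1alpha1
kind: RedisEnterpriseDatabase
metadata:
  name: test-database-custom-resource'
  out=$(printf '%s\n' "$manifest" | kubectl apply -f - 2>&1) || true
  if is_denied_by_webhook "$out"; then
    echo "admission controller is enforcing: $out"
  else
    echo "admission controller is NOT enforcing; kubectl said: $out" >&2
    # the invalid object may have been created; remove it so it is not left behind
    kubectl delete redisenterprisedatabases.app.redislabs.com test-database-custom-resource --ignore-not-found
    exit 1
  fi
}

if [ "${RUN_AGAINST_CLUSTER:-0}" = 1 ]; then
  run_against_cluster
fi
```

Run it with `RUN_AGAINST_CLUSTER=1 sh check-admission.sh` from a context whose namespace is the one the operator watches. The caBundle comparison is the check most often skipped by hand: after a certificate is re-issued the old caBundle stays in the webhook configuration, and the API server will then refuse the webhook's TLS handshake until the patch is applied again.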