Postgreslet mutating webhook (#102)

charts/postgreslet/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.0
+version: 0.15.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.16.0"
+appVersion: "v0.17.1"

charts/postgreslet/templates/certificate.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "postgreslet.fullname" . }}-webhook-tls
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames: 
+  - {{ include "postgreslet.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: {{ .Values.postgreslet.tlsClusterIssuer | quote  }}
+  secretName: {{ include "postgreslet.fullname" . }}-webhook-tls
+{{- end }}
+{{- end }}

charts/postgreslet/templates/configmap.yaml

@@ -56,6 +56,7 @@ data:
   TENANT: {{ .Values.postgreslet.tenant | quote }}
   TLS_CLUSTER_ISSUER: {{ .Values.postgreslet.tlsClusterIssuer | quote  }}
   TLS_SUB_DOMAIN: {{ .Values.postgreslet.tlsSubDomain | quote  }}
+  ENABLE_FSGROUP_CHANGE_POLICY_WEBHOOK: {{ .Values.postgreslet.enableFsGroupChangePolicyWebhook | quote  }}
 kind: ConfigMap
 metadata:
   name: {{ include "postgreslet.fullname" . }}

charts/postgreslet/templates/deployment.yaml

@@ -51,6 +51,13 @@ spec:
             - mountPath: /var/run/secrets/postgreslet
               name: controlplane-kubeconfig
               readOnly: true
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+            - mountPath: /tmp/k8s-webhook-server/serving-certs
+              name: webhook-tls
+              readOnly: true
+{{- end }}
+{{- end }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       volumes:
         - name: controlplane-kubeconfig
@@ -59,6 +66,14 @@ spec:
               - key: controlplane-kubeconfig
                 path: kube/config
             secretName: {{ include "postgreslet.fullname" . }}
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+        - name: webhook-tls
+          secret:
+            defaultMode: 420
+            secretName: {{ include "postgreslet.fullname" . }}-webhook-tls
+{{- end }}
+{{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/postgreslet/templates/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,38 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "postgreslet.fullname" . }}-webhook-tls
+  name: {{ include "postgreslet.fullname" . }}-webhook
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "postgreslet.fullname" . }}-webhook
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-v1-pod
+  failurePolicy: Ignore
+  name: webhook.postgres.fits.cloud
+  objectSelector:
+    matchLabels:
+      application: spilo
+      postgres.database.fits.cloud/partition-id: {{ .Values.postgreslet.partitionId | quote }}
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+{{- else }}
+webhooks: []
+{{- end }}
+{{- else }}
+webhooks: []
+{{- end }}

charts/postgreslet/templates/service.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -19,4 +20,25 @@ spec:
   selector:
     control-plane: controller-manager
     {{- include "postgreslet.selectorLabels" . | nindent 4 }}
-  type: ClusterIP
+  type: ClusterIP
+---
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+apiVersion: v1
+kind: Service
+metadata:
+{{- with .Values.podAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+  name: {{ include "postgreslet.fullname" . }}-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - port: 443
+      targetPort: 9443
+  selector:
+    control-plane: controller-manager
+    {{- include "postgreslet.selectorLabels" . | nindent 4 }}
+{{- end }}
+{{- end }}

charts/postgreslet/values.yaml

@@ -7,7 +7,7 @@ replicaCount: 1
 image:
   repository: r.metal-stack.io/postgreslet
   pullPolicy: IfNotPresent
-  tag: "v0.16.0"
+  tag: "v0.17.1"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -144,6 +144,8 @@ postgreslet:
   tlsClusterIssuer: ""
   # tlsSubDomain when enabled, uses the given subdomain (in combination with the postgres instance's UUID) as common name when requesting the certificate
   tlsSubDomain: ""
+  # enableFsGroupChangePolicyWebhook when enabled, deploys a webhook that adds securityContext.fsGroupChangePolicy=OnRootMismatch to the Spilo StatefulSet when the securityContext.fsGroup field is set
+  enableFsGroupChangePolicyWebhook: true
 
 # addRandomLabel adds a random label each time the deployment.yaml is rendered, forcing k8s to update that deployment.
 # In combination with image.PullPolicy=Always, this effetifely forces a reload of the pod, even if the image tag stays the same.