From 73670f4fbe79d0f008d0408c7a5b14f99048c4e9 Mon Sep 17 00:00:00 2001
From: eberlep
Date: Tue, 12 Nov 2024 10:15:37 +0100
Subject: [PATCH] Postgreslet mutating webhook (#102)

---
 charts/postgreslet/Chart.yaml | 4 +-
 charts/postgreslet/templates/certificate.yaml | 18 +++++++++
 charts/postgreslet/templates/configmap.yaml | 1 +
 charts/postgreslet/templates/deployment.yaml | 15 ++++++++
 .../mutatingwebhookconfiguration.yaml | 38 +++++++++++++++++++
 charts/postgreslet/templates/service.yaml | 24 +++++++++++-
 charts/postgreslet/values.yaml | 4 +-
 7 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 charts/postgreslet/templates/certificate.yaml
 create mode 100644 charts/postgreslet/templates/mutatingwebhookconfiguration.yaml

diff --git a/charts/postgreslet/Chart.yaml b/charts/postgreslet/Chart.yaml
index 286c806..0443940 100644
--- a/charts/postgreslet/Chart.yaml
+++ b/charts/postgreslet/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.14.0
+version: 0.15.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.16.0"
+appVersion: "v0.17.1"
diff --git a/charts/postgreslet/templates/certificate.yaml b/charts/postgreslet/templates/certificate.yaml
new file mode 100644
index 0000000..3671d44
--- /dev/null
+++ b/charts/postgreslet/templates/certificate.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "postgreslet.fullname" . }}-webhook-tls
+  namespace: {{ .Release.Namespace }}
+spec:
+  dnsNames:
+  - {{ include "postgreslet.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: {{ .Values.postgreslet.tlsClusterIssuer | quote }}
+  secretName: {{ include "postgreslet.fullname" . }}-webhook-tls
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/postgreslet/templates/configmap.yaml b/charts/postgreslet/templates/configmap.yaml
index 831ff01..ac9ba3d 100644
--- a/charts/postgreslet/templates/configmap.yaml
+++ b/charts/postgreslet/templates/configmap.yaml
@@ -56,6 +56,7 @@ data:
   TENANT: {{ .Values.postgreslet.tenant | quote }}
   TLS_CLUSTER_ISSUER: {{ .Values.postgreslet.tlsClusterIssuer | quote }}
   TLS_SUB_DOMAIN: {{ .Values.postgreslet.tlsSubDomain | quote }}
+  ENABLE_FSGROUP_CHANGE_POLICY_WEBHOOK: {{ .Values.postgreslet.enableFsGroupChangePolicyWebhook | quote }}
 kind: ConfigMap
 metadata:
   name: {{ include "postgreslet.fullname" . }}
diff --git a/charts/postgreslet/templates/deployment.yaml b/charts/postgreslet/templates/deployment.yaml
index e665bcc..7ee4b95 100644
--- a/charts/postgreslet/templates/deployment.yaml
+++ b/charts/postgreslet/templates/deployment.yaml
@@ -51,6 +51,13 @@ spec:
         - mountPath: /var/run/secrets/postgreslet
           name: controlplane-kubeconfig
           readOnly: true
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: webhook-tls
+          readOnly: true
+{{- end }}
+{{- end }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       volumes:
       - name: controlplane-kubeconfig
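Review bot: `ENABLE_FSGROUP_CHANGE_POLICY_WEBHOOK` is derived from `enableFsGroupChangePolicyWebhook` alone, whereas every other webhook resource in this commit (certificate.yaml, the deployment mounts, the webhook Service and the `webhooks` list of the MutatingWebhookConfiguration) is additionally gated on `tlsClusterIssuer` being non-empty. With the new default of `true` and the default empty issuer, the operator is therefore told to enable the webhook while no serving certificate is mounted under /tmp/k8s-webhook-server/serving-certs and no webhook Service exists; whether the operator tolerates that is not visible in this diff. Deriving the env value from both conditions keeps the ConfigMap consistent with the templates: `ENABLE_FSGROUP_CHANGE_POLICY_WEBHOOK: {{ and .Values.postgreslet.enableFsGroupChangePolicyWebhook (ne .Values.postgreslet.tlsClusterIssuer "") | quote }}`.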
@@ -59,6 +66,14 @@ spec:
           - key: controlplane-kubeconfig
             path: kube/config
           secretName: {{ include "postgreslet.fullname" . }}
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+      - name: webhook-tls
+        secret:
+          defaultMode: 420
+          secretName: {{ include "postgreslet.fullname" . }}-webhook-tls
+{{- end }}
+{{- end }}
 {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
diff --git a/charts/postgreslet/templates/mutatingwebhookconfiguration.yaml b/charts/postgreslet/templates/mutatingwebhookconfiguration.yaml
new file mode 100644
index 0000000..2dc153b
--- /dev/null
+++ b/charts/postgreslet/templates/mutatingwebhookconfiguration.yaml
@@ -0,0 +1,38 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "postgreslet.fullname" . }}-webhook-tls
+  name: {{ include "postgreslet.fullname" . }}-webhook
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ include "postgreslet.fullname" . }}-webhook
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-v1-pod
+  failurePolicy: Ignore
+  name: webhook.postgres.fits.cloud
+  objectSelector:
+    matchLabels:
+      application: spilo
+      postgres.database.fits.cloud/partition-id: {{ .Values.postgreslet.partitionId | quote }}
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+{{- else }}
+webhooks: []
+{{- end }}
+{{- else }}
+webhooks: []
+{{- end }}
\ No newline at end of file
diff --git a/charts/postgreslet/templates/service.yaml b/charts/postgreslet/templates/service.yaml
index 30fbf19..cbdc498 100644
--- a/charts/postgreslet/templates/service.yaml
+++ b/charts/postgreslet/templates/service.yaml
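Review bot: `failurePolicy: Ignore` makes the new webhook fail-open: whenever the endpoint is unreachable — notably in the window before cert-manager has issued the certificate and injected the CA bundle — spilo pods are admitted without the `fsGroupChangePolicy` mutation and nothing in this configuration records that it was skipped. For a mutation that only tunes volume ownership handling that is a defensible availability trade-off, but it should be stated next to the field, e.g. `failurePolicy: Ignore  # fail-open: pods are admitted unmutated while the webhook is unavailable`; `timeoutSeconds` is left at the API default, which is worth noting there too. Separately, the `cert-manager.io/inject-ca-from` annotation is rendered even in the branches that emit `webhooks: []`, while certificate.yaml renders nothing in that case, so the cainjector is pointed at a Certificate that does not exist; moving the annotation inside the same two conditionals avoids that. The narrow `objectSelector`, `operations: CREATE` and `sideEffects: None` are appropriately scoped.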
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -19,4 +20,25 @@ spec:
   selector:
     control-plane: controller-manager
     {{- include "postgreslet.selectorLabels" . | nindent 4 }}
-  type: ClusterIP
\ No newline at end of file
+  type: ClusterIP
+---
+{{- if .Values.postgreslet.enableFsGroupChangePolicyWebhook }}
+{{- if .Values.postgreslet.tlsClusterIssuer }}
+apiVersion: v1
+kind: Service
+metadata:
+{{- with .Values.podAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
+  name: {{ include "postgreslet.fullname" . }}-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - port: 443
+    targetPort: 9443
+  selector:
+    control-plane: controller-manager
+    {{- include "postgreslet.selectorLabels" . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/charts/postgreslet/values.yaml b/charts/postgreslet/values.yaml
index 3e7bbce..a2ff1da 100644
--- a/charts/postgreslet/values.yaml
+++ b/charts/postgreslet/values.yaml
@@ -7,7 +7,7 @@ replicaCount: 1
 image:
   repository: r.metal-stack.io/postgreslet
   pullPolicy: IfNotPresent
-  tag: "v0.16.0"
+  tag: "v0.17.1"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -144,6 +144,8 @@ postgreslet:
   tlsClusterIssuer: ""
   # tlsSubDomain when enabled, uses the given subdomain (in combination with the postgres instance's UUID) as common name when requesting the certificate
   tlsSubDomain: ""
+  # enableFsGroupChangePolicyWebhook when enabled, deploys a webhook that adds securityContext.fsGroupChangePolicy=OnRootMismatch to the Spilo StatefulSet when the securityContext.fsGroup field is set
+  enableFsGroupChangePolicyWebhook: true
   # addRandomLabel adds a random label each time the deployment.yaml is rendered, forcing k8s to update that deployment.
   # In combination with image.PullPolicy=Always, this effetifely forces a reload of the pod, even if the image tag stays the same.
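Review bot: The new webhook Service copies `.Values.podAnnotations` into its `metadata.annotations`, which puts pod-level annotations on a Service object; the first Service's metadata lies outside this hunk, so this may mirror existing behaviour, but a Service-specific value (or no annotations block) is the more usual choice. The port mapping itself is consistent with the MutatingWebhookConfiguration, whose `clientConfig.service` omits `port` and therefore defaults to 443. The 9443 target port is undocumented and the deployment hunks declare no matching containerPort, so a comment naming where that number comes from would help, e.g. `targetPort: 9443  # port the operator's webhook server listens on` — to be confirmed against the operator, which is not part of this diff.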
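Review bot: The new comment says the webhook patches "the Spilo StatefulSet", but the MutatingWebhookConfiguration added in this commit registers for `resources: pods` on `CREATE` at `/mutate-v1-pod`, so the object actually mutated is each spilo pod at admission time; the comment should say so, e.g. `# enableFsGroupChangePolicyWebhook when enabled, deploys a webhook that adds securityContext.fsGroupChangePolicy=OnRootMismatch to spilo pods (matched by objectSelector) at CREATE time when securityContext.fsGroup is set`. The default of `true` switches the feature on for every chart user at upgrade, yet all rendered webhook resources are further gated on `tlsClusterIssuer`, so with the default empty issuer the only visible effect is the ConfigMap env value. Stating that second dependency in the comment (`requires tlsClusterIssuer to be set`) would save users from enabling a flag that renders nothing.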