X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=src%2Ffoundation%2Fscripts%2Fcni%2Fdanm%2Fintegration%2Fmanifests%2Fwebhook%2Fwebhook.yaml;fp=src%2Ffoundation%2Fscripts%2Fcni%2Fdanm%2Fintegration%2Fmanifests%2Fwebhook%2Fwebhook.yaml;h=aef040f472ea9393a91f1a4fbb3f922a641f4a34;hb=9bb5493922a305ff0491058a1ddffef00a3fe67c;hp=0000000000000000000000000000000000000000;hpb=a4546182269b01038a1e672cb16b081930bd11bb;p=iec.git
diff --git a/src/foundation/scripts/cni/danm/integration/manifests/webhook/webhook.yaml b/src/foundation/scripts/cni/danm/integration/manifests/webhook/webhook.yaml
new file mode 100644
index 0000000..aef040f
--- /dev/null
+++ b/src/foundation/scripts/cni/danm/integration/manifests/webhook/webhook.yaml
@@ -0,0 +1,135 @@
+# yamllint disable rule:hyphens rule:commas rule:indentation rule:brackets rule:line-length
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: danm-webhook
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: caas:danm-webhook
+rules:
+- apiGroups:
+ - danm.k8s.io
+ resources:
+ - tenantconfigs
+ verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: caas:danm-webhook
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: caas:danm-webhook
+subjects:
+- kind: ServiceAccount
+ name: danm-webhook
+ namespace: kube-system
+---
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: danm-webhook-config
+ namespace: kube-system
+webhooks:
+ - name: danm-netvalidation.nokia.k8s.io
+ clientConfig:
+ service:
+ name: danm-webhook-svc
+ namespace: kube-system
+ path: "/netvalidation"
+ # Configure your pre-generated certificate matching the details of your environment
+ caBundle:
+ rules:
+ - operations: ["CREATE","UPDATE"]
+ apiGroups: ["danm.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["danmnets","clusternetworks","tenantnetworks"]
+ failurePolicy: Fail
+ - name: danm-configvalidation.nokia.k8s.io
+ clientConfig:
+ service:
+ name: danm-webhook-svc
+ namespace: kube-system
+ path: "/confvalidation"
+ # Configure your pre-generated certificate matching the details of your environment
+ caBundle:
+ rules:
+ - operations: ["CREATE","UPDATE"]
+ apiGroups: ["danm.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["tenantconfigs"]
+ failurePolicy: Fail
+ - name: danm-netdeletion.nokia.k8s.io
+ clientConfig:
+ service:
+ name: danm-webhook-svc
+ namespace: kube-system
+ path: "/netdeletion"
+ # Configure your pre-generated certificate matching the details of your environment
+ caBundle:
+ rules:
+ - operations: ["DELETE"]
+ apiGroups: ["danm.k8s.io"]
+ apiVersions: ["v1"]
+ resources: ["tenantnetworks"]
+ failurePolicy: Fail
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: danm-webhook-svc
+ namespace: kube-system
+ labels:
+ danm: webhook
+spec:
+ ports:
+ - name: webhook
+ port: 443
+ targetPort: 8443
+ selector:
+ danm: webhook
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: danm-webhook-deployment
+ namespace: kube-system
+ labels:
+ danm: webhook
+spec:
+ selector:
+ matchLabels:
+ danm: webhook
+ template:
+ metadata:
+ annotations:
+ # Adapt to your own network environment!
+ danm.k8s.io/interfaces: |
+ [
+ {
+ "network":"flannel"
+ }
+ ]
+ name: danm-webhook
+ labels:
+ danm: webhook
+ spec:
+ serviceAccountName: danm-webhook
+ containers:
+ - name: danm-webhook
+ image: danm_webhook
+ command: [ "/usr/local/bin/webhook", "-tls-cert-bundle=/etc/webhook/certs/danm_webhook.crt", "-tls-private-key-file=/etc/webhook/certs/danm_webhook.key", "bind-port=8443" ]
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: webhook-certs
+ mountPath: /etc/webhook/certs
+ readOnly: true
+ # Configure the directory holding the Webhook's server certificates
+ volumes:
+ - name: webhook-certs
+ hostPath:
+ path: /etc/kubernetes/ssl/
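Review bot: The `webhook-certs` volume at the end of the Deployment mounts the whole host directory `/etc/kubernetes/ssl/` into the pod, so the webhook container can read every file there, not only `danm_webhook.crt` and `danm_webhook.key`; that directory presumably also holds other cluster certificates and private keys. Delivering just the serving pair through a Secret volume, e.g. `secret:` with `secretName: <webhook-tls-secret>` (placeholder) in place of `hostPath:`, keeps the read-only mount and removes the dependency on node-local files. Separately, the last `command` argument is `"bind-port=8443"` without the leading dash the other two flags carry, so it is probably parsed as a positional argument rather than a flag; `"-bind-port=8443"` looks intended. The ClusterRole's `verbs: [ "*" ]` on `tenantconfigs` could also be narrowed to the verbs the webhook actually uses.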