Create jsonnet-based Kubernetes example with cert-manager

Author: metalmatze

examples/kubernetes/main-webhook.jsonnet

@@ -0,0 +1,117 @@
+// This example is super close to the kube-prometheus structure.
+// It's just simplified to be standalone. kube-prometheus packs the entire monitoring stack, including Prometheus.
+// Additionally, it adds the necessary objects to enable validating webhooks with cert-manager.
+local kp =
+  (import '../../jsonnet/pyrra/kubernetes.libsonnet') +
+  {
+    values+:: {
+      common+: {
+        namespace: 'monitoring',
+        versions+: {
+          pyrra: '0.7.0-rc.0',
+        },
+      },
+    },
+
+    pyrra+: {
+      // We add the additional necessary configuration to mount the self-signed certiciate via a Kubernetes secret.
+      // This certificate is used to serve the webhook http server.
+      kubernetesDeployment+: {
+        spec+: {
+          template+: {
+            spec+: {
+              containers: [
+                c {
+                  args+: [
+                    '--disable-webhooks=false',
+                  ],
+                  volumeMounts+: [{
+                    name: 'certs',
+                    mountPath: '/tmp/k8s-webhook-server/serving-certs',
+                  }],
+                }
+                for c in super.containers
+              ],
+              volumes+: [{
+                name: 'certs',
+                secret: {
+                  secretName: 'pyrra-webhook-validation',
+                },
+              }],
+            },
+          },
+        },
+      },
+
+      // This webhook tells the Kubernetes API server which objects to validate
+      // and where to send the validation webhooks to.
+      webhook: {
+        apiVersion: 'admissionregistration.k8s.io/v1',
+        kind: 'ValidatingWebhookConfiguration',
+        metadata: {
+          name: 'validating-webhook-configuration',
+          annotations: {
+            'cert-manager.io/inject-ca-from': 'monitoring/pyrra-webhook-validation',
+          },
+        },
+        webhooks: [
+          {
+            admissionReviewVersions: ['v1'],
+            clientConfig: {
+              service: {
+                name: 'pyrra-kubernetes',
+                namespace: $.pyrra._config.namespace,
+                path: '/validate-pyrra-dev-v1alpha1-servicelevelobjective',
+                port: 9443,
+              },
+            },
+            failurePolicy: 'Fail',
+            name: 'slo.pyrra.dev-servicelevelobjectives',
+            rules: [
+              {
+                apiGroups: ['pyrra.dev'],
+                apiVersions: ['v1alpha1'],
+                operations: ['CREATE', 'UPDATE'],
+                resources: ['servicelevelobjectives'],
+              },
+            ],
+            sideEffects: 'None',
+          },
+        ],
+      },
+
+      // This certificate requests a self-signed certificate from cert-manager to be written to a Kubernetes secret.
+      certificate: {
+        apiVersion: 'cert-manager.io/v1',
+        kind: 'Certificate',
+        metadata: {
+          name: 'pyrra-webhook-validation',
+          namespace: $.pyrra._config.namespace,
+        },
+        spec: {
+          dnsNames: ['pyrra-kubernetes.%s.svc' % $.pyrra._config.namespace],
+          issuerRef: {
+            name: 'selfsigned',
+          },
+          secretName: 'pyrra-webhook-validation',
+        },
+      },
+
+      // This issuer creates self-signed certificates if requested.
+      issuer: {
+        apiVersion: 'cert-manager.io/v1',
+        kind: 'Issuer',
+        metadata: {
+          name: 'selfsigned',
+          namespace: 'monitoring',
+        },
+        spec: {
+          selfSigned: {},
+        },
+      },
+    },
+  };
+
+{ 'setup/pyrra-slo-CustomResourceDefinition': kp.pyrra.crd } +
+{ ['pyrra-' + name]: kp.pyrra[name] for name in std.objectFields(kp.pyrra) if name != 'crd' && !std.startsWith(name, 'slo-') }
+{ ['slos/' + name]: kp.pyrra[name] for name in std.objectFields(kp.pyrra) if std.startsWith(name, 'slo-') }

examples/kubernetes/manifests-webhook/pyrra-apiDeployment.yaml

@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-api
+  namespace: monitoring
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: api
+      app.kubernetes.io/name: pyrra
+      app.kubernetes.io/part-of: kube-prometheus
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: api
+        app.kubernetes.io/name: pyrra
+        app.kubernetes.io/part-of: kube-prometheus
+        app.kubernetes.io/version: 0.7.0-rc.0
+    spec:
+      containers:
+      - args:
+        - api
+        - --api-url=http://pyrra-kubernetes.monitoring.svc.cluster.local:9444
+        - --prometheus-url=http://prometheus-k8s.monitoring.svc.cluster.local:9090
+        image: ghcr.io/pyrra-dev/pyrra:v0.7.0-rc.0
+        name: pyrra
+        ports:
+        - containerPort: 9099
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+      nodeSelector:
+        kubernetes.io/os: linux

examples/kubernetes/manifests-webhook/pyrra-apiService.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-api
+  namespace: monitoring
+spec:
+  ports:
+  - name: http
+    port: 9099
+    targetPort: 9099
+  selector:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus

examples/kubernetes/manifests-webhook/pyrra-certificate.yaml

@@ -0,0 +1,11 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: pyrra-webhook-validation
+  namespace: monitoring
+spec:
+  dnsNames:
+  - pyrra-kubernetes.monitoring.svc
+  issuerRef:
+    name: selfsigned
+  secretName: pyrra-webhook-validation

examples/kubernetes/manifests-webhook/pyrra-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+  namespace: monitoring
+spec:
+  selfSigned: {}

examples/kubernetes/manifests-webhook/pyrra-kubernetesClusterRole.yaml

@@ -0,0 +1,49 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: kubernetes
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-kubernetes
+  namespace: monitoring
+rules:
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheusrules
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheusrules/status
+  verbs:
+  - get
+- apiGroups:
+  - pyrra.dev
+  resources:
+  - servicelevelobjectives
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - pyrra.dev
+  resources:
+  - servicelevelobjectives/status
+  verbs:
+  - get
+  - patch
+  - update

examples/kubernetes/manifests-webhook/pyrra-kubernetesClusterRoleBinding.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: kubernetes
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-kubernetes
+  namespace: monitoring
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pyrra-kubernetes
+subjects:
+- kind: ServiceAccount
+  name: pyrra-kubernetes
+  namespace: monitoring

examples/kubernetes/manifests-webhook/pyrra-kubernetesDeployment.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: kubernetes
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-kubernetes
+  namespace: monitoring
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: kubernetes
+      app.kubernetes.io/name: pyrra
+      app.kubernetes.io/part-of: kube-prometheus
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: kubernetes
+        app.kubernetes.io/name: pyrra
+        app.kubernetes.io/part-of: kube-prometheus
+        app.kubernetes.io/version: 0.7.0-rc.0
+    spec:
+      containers:
+      - args:
+        - kubernetes
+        - --disable-webhooks=false
+        image: ghcr.io/pyrra-dev/pyrra:v0.7.0-rc.0
+        name: pyrra
+        ports:
+        - containerPort: 9099
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: certs
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: pyrra-kubernetes
+      volumes:
+      - name: certs
+        secret:
+          secretName: pyrra-webhook-validation

examples/kubernetes/manifests-webhook/pyrra-kubernetesService.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: kubernetes
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-kubernetes
+  namespace: monitoring
+spec:
+  ports:
+  - name: http
+    port: 9444
+    targetPort: 9444
+  - name: webhooks
+    port: 9443
+    targetPort: 9443
+  selector:
+    app.kubernetes.io/component: kubernetes
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus

examples/kubernetes/manifests-webhook/pyrra-kubernetesServiceAccount.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: kubernetes
+    app.kubernetes.io/name: pyrra
+    app.kubernetes.io/part-of: kube-prometheus
+    app.kubernetes.io/version: 0.7.0-rc.0
+  name: pyrra-kubernetes
+  namespace: monitoring

examples/kubernetes/manifests-webhook/pyrra-webhook.yaml

@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: monitoring/pyrra-webhook-validation
+  name: validating-webhook-configuration
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: pyrra-kubernetes
+      namespace: monitoring
+      path: /validate-pyrra-dev-v1alpha1-servicelevelobjective
+      port: 9443
+  failurePolicy: Fail
+  name: slo.pyrra.dev-servicelevelobjectives
+  rules:
+  - apiGroups:
+    - pyrra.dev
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - servicelevelobjectives
+  sideEffects: None