Fixes/updates for webhook-apiserver

a. Adding the same encryption configuration to webhook-apiserver as is used for kubernetes-apiserver, so it can access secrets stored in etcd by kubernetes-apiserver. b. Adding an additional ingress annotation to allow for TLS access to the Keystone backend. c. Adding an apt-get clean to Dockerfile as this seems to be needed to get image building working properly. This patchset has passed the Promenade resiliency gate. Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
2019-06-17 15:46:45 -05:00 · 2019-06-17 15:46:45 -05:00 · 5c92a11b8a
commit 5c92a11b8a
parent 3fed9e38e9
4 changed files with 17 additions and 0 deletions
--- a/1
+++ b/1
@ -39,6 +39,7 @@ ENTRYPOINT ["/opt/promenade/entrypoint.sh"]
 RUN set -ex \
    && curl -Lo /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
    && chmod 555 /usr/local/bin/cfssl \
+    && apt-get clean \
    && apt-get update -q \
    && apt-get install --no-install-recommends -y \
        libyaml-dev \
--- a/charts/apiserver-webhook/templates/configmap-etc.yaml
+++ b/charts/apiserver-webhook/templates/configmap-etc.yaml
@ -28,4 +28,6 @@ data:
 {{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
  policy.json: |
 {{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
+  encryption_provider.json: |
+{{ toPrettyJson $envAll.Values.conf.encryption_provider.content | indent 4 }}
 {{- end }}
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@ -163,6 +163,7 @@ spec:
            - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
            - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
            - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
+            - --experimental-encryption-provider-config={{ $envAll.Values.conf.paths.encryption_provider }}
          readinessProbe:
            tcpSocket:
              port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -184,6 +185,10 @@ spec:
              mountPath: {{ $envAll.Values.conf.paths.conf }}
              subPath: webhook.kubeconfig
              readOnly: true
+            - name: configmap-etc
+              mountPath: {{ $envAll.Values.conf.paths.encryption_provider }}
+              subPath: encryption_provider.json
+              readOnly: true
 {{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }}
 {{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
 {{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@ -48,6 +48,9 @@ apiserver_webhook:
    # Default 5(Trace level verbosity).
    log_level: 5

+service:
+  name: clcp-ucp-apiserver-webhook
+
 network:
  pod_cidr: '10.97.0.0/16'
  service_cidr: '10.96.0.0/16'
@ -62,6 +65,7 @@ network:
        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/secure-backends: "true"
+        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    name: webhook_apiserver
 #
 # Insert TLS certificates, keys and CAs
@ -270,6 +274,11 @@ conf:
    conf: '/etc/webhook_apiserver/webhook.kubeconfig'
    policy: '/etc/webhook_apiserver/conf/policy.json'
    sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
+    encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
+  encryption_provider:
+    content:
+      kind: EncryptionConfig
+      apiVersion: v1
  policy:
    - resource:
        verbs: