Added kubectl manifests to deploy webhook

- Updated Makefile
- Added yaml manifests in deploy/
- Removed webhook/
sharmapulkit04 2021-08-27 03:39:38 +05:30
parent 55c3e88037
commit b8f5157906
7 changed files with 85 additions and 674 deletions


@ -96,8 +96,8 @@ e2e: deepcopy-gen manifests ## Runs e2e tests, you can use EXTRA_ARGS
.PHONY: helm-e2e .PHONY: helm-e2e
IMAGE_NAME := $(DOCKER_REGISTRY):$(GITCOMMIT) IMAGE_NAME := $(DOCKER_REGISTRY):$(GITCOMMIT)
#TODO: install cert-manager before running helm charts
helm-e2e: helm container-runtime-build ## Runs helm e2e tests, you can use EXTRA_ARGS helm-e2e: helm container-runtime-build ## Runs helm e2e tests, you can use EXTRA_ARGS
@echo "+ $@" @echo "+ $@"
RUNNING_TESTS=1 go test -parallel=1 "./test/helm/" -ginkgo.v -tags "$(BUILDTAGS) cgo" -v -timeout 60m -run "$(E2E_TEST_SELECTOR)" -image-name=$(IMAGE_NAME) $(E2E_TEST_ARGS) RUNNING_TESTS=1 go test -parallel=1 "./test/helm/" -ginkgo.v -tags "$(BUILDTAGS) cgo" -v -timeout 60m -run "$(E2E_TEST_SELECTOR)" -image-name=$(IMAGE_NAME) $(E2E_TEST_ARGS)
@ -519,17 +519,7 @@ kubebuilder:
test -f ${ENVTEST_ASSETS_DIR}/setup-envtest.sh || curl -sSLo ${ENVTEST_ASSETS_DIR}/setup-envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v0.7.0/hack/setup-envtest.sh test -f ${ENVTEST_ASSETS_DIR}/setup-envtest.sh || curl -sSLo ${ENVTEST_ASSETS_DIR}/setup-envtest.sh https://raw.githubusercontent.com/kubernetes-sigs/controller-runtime/v0.7.0/hack/setup-envtest.sh
source ${ENVTEST_ASSETS_DIR}/setup-envtest.sh; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR); source ${ENVTEST_ASSETS_DIR}/setup-envtest.sh; fetch_envtest_tools $(ENVTEST_ASSETS_DIR); setup_envtest_env $(ENVTEST_ASSETS_DIR);
#TODO Integrate with master Makefile. #TODO: Integrate with master Makefile
MANIFESTS := webhook/all_in_one_$(API_VERSION).yaml
all-in-one-build-webhook: ## Re-generate all-in-one yaml
@echo "+ $@"
> $(MANIFESTS)
cat webhook/rbac.yaml >> $(MANIFESTS)
cat webhook/operator.yaml >> $(MANIFESTS)
cat webhook/cert-manager.yaml >> $(MANIFESTS)
cat webhook/webhook.yaml >> $(MANIFESTS)
sed -i "s~{DOCKER_REGISTRY}:{GITCOMMIT}~${DOCKER_REGISTRY}:${GITCOMMIT}~;" ${MANIFESTS}
# start the cluster locally and set it to use the docker daemon from minikube # start the cluster locally and set it to use the docker daemon from minikube
install-cert-manager: minikube-start install-cert-manager: minikube-start
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml
@ -538,6 +528,6 @@ uninstall-cert-manager: minikube-start
kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v1.5.1/cert-manager.yaml
#Launch cert-manager and deploy the operator locally along with webhook #Launch cert-manager and deploy the operator locally along with webhook
deploy-webhook: install-cert-manager install-crds container-runtime-build all-in-one-build-webhook deploy-webhook: container-runtime-build
@echo "+ $@" @echo "+ $@"
kubectl apply -f ${MANIFESTS} bin/helm upgrade jenkins chart/jenkins-operator --install --set-string operator.image=${IMAGE_NAME} --set webhook.enabled=true --set jenkins.enabled=false
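Review bot: The new `deploy-webhook` rule drops `install-cert-manager` from its prerequisites and does not list `helm`, although its recipe calls `bin/helm` and sets `webhook.enabled=true`. With the webhook enabled the chart presumably needs cert-manager's `Certificate` and `Issuer` CRDs, so on a fresh cluster the serving certificate would never be issued; the `#TODO: install cert-manager before running helm charts` comment near `helm-e2e` points at the same gap. I would write the header as `deploy-webhook: helm install-cert-manager container-runtime-build` (assuming the `helm` target is what provides `bin/helm`, as it appears to for `helm-e2e`) and quote the image value as `--set-string operator.image="$(IMAGE_NAME)"`. Whether `deploy-webhook` is declared `.PHONY` is not visible in this hunk.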


@ -0,0 +1,67 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: jenkins-webhook-certificate
namespace: default
spec:
duration: 2160h
renewBefore: 360h
secretName: jenkins-webhook-certificate
dnsNames:
- jenkins-webhook-service.default.svc
- jenkins-webhook-service.default.svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned
namespace: default
spec:
selfSigned: {}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: jenkins-webhook
annotations:
cert-manager.io/inject-ca-from: default/jenkins-webhook-certificate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: jenkins-webhook-service
namespace: default
path: /validate-jenkins-io-v1alpha2-jenkins
failurePolicy: Fail
name: vjenkins.kb.io
timeoutSeconds: 30
rules:
- apiGroups:
- jenkins.io
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- jenkins
scope: "Namespaced"
sideEffects: None
---
apiVersion: v1
kind: Service
metadata:
name: jenkins-webhook-service
namespace: default
spec:
ports:
- port: 443
targetPort: 9443
selector:
control-plane: controller-manager
---
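Review bot: The `Service` at the end of this new file selects pods by `control-plane: controller-manager`, but the Deployment manifests that carried that label are deleted in this commit, and the other webhook manifest changed here switches its selector to `name: jenkins-operator`. If the operator pods installed by the chart are labelled `name: jenkins-operator` (the chart templates are not visible on this page), this Service would have no endpoints, and because the webhook uses `failurePolicy: Fail` every CREATE and UPDATE of `jenkins` resources would be rejected. I would change the selector to `name: jenkins-operator` to match, or add a comment above it naming the Deployment whose pod labels it must track.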


@ -1,15 +1,15 @@
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: webhook-certificate name: jenkins-webhook-certificate
namespace: default namespace: default
spec: spec:
duration: 2160h duration: 2160h
renewBefore: 360h renewBefore: 360h
secretName: webhook-server-cert secretName: jenkins-webhook-certificate
dnsNames: dnsNames:
- webhook-service.default.svc - jenkins-webhook-service.default.svc
- webhook-service.default.svc.cluster.local - jenkins-webhook-service.default.svc.cluster.local
issuerRef: issuerRef:
kind: Issuer kind: Issuer
name: selfsigned name: selfsigned
@ -21,6 +21,4 @@ metadata:
name: selfsigned name: selfsigned
namespace: default namespace: default
spec: spec:
selfSigned: {} selfSigned: {}
---


@ -1,16 +1,17 @@
---
apiVersion: admissionregistration.k8s.io/v1 apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
metadata: metadata:
name: validating-webhook-configuration name: jenkins-webhook
annotations: annotations:
cert-manager.io/inject-ca-from: default/webhook-certificate cert-manager.io/inject-ca-from: default/jenkins-webhook-certificate
webhooks: webhooks:
- admissionReviewVersions: - admissionReviewVersions:
- v1 - v1
- v1beta1 - v1beta1
clientConfig: clientConfig:
service: service:
name: webhook-service name: jenkins-webhook-service
namespace: default namespace: default
path: /validate-jenkins-io-v1alpha2-jenkins path: /validate-jenkins-io-v1alpha2-jenkins
failurePolicy: Fail failurePolicy: Fail
@ -26,18 +27,19 @@ webhooks:
- UPDATE - UPDATE
resources: resources:
- jenkins - jenkins
scope: "Namespaced"
sideEffects: None sideEffects: None
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: webhook-service name: jenkins-webhook-service
namespace: default namespace: default
spec: spec:
ports: ports:
- port: 443 - port: 443
targetPort: 9443 targetPort: 9443
selector: selector:
control-plane: controller-manager name: jenkins-operator
--- ---
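Review bot: Every reference in this file is pinned to the `default` namespace (`clientConfig.service.namespace`, the Service's `metadata.namespace` and the `cert-manager.io/inject-ca-from: default/jenkins-webhook-certificate` annotation), while the `helm upgrade` call in the Makefile passes no `--namespace`. If the operator ends up in any other namespace, the API server cannot reach the webhook backend or the CA bundle is not injected, and with `failurePolicy: Fail` that blocks all CREATE and UPDATE requests for `jenkins` resources. I would add a header comment such as `# Assumes the operator runs in namespace "default"; change namespace, dnsNames and inject-ca-from together.` The same applies to the Certificate file and the new all-in-one manifest in this commit. The lines between the two hunks of this file are not shown, so whether a `namespaceSelector` is set cannot be confirmed from here.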


@ -1,357 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins-operator
---
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: jenkins-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins-operator
rules:
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- apps
- jenkins-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- build.openshift.io
resources:
- buildconfigs
- builds
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- secrets
- services
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
- pods/exec
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- create
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- jenkins.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- jenkins.io
resources:
- jenkins
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- jenkins.io
resources:
- jenkins/finalizers
verbs:
- update
- apiGroups:
- jenkins.io
resources:
- jenkins/status
verbs:
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins-operator
subjects:
- kind: ServiceAccount
name: jenkins-operator
---
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins-operator
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
serviceAccountName: jenkins-operator
securityContext:
runAsUser: 65532
containers:
- command:
- /manager
args:
- --leader-elect
image: jenkins-operator:37d0eac4-dirty
name: jenkins-operator
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 80Mi
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert
terminationGracePeriodSeconds: 10
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: webhook-certificate
namespace: default
spec:
duration: 2160h
renewBefore: 360h
secretName: webhook-server-cert
dnsNames:
- webhook-service.default.svc
- webhook-service.default.svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned
namespace: default
spec:
selfSigned: {}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: validating-webhook-configuration
annotations:
cert-manager.io/inject-ca-from: default/webhook-certificate
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: webhook-service
namespace: default
path: /validate-jenkins-io-v1alpha2-jenkins
failurePolicy: Fail
name: vjenkins.kb.io
timeoutSeconds: 30
rules:
- apiGroups:
- jenkins.io
apiVersions:
- v1alpha2
operations:
- CREATE
- UPDATE
resources:
- jenkins
sideEffects: None
---
apiVersion: v1
kind: Service
metadata:
name: webhook-service
namespace: default
spec:
ports:
- port: 443
targetPort: 9443
selector:
control-plane: controller-manager
---


@ -1,65 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jenkins-operator
labels:
control-plane: controller-manager
spec:
selector:
matchLabels:
control-plane: controller-manager
replicas: 1
template:
metadata:
labels:
control-plane: controller-manager
spec:
serviceAccountName: jenkins-operator
securityContext:
runAsUser: 65532
containers:
- command:
- /manager
args:
- --leader-elect
- --validate-security-warnings
image: {DOCKER_REGISTRY}:{GITCOMMIT}
name: jenkins-operator
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 100m
memory: 80Mi
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert
terminationGracePeriodSeconds: 10
---


@ -1,224 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: jenkins-operator
---
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: jenkins-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: jenkins-operator
rules:
- apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- apps
- jenkins-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- build.openshift.io
resources:
- buildconfigs
- builds
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- secrets
- services
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
- pods/exec
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- create
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- jenkins.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- jenkins.io
resources:
- jenkins
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- jenkins.io
resources:
- jenkins/finalizers
verbs:
- update
- apiGroups:
- jenkins.io
resources:
- jenkins/status
verbs:
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- get
- list
- update
- watch
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- create
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: jenkins-operator
subjects:
- kind: ServiceAccount
name: jenkins-operator
---