kubernetes-sigs / controller-tools

Tools to use with the controller-runtime libraries
Apache License 2.0
733 stars 418 forks

Webhook configuration is fairly limited #540

Closed raz-bn closed 7 months ago

raz-bn commented 3 years ago

Currently, it is only possible to generate a webhook manifest for a service running inside the cluster. However, I think it should also be possible to generate manifests for webhooks running outside the cluster by providing the Validating/MutatingWebhookConfiguration with a URL instead of a service. This use case can be handy when trying to run a local webhook while developing one. In order to achieve this with the current controller-gen, you need to make these manual changes:

  1. Edit webhook/manifests.yaml and replace Service with the desired URL:

    ---
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      creationTimestamp: null
      name: validating-webhook-configuration
    webhooks:
    - clientConfig:
        caBundle: Cg==
        url: https://example.com/validate
      failurePolicy: Fail
      name: exa.mple.com
      rules:
      - apiGroups:
        - ""
        apiVersions:
        - v1
        operations:
        - DELETE
        resources:
        - namespaces

  2. Edit webhook/kustomization.yaml and comment out these lines:

    resources:
    - manifests.yaml
    #- service.yaml

    configurations:
    - kustomizeconfig.yaml

  3. Edit certmanager/certificate.yaml and add the DNS name:

    # The following manifests contain a self-signed issuer CR and a certificate CR.
    # More document can be found at https://docs.cert-manager.io
    # WARNING: Targets CertManager 0.11 check https://docs.cert-manager.io/en/latest/tasks/upgrading/index.html for
    # breaking changes
    apiVersion: cert-manager.io/v1alpha2
    kind: Issuer
    metadata:
      name: selfsigned-issuer
      namespace: system
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1alpha2
    kind: Certificate
    metadata:
      name: serving-cert  # this name should match the one appeared in kustomizeconfig.yaml
      namespace: system
    spec:
      # $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
      dnsNames:

    # Value of this field is prepended to the
    # names of all resources, e.g. a deployment named
    # "wordpress" becomes "alices-wordpress".
    # Note that it should also match with the prefix (text before '-') of the namespace
    # field above.
    namePrefix: sns-

    # Labels to add to all resources and selectors.
    commonLabels:
      someName: someValue

    bases:

    patchesStrategicMerge:
    # Protect the /metrics endpoint by putting it behind auth.
    # If you want your controller-manager to expose the /metrics
    # endpoint w/o any authn/z, please comment the following line.

    # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
    # crd/kustomization.yaml

    # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
    # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
    # 'CERTMANAGER' needs to be enabled to use ca injection

    # the following config is for teaching kustomize how to do var substitution
    vars:
    # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
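
The URL in step 1 has to satisfy the rules the Kubernetes API reference gives for `clientConfig.url` (https only, no user info, no query or fragment, and exactly one of `url` or `service`), and the certificate edited in step 3 has to cover the URL's host. The Go check below is an added example, not part of the issue or of controller-tools; `CheckClientConfig` and `matchDNSName` are hypothetical names, the inputs are constructed, and it assumes the DNS name added in step 3 is the host of the webhook URL.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// matchDNSName compares a dnsNames entry with a host; "*." matches exactly one label.
func matchDNSName(pattern, host string) bool {
	if i := strings.Index(host, "."); strings.HasPrefix(pattern, "*.") && i > 0 {
		return host[i+1:] == pattern[2:]
	}
	return pattern == host
}

// CheckClientConfig lists problems with a webhook clientConfig (hypothetical helper).
// dnsNames is the serving Certificate's spec.dnsNames, assumed to be what step 3 edits.
func CheckClientConfig(rawURL string, hasService bool, dnsNames []string) []string {
	if (rawURL != "") == hasService {
		return []string{"exactly one of url or service must be set"}
	}
	if hasService {
		return nil // in-cluster service: the URL rules below do not apply
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return []string{"url does not parse: " + err.Error()}
	}
	var problems []string
	add := func(bad bool, msg string) {
		if bad {
			problems = append(problems, msg)
		}
	}
	add(u.Scheme != "https", "scheme must be https")
	add(u.User != nil, "user info is not allowed")
	add(u.RawQuery != "" || u.Fragment != "", "query and fragment are not allowed")
	host, covered := strings.ToLower(u.Hostname()), false
	for _, n := range dnsNames {
		covered = covered || matchDNSName(strings.ToLower(n), host)
	}
	add(!covered, fmt.Sprintf("certificate dnsNames do not cover %q", host))
	return problems
}

func main() { // constructed sample: the URL from step 1 with a matching dnsNames entry
	fmt.Println(CheckClientConfig("https://example.com/validate", false, []string{"example.com"}))
}
```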

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

fejta-bot commented 3 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

fejta-bot commented 3 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-ci-robot commented 3 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/controller-tools/issues/540#issuecomment-869185326):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

rikatz commented 1 year ago

/reopen

k8s-ci-robot commented 1 year ago

@rikatz: Reopened this issue.

In response to [this](https://github.com/kubernetes-sigs/controller-tools/issues/540#issuecomment-1594845252):

> /reopen

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

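This bot triages issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with [Issue Triage](https://www.kubernetes.dev/docs/guide/issue-triage/)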

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 1 year ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/controller-tools/issues/540#issuecomment-1637119721):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

sbueringer commented 1 year ago

/reopen
/remove-lifecycle rotten
/lifecycle active

k8s-triage-robot commented 9 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

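This bot triages issues according to the following rules:

- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed

You can:

- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with [Issue Triage](https://www.kubernetes.dev/docs/guide/issue-triage/)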

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 7 months ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/controller-tools/issues/540#issuecomment-2016867713):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue with `/reopen`
> - Mark this issue as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close not-planned
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

sbueringer commented 7 months ago

This was fixed in https://github.com/kubernetes-sigs/controller-tools/pull/824

sbueringer commented 7 months ago

/close

k8s-ci-robot commented 7 months ago

@sbueringer: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/controller-tools/issues/540#issuecomment-2033669630):

> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.