icecheng/freeleaps-ops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c2d2fa6345
freeleaps-ops/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/agentInjectorWebhook.yaml
zhenyus c2d2fa6345 fix: update Jenkins token in gitea webhook configuration 
Signed-off-by: zhenyus <zhenyus@mathmast.com>
2025-07-24 16:51:35 +08:00

141 lines
5.8 KiB
YAML
Raw Blame History

{{- if and (not (and .Values.rbac .Values.rbac.only)) .Values.agentInjector.enabled }}
{{- $namespaceSelector := mustFromJson (include "traffic-manager.namespaceSelector" $) }}
{{- /*
Perform a check that the new namespaceSelector doesn't select namespaces that are
already managed by some other traffic-manager.
*/}}
{{- $namespaces := (lookup "v1" "Namespace" "" "").items }}
{{- $configs := dict }}
{{- $cmName := include "traffic-manager.name" $ }}
{{- $cmNs := include "traffic-manager.namespace" $}}
{{- /* Find all existing traffic-manager configmaps and their namespaceSelectors */}}
{{- range $namespaces }}
{{- $ns := .metadata.name }}
{{- $cm := lookup "v1" "ConfigMap" $ns $cmName }}
{{- with $cm }}
{{- with fromYaml (get .data "namespace-selector.yaml" ) }}
{{- $configs = set $configs $ns . }}
{{- end }}
{{- end }}
{{- end }}
{{- /* No use testing if the added selector is the only one */}}
{{- if $configs }}
{{- $configs = set $configs $cmNs $namespaceSelector }}
{{- /* Validate that no selector overlaps with another */}}
{{- $allManagedNamespaces := dict }}
{{- range $configNs, $config := $configs }}
{{- $rqs := $config.matchExpressions }}
{{- /* Normalise the selector, i.e. turn each matchLabel into a machRequirement */}}
{{- range $key, $value := $config.matchLabels }}
{{- $rqs = append $rqs (dict "key" $key "operator" "In" "values" (list $value))}}
{{- end }}
{{- /* Figure out what namespaces this selector selects, and for each one, assert that it's not selected already */}}
{{- range $namespaces }}
{{- $ns := .metadata.name }}
{{- $labels := .metadata.labels }}
{{- $isMatch := true }}
{{- range $rqs }}
{{- $rqMatch := false }}
{{- $val := get $labels .key }}
{{- if eq .operator "In" }}
{{- $rqMatch = has $val .values }}
{{- else if eq .operator "NotIn" }}
{{- $rqMatch = not (has $val .values) }}
{{- else if eq .operator "Exists" }}
{{- $rqMatch = not (eq $val "") }}
{{- else if eq .operator "DoesNotExist" }}
{{- $rqMatch = eq $val "" }}
{{- else }}
{{- fail printf "unsupported labelSelectorOperator %s" .operator}}
{{- end }}
{{- if not $rqMatch }}
{{- $isMatch = false }}
{{- break }}
{{- end }}
{{- end }}
{{- if $isMatch }}
{{- $conflictingConfig := get $allManagedNamespaces $ns }}
{{- if $conflictingConfig }}
{{- if eq $conflictingConfig $cmNs }}
{{- $conflictingConfig = $configNs }}
{{- end }}
{{- fail (printf "traffic-manager in namespace %s already manages namespace %s" $conflictingConfig $ns) }}
{{- end }}
{{- $allManagedNamespaces = set $allManagedNamespaces $ns $configNs }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- $altNames := list ( printf "agent-injector.%s" (include "traffic-manager.namespace" $)) ( printf "agent-injector.%s.svc" (include "traffic-manager.namespace" $)) -}}
{{- $genCA := genCA "agent-injector-ca" 365 -}}
{{- $genCert := genSignedCert "agent-injector" nil $altNames 365 $genCA -}}
{{- $secretData := (lookup "v1" "Secret" (include "traffic-manager.namespace" $) .Values.agentInjector.secret.name).data -}}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
{{- if eq .Values.agentInjector.certificate.method "certmanager" }}
annotations:
cert-manager.io/inject-ca-from: {{ include "traffic-manager.namespace" $}}/{{ .Values.agentInjector.secret.name }}
{{- end }}
name: {{ .Values.agentInjector.webhook.name }}-{{ include "traffic-manager.namespace" $ }}
labels:
{{- include "telepresence.labels" $ | nindent 4 }}
webhooks:
{{- with .Values.agentInjector.webhook.admissionReviewVersions }}
- admissionReviewVersions:
{{- toYaml . | nindent 2 }}
{{- end }}
clientConfig:
{{- if not (eq .Values.agentInjector.certificate.method "certmanager") }}
{{- if and ($secretData) (or (not .Values.agentInjector.certificate.regenerate) (eq .Values.agentInjector.certificate.method "supplied") )}}
caBundle: {{ or (get $secretData "ca.crt") (get $secretData "ca.pem") }}
{{- else }}
caBundle: {{ $genCA.Cert | b64enc }}
{{- end }}
{{- end }}
service:
name: {{ .Values.agentInjector.name }}
namespace: {{ include "traffic-manager.namespace" $ }}
path: {{ .Values.agentInjector.webhook.servicePath }}
port: {{ .Values.agentInjector.webhook.port }}
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- DELETE
resources:
- pods
scope: '*'
failurePolicy: {{ .Values.agentInjector.webhook.failurePolicy }}
reinvocationPolicy: {{ .Values.agentInjector.webhook.reinvocationPolicy }}
name: agent-injector-{{ include "traffic-manager.namespace" $ }}.telepresence.io
sideEffects: {{ .Values.agentInjector.webhook.sideEffects }}
timeoutSeconds: {{ .Values.agentInjector.webhook.timeoutSeconds }}
namespaceSelector:
{{- toYaml $namespaceSelector | nindent 4 }}
{{- if not (or (eq .Values.agentInjector.certificate.method "certmanager") (eq .Values.agentInjector.certificate.method "supplied")) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.agentInjector.secret.name }}
namespace: {{ include "traffic-manager.namespace" $ }}
labels:
{{- include "telepresence.labels" $ | nindent 4 }}
data:
{{- if and ($secretData) (not .Values.agentInjector.certificate.regenerate) }}
ca.crt: {{ or (get $secretData "ca.crt") (get $secretData "ca.pem") }}
tls.crt: {{ or (get $secretData "tls.crt") (get $secretData "crt.pem") }}
tls.key: {{ or (get $secretData "tls.key") (get $secretData "key.pem") }}
{{- else }}
ca.crt: {{ $genCA.Cert | b64enc }}
tls.crt: {{ $genCert.Cert | b64enc }}
tls.key: {{ $genCert.Key | b64enc }}
{{- end }}
{{- end }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink